53 files changed, 645 insertions, 81 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 40ba00db6..29f14788d 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -10,6 +10,9 @@ on: | |||
10 | - RELNOTES | 10 | - RELNOTES |
11 | - SECURITY.md | 11 | - SECURITY.md |
12 | - 'etc/**' | 12 | - 'etc/**' |
13 | - 'src/firecfg/firecfg.config' | ||
14 | - '.github/ISSUE_TEMPLATE/*' | ||
15 | - '.github/pull_request_template.md' | ||
13 | pull_request: | 16 | pull_request: |
14 | branches: [ master ] | 17 | branches: [ master ] |
15 | paths-ignore: | 18 | paths-ignore: |
@@ -19,6 +22,9 @@ on: | |||
19 | - RELNOTES | 22 | - RELNOTES |
20 | - SECURITY.md | 23 | - SECURITY.md |
21 | - 'etc/**' | 24 | - 'etc/**' |
25 | - 'src/firecfg/firecfg.config' | ||
26 | - '.github/ISSUE_TEMPLATE/*' | ||
27 | - '.github/pull_request_template.md' | ||
22 | 28 | ||
23 | jobs: | 29 | jobs: |
24 | build-clang: | 30 | build-clang: |
@@ -827,7 +827,7 @@ soredake (https://github.com/soredake) | |||
827 | - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile | 827 | - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile |
828 | - fix keepassxc.profile | 828 | - fix keepassxc.profile |
829 | - fix qtox.profile | 829 | - fix qtox.profile |
830 | - add ocaltime to private-etc to make qtox show correct time | 830 | - add localtime to private-etc to make qtox show correct time |
831 | - fixes for the keepassxc 2.2.5 version | 831 | - fixes for the keepassxc 2.2.5 version |
832 | SkewedZeppelin (https://github.com/SkewedZeppelin) | 832 | SkewedZeppelin (https://github.com/SkewedZeppelin) |
833 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 833 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles |
@@ -333,4 +333,6 @@ Stats: | |||
333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, | 334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, |
335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, | 335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, |
336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway | 336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, |
337 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, | ||
338 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon | ||
@@ -19,6 +19,10 @@ firejail (0.9.65) baseline; urgency=low | |||
19 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum | 19 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum |
20 | * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum | 20 | * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum |
21 | * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway | 21 | * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway |
22 | * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, | ||
23 | * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, | ||
24 | * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon | ||
25 | * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper | ||
22 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 26 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
23 | 27 | ||
24 | firejail (0.9.64.4) baseline; urgency=low | 28 | firejail (0.9.64.4) baseline; urgency=low |
diff --git a/contrib/sort.py b/contrib/sort.py index 9e5062c3c..c7325facb 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -35,43 +35,16 @@ def sort_alphabetical(raw_items): | |||
35 | 35 | ||
36 | def sort_protocol(protocols): | 36 | def sort_protocol(protocols): |
37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" |
38 | |||
38 | # shortcut for common protocol lines | 39 | # shortcut for common protocol lines |
39 | if protocols in ("unix", "unix,inet,inet6"): | 40 | if protocols in ("unix", "unix,inet,inet6"): |
40 | return protocols | 41 | return protocols |
42 | |||
41 | fixed_protocols = "" | 43 | fixed_protocols = "" |
42 | present_protocols = { | 44 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): |
43 | "unix": False, | 45 | for prefix in ("", "-", "+", "="): |
44 | "inet": False, | 46 | if f",{prefix}{protocol}," in f",{protocols},": |
45 | "inet6": False, | 47 | fixed_protocols += f"{prefix}{protocol}," |
46 | "netlink": False, | ||
47 | "packet": False, | ||
48 | "bluetooth": False, | ||
49 | } | ||
50 | for protocol in protocols.split(","): | ||
51 | if protocol == "unix": | ||
52 | present_protocols["unix"] = True | ||
53 | elif protocol == "inet": | ||
54 | present_protocols["inet"] = True | ||
55 | elif protocol == "inet6": | ||
56 | present_protocols["inet6"] = True | ||
57 | elif protocol == "netlink": | ||
58 | present_protocols["netlink"] = True | ||
59 | elif protocol == "packet": | ||
60 | present_protocols["packet"] = True | ||
61 | elif protocol == "bluetooth": | ||
62 | present_protocols["bluetooth"] = True | ||
63 | if present_protocols["unix"]: | ||
64 | fixed_protocols += "unix," | ||
65 | if present_protocols["inet"]: | ||
66 | fixed_protocols += "inet," | ||
67 | if present_protocols["inet6"]: | ||
68 | fixed_protocols += "inet6," | ||
69 | if present_protocols["netlink"]: | ||
70 | fixed_protocols += "netlink," | ||
71 | if present_protocols["packet"]: | ||
72 | fixed_protocols += "packet," | ||
73 | if present_protocols["bluetooth"]: | ||
74 | fixed_protocols += "bluetooth," | ||
75 | return fixed_protocols[:-1] | 48 | return fixed_protocols[:-1] |
76 | 49 | ||
77 | 50 | ||
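Review bot: The rebuilt loop (new lines 44-47) still silently drops any token it does not recognise, so a typo such as `inet4` or a stray space vanishes from the sorted `protocol` line with no signal, and a sandbox profile ends up with a different protocol set than its author wrote. Because this script rewrites profiles in bulk, that should fail loudly; a membership check against the accepted tokens before the rebuild catches it. I cannot tell from the hunk whether firejail's `protocol` parser accepts the `-`, `+` and `=` prefixes the new loop now preserves; if it does not, the loop keeps tokens the old code discarded, so the accepted set deserves a comment on line 44. The docstring typo `protocole` on line 37 could be fixed in the same pass.
```python
def sort_protocol(protocols):
    """Sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth."""
    # … unchanged: shortcut for common protocol lines …
    known_protocols = ("unix", "inet", "inet6", "netlink", "packet", "bluetooth")
    prefixes = ("", "-", "+", "=")
    accepted = {f"{prefix}{protocol}" for protocol in known_protocols for prefix in prefixes}
    # Fail loudly: a dropped token would silently change the sandbox.
    unknown = [token for token in protocols.split(",") if token not in accepted]
    if unknown:
        raise ValueError(f"unknown protocol(s) {unknown} in {protocols!r}")
    fixed_protocols = ""
    for protocol in known_protocols:
        for prefix in prefixes:
            if f",{prefix}{protocol}," in f",{protocols},":
                fixed_protocols += f"{prefix}{protocol},"
    return fixed_protocols[:-1]
```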
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc new file mode 100644 index 000000000..b5ff1bd50 --- /dev/null +++ b/etc/inc/allow-opengl-game.inc | |||
@@ -0,0 +1,3 @@ | |||
1 | noblacklist ${PATH}/bash | ||
2 | whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh | ||
3 | private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity | ||
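Review bot: The new include has no header comment, so a reader of a wrapper profile that pulls it in cannot see that it deliberately re-enables `bash` (`noblacklist ${PATH}/bash`, line 1) and adds a shell plus `cut`, `grep`, `head`, `sed` and `zenity` to `private-bin` (line 3) for every profile that includes it. Since `disable-shell.inc` is what normally keeps a shell out of these game sandboxes, that widening deserves to be stated where it happens. I would open the file with `# Allow the shell-based opengl-games-utils wrapper scripts to run: re-enables bash and the coreutils they call` and a second line noting that it must be included before `disable-shell.inc` for the `noblacklist` to take effect, if that ordering requirement holds for firejail's include processing.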
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc index 316378cb8..3ed9a1b14 100644 --- a/etc/inc/disable-passwdmgr.inc +++ b/etc/inc/disable-passwdmgr.inc | |||
@@ -7,6 +7,7 @@ blacklist ${HOME}/.config/KeePass | |||
7 | blacklist ${HOME}/.config/keepass | 7 | blacklist ${HOME}/.config/keepass |
8 | blacklist ${HOME}/.config/keepassx | 8 | blacklist ${HOME}/.config/keepassx |
9 | blacklist ${HOME}/.config/keepassxc | 9 | blacklist ${HOME}/.config/keepassxc |
10 | blacklist ${HOME}/.config/KeePassXCrc | ||
10 | blacklist ${HOME}/.config/Sinew Software Systems | 11 | blacklist ${HOME}/.config/Sinew Software Systems |
11 | blacklist ${HOME}/.fpm | 12 | blacklist ${HOME}/.fpm |
12 | blacklist ${HOME}/.keepass | 13 | blacklist ${HOME}/.keepass |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 8ccbae5ca..1e1734a9e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -52,6 +52,7 @@ blacklist ${HOME}/.atom | |||
52 | blacklist ${HOME}/.attic | 52 | blacklist ${HOME}/.attic |
53 | blacklist ${HOME}/.audacity-data | 53 | blacklist ${HOME}/.audacity-data |
54 | blacklist ${HOME}/.avidemux6 | 54 | blacklist ${HOME}/.avidemux6 |
55 | blacklist ${HOME}/.ballbuster.hs | ||
55 | blacklist ${HOME}/.balsa | 56 | blacklist ${HOME}/.balsa |
56 | blacklist ${HOME}/.bcast5 | 57 | blacklist ${HOME}/.bcast5 |
57 | blacklist ${HOME}/.bibletime | 58 | blacklist ${HOME}/.bibletime |
@@ -137,6 +138,7 @@ blacklist ${HOME}/.config/Rambox | |||
137 | blacklist ${HOME}/.config/Riot | 138 | blacklist ${HOME}/.config/Riot |
138 | blacklist ${HOME}/.config/Rocket.Chat | 139 | blacklist ${HOME}/.config/Rocket.Chat |
139 | blacklist ${HOME}/.config/RogueLegacy | 140 | blacklist ${HOME}/.config/RogueLegacy |
141 | blacklist ${HOME}/.config/RogueLegacyStorageContainer | ||
140 | blacklist ${HOME}/.config/Signal | 142 | blacklist ${HOME}/.config/Signal |
141 | blacklist ${HOME}/.config/Sinew Software Systems | 143 | blacklist ${HOME}/.config/Sinew Software Systems |
142 | blacklist ${HOME}/.config/Slack | 144 | blacklist ${HOME}/.config/Slack |
@@ -220,6 +222,7 @@ blacklist ${HOME}/.config/d-feet | |||
220 | blacklist ${HOME}/.config/electron-mail | 222 | blacklist ${HOME}/.config/electron-mail |
221 | blacklist ${HOME}/.config/emaildefaults | 223 | blacklist ${HOME}/.config/emaildefaults |
222 | blacklist ${HOME}/.config/emailidentities | 224 | blacklist ${HOME}/.config/emailidentities |
225 | blacklist ${HOME}/.config/emilia | ||
223 | blacklist ${HOME}/.config/enchant | 226 | blacklist ${HOME}/.config/enchant |
224 | blacklist ${HOME}/.config/eog | 227 | blacklist ${HOME}/.config/eog |
225 | blacklist ${HOME}/.config/epiphany | 228 | blacklist ${HOME}/.config/epiphany |
@@ -479,6 +482,7 @@ blacklist ${HOME}/.equalx | |||
479 | blacklist ${HOME}/.ethereum | 482 | blacklist ${HOME}/.ethereum |
480 | blacklist ${HOME}/.etr | 483 | blacklist ${HOME}/.etr |
481 | blacklist ${HOME}/.filezilla | 484 | blacklist ${HOME}/.filezilla |
485 | blacklist ${HOME}/.firedragon | ||
482 | blacklist ${HOME}/.flowblade | 486 | blacklist ${HOME}/.flowblade |
483 | blacklist ${HOME}/.fltk | 487 | blacklist ${HOME}/.fltk |
484 | blacklist ${HOME}/.fossamail | 488 | blacklist ${HOME}/.fossamail |
@@ -490,6 +494,8 @@ blacklist ${HOME}/.frozen-bubble | |||
490 | blacklist ${HOME}/.gimp* | 494 | blacklist ${HOME}/.gimp* |
491 | blacklist ${HOME}/.gist | 495 | blacklist ${HOME}/.gist |
492 | blacklist ${HOME}/.gitconfig | 496 | blacklist ${HOME}/.gitconfig |
497 | blacklist ${HOME}/.gl-117 | ||
498 | blacklist ${HOME}/.glaxiumrc | ||
493 | blacklist ${HOME}/.gnome/gnome-schedule | 499 | blacklist ${HOME}/.gnome/gnome-schedule |
494 | blacklist ${HOME}/.googleearth | 500 | blacklist ${HOME}/.googleearth |
495 | blacklist ${HOME}/.gradle | 501 | blacklist ${HOME}/.gradle |
@@ -607,7 +613,8 @@ blacklist ${HOME}/.local/share/QGIS | |||
607 | blacklist ${HOME}/.local/share/QMediathekView | 613 | blacklist ${HOME}/.local/share/QMediathekView |
608 | blacklist ${HOME}/.local/share/QuiteRss | 614 | blacklist ${HOME}/.local/share/QuiteRss |
609 | blacklist ${HOME}/.local/share/Ricochet | 615 | blacklist ${HOME}/.local/share/Ricochet |
610 | blacklist ${HOME}/.local/share/RogueLegacy* | 616 | blacklist ${HOME}/.local/share/RogueLegacy |
617 | blacklist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
611 | blacklist ${HOME}/.local/share/Shortwave | 618 | blacklist ${HOME}/.local/share/Shortwave |
612 | blacklist ${HOME}/.local/share/Steam | 619 | blacklist ${HOME}/.local/share/Steam |
613 | blacklist ${HOME}/.local/share/SteamWorldDig | 620 | blacklist ${HOME}/.local/share/SteamWorldDig |
@@ -637,6 +644,7 @@ blacklist ${HOME}/.local/share/cdprojektred | |||
637 | blacklist ${HOME}/.local/share/clipit | 644 | blacklist ${HOME}/.local/share/clipit |
638 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate | 645 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate |
639 | blacklist ${HOME}/.local/share/contacts | 646 | blacklist ${HOME}/.local/share/contacts |
647 | blacklist ${HOME}/.local/share/cor-games | ||
640 | blacklist ${HOME}/.local/share/data/Mendeley Ltd. | 648 | blacklist ${HOME}/.local/share/data/Mendeley Ltd. |
641 | blacklist ${HOME}/.local/share/data/Mumble | 649 | blacklist ${HOME}/.local/share/data/Mumble |
642 | blacklist ${HOME}/.local/share/data/MusE | 650 | blacklist ${HOME}/.local/share/data/MusE |
@@ -844,6 +852,7 @@ blacklist ${HOME}/.steampid | |||
844 | blacklist ${HOME}/.stellarium | 852 | blacklist ${HOME}/.stellarium |
845 | blacklist ${HOME}/.subversion | 853 | blacklist ${HOME}/.subversion |
846 | blacklist ${HOME}/.surf | 854 | blacklist ${HOME}/.surf |
855 | blacklist ${HOME}/.suve/colorful | ||
847 | blacklist ${HOME}/.swb.ini | 856 | blacklist ${HOME}/.swb.ini |
848 | blacklist ${HOME}/.sword | 857 | blacklist ${HOME}/.sword |
849 | blacklist ${HOME}/.sylpheed-2.0 | 858 | blacklist ${HOME}/.sylpheed-2.0 |
@@ -952,6 +961,7 @@ blacklist ${HOME}/.cache/epiphany | |||
952 | blacklist ${HOME}/.cache/evolution | 961 | blacklist ${HOME}/.cache/evolution |
953 | blacklist ${HOME}/.cache/falkon | 962 | blacklist ${HOME}/.cache/falkon |
954 | blacklist ${HOME}/.cache/feedreader | 963 | blacklist ${HOME}/.cache/feedreader |
964 | blacklist ${HOME}/.cache/firedragon | ||
955 | blacklist ${HOME}/.cache/flaska.net/trojita | 965 | blacklist ${HOME}/.cache/flaska.net/trojita |
956 | blacklist ${HOME}/.cache/folks | 966 | blacklist ${HOME}/.cache/folks |
957 | blacklist ${HOME}/.cache/font-manager | 967 | blacklist ${HOME}/.cache/font-manager |
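Review bot: Replacing `blacklist ${HOME}/.local/share/RogueLegacy*` with the two literal entries `RogueLegacy` and `RogueLegacyStorageContainer` (new lines 616-617) narrows a deny-list: any other directory starting with `RogueLegacy` that the glob used to cover is now reachable from every sandbox that includes this file. If the glob was dropped on purpose (for instance to keep this file free of wildcards), a short comment such as `# RogueLegacy: listed explicitly, keep in sync with the game's save directories` would stop the next contributor from reading it as an accidental regression; otherwise the glob should stay. The other hunks in this file are plain additions.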
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile new file mode 100644 index 000000000..b31996cd2 --- /dev/null +++ b/etc/profile-a-l/alienarena-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for alienarena-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include alienarena-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin alienarena-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include alienarena.profile | ||
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile new file mode 100644 index 000000000..4048b66f8 --- /dev/null +++ b/etc/profile-a-l/alienarena.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for alienarena | ||
2 | # Description: Multiplayer retro sci-fi deathmatch game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include alienarena.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/cor-games | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.local/share/cor-games | ||
21 | whitelist ${HOME}/.local/share/cor-games | ||
22 | whitelist /usr/share/alienarena | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | netfilter | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix,inet,inet6 | ||
39 | seccomp | ||
40 | seccomp.block-secondary | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin alienarena | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11 | ||
49 | private-tmp | ||
50 | |||
51 | dbus-user none | ||
52 | dbus-system none | ||
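Review bot: The `private-etc` line (line 48) exposes the TLS trust stores and crypto configuration (`ca-certificates`, `crypto-policies`, `pki`, `ssl`) alongside the resolver files, which the sibling single-player profiles added in this commit (ballbuster, colorful, gl-117) do not. Multiplayer needs the resolver and network files, but whether the game actually speaks TLS is not visible here; if it does not, dropping those four entries keeps the `/etc` view as small as the other new game profiles. A one-line comment above `private-etc` saying why the network-related entries are present would make the difference intentional rather than copied from a browser template.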
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index b2ed3b030..2c7fdc812 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile | |||
@@ -20,6 +20,7 @@ include disable-xdg.inc | |||
20 | whitelist ${MUSIC} | 20 | whitelist ${MUSIC} |
21 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
22 | whitelist /usr/share/audio-recorder | 22 | whitelist /usr/share/audio-recorder |
23 | whitelist /usr/share/gstreamer-1.0 | ||
23 | include whitelist-common.inc | 24 | include whitelist-common.inc |
24 | include whitelist-usr-share-common.inc | 25 | include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
@@ -44,7 +45,11 @@ tracelog | |||
44 | disable-mnt | 45 | disable-mnt |
45 | # private-bin audio-recorder | 46 | # private-bin audio-recorder |
46 | private-cache | 47 | private-cache |
47 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
51 | dbus-user filter | ||
52 | dbus-user.talk ca.desrt.dconf | ||
53 | dbus-system none | ||
54 | |||
50 | # memory-deny-write-execute - breaks on Arch | 55 | # memory-deny-write-execute - breaks on Arch |
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile new file mode 100644 index 000000000..419dcaab5 --- /dev/null +++ b/etc/profile-a-l/ballbuster-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for ballbuster-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ballbuster-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin ballbuster-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include ballbuster.profile | ||
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile new file mode 100644 index 000000000..1c137e6ae --- /dev/null +++ b/etc/profile-a-l/ballbuster.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for ballbuster | ||
2 | # Description: Move the paddle to bounce the ball and break all the bricks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ballbuster.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.ballbuster.hs | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkfile ${HOME}/.ballbuster.hs | ||
21 | whitelist ${HOME}/.ballbuster.hs | ||
22 | whitelist /usr/share/ballbuster | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | seccomp.block-secondary | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin ballbuster | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse | ||
49 | private-tmp | ||
50 | |||
51 | dbus-user none | ||
52 | dbus-system none | ||
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index e9bef8df7..134f4665c 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -12,6 +12,10 @@ include chromium-common.local | |||
12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
14 | 14 | ||
15 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser | ||
16 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector | ||
17 | #include allow-python3.inc | ||
18 | |||
15 | include disable-common.inc | 19 | include disable-common.inc |
16 | include disable-devel.inc | 20 | include disable-devel.inc |
17 | include disable-exec.inc | 21 | include disable-exec.inc |
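Review bot: The new hint (lines 15-17) tells users to add `include allow-python3.inc` for the GNOME Shell browser connector, but the firefox-common-addons.profile hunk in this same commit shows the connector also needs `dbus-user.talk ca.desrt.dconf`, `dbus-user.talk org.gnome.ChromeGnomeShell` and `dbus-user.talk org.gnome.Shell`. If chromium-common.profile restricts the user bus further down (outside this hunk), the python include alone will not make the connector work, and users will be tempted to loosen D-Bus wholesale in their `.local`. I would extend the comment to list those three talk rules so the documented fix stays the least-privilege one.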
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile new file mode 100644 index 000000000..4b762047d --- /dev/null +++ b/etc/profile-a-l/colorful-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for colorful-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include colorful-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin colorful-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include colorful.profile | ||
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile new file mode 100644 index 000000000..4b8a5e477 --- /dev/null +++ b/etc/profile-a-l/colorful.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for colorful | ||
2 | # Description: simple 2D sideview shooter | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include colorful.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.suve/colorful | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.suve/colorful | ||
21 | whitelist ${HOME}/.suve/colorful | ||
22 | whitelist /usr/share/suve | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | seccomp.block-secondary | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin colorful | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse | ||
49 | private-tmp | ||
50 | |||
51 | dbus-user none | ||
52 | dbus-system none | ||
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index ae4a63c62..2ca7bd400 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikam | |||
10 | noblacklist ${HOME}/.config/digikamrc | 10 | noblacklist ${HOME}/.config/digikamrc |
11 | noblacklist ${HOME}/.kde/share/apps/digikam | 11 | noblacklist ${HOME}/.kde/share/apps/digikam |
12 | noblacklist ${HOME}/.kde4/share/apps/digikam | 12 | noblacklist ${HOME}/.kde4/share/apps/digikam |
13 | noblacklist ${HOME}/.local/share/kxmlgui5/digikam | ||
13 | noblacklist ${PICTURES} | 14 | noblacklist ${PICTURES} |
14 | 15 | ||
15 | include disable-common.inc | 16 | include disable-common.inc |
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index b583f1a1d..b83e626d9 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -18,6 +18,7 @@ ignore dbus-user none | |||
18 | ignore dbus-system none | 18 | ignore dbus-system none |
19 | 19 | ||
20 | ignore noexec ${HOME} | 20 | ignore noexec ${HOME} |
21 | ignore novideo | ||
21 | 22 | ||
22 | whitelist ${HOME}/.config/BetterDiscord | 23 | whitelist ${HOME}/.config/BetterDiscord |
23 | whitelist ${HOME}/.local/share/betterdiscordctl | 24 | whitelist ${HOME}/.local/share/betterdiscordctl |
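Review bot: `ignore novideo` (new line 21) re-enables webcam access for every Discord variant that includes this profile, with no comment saying why. As far as I can tell an `ignore` in the shipped profile cannot be undone from a user's `.local`, so users who never video-call lose the camera restriction silently. A comment such as `# Discord needs the webcam for video calls` documents the trade-off; if the repository has a pattern for opt-in loosening, a commented-out line plus an "add to your discord-common.local" hint would be the tighter default.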
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile new file mode 100644 index 000000000..98f949918 --- /dev/null +++ b/etc/profile-a-l/etr-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for etr-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include etr-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin etr-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include etr.profile | ||
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile index f55d23778..6d31f3042 100644 --- a/etc/profile-a-l/etr.profile +++ b/etc/profile-a-l/etr.profile | |||
@@ -37,6 +37,7 @@ nou2f | |||
37 | novideo | 37 | novideo |
38 | protocol unix,netlink | 38 | protocol unix,netlink |
39 | seccomp | 39 | seccomp |
40 | seccomp.block-secondary | ||
40 | shell none | 41 | shell none |
41 | tracelog | 42 | tracelog |
42 | 43 | ||
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index e61c3d1ff..50d2b923b 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -38,7 +38,7 @@ seccomp.block-secondary | |||
38 | shell none | 38 | shell none |
39 | tracelog | 39 | tracelog |
40 | 40 | ||
41 | private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo,zstd | 41 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc dconf,fonts,gtk-3.0,xdg | 44 | private-etc dconf,fonts,gtk-3.0,xdg |
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile new file mode 100644 index 000000000..77487161e --- /dev/null +++ b/etc/profile-a-l/firedragon.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # Firejail profile for FireDragon | ||
2 | # Description: Librewolf fork with enhanced KDE integration | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include firedragon.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/firedragon | ||
10 | noblacklist ${HOME}/.firedragon | ||
11 | |||
12 | mkdir ${HOME}/.cache/firedragon | ||
13 | mkdir ${HOME}/.firedragon | ||
14 | whitelist ${HOME}/.cache/firedragon | ||
15 | whitelist ${HOME}/.firedragon | ||
16 | |||
17 | # Add the next lines to your firedragon.local if you want to use the migration wizard. | ||
18 | #noblacklist ${HOME}/.mozilla | ||
19 | #whitelist ${HOME}/.mozilla | ||
20 | |||
21 | # FireDragon requires a shell to launch on Arch. We can possibly remove sh though. | ||
22 | # Add the next line to your firedragon.local to enable private-bin. | ||
23 | #private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which | ||
24 | |||
25 | # Redirect | ||
26 | include firefox-common.profile | ||
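Review bot: The comment on line 21 (`We can possibly remove sh though`) is an open question shipped as documentation; a reader cannot tell whether `sh` is required. Either verify it and shorten the comment, or mark it `# TODO: confirm whether sh can be dropped from private-bin` so it is findable later. Because `private-bin` is only offered as an opt-in (line 23), the default sandbox's bin directories are not narrowed at all, and the opt-in line itself carries a `python*` wildcard; a sentence next to line 22 stating that trade-off would help users decide whether to enable it.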
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index 4da087f7f..d282f9a60 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -73,8 +73,9 @@ whitelist /usr/share/vulkan | |||
73 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python | 73 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python |
74 | noblacklist ${HOME}/.local/share/gnome-shell | 74 | noblacklist ${HOME}/.local/share/gnome-shell |
75 | whitelist ${HOME}/.local/share/gnome-shell | 75 | whitelist ${HOME}/.local/share/gnome-shell |
76 | ignore dbus-user none | 76 | dbus-user.talk ca.desrt.dconf |
77 | ignore dbus-system none | 77 | dbus-user.talk org.gnome.ChromeGnomeShell |
78 | dbus-user.talk org.gnome.Shell | ||
78 | # Allow python (blacklisted by disable-interpreters.inc) | 79 | # Allow python (blacklisted by disable-interpreters.inc) |
79 | include allow-python3.inc | 80 | include allow-python3.inc |
80 | 81 | ||
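Review bot: Swapping `ignore dbus-user none` / `ignore dbus-system none` for three `dbus-user.talk` rules (new lines 76-78) is the right direction, but `dbus-user.talk` only takes effect under `dbus-user filter`; if the profile that includes this file still ends with `dbus-user none`, the talk rules are dead and the GNOME Shell connector simply stops working, which pushes users back to opening the bus wholesale in their `.local`. Whether `dbus-user filter` is set is outside this hunk, so please confirm it and add `# requires dbus-user filter (set by the including profile)` above line 76 so the dependency is visible. The system bus is now left at whatever the base profile sets, which is fine if the connector only uses the session bus.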
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index cefba93d4..b22a78458 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -6,6 +6,14 @@ include firefox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # NOTE: sandboxing web browsers is as important as it is complex. Users might be | ||
10 | # interested in creating custom profiles depending on use case (e.g. one for | ||
11 | # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more | ||
12 | # info. Here are a few links to get you going. | ||
13 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance | ||
14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox | ||
15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 | ||
16 | |||
9 | noblacklist ${HOME}/.cache/mozilla | 17 | noblacklist ${HOME}/.cache/mozilla |
10 | noblacklist ${HOME}/.mozilla | 18 | noblacklist ${HOME}/.mozilla |
11 | 19 | ||
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile new file mode 100644 index 000000000..d783940f3 --- /dev/null +++ b/etc/profile-a-l/gl-117-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for gl-117-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include gl-117-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin gl-117-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include gl-117.profile | ||
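--- /dev/null
+++ b/etc/profile-a-l/gl-117.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gl-117
+# Description: Action flight simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gl-117.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gl-117
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gl-117
+whitelist ${HOME}/.gl-117
+whitelist /usr/share/gl-117
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gl-117
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none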
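--- /dev/null
+++ b/etc/profile-a-l/glaxium-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for glaxium-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin glaxium-wrapper
+
+# Redirect
+include glaxium.profile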
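--- /dev/null
+++ b/etc/profile-a-l/glaxium.profile
@@ -0,0 +1,52 @@
+# Firejail profile for glaxium
+# Description: 3d spaceship shoot-em-up
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.glaxiumrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.glaxiumrc
+whitelist ${HOME}/.glaxiumrc
+whitelist /usr/share/glaxium
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin glaxium
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none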
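--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
@@ -24,7 +25,12 @@ whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.local/share/kxmlgui5/kcalc
+whitelist /usr/share/config.kcfg/kcalc.kcfg
+whitelist /usr/share/kcalc
+whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -41,13 +47,19 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin kcalc
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 
 dbus-user none
 dbus-system none
+
+#memory-deny-write-execute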
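Review bot: The new trailing `#memory-deny-write-execute` carries no reason for being disabled, whereas the existing `# private-lib - problems on Arch` two lines above it shows this file's convention of recording why a hardening option is off. Either enable it or annotate it, e.g. `#memory-deny-write-execute - <reason, e.g. which distribution or library breaks>`, with the concrete failure filled in. The new `private-etc alternatives,fonts,ld.so.cache,locale,locale.conf` is also narrower than the lists given to other profiles in this commit (neverball.profile adds ld.so.conf, ld.so.conf.d, ld.so.preload and machine-id); that may be deliberate given `dbus-user none`, but it is worth confirming kcalc starts on a system that relies on ld.so.preload.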
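--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.cache/keepassxc
 noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.config/KeePassXCrc
 noblacklist ${HOME}/.keepassxc
 noblacklist ${DOCUMENTS}
 
@@ -51,6 +52,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.config/keepassxc
 #whitelist ${HOME}/.cache/keepassxc
 #whitelist ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
 
 whitelist /usr/share/keepassxc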
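--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,23 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/love
 
+include allow-bin-sh.inc
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
 whitelist ${HOME}/.local/share/love
 whitelist /usr/share/mrrescue
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +40,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 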
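Review bot: `include allow-bin-sh.inc` and `include allow-lua.inc` re-enable a shell and an interpreter inside a profile that then includes disable-shell.inc and disable-interpreters.inc, and no comment says what needs them; pingus.profile and xonotic.profile receive the same `include allow-bin-sh.inc` without a rationale either. Placing the allow-*.inc lines before the disable-*.inc block is the right order, since a noblacklist only works if it precedes the blacklist, but a reader cannot tell whether both are required. A one-line why-comment above them, e.g. `# presumably the launcher is a shell script and the game runs on the lua-based love runtime - confirm`, would let a later maintainer judge whether either can be dropped.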
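--- /dev/null
+++ b/etc/profile-m-z/neverball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverball-wrapper
+
+# Redirect
+include neverball.profile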
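--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none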
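Review bot: The new `private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id` hides every other /etc entry, and unlike the sibling game profiles in this commit (gl-117.profile, glaxium.profile and pinball.profile all list alsa, asound.conf and pulse) it contains no audio configuration. If neverball's sound path reads /etc/pulse or /etc/asound.conf, audio will fail silently once private-etc is active; please confirm with sound enabled, or extend the line to `private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse`. The move from `netfilter` / `protocol unix,netlink` to `net none` / `protocol unix` is a welcome tightening, but a short comment stating that neverball has no network feature would record why it is safe. `apparmor` is absent here while every new profile in this commit enables it; that predates this change but is worth a look in the same pass.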
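--- /dev/null
+++ b/etc/profile-m-z/neverputt-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverputt-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverputt-wrapper
+
+# Redirect
+include neverputt.profile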
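--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -28,10 +28,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/config.kcfg
+whitelist /usr/share/config.kcfg/gssettings.kcfg
+whitelist /usr/share/config.kcfg/pdfsettings.kcfg
+whitelist /usr/share/config.kcfg/okular.kcfg
+whitelist /usr/share/config.kcfg/okular_core.kcfg
+whitelist /usr/share/ghostscript
+whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 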
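Review bot: The new whitelist lines are not in the alphabetical order the rest of this block follows (kxmlgui5/okular, okular, poppler): `config.kcfg/pdfsettings.kcfg` is placed before `config.kcfg/okular.kcfg` and `config.kcfg/okular_core.kcfg`. Moving the pdfsettings.kcfg line below okular_core.kcfg keeps the list scannable and makes duplicate entries easy to spot. Replacing the directory-wide `whitelist /usr/share/config.kcfg` with the four files okular actually reads is a good narrowing and needs no further change.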
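--- /dev/null
+++ b/etc/profile-m-z/pinball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for pinball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin pinball-wrapper
+
+# Redirect
+include pinball.profile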
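--- /dev/null
+++ b/etc/profile-m-z/pinball.profile
@@ -0,0 +1,52 @@
+# Firejail profile for pinball
+# Description: Emilia 3D Pinball Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/emilia
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/emilia
+whitelist ${HOME}/.config/emilia
+whitelist /usr/share/pinball
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin pinball
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none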
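--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.pingus
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
@@ -36,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 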
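--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/com.github.artemanufrij.regextester
-include whitelist-usr-share-common.inc
-
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -48,11 +47,9 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-memory-deny-write-execute
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 
 # never write anything
 read-only ${HOME}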
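Review bot: `memory-deny-write-execute` is removed outright in the second hunk without a comment saying what broke, so the relaxation is invisible to the next reader; if the app or a library it loads needs writable-and-executable memory, keep the directive as `#memory-deny-write-execute - <reason>` the way other profiles in this tree annotate disabled hardening. The old `# makes settings immutable` comment explained why dbus-user was deliberately left off; the replacement `dbus-user filter` plus `dbus-user.talk ca.desrt.dconf` reverses that decision and deserves an equivalent one-liner, e.g. `# dconf access so settings can be saved`. The whitelist-common/whitelist-usr-share-common reordering in the first hunk is fine as is.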
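--- a/etc/profile-m-z/scorched3d-wrapper.profile
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -1,10 +1,11 @@
-# Firejail profile for scorched3d
+# Firejail profile for scorched3d-wrapper
 # This file is overwritten after every install/update
 # Persistent local customizations
 include scorched3d-wrapper.local
 
-whitelist /usr/share/opengl-games-utils
-private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
+include allow-opengl-game.inc
+
+private-bin scorched3d-wrapper
 
 # Redirect
 include scorched3d.profile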
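--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -40,7 +40,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-bin scorched3d,scorched3dc,scorched3ds
 private-cache
 private-dev
 private-tmp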
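--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -26,6 +26,8 @@ include disable-xdg.inc
 mkfile ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
+whitelist /usr/share/kconf_update/spectacle_newConfig.upd
+whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc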
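--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/IntoTheBreach
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy*
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SteamWorldDig
 noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
 mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/PillarsOfEternity
-mkdir ${HOME}/.local/share/RogueLegacy*
+mkdir ${HOME}/.local/share/RogueLegacy
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SteamWorldDig
 mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
 whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy*
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SteamWorldDig
 whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+# Note: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225). If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
+
 caps.drop all
 #ipc-namespace
 netfilter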
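Review bot: The comment block added in the last hunk says "The following were intentionally left out", yet the earlier hunks of this same commit add `noblacklist` and `whitelist` entries for `${HOME}/.config/RogueLegacyStorageContainer` and `${HOME}/.local/share/RogueLegacyStorageContainer`; only the `mkdir` lines are omitted, and a reader who has just seen those whitelist lines will find the note contradictory. Narrowing the wording, e.g. `# Note: the following mkdir lines were intentionally left out as they are alternative`, resolves that. Replacing the `RogueLegacy*` glob in the mkdir and whitelist lines with explicit paths is the right fix for #4225, since a pattern in a mkdir argument has no sensible expansion.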
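--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
@@ -42,6 +43,8 @@ tracelog
 
 disable-mnt
 # private-bin supertux2
+private-cache
+private-etc machine-id
 private-dev
 private-tmp
 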
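Review bot: `private-etc machine-id` is inserted between `private-cache` and `private-dev`, but every other profile in this commit keeps the private-* block alphabetical with private-dev before private-etc (gl-117.profile, kcalc.profile, neverball.profile); move the line one position down. The single-entry list also hides /etc/pulse, /etc/asound.conf, /etc/fonts and the ld.so.* files that the new game profiles in this commit list, and whether supertux2 still has sound and fonts with only machine-id visible is not evident from the hunk; please confirm before merging, or extend the list to match the sibling profiles.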
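--- /dev/null
+++ b/etc/profile-m-z/supertuxkart-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for supertuxkart-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin supertuxkart-wrapper
+
+# Redirect
+include supertuxkart.profile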
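--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,7 +44,7 @@ shell none
 tracelog
 
 #disable-mnt
-#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
+#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp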
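--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer
+whitelist /usr/share/gstreamer-*
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc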
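--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -8,12 +8,16 @@ include globals.local
 
 noblacklist ${HOME}/.xonotic
 
+include allow-bin-sh.inc
+include allow-opengl-game.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xonotic
@@ -41,7 +45,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
+private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp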
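Review bot: The trimmed `private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*` keeps `ldd` but drops `bash`; on glibc systems ldd is a bash script, so it can only run here if the `include allow-opengl-game.inc` added in the first hunk contributes bash to private-bin, as the `private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity` line it replaces in scorched3d-wrapper.profile suggests. That dependency between the two lines is not written down; a comment above the private-bin line such as `# bash, glxinfo, zenity and friends come from allow-opengl-game.inc` would stop someone from removing the include later. The `xonotic*` glob also matches any future binary with that prefix, which is broader than the explicit list it replaces but consistent with the `VBox*`/`vbox*` pattern used in virtualbox.profile.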
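--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
 ptr = ptr->next;
 }
 fprintf(fp, "\n");
-fprintf(fp, "# private-lib\n");
+fprintf(fp, "#private-lib\n");
 }
 }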
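--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
 // skip strace file
 if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
 return;
+if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+return;
+if (strcmp(ptr, "/tmp") == 0)
+return;
 
 tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
 if (tmp_out == NULL)
 fprintf(fp, "private-tmp\n");
 else {
-fprintf(fp, "\n");
-fprintf(fp, "# private-tmp\n");
+fprintf(fp, "#private-tmp\n");
 fprintf(fp, "# File accessed in /tmp directory:\n");
 fprintf(fp, "# ");
 FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
 if (dev_out == NULL)
 fprintf(fp, "private-dev\n");
 else {
-fprintf(fp, "\n");
-fprintf(fp, "# private-dev\n");
-fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+fprintf(fp, "#private-dev\n");
+fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
 fprintf(fp, "# ");
 FileDB *ptr = dev_out;
 while (ptr) {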
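Review bot: The new `/tmp/runtime-` skip in tmp_callback hard-codes the prefix length as 13, beside the existing hard-coded 20 for `/tmp/firejail-strace`; both counts go silently stale if either literal is edited, so I would write `if (strncmp(ptr, "/tmp/runtime-", sizeof("/tmp/runtime-") - 1) == 0)` and do the same for the strace check. A consequence worth recording: a program whose only /tmp accesses fall under /tmp/runtime- now leaves tmp_out NULL, so build_tmp writes an active `private-tmp` instead of the commented-out `#private-tmp` form — presumably intended because the per-user runtime directory is provided some other way, but a comment such as `// per-user runtime dir: never whitelisted, must not block private-tmp` above the check would make that reasoning visible. The exact-match `strcmp(ptr, "/tmp")` skip is fine as written. tmp_callback's opening and build_dev's loop body lie outside the hunks.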
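--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
 }
 
 // skip files and directories in whitelist-common.inc
-if (filedb_find(db_skip, toadd)) {
+if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
 if (dir)
 free(dir);
 continue;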
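Review bot: The added `strlen(toadd) == 0` guard in process_home silences a case without saying which trace entries produce an empty relative path — presumably the home directory itself — so the next reader cannot tell whether dropping them is safe or whether it masks a parsing defect upstream of this loop. Once confirmed, a comment such as `// empty toadd: the entry is $HOME itself, nothing to whitelist` on the line above the check would settle that. As a style point, `*toadd == '\0'` expresses the same test without scanning the string. process_home's body begins and continues outside the hunk.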
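--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
 fprintf(fp, "### basic blacklisting\n");
 fprintf(fp, "include disable-common.inc\n");
-fprintf(fp, "# include disable-devel.inc\n");
-fprintf(fp, "# include disable-exec.inc\n");
-fprintf(fp, "# include disable-interpreters.inc\n");
+fprintf(fp, "#include disable-devel.inc\n");
+fprintf(fp, "#include disable-exec.inc\n");
+fprintf(fp, "#include disable-interpreters.inc\n");
 fprintf(fp, "include disable-passwdmgr.inc\n");
-fprintf(fp, "# include disable-programs.inc\n");
-fprintf(fp, "# include disable-xdg.inc\n");
+fprintf(fp, "#include disable-programs.inc\n");
+fprintf(fp, "#include disable-xdg.inc\n");
 fprintf(fp, "\n");
 
 fprintf(fp, "### home directory whitelisting\n");
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### filesystem\n");
-fprintf(fp, "# /usr/share:\n");
+fprintf(fp, "### /usr/share:\n");
 build_share(trace_output, fp);
-fprintf(fp, "# /var:\n");
+fprintf(fp, "### /var:\n");
 build_var(trace_output, fp);
-fprintf(fp, "\n");
-fprintf(fp, "# $PATH:\n");
+fprintf(fp, "### /bin:\n");
 build_bin(trace_output, fp);
-fprintf(fp, "# /dev:\n");
+fprintf(fp, "### /dev:\n");
 build_dev(trace_output, fp);
-fprintf(fp, "# /etc:\n");
+fprintf(fp, "### /etc:\n");
 build_etc(trace_output, fp);
-fprintf(fp, "# /tmp:\n");
+fprintf(fp, "### /tmp:\n");
 build_tmp(trace_output, fp);
 fprintf(fp, "\n");
 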
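Review bot: The new heading `fprintf(fp, "### /bin:\n");` in the second hunk is narrower than the text it replaces, which said `# $PATH:`; build_bin, judging by the old label and its name, reports executables resolved through the search path rather than the contents of one directory, so the generated profile's heading no longer matches what the directive beneath it covers. I would keep the broader wording, `fprintf(fp, "### $PATH:\n");`, and leave the other relabels to `###` as they are, since they are consistent with each other. build_profile's body continues outside both hunks.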
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index be50d5f44..35954cfb8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -74,6 +74,7 @@ autokey-run | |||
74 | autokey-shell | 74 | autokey-shell |
75 | avidemux3_qt5 | 75 | avidemux3_qt5 |
76 | aweather | 76 | aweather |
77 | ballbuster | ||
77 | baloo_file | 78 | baloo_file |
78 | baloo_filemetadata_temp_extractor | 79 | baloo_filemetadata_temp_extractor |
79 | balsa | 80 | balsa |
@@ -147,6 +148,7 @@ cmus | |||
147 | code | 148 | code |
148 | code-oss | 149 | code-oss |
149 | cola | 150 | cola |
151 | colorful | ||
150 | com.github.bleakgrey.tootle | 152 | com.github.bleakgrey.tootle |
151 | com.github.dahenson.agenda | 153 | com.github.dahenson.agenda |
152 | com.github.johnfactotum.Foliate | 154 | com.github.johnfactotum.Foliate |
@@ -236,6 +238,7 @@ ffplay | |||
236 | ffprobe | 238 | ffprobe |
237 | file-roller | 239 | file-roller |
238 | filezilla | 240 | filezilla |
241 | firedragon | ||
239 | firefox | 242 | firefox |
240 | firefox-beta | 243 | firefox-beta |
241 | firefox-developer-edition | 244 | firefox-developer-edition |
@@ -293,6 +296,8 @@ git-cola | |||
293 | github-desktop | 296 | github-desktop |
294 | gitter | 297 | gitter |
295 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 | 298 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 |
299 | gl-117 | ||
300 | glaxium | ||
296 | globaltime | 301 | globaltime |
297 | gmpc | 302 | gmpc |
298 | gnome-2048 | 303 | gnome-2048 |
@@ -615,6 +620,7 @@ penguin-command | |||
615 | photoflare | 620 | photoflare |
616 | picard | 621 | picard |
617 | pidgin | 622 | pidgin |
623 | pinball | ||
618 | #ping - disabled until we fix #1912 | 624 | #ping - disabled until we fix #1912 |
619 | pingus | 625 | pingus |
620 | pinta | 626 | pinta |
@@ -673,7 +679,6 @@ runenpass.sh | |||
673 | sayonara | 679 | sayonara |
674 | scallion | 680 | scallion |
675 | scorched3d | 681 | scorched3d |
676 | scorched3d-wrapper | ||
677 | scorchwentbonkers | 682 | scorchwentbonkers |
678 | scribus | 683 | scribus |
679 | sdat2img | 684 | sdat2img |
@@ -867,7 +872,6 @@ xmr-stak | |||
867 | xonotic | 872 | xonotic |
868 | xonotic-glx | 873 | xonotic-glx |
869 | xonotic-sdl | 874 | xonotic-sdl |
870 | xonotic-sdl-wrapper | ||
871 | xournal | 875 | xournal |
872 | xournalpp | 876 | xournalpp |
873 | xpdf | 877 | xpdf |