227 files changed, 1499 insertions, 828 deletions
diff --git a/Makefile.in b/Makefile.in index 0cbbb374c..af57f7d2c 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -121,6 +121,7 @@ endif | |||
121 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. | 121 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. |
122 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. | 122 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. |
123 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. | 123 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. |
124 | install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/. | ||
124 | # etc files | 125 | # etc files |
125 | ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) | 126 | ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) |
126 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail | 127 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail |
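Review bot: The new `install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/.` line drops the profile templates straight into the documentation root next to COPYING, README and RELNOTES, and because the glob is expanded by the shell, an empty or missing `etc/templates/` passes the literal pattern to install and fails the whole target. A dedicated subdirectory keeps the doc root tidy and makes the intent obvious: `install -m 0755 -d $(DESTDIR)/$(DOCDIR)/templates` followed by `install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/templates/.`. The install recipe this line belongs to starts and ends outside the hunk.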
@@ -97,6 +97,9 @@ announ (https://github.com/announ) | |||
97 | Antonio Russo (https://github.com/aerusso) | 97 | Antonio Russo (https://github.com/aerusso) |
98 | - enumerate root directories in apparmor profile | 98 | - enumerate root directories in apparmor profile |
99 | - fix join-or-start | 99 | - fix join-or-start |
100 | Austin Morton | ||
101 | - deterministic-exit-code option | ||
102 | - private-cwd options | ||
100 | Austin S. Hemmelgarn (https://github.com/Ferroin) | 103 | Austin S. Hemmelgarn (https://github.com/Ferroin) |
101 | - unbound profile update | 104 | - unbound profile update |
102 | avoidr (https://github.com/avoidr) | 105 | avoidr (https://github.com/avoidr) |
@@ -176,6 +179,8 @@ curiosity-seeker (https://github.com/curiosity-seeker) | |||
176 | - write-protection for thumbnailer dir | 179 | - write-protection for thumbnailer dir |
177 | - added gramps, newsboat, freeoffice-planmaker profiles | 180 | - added gramps, newsboat, freeoffice-planmaker profiles |
178 | - added freeoffice-textmaker, freeoffice-presentations profiles | 181 | - added freeoffice-textmaker, freeoffice-presentations profiles |
182 | - added cantata profile | ||
183 | - updated keypassxc profile | ||
179 | da2x (https://github.com/da2x) | 184 | da2x (https://github.com/da2x) |
180 | - matched RPM license tag | 185 | - matched RPM license tag |
181 | Daan Bakker (https://github.com/dbakker) | 186 | Daan Bakker (https://github.com/dbakker) |
@@ -304,6 +309,8 @@ greigdp (https://github.com/greigdp) | |||
304 | - fixed spotify profile | 309 | - fixed spotify profile |
305 | - added Slack profile | 310 | - added Slack profile |
306 | - add Spotify profile | 311 | - add Spotify profile |
312 | grizzlyuser (https://github.com/grizzlyuser) | ||
313 | - added support for youtube-dl in smplayer profile | ||
307 | GSI (https://github.com/GSI) | 314 | GSI (https://github.com/GSI) |
308 | - added Uzbl browser profile | 315 | - added Uzbl browser profile |
309 | hamzadis (https://github.com/hamzadis) | 316 | hamzadis (https://github.com/hamzadis) |
@@ -353,6 +360,7 @@ Jean Lucas (https://github.com/flacks) | |||
353 | - fix wire profile | 360 | - fix wire profile |
354 | - add Beaker profile | 361 | - add Beaker profile |
355 | - fixes for gnome-music | 362 | - fixes for gnome-music |
363 | - allow reading of system-wide Flatpak locale in gajim profile | ||
356 | Jericho (https://github.com/attritionorg) | 364 | Jericho (https://github.com/attritionorg) |
357 | - spelling | 365 | - spelling |
358 | Jesse Smith (https://github.com/slicer69) | 366 | Jesse Smith (https://github.com/slicer69) |
@@ -368,6 +376,8 @@ John Mullee (https://github.com/jmullee) | |||
368 | Jonas Heinrich (https://github.com/onny) | 376 | Jonas Heinrich (https://github.com/onny) |
369 | - added signal-desktop profile | 377 | - added signal-desktop profile |
370 | - fixed franz profile | 378 | - fixed franz profile |
379 | Jose Riha (https://github.com/jose1711) | ||
380 | - added meteo-qt profile | ||
371 | jrabe (https://github.com/jrabe) | 381 | jrabe (https://github.com/jrabe) |
372 | - disallow access to kdbx files | 382 | - disallow access to kdbx files |
373 | - Epiphany profile | 383 | - Epiphany profile |
@@ -516,6 +526,7 @@ pwnage-pineapple (https://github.com/pwnage-pineapple) | |||
516 | Quentin Minster (https://github.com/laomaiweng) | 526 | Quentin Minster (https://github.com/laomaiweng) |
517 | - propagate --quiet to children Firejail'ed processes | 527 | - propagate --quiet to children Firejail'ed processes |
518 | - nodbus enhancements/bugfixes | 528 | - nodbus enhancements/bugfixes |
529 | - added vim syntax and ftdetect files | ||
519 | Rafael Cavalcanti (https://github.com/rccavalcanti) | 530 | Rafael Cavalcanti (https://github.com/rccavalcanti) |
520 | - chromium profile fixes for Arch Linux | 531 | - chromium profile fixes for Arch Linux |
521 | Rahiel Kasim (https://github.com/rahiel) | 532 | Rahiel Kasim (https://github.com/rahiel) |
@@ -554,22 +565,10 @@ rusty-snake (https://github.com/rusty-snake) | |||
554 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 | 565 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
555 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap | 566 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap |
556 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk | 567 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk |
557 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse | 568 | - added profiles: ktouch, yelp |
558 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool | 569 | - many profile fixing and hardening |
559 | - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany | ||
560 | - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro | ||
561 | - fixed profiles: default, mpv, authenticator, gramps, webstorm | ||
562 | - fixed profiles: freeoffice-planmaker, freeoffice-presentations | ||
563 | - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion | ||
564 | - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh | ||
565 | - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller | ||
566 | - fixed profiles: eog, eom, xiphos | ||
567 | - hardened profiles: disable-common.inc, disable-programs.inc | ||
568 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox | ||
569 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl | ||
570 | - hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos | ||
571 | - gnome-mpv was renamed to celluloid | ||
572 | - some typo fixes | 570 | - some typo fixes |
571 | - added profile templates | ||
573 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) | 572 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) |
574 | - fixed ktorrent profile | 573 | - fixed ktorrent profile |
575 | sarneaud (https://github.com/sarneaud) | 574 | sarneaud (https://github.com/sarneaud) |
@@ -753,6 +752,8 @@ veloute (https://github.com/veloute) | |||
753 | - add anki profile | 752 | - add anki profile |
754 | Vincent43 (https://github.com/Vincent43) | 753 | Vincent43 (https://github.com/Vincent43) |
755 | - apparmor enhancements | 754 | - apparmor enhancements |
755 | Vincent Blillault (https://github.com/Feandil) | ||
756 | - fix mumble profile | ||
756 | vismir2 (https://github.com/vismir2) | 757 | vismir2 (https://github.com/vismir2) |
757 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 758 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
758 | - claws-mail, mutt, git, emacs, vim profiles | 759 | - claws-mail, mutt, git, emacs, vim profiles |
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/ | |||
33 | Travis-CI status: https://travis-ci.org/netblue30/firejail | 33 | Travis-CI status: https://travis-ci.org/netblue30/firejail |
34 | 34 | ||
35 | 35 | ||
36 | ## Security vulnerabilities | ||
37 | |||
38 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | ||
39 | |||
36 | ## Compile and install | 40 | ## Compile and install |
37 | ````` | 41 | ````` |
38 | $ git clone https://github.com/netblue30/firejail.git | 42 | $ git clone https://github.com/netblue30/firejail.git |
@@ -95,18 +99,16 @@ If you keep additional Firejail security profiles in a public repository, please | |||
95 | 99 | ||
96 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 100 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) |
97 | 101 | ||
98 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory . | 102 | You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls). |
103 | |||
104 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | ||
99 | ````` | 105 | ````` |
100 | 106 | ||
101 | ````` | 107 | ````` |
102 | ## Current development version: 0.9.60-rc2 | 108 | ## Latest released version: 0.9.60 |
103 | 109 | ||
104 | ## 0.9.60-rc1 is out! | 110 | ## Current development version: 0.9.61 |
105 | 111 | ||
106 | ## New profiles: | 112 | ## New profiles: |
107 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, | 113 | |
108 | dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind, | 114 | klatexformula, klatexformula_cmdl, links, pandoc, qgis, xlinks |
109 | gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, inkview kid3, kid3-cli, kid3-qt, lincity-ng, lugaru, | ||
110 | Maelstrom, manaplus, megaglest, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, | ||
111 | pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, | ||
112 | sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer | ||
@@ -1,4 +1,21 @@ | |||
1 | firejail (0.9.60~rc2) baseline; urgency=low | 1 | firejail (0.9.61) baseline; urgency=low |
2 | * work in progress | ||
3 | * profile templates | ||
4 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks | ||
5 | * new profiles: pandoc | ||
6 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 | ||
7 | |||
8 | firejail (0.9.60) baseline; urgency=low | ||
9 | * security bug reported by Austin Morton: | ||
10 | Seccomp filters are copied into /run/firejail/mnt, and are writable | ||
11 | within the jail. A malicious process can modify files from inside the | ||
12 | jail. Processes that are later joined to the jail will not have seccomp | ||
13 | filters applied. | ||
14 | * memory-deny-write-execute now also blocks memfd_create | ||
15 | * add private-cwd option to control working directory within jail | ||
16 | * blocking system D-Bus socket with --nodbus | ||
17 | * bringing back Centos 6 support | ||
18 | * drop support for flatpak/snap packages | ||
2 | * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 | 19 | * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 |
3 | * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer | 20 | * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer |
4 | * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring | 21 | * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring |
@@ -15,10 +32,8 @@ firejail (0.9.60~rc2) baseline; urgency=low | |||
15 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker | 32 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker |
16 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell | 33 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell |
17 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap | 34 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap |
18 | * new profiles: inkview, mp3splt-gtk | 35 | * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata |
19 | * memory-deny-write-execute now also blocks memfd_create | 36 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 |
20 | * drop support for flatpak/snap packages | ||
21 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Apr 2019 08:00:00 -0500 | ||
22 | 37 | ||
23 | firejail (0.9.58,2) baseline; urgency=low | 38 | firejail (0.9.58,2) baseline; urgency=low |
24 | * cgroup flag in /etc/firejail/firejail.config file | 39 | * cgroup flag in /etc/firejail/firejail.config file |
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..96da4aff7 --- /dev/null +++ b/SECURITY.md | |||
@@ -0,0 +1,23 @@ | |||
1 | # Security Policy | ||
2 | |||
3 | ## Supported Versions | ||
4 | |||
5 | | Version | Supported by us | EOL | Supported by distribution | | ||
6 | | ------- | ------------------ | ---- | --------------------------- | ||
7 | | 0.9.60 | :heavy_check_mark: | | :white_check_mark: Debian experimental | ||
8 | | 0.9.58 |:heavy_check_mark: | | :white_check_mark: Ubuntu 19.04 & 19.10; Debian 9 (**backports**), 10, & Sid | ||
9 | | 0.9.56 | :x: | 27 Jan 2019 | | ||
10 | | 0.9.54 | :x: | | :white_check_mark: Ubuntu 18.10 | ||
11 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | ||
12 | | 0.9.50 | :x: | 12 Dec 2017 | | ||
13 | | 0.9.48 | :x: | 09 Sep 2017 | | ||
14 | | 0.9.46 | :x: | 12 Jun 2017 | | ||
15 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | ||
16 | | 0.9.42 | :x: | 22 Oct 2016 | | ||
17 | | 0.9.40 | :x: | 09 Sep 2016 | | ||
18 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | ||
19 | | <0.9.38 | :x: | Before 05 Feb 2016 | | ||
20 | |||
21 | ## Security vulnerabilities | ||
22 | |||
23 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | ||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.60~rc2. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.61. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.60~rc2' | 583 | PACKAGE_VERSION='0.9.61' |
584 | PACKAGE_STRING='firejail 0.9.60~rc2' | 584 | PACKAGE_STRING='firejail 0.9.61' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then | |||
1275 | # Omit some internal or obsolete options to make the list less imposing. | 1275 | # Omit some internal or obsolete options to make the list less imposing. |
1276 | # This message is too long to be a string in the A/UX 3.1 sh. | 1276 | # This message is too long to be a string in the A/UX 3.1 sh. |
1277 | cat <<_ACEOF | 1277 | cat <<_ACEOF |
1278 | \`configure' configures firejail 0.9.60~rc2 to adapt to many kinds of systems. | 1278 | \`configure' configures firejail 0.9.61 to adapt to many kinds of systems. |
1279 | 1279 | ||
1280 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1280 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1281 | 1281 | ||
@@ -1337,7 +1337,7 @@ fi | |||
1337 | 1337 | ||
1338 | if test -n "$ac_init_help"; then | 1338 | if test -n "$ac_init_help"; then |
1339 | case $ac_init_help in | 1339 | case $ac_init_help in |
1340 | short | recursive ) echo "Configuration of firejail 0.9.60~rc2:";; | 1340 | short | recursive ) echo "Configuration of firejail 0.9.61:";; |
1341 | esac | 1341 | esac |
1342 | cat <<\_ACEOF | 1342 | cat <<\_ACEOF |
1343 | 1343 | ||
@@ -1442,7 +1442,7 @@ fi | |||
1442 | test -n "$ac_init_help" && exit $ac_status | 1442 | test -n "$ac_init_help" && exit $ac_status |
1443 | if $ac_init_version; then | 1443 | if $ac_init_version; then |
1444 | cat <<\_ACEOF | 1444 | cat <<\_ACEOF |
1445 | firejail configure 0.9.60~rc2 | 1445 | firejail configure 0.9.61 |
1446 | generated by GNU Autoconf 2.69 | 1446 | generated by GNU Autoconf 2.69 |
1447 | 1447 | ||
1448 | Copyright (C) 2012 Free Software Foundation, Inc. | 1448 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF | |||
1744 | This file contains any messages produced by compilers while | 1744 | This file contains any messages produced by compilers while |
1745 | running configure, to aid debugging if configure makes a mistake. | 1745 | running configure, to aid debugging if configure makes a mistake. |
1746 | 1746 | ||
1747 | It was created by firejail $as_me 0.9.60~rc2, which was | 1747 | It was created by firejail $as_me 0.9.61, which was |
1748 | generated by GNU Autoconf 2.69. Invocation command line was | 1748 | generated by GNU Autoconf 2.69. Invocation command line was |
1749 | 1749 | ||
1750 | $ $0 $@ | 1750 | $ $0 $@ |
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4379 | # report actual input values of CONFIG_FILES etc. instead of their | 4379 | # report actual input values of CONFIG_FILES etc. instead of their |
4380 | # values after options handling. | 4380 | # values after options handling. |
4381 | ac_log=" | 4381 | ac_log=" |
4382 | This file was extended by firejail $as_me 0.9.60~rc2, which was | 4382 | This file was extended by firejail $as_me 0.9.61, which was |
4383 | generated by GNU Autoconf 2.69. Invocation command line was | 4383 | generated by GNU Autoconf 2.69. Invocation command line was |
4384 | 4384 | ||
4385 | CONFIG_FILES = $CONFIG_FILES | 4385 | CONFIG_FILES = $CONFIG_FILES |
@@ -4433,7 +4433,7 @@ _ACEOF | |||
4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4435 | ac_cs_version="\\ | 4435 | ac_cs_version="\\ |
4436 | firejail config.status 0.9.60~rc2 | 4436 | firejail config.status 0.9.61 |
4437 | configured by $0, generated by GNU Autoconf 2.69, | 4437 | configured by $0, generated by GNU Autoconf 2.69, |
4438 | with options \\"\$ac_cs_config\\" | 4438 | with options \\"\$ac_cs_config\\" |
4439 | 4439 | ||
diff --git a/configure.ac b/configure.ac index 4d0b847f5..40ead1604 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.60~rc2, netblue30@yahoo.com, , https://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
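--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+
+Seccomp filters are copied into /run/firejail/mnt, and are writable
+within the jail. A malicious process can modify files from inside the
+jail. Processes that are later joined to the jail will not have seccomp
+filters applied.
+
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
+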
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip new file mode 100644 index 000000000..59782461e --- /dev/null +++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip | |||
Binary files differ | |||
diff --git a/etc/7z.profile b/etc/7z.profile index 44ab377b3..ee2b493f8 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -4,23 +4,34 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include 7z.local | 5 | include 7z.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | include disable-common.inc |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | caps.drop all | ||
19 | ipc-namespace | ||
20 | machine-id | ||
13 | net none | 21 | net none |
14 | no3d | 22 | no3d |
15 | nodbus | 23 | nodbus |
16 | nodvd | 24 | nodvd |
25 | #nogroups | ||
26 | nonewprivs | ||
27 | #noroot | ||
17 | nosound | 28 | nosound |
18 | notv | 29 | notv |
19 | nou2f | 30 | nou2f |
20 | novideo | 31 | novideo |
32 | protocol unix | ||
33 | seccomp | ||
21 | shell none | 34 | shell none |
22 | tracelog | 35 | tracelog |
23 | 36 | ||
24 | private-dev | 37 | private-dev |
25 | |||
26 | include default.profile | ||
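Review bot: `#noroot` and `#nogroups` are left commented out in the new standalone option list with nothing saying why, even though the removed `ignore noroot` shows the noroot restriction was already known not to work for 7z; a reader hardening this profile later has no way to tell deliberate from forgotten. Please keep the reason next to the lines, e.g. `# noroot/nogroups intentionally off (old profile carried "ignore noroot"); re-test before enabling`. Dropping `include default.profile` also means any hardening added to default.profile in the future no longer reaches this profile, so a one-line comment noting that 7z.profile is now self-contained would help the next maintainer.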
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile index d1bd5c9b2..1435f3422 100644 --- a/etc/JDownloader.profile +++ b/etc/JDownloader.profile | |||
@@ -5,14 +5,10 @@ include JDownloader.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.jd | 8 | noblacklist ${HOME}/.jd |
10 | 9 | ||
11 | # Allow access to java | 10 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 11 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 6aba2678b..c2734b1c1 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -16,6 +16,7 @@ include disable-programs.inc | |||
16 | 16 | ||
17 | mkdir ${HOME}/.Mathematica | 17 | mkdir ${HOME}/.Mathematica |
18 | mkdir ${HOME}/.Wolfram Research | 18 | mkdir ${HOME}/.Wolfram Research |
19 | mkdir ${HOME}/Documents/Wolfram Mathematica | ||
19 | whitelist ${HOME}/.Mathematica | 20 | whitelist ${HOME}/.Mathematica |
20 | whitelist ${HOME}/.Wolfram Research | 21 | whitelist ${HOME}/.Wolfram Research |
21 | whitelist ${HOME}/Documents/Wolfram Mathematica | 22 | whitelist ${HOME}/Documents/Wolfram Mathematica |
diff --git a/etc/Viber.profile b/etc/Viber.profile index 3f3ee8590..40358aa87 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -5,7 +5,6 @@ include Viber.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.ViberPC | 8 | noblacklist ${HOME}/.ViberPC |
10 | 9 | ||
11 | include disable-common.inc | 10 | include disable-common.inc |
@@ -15,6 +14,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 15 | include disable-programs.inc |
17 | 16 | ||
17 | mkdir ${HOME}/.ViberPC | ||
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.ViberPC | 19 | whitelist ${HOME}/.ViberPC |
20 | include whitelist-common.inc | 20 | include whitelist-common.inc |
@@ -36,5 +36,4 @@ private-bin sh,bash,dig,awk,Viber | |||
36 | private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf | 36 | private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
39 | |||
40 | env QTWEBENGINE_DISABLE_SANDBOX=1 | 39 | env QTWEBENGINE_DISABLE_SANDBOX=1 |
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index d9b7f8c26..230a88472 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -7,16 +7,13 @@ include globals.local | |||
7 | 7 | ||
8 | # | 8 | # |
9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: | 10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: |
11 | # | 11 | # |
12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr | 12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr |
13 | # | 13 | # |
14 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
15 | # | 15 | # |
16 | 16 | ||
17 | |||
18 | blacklist /media | ||
19 | |||
20 | whitelist /var/lib/xkb | 17 | whitelist /var/lib/xkb |
21 | include whitelist-common.inc | 18 | include whitelist-common.inc |
22 | 19 | ||
@@ -34,10 +31,11 @@ protocol unix | |||
34 | seccomp | 31 | seccomp |
35 | shell none | 32 | shell none |
36 | 33 | ||
34 | disable-mnt | ||
37 | # using a private home directory | 35 | # using a private home directory |
38 | private | 36 | private |
39 | # private-bin Xephyr,sh,xkbcomp | 37 | # private-bin Xephyr,sh,xkbcomp |
40 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | 38 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls |
41 | private-dev | 39 | private-dev |
42 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname |
43 | private-tmp | 41 | #private-tmp |
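Review bot: `#private-tmp` on the last line of the second hunk switches off a filesystem restriction the previous revision had enabled, and no comment records why, so a later cleanup is likely to re-enable it and reintroduce whatever broke. Presumably a private /tmp hides /tmp/.X11-unix, where the nested X server has to publish its display socket; please state the actual reason next to the line, e.g. `# private-tmp would hide /tmp/.X11-unix (display socket) — keep disabled`. The first hunk replaces `blacklist /media` with `disable-mnt`, which, if I read the profile manual correctly, also covers /mnt and /run/media, so that part is a tightening rather than a regression; the rest of the profile lies outside the hunks.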
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index ed07485d6..3580f8336 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | # | 9 | # |
10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
11 | # The target program is sandboxed with its own profile. By default the this functionality | 11 | # The target program is sandboxed with its own profile. By default the this functionality |
12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: | 12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: |
13 | # | 13 | # |
14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb | 14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb |
15 | # | 15 | # |
@@ -17,8 +17,6 @@ include globals.local | |||
17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
18 | # | 18 | # |
19 | 19 | ||
20 | blacklist /media | ||
21 | |||
22 | whitelist /var/lib/xkb | 20 | whitelist /var/lib/xkb |
23 | include whitelist-common.inc | 21 | include whitelist-common.inc |
24 | 22 | ||
@@ -36,6 +34,7 @@ protocol unix | |||
36 | seccomp | 34 | seccomp |
37 | shell none | 35 | shell none |
38 | 36 | ||
37 | disable-mnt | ||
39 | # using a private home directory | 38 | # using a private home directory |
40 | private | 39 | private |
41 | # private-bin Xvfb,sh,xkbcomp | 40 | # private-bin Xvfb,sh,xkbcomp |
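--- /dev/null
+++ b/etc/allow-java.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java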
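--- /dev/null
+++ b/etc/allow-lua.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/share/lua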
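--- /dev/null
+++ b/etc/allow-perl.inc
@@ -0,0 +1,7 @@
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*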
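--- /dev/null
+++ b/etc/allow-python2.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*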
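Review bot: allow-python2.inc un-blacklists `/usr/include/python2*` and `/usr/share/python2*`, two path families that the profiles now switching to it never noblacklisted before — the inline lines removed from anki.profile and arm.profile only named `${PATH}`, `/usr/lib` and `/usr/local/lib`, and allow-python3.inc widens the python3 set in the same way. The refactor is therefore not behaviour-preserving: wherever disable-devel.inc or disable-interpreters.inc blacklists those directories, every converted profile now exposes C headers and shared data it used to hide. Either trim the two include files to the original three path families, or record the widening in the commit message or RELNOTES so it reads as a deliberate decision rather than a side effect. allow-java.inc, by contrast, reproduces the removed lines exactly.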
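--- /dev/null
+++ b/etc/allow-python3.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*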
diff --git a/etc/amule.profile b/etc/amule.profile index 7cb2130bb..feb4a5e7e 100644 --- a/etc/amule.profile +++ b/etc/amule.profile | |||
@@ -6,7 +6,6 @@ include amule.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.aMule | 9 | noblacklist ${HOME}/.aMule |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
@@ -16,6 +15,7 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | 17 | ||
18 | mkdir ${HOME}/.aMule | ||
19 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
20 | whitelist ${HOME}/.aMule | 20 | whitelist ${HOME}/.aMule |
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
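--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.local/share/Anki2
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.local/share/Anki2
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/.local/share/Anki2
 include whitelist-common.inc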
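Review bot: Switching to `include allow-python3.inc` changes what the profile exposes, not only how it is written: the python3 allow list that appears earlier in this diff (presumably the body of allow-python3.inc) also noblacklists `/usr/include/python3*` and `/usr/share/python3*`, which the six per-profile lines removed here did not. The same applies to the other profiles converted in this commit (arm, authenticator, autokey-common, bleachbit, blender, caja, catfish, celluloid, cherrytree, d-feet, deluge). If that widening is intended, a short comment in each allow-*.inc listing exactly what it re-enables would let profile authors see it without opening the include; if not, the extra paths belong out of the include rather than back in every profile.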
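--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc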
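--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.arm
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc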
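--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,7 +7,6 @@ include assogiate.local
 include globals.local
 
 noblacklist ${PICTURES}
-whitelist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-var-common.inc
 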
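--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,14 +7,10 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
+
+blacklist /tmp/.X11-unix
 
 include disable-common.inc
 # include disable-devel.inc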
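--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc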
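--- a/etc/autokey-common.profile
+++ b/etc/autokey-common.profile
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey
 noblacklist ${HOME}/.local/share/autokey
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python2*
-noblacklist /usr/share/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc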
diff --git a/etc/baobab.profile b/etc/baobab.profile index fc4e7f268..893865edd 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -33,4 +33,4 @@ private-bin baobab | |||
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
36 | #memory-deny-write-execute - breaks on Arch | 36 | #memory-deny-write-execute - breaks on Arch |
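--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk
 
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 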
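Review bot: Dropping `whitelist ${DOWNLOADS}` removes the download directory from this profile's whitelist and nothing in the hunk adds it back; the rest of basilisk.profile is outside the hunk, so whether a redirected common profile supplies it cannot be checked here. If it does, a one-line comment such as `# ${DOWNLOADS} is whitelisted by the redirect target` would stop the next reader from re-adding it; if it does not, this is a functional regression for downloads rather than a hardening.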
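--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -6,12 +6,12 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${HOME}/.bashrc
-
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.local/share/bibletime
 
+blacklist ${HOME}/.bashrc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc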
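--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 
 noexec /tmp
+read-write /var/lib/bitlbee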
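--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
 
+noblacklist ${HOME}/.config/Bitwarden
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-include whitelist-var-common.inc
-
+mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all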
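--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -7,12 +7,8 @@ include bleachbit.local
 include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc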
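--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/blender
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc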
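--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,7 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the the next two lines if you are developing rust.
+# Uncomment the next two lines if you are developing rust.
 # or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry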
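--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 
-
 # Redirect
 include brave.profile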
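--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
 
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
-
 # Redirect
 include chromium-common.profile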
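--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.local/share/caja-python
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc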
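--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata
 noblacklist ${HOME}/.local/share/cantata
 noblacklist ${MUSIC}
 
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc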
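--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -12,12 +12,8 @@ include globals.local
 noblacklist ${HOME}/.config/catfish
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 # include disable-devel.inc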
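--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc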
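--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -10,11 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc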
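--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree
 noblacklist ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc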
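--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/chromium-flags.conf
 
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
+mkfile ${HOME}/.config/chromium-flags.conf
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf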
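--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc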
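--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include disable-common.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
 whitelist ${HOME}/.conkeror.mozdev.org
 whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc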
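--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -1,20 +1,13 @@
 # Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
 # This file is overwritten after every install/update
-
-# This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower/
-
 quiet
-
 # Persistent local customizations
 include cower.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cower/config
-read-only ${HOME}/.config/cower/config
-
+noblacklist ${HOME}/.config/cower
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -23,6 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
 
 caps.drop all
 ipc-namespace
@@ -42,7 +40,9 @@ shell none
 
 disable-mnt
 private-bin cower
+private-cache
 private-dev
 private-tmp
 
 memory-deny-write-execute
+read-only ${HOME}/.config/cower/config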
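Review bot: `noblacklist ${HOME}/.config/cower` re-exposes the whole directory while the `read-only ${HOME}/.config/cower/config` kept at the end of the file still protects only the config file, so anything else stored under ~/.config/cower is now reachable read-write from the sandbox, where before only the config file was visible at all. If cower only reads its configuration, `read-only ${HOME}/.config/cower` keeps the widened path with the previous guarantee; otherwise the noblacklist should stay scoped to the file. The hardening hint now says `whitelist ${HOME}/.config/cower`, which is consistent with the directory-level grant but inherits the same question.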
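--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,11 +7,11 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc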
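--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -7,10 +7,10 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.curlrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc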
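--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc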
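--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,6 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
 
-whitelist ${HOME}/.local/share/glib-2.0
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 
 apparmor
@@ -39,7 +38,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
 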
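--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,6 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
-whitelist ${HOME}/.local/share/glib-2.0
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
 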
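--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/deluge
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 # include disable-devel.inc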
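--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/devilspie2
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc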
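--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,11 +6,8 @@ include dex2jar.local
 # Persistent global definitions
 include globals.local
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc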
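--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -242,6 +242,7 @@ read-only ${HOME}/.ssh/authorized_keys
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -275,7 +276,6 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 blacklist ${HOME}/.cargo/registry
 blacklist ${HOME}/.cargo/config
 
@@ -414,3 +414,12 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent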
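Review bot: The new mutt entries at the end of disable-common.inc are applied by every profile that includes this file, so any mail-client profile (none is in this chunk) now has to noblacklist them explicitly, and plain names such as `${HOME}/mail`, `${HOME}/Mail` and `${HOME}/.signature` are also used by programs other than mutt. Making that contract visible in the comment would help, e.g. `# mail directories used by mutt; mail-client profiles must noblacklist the ones they need`. Moving `read-only ${HOME}/.cargo/env` into the arbitrary-command-execution group changes no rule, only where it is documented.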
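--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm
 blacklist ${PATH}/cpan*
 blacklist ${PATH}/core_perl
 blacklist ${PATH}/perl
+blacklist ${PATH}/site_perl
+blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
 blacklist /usr/share/perl*
 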
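Review bot: `blacklist ${PATH}/site_perl` and `blacklist ${PATH}/vendor_perl` widen the perl denial, but the profiles in this commit that switch to `include allow-perl.inc` (exiftool.profile and frozen-bubble.profile) depend on that include undoing every line of this block; allow-perl.inc is not in this view, so please confirm it also carries `noblacklist ${PATH}/site_perl` and `noblacklist ${PATH}/vendor_perl`. exiftool.profile's own comment notes that Arch installs exiftool under /usr/bin/vendor_perl, so a mismatch would break exactly that case. A one-line comment above this block, `# keep in sync with allow-perl.inc`, would make the pairing explicit for the next person who adds a path here.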
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index aa1205549..b1e5a9e64 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets | |||
7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/SoftMaker | 8 | blacklist ${HOME}/SoftMaker |
9 | blacklist ${HOME}/Standard Notes Backups | 9 | blacklist ${HOME}/Standard Notes Backups |
10 | blacklist ${HOME}/mps | ||
10 | blacklist ${HOME}/wallet.dat | 11 | blacklist ${HOME}/wallet.dat |
11 | blacklist ${HOME}/.*coin | 12 | blacklist ${HOME}/.*coin |
12 | blacklist ${HOME}/.8pecxstudios | 13 | blacklist ${HOME}/.8pecxstudios |
@@ -94,6 +95,7 @@ blacklist ${HOME}/.config/Nathan Osman | |||
94 | blacklist ${HOME}/.config/Nylas Mail | 95 | blacklist ${HOME}/.config/Nylas Mail |
95 | blacklist ${HOME}/.config/PBE | 96 | blacklist ${HOME}/.config/PBE |
96 | blacklist ${HOME}/.config/Qlipper | 97 | blacklist ${HOME}/.config/Qlipper |
98 | blacklist ${HOME}/.config/QGIS | ||
97 | blacklist ${HOME}/.config/QMediathekView | 99 | blacklist ${HOME}/.config/QMediathekView |
98 | blacklist ${HOME}/.config/QuiteRss | 100 | blacklist ${HOME}/.config/QuiteRss |
99 | blacklist ${HOME}/.config/QuiteRssrc | 101 | blacklist ${HOME}/.config/QuiteRssrc |
@@ -117,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf | |||
117 | blacklist ${HOME}/.config/asunder | 119 | blacklist ${HOME}/.config/asunder |
118 | blacklist ${HOME}/.config/atril | 120 | blacklist ${HOME}/.config/atril |
119 | blacklist ${HOME}/.config/audacious | 121 | blacklist ${HOME}/.config/audacious |
122 | blacklist ${HOME}/.config/autokey | ||
120 | blacklist ${HOME}/.config/aweather | 123 | blacklist ${HOME}/.config/aweather |
121 | blacklist ${HOME}/.config/baloofilerc | 124 | blacklist ${HOME}/.config/baloofilerc |
122 | blacklist ${HOME}/.config/baloorc | 125 | blacklist ${HOME}/.config/baloorc |
@@ -139,6 +142,7 @@ blacklist ${HOME}/.config/clipit | |||
139 | blacklist ${HOME}/.config/cliqz | 142 | blacklist ${HOME}/.config/cliqz |
140 | blacklist ${HOME}/.config/cmus | 143 | blacklist ${HOME}/.config/cmus |
141 | blacklist ${HOME}/.config/corebird | 144 | blacklist ${HOME}/.config/corebird |
145 | blacklist ${HOME}/.config/cower | ||
142 | blacklist ${HOME}/.config/darktable | 146 | blacklist ${HOME}/.config/darktable |
143 | blacklist ${HOME}/.config/deadbeef | 147 | blacklist ${HOME}/.config/deadbeef |
144 | blacklist ${HOME}/.config/deluge | 148 | blacklist ${HOME}/.config/deluge |
@@ -196,6 +200,7 @@ blacklist ${HOME}/.config/katerc | |||
196 | blacklist ${HOME}/.config/kateschemarc | 200 | blacklist ${HOME}/.config/kateschemarc |
197 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 201 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
198 | blacklist ${HOME}/.config/katevirc | 202 | blacklist ${HOME}/.config/katevirc |
203 | blacklist ${HOME}/.config/kdeconnect | ||
199 | blacklist ${HOME}/.config/kdenliverc | 204 | blacklist ${HOME}/.config/kdenliverc |
200 | blacklist ${HOME}/.config/kgetrc | 205 | blacklist ${HOME}/.config/kgetrc |
201 | blacklist ${HOME}/.config/kid3rc | 206 | blacklist ${HOME}/.config/kid3rc |
@@ -203,12 +208,12 @@ blacklist ${HOME}/.config/klavaro | |||
203 | blacklist ${HOME}/.config/klipperrc | 208 | blacklist ${HOME}/.config/klipperrc |
204 | blacklist ${HOME}/.config/kmail2rc | 209 | blacklist ${HOME}/.config/kmail2rc |
205 | blacklist ${HOME}/.config/kmailsearchindexingrc | 210 | blacklist ${HOME}/.config/kmailsearchindexingrc |
206 | blacklist ${HOME}/.config/kritarc | ||
207 | blacklist ${HOME}/.config/kwriterc | ||
208 | blacklist ${HOME}/.config/kdeconnect | ||
209 | blacklist ${HOME}/.config/knotesrc | 211 | blacklist ${HOME}/.config/knotesrc |
210 | blacklist ${HOME}/.config/konversationrc | 212 | blacklist ${HOME}/.config/konversationrc |
213 | blacklist ${HOME}/.config/kritarc | ||
211 | blacklist ${HOME}/.config/ktorrentrc | 214 | blacklist ${HOME}/.config/ktorrentrc |
215 | blacklist ${HOME}/.config/ktouch2rc | ||
216 | blacklist ${HOME}/.config/kwriterc | ||
212 | blacklist ${HOME}/.config/leafpad | 217 | blacklist ${HOME}/.config/leafpad |
213 | blacklist ${HOME}/.config/libreoffice | 218 | blacklist ${HOME}/.config/libreoffice |
214 | blacklist ${HOME}/.config/liferea | 219 | blacklist ${HOME}/.config/liferea |
@@ -265,6 +270,7 @@ blacklist ${HOME}/.config/redshift.conf | |||
265 | blacklist ${HOME}/.config/remmina | 270 | blacklist ${HOME}/.config/remmina |
266 | blacklist ${HOME}/.config/ristretto | 271 | blacklist ${HOME}/.config/ristretto |
267 | blacklist ${HOME}/.config/scribus | 272 | blacklist ${HOME}/.config/scribus |
273 | blacklist ${HOME}/.config/scribusrc | ||
268 | blacklist ${HOME}/.config/sinew.in | 274 | blacklist ${HOME}/.config/sinew.in |
269 | blacklist ${HOME}/.config/skypeforlinux | 275 | blacklist ${HOME}/.config/skypeforlinux |
270 | blacklist ${HOME}/.config/slimjet | 276 | blacklist ${HOME}/.config/slimjet |
@@ -273,17 +279,17 @@ blacklist ${HOME}/.config/smtube | |||
273 | blacklist ${HOME}/.config/snox | 279 | blacklist ${HOME}/.config/snox |
274 | blacklist ${HOME}/.config/specialmailcollectionsrc | 280 | blacklist ${HOME}/.config/specialmailcollectionsrc |
275 | blacklist ${HOME}/.config/spotify | 281 | blacklist ${HOME}/.config/spotify |
276 | blacklist ${HOME}/.config/supertuxkart | ||
277 | blacklist ${HOME}/.config/sqlitebrowser | 282 | blacklist ${HOME}/.config/sqlitebrowser |
278 | blacklist ${HOME}/.config/stellarium | 283 | blacklist ${HOME}/.config/stellarium |
284 | blacklist ${HOME}/.config/supertuxkart | ||
279 | blacklist ${HOME}/.config/synfig | 285 | blacklist ${HOME}/.config/synfig |
280 | blacklist ${HOME}/.config/telepathy-account-widgets | 286 | blacklist ${HOME}/.config/telepathy-account-widgets |
281 | blacklist ${HOME}/.config/torbrowser | 287 | blacklist ${HOME}/.config/torbrowser |
282 | blacklist ${HOME}/.config/totem | 288 | blacklist ${HOME}/.config/totem |
283 | blacklist ${HOME}/.config/tox | 289 | blacklist ${HOME}/.config/tox |
284 | blacklist ${HOME}/.config/transgui | 290 | blacklist ${HOME}/.config/transgui |
285 | blacklist ${HOME}/.config/truecraft | ||
286 | blacklist ${HOME}/.config/transmission | 291 | blacklist ${HOME}/.config/transmission |
292 | blacklist ${HOME}/.config/truecraft | ||
287 | blacklist ${HOME}/.config/uGet | 293 | blacklist ${HOME}/.config/uGet |
288 | blacklist ${HOME}/.config/uzbl | 294 | blacklist ${HOME}/.config/uzbl |
289 | blacklist ${HOME}/.config/viewnior | 295 | blacklist ${HOME}/.config/viewnior |
@@ -307,6 +313,7 @@ blacklist ${HOME}/.config/xreader | |||
307 | blacklist ${HOME}/.config/xviewer | 313 | blacklist ${HOME}/.config/xviewer |
308 | blacklist ${HOME}/.config/yandex-browser | 314 | blacklist ${HOME}/.config/yandex-browser |
309 | blacklist ${HOME}/.config/yandex-browser-beta | 315 | blacklist ${HOME}/.config/yandex-browser-beta |
316 | blacklist ${HOME}/.config/yelp | ||
310 | blacklist ${HOME}/.config/zathura | 317 | blacklist ${HOME}/.config/zathura |
311 | blacklist ${HOME}/.config/zoomus.conf | 318 | blacklist ${HOME}/.config/zoomus.conf |
312 | blacklist ${HOME}/.conkeror.mozdev.org | 319 | blacklist ${HOME}/.conkeror.mozdev.org |
@@ -325,7 +332,6 @@ blacklist ${HOME}/.electron-cache | |||
325 | blacklist ${HOME}/.electrum* | 332 | blacklist ${HOME}/.electrum* |
326 | blacklist ${HOME}/.elinks | 333 | blacklist ${HOME}/.elinks |
327 | blacklist ${HOME}/.emacs | 334 | blacklist ${HOME}/.emacs |
328 | blacklist ${HOME}/.emacs | ||
329 | blacklist ${HOME}/.emacs.d | 335 | blacklist ${HOME}/.emacs.d |
330 | blacklist ${HOME}/.ethereum | 336 | blacklist ${HOME}/.ethereum |
331 | blacklist ${HOME}/.etr | 337 | blacklist ${HOME}/.etr |
@@ -367,10 +373,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine | |||
367 | blacklist ${HOME}/.kde/share/apps/kcookiejar | 373 | blacklist ${HOME}/.kde/share/apps/kcookiejar |
368 | blacklist ${HOME}/.kde/share/apps/kget | 374 | blacklist ${HOME}/.kde/share/apps/kget |
369 | blacklist ${HOME}/.kde/share/apps/khtml | 375 | blacklist ${HOME}/.kde/share/apps/khtml |
376 | blacklist ${HOME}/.kde/share/apps/klatexformula | ||
370 | blacklist ${HOME}/.kde/share/apps/konqsidebartng | 377 | blacklist ${HOME}/.kde/share/apps/konqsidebartng |
371 | blacklist ${HOME}/.kde/share/apps/konqueror | 378 | blacklist ${HOME}/.kde/share/apps/konqueror |
372 | blacklist ${HOME}/.kde/share/apps/kopete | 379 | blacklist ${HOME}/.kde/share/apps/kopete |
373 | blacklist ${HOME}/.kde/share/apps/khtml | ||
374 | blacklist ${HOME}/.kde/share/apps/ktorrent | 380 | blacklist ${HOME}/.kde/share/apps/ktorrent |
375 | blacklist ${HOME}/.kde/share/apps/okular | 381 | blacklist ${HOME}/.kde/share/apps/okular |
376 | blacklist ${HOME}/.kde/share/config/baloofilerc | 382 | blacklist ${HOME}/.kde/share/config/baloofilerc |
@@ -423,10 +429,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc | |||
423 | blacklist ${HOME}/.killingfloor | 429 | blacklist ${HOME}/.killingfloor |
424 | blacklist ${HOME}/.kino-history | 430 | blacklist ${HOME}/.kino-history |
425 | blacklist ${HOME}/.kinorc | 431 | blacklist ${HOME}/.kinorc |
432 | blacklist ${HOME}/.klatexformula | ||
426 | blacklist ${HOME}/.kodi | 433 | blacklist ${HOME}/.kodi |
427 | blacklist ${HOME}/.lincity-ng | 434 | blacklist ${HOME}/.lincity-ng |
428 | blacklist ${HOME}/.linphone-history.db | 435 | blacklist ${HOME}/.linphone-history.db |
429 | blacklist ${HOME}/.linphonerc | 436 | blacklist ${HOME}/.linphonerc |
437 | blacklist ${HOME}/.links | ||
430 | blacklist ${HOME}/.lmmsrc.xml | 438 | blacklist ${HOME}/.lmmsrc.xml |
431 | blacklist ${HOME}/.local/lib/vivaldi | 439 | blacklist ${HOME}/.local/lib/vivaldi |
432 | blacklist ${HOME}/.local/share/0ad | 440 | blacklist ${HOME}/.local/share/0ad |
@@ -438,6 +446,7 @@ blacklist ${HOME}/.local/share/JetBrains | |||
438 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 446 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
439 | blacklist ${HOME}/.local/share/Mumble | 447 | blacklist ${HOME}/.local/share/Mumble |
440 | blacklist ${HOME}/.local/share/PBE | 448 | blacklist ${HOME}/.local/share/PBE |
449 | blacklist ${HOME}/.local/share/QGIS | ||
441 | blacklist ${HOME}/.local/share/QMediathekView | 450 | blacklist ${HOME}/.local/share/QMediathekView |
442 | blacklist ${HOME}/.local/share/QuiteRss | 451 | blacklist ${HOME}/.local/share/QuiteRss |
443 | blacklist ${HOME}/.local/share/Ricochet | 452 | blacklist ${HOME}/.local/share/Ricochet |
@@ -450,6 +459,7 @@ blacklist ${HOME}/.local/share/akonadi* | |||
450 | blacklist ${HOME}/.local/share/akregator | 459 | blacklist ${HOME}/.local/share/akregator |
451 | blacklist ${HOME}/.local/share/apps/korganizer | 460 | blacklist ${HOME}/.local/share/apps/korganizer |
452 | blacklist ${HOME}/.local/share/aspyr-media | 461 | blacklist ${HOME}/.local/share/aspyr-media |
462 | blacklist ${HOME}/.local/share/autokey | ||
453 | blacklist ${HOME}/.local/share/baloo | 463 | blacklist ${HOME}/.local/share/baloo |
454 | blacklist ${HOME}/.local/share/bibletime | 464 | blacklist ${HOME}/.local/share/bibletime |
455 | blacklist ${HOME}/.local/share/caja-python | 465 | blacklist ${HOME}/.local/share/caja-python |
@@ -492,8 +502,9 @@ blacklist ${HOME}/.local/share/klavaro | |||
492 | blacklist ${HOME}/.local/share/kmail2 | 502 | blacklist ${HOME}/.local/share/kmail2 |
493 | blacklist ${HOME}/.local/share/knotes | 503 | blacklist ${HOME}/.local/share/knotes |
494 | blacklist ${HOME}/.local/share/krita | 504 | blacklist ${HOME}/.local/share/krita |
495 | blacklist ${HOME}/.local/share/ktorrentrc | ||
496 | blacklist ${HOME}/.local/share/ktorrent | 505 | blacklist ${HOME}/.local/share/ktorrent |
506 | blacklist ${HOME}/.local/share/ktorrentrc | ||
507 | blacklist ${HOME}/.local/share/ktouch | ||
497 | blacklist ${HOME}/.local/share/kwrite | 508 | blacklist ${HOME}/.local/share/kwrite |
498 | blacklist ${HOME}/.local/share/liferea | 509 | blacklist ${HOME}/.local/share/liferea |
499 | blacklist ${HOME}/.local/share/local-mail | 510 | blacklist ${HOME}/.local/share/local-mail |
@@ -517,13 +528,13 @@ blacklist ${HOME}/.local/share/ocenaudio | |||
517 | blacklist ${HOME}/.local/share/okular | 528 | blacklist ${HOME}/.local/share/okular |
518 | blacklist ${HOME}/.local/share/orage | 529 | blacklist ${HOME}/.local/share/orage |
519 | blacklist ${HOME}/.local/share/org.kde.gwenview | 530 | blacklist ${HOME}/.local/share/org.kde.gwenview |
520 | blacklist ${HOME}/.local/share/rhythmbox | ||
521 | blacklist ${HOME}/.local/share/pix | 531 | blacklist ${HOME}/.local/share/pix |
522 | blacklist ${HOME}/.local/share/plasma_notes | 532 | blacklist ${HOME}/.local/share/plasma_notes |
523 | blacklist ${HOME}/.local/share/psi+ | 533 | blacklist ${HOME}/.local/share/psi+ |
524 | blacklist ${HOME}/.local/share/qpdfview | 534 | blacklist ${HOME}/.local/share/qpdfview |
525 | blacklist ${HOME}/.local/share/qutebrowser | 535 | blacklist ${HOME}/.local/share/qutebrowser |
526 | blacklist ${HOME}/.local/share/remmina | 536 | blacklist ${HOME}/.local/share/remmina |
537 | blacklist ${HOME}/.local/share/rhythmbox | ||
527 | blacklist ${HOME}/.local/share/scribus | 538 | blacklist ${HOME}/.local/share/scribus |
528 | blacklist ${HOME}/.local/share/spotify | 539 | blacklist ${HOME}/.local/share/spotify |
529 | blacklist ${HOME}/.local/share/steam | 540 | blacklist ${HOME}/.local/share/steam |
@@ -576,6 +587,7 @@ blacklist ${HOME}/.pingus | |||
576 | blacklist ${HOME}/.pioneer | 587 | blacklist ${HOME}/.pioneer |
577 | blacklist ${HOME}/.purple | 588 | blacklist ${HOME}/.purple |
578 | blacklist ${HOME}/.qemu-launcher | 589 | blacklist ${HOME}/.qemu-launcher |
590 | blacklist ${HOME}/.qgis2 | ||
579 | blacklist ${HOME}/.qmmp | 591 | blacklist ${HOME}/.qmmp |
580 | blacklist ${HOME}/.quodlibet | 592 | blacklist ${HOME}/.quodlibet |
581 | blacklist ${HOME}/.redeclipse | 593 | blacklist ${HOME}/.redeclipse |
@@ -624,8 +636,8 @@ blacklist ${HOME}/.wget-hsts | |||
624 | blacklist ${HOME}/.wgetrc | 636 | blacklist ${HOME}/.wgetrc |
625 | blacklist ${HOME}/.widelands | 637 | blacklist ${HOME}/.widelands |
626 | blacklist ${HOME}/.wine | 638 | blacklist ${HOME}/.wine |
627 | blacklist ${HOME}/.wireshark | ||
628 | blacklist ${HOME}/.wine64 | 639 | blacklist ${HOME}/.wine64 |
640 | blacklist ${HOME}/.wireshark | ||
629 | blacklist ${HOME}/.xiphos | 641 | blacklist ${HOME}/.xiphos |
630 | blacklist ${HOME}/.xmind | 642 | blacklist ${HOME}/.xmind |
631 | blacklist ${HOME}/.xmms | 643 | blacklist ${HOME}/.xmms |
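Review bot: Several hunks in this section mix alphabetical re-sorting of existing entries (kdeconnect, kritarc, kwriterc, supertuxkart, truecraft, rhythmbox, wireshark, plus the duplicate `.emacs` and `khtml` lines) with genuinely new entries (QGIS, autokey, cower, ktouch2rc, scribusrc, yelp, klatexformula, `.links`, `.qgis2`, `mps`), so a reviewer cannot tell the two apart without re-deriving each hunk from the line numbers. Splitting the re-sort into its own commit, or listing the new paths in the commit message, would make the security-relevant additions auditable on their own. The duplicate removals are presumably harmless either way, since a repeated blacklist of the same path should have no additional effect.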
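--- a/etc/display.profile
+++ b/etc/display.profile
@@ -8,12 +8,8 @@ include globals.local
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc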
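Review bot: `include allow-python2.inc` / `include allow-python3.inc` replace six explicit noblacklist lines, including `/usr/local/lib/python2*` and `/usr/local/lib/python3*`; the include files are not in this view, so please confirm they cover the same six paths, otherwise every python-based profile silently loses access to the /usr/local tree. The same replacement is made in electrum.profile, exfalso.profile, filezilla.profile, flowblade.profile, font-manager.profile and fontforge.profile, with perl and java variants in frozen-bubble.profile, freecol.profile and freemind.profile; in firefox-common-addons.inc the new include is a slight widening rather than a rename, since the two lines it replaces did not cover /usr/local. The include stays ahead of `include disable-interpreters.inc`, which is the order the noblacklist lines inside it need in order to take effect.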
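--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc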
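--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -6,11 +6,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc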
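--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -1,11 +1,12 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
+include dooble.local
+# Backward compatibility
 include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.dooble
 
 include disable-common.inc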
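--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.electrum
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc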
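--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -6,10 +6,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.elinks
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc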
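--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
-
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # machine-id and nosound break audio notification functionality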
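Review bot: The new `mkdir`/`mkfile` lines carry no comment, so a reader cannot see why paths are created immediately before being whitelisted; I would add above the mkdir block `# create the Enpass paths first so the whitelist entries apply on a fresh install, where they do not exist yet`. Adding `include whitelist-common.inc` also extends what the sandbox exposes from ${HOME} beyond the five explicit whitelist lines, which is a real change in the profile's attack surface and should be stated in the commit message rather than left implied by the diff. Both points apply equally to the mkdir lines added in falkon.profile.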
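--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.quodlibet
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc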
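--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,12 +6,10 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 
-# Allow access to perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
@@ -41,7 +39,7 @@ shell none
 tracelog
 
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev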
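--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon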
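--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc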
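--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -56,8 +56,7 @@ whitelist ${HOME}/dwhelper
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore nodbus
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python3*
+include allow-python3.inc
 
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.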
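--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki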
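--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.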
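--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc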
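--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc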
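--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc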
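--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}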
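Review bot: `ignore noexec /tmp` in the first hunk re-enables execution under the sandbox's /tmp, which the `include disable-exec.inc` added in the second hunk would otherwise deny, and nothing in the profile says why; a comment such as `# Franz runs helpers it unpacks under /tmp; private-tmp keeps that directory inside the sandbox` (adjust if that is not the actual reason) would let the next reviewer judge the trade-off instead of guessing. As far as I recall, `ignore` only affects profile lines read after it, so keep it ahead of the `include disable-exec.inc` line as it is now. Dropping the trailing `noexec ${HOME}` in the third hunk is only equivalent if disable-exec.inc provides it; that include is not in this view, so please confirm.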
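--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -12,11 +12,8 @@ noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc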
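--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -7,12 +7,11 @@ include freemind.local
 include globals.local
 
 noblacklist ${DOCUMENTS}
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
 noblacklist ${HOME}/.freemind
 
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc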
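--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.frozen-bubble
 
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc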
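--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc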
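--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/gconf
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-#noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+#include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc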
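--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
+ignore nodbus
+ignore private-tmp
+
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
 
-include whitelist-common.inc
-
-ignore nodbus
-ignore private-tmp
-
 read-only ${HOME}/.config/mimeapps.list
 
 # allow browsers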
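Review bot: The new comment `# added by included profile` above the now-disabled `#include globals.local` relies on another profile being included later in the file, but no `include <profile>` is visible in this hunk, and `include whitelist-common.inc` (old line 23) is removed without a visible replacement. If the include that supplies both lives outside the hunk this is fine; otherwise globals.local customizations silently stop applying to geary and the whitelist loses the entries whitelist-common.inc provided. Naming the profile in the comment, e.g. `# added by included <name>.profile`, would make this checkable at a glance and tell users where `ignore nodbus` / `ignore private-tmp` are now overriding from.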
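--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -7,7 +7,8 @@ include gimp.local
 include globals.local
 
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can disable ignore noexec statement below
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'ignore ignore noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/GIMP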
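--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc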
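--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp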
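--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc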
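--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc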
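--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp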
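--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc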
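--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
-#shell none
+shell none
 tracelog
 
 # private-bin gpg,gpg-agent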
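Review bot: The second hunk drops the `# Causes gpg to hang` note and enables `shell none`, but records nothing about why the hang no longer applies, so the next hang report is likely to revert it. A one-line comment above `shell none`, e.g. `# shell none used to hang gpg; fixed by <version or change — TODO>`, would preserve the history that the old comment carried. The first hunk only moves `blacklist /tmp/.X11-unix` below the noblacklist line and needs no change.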
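--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
 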
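--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.gramps
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc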
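--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -34,5 +41,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile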
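Review bot: `#noroot` is added commented out (new line 30 of the second hunk) with no comment saying why gzip must keep root available, while the rest of the change hardens the profile with `caps.drop all`, `nonewprivs`, `protocol unix` and `seccomp`. The old `ignore noroot` at least made the exception explicit; now a reader cannot tell whether `noroot` is disabled deliberately or left over from the old `include default.profile` layout. A comment such as `# noroot is left out: <reason — TODO>` would settle it; less.profile in this commit carries the same bare `#noroot`. Removing `include default.profile` in the third hunk is consistent with the options now being spelled out explicitly.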
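--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc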
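--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -8,11 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.imagej
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc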
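--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc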
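--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc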
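--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -7,11 +7,8 @@ include globals.local
 
 noblacklist ${HOME}/.jitsi
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc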
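--- /dev/null
+++ b/etc/klatexformula.profile
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp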
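Review bot: The new profile re-enables both python2 and python3 (lines 13–14) but, unlike ktouch.profile added in the same commit, sets neither `disable-mnt` nor `private-bin`, so the sandbox still sees every binary on the system and anything under /mnt or /media. If the LaTeX toolchain the program shells out to makes a `private-bin` list impractical, a comment saying so — e.g. `# no private-bin: klatexformula needs the full TeX toolchain` — would document the trade-off instead of leaving it to look like an omission. `disable-mnt` looks safe for an equation renderer, though I cannot confirm from the profile alone that it never reads from removable media.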
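--- /dev/null
+++ b/etc/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+
+# Redirect
+include klatexformula.profile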
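--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -15,12 +15,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc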
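--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc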
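--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp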
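--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile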
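--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -10,12 +10,10 @@ noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
-# libreoffice uses java; if you don't care about java functionality,
-# comment the next four lines
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +27,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +46,4 @@ tracelog
 private-dev
 private-tmp
 
-
 join-or-start libreoffice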
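Review bot: The rewritten comment block at new lines 13–15 says `# comment if you don't care about java functionality` and then `# Allow java (blacklisted by disable-devel.inc)` before `include allow-java.inc`, so it is no longer clear which line the reader is meant to comment — the old text said "the next four lines". Collapsing it to `# libreoffice uses java for some operations; comment the next include if you don't need it` followed by `# Allow java (blacklisted by disable-devel.inc)` would keep the instruction unambiguous. The second and third hunks only drop commented-out `#machine-id`/`#nodbus` lines and a blank line and need no change.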
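--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea
 noblacklist ${HOME}/.local/share/liferea
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc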
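--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links
+
+blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute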
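Review bot: `private-bin links,sh` (line 55) ships a shell into the sandbox with no comment saying why, and since the profile is otherwise tight (`disable-exec.inc`, `seccomp`, `memory-deny-write-execute`, `shell none`), a reader may remove `sh` as an oversight or, conversely, not realise the browser can spawn it for its associated programs. A comment such as `# sh is needed so links can launch its user-configured associated programs` above the line would record the reason; I am inferring that purpose from the surrounding comments, so confirm it. Separately, the comment at lines 59–60, "Uncomment the following line (or put it in your links.local) allow external media players", is missing "to" before "allow".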
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 76b8ed75c..6667815b9 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop | |||
10 | noblacklist ${MUSIC} | 10 | noblacklist ${MUSIC} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
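Review bot: The removed noblacklist lines covered `${PATH}/python*`, `/usr/lib/python*` and `/usr/local/lib/python*`, and `allow-python2.inc`/`allow-python3.inc` are not in this view, so it cannot be confirmed here that the includes re-open exactly those paths and nothing wider. A one-line header inside each .inc stating what it exposes would let reviewers of the many call sites check that at a glance. The same replacement is made in macrofusion, mendeleydesktop, meteo-qt, mpDris2, mpsyt, mpv, ms-office, nautilus, nemo, nitroshare, nyx, obs, onionshare-gui and openshot, and the equivalent `allow-java.inc` swap in mediathekview and multimc5; in every one of them the include stays ahead of the `disable-*.inc` lines, which is the order a noblacklist needs to take effect.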
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 7d42f2bfe..f7a059f50 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion | |||
9 | noblacklist ${PICTURES} | 9 | noblacklist ${PICTURES} |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile index ce6486115..e4da0c66a 100644 --- a/etc/masterpdfeditor.profile +++ b/etc/masterpdfeditor.profile | |||
@@ -20,9 +20,7 @@ include whitelist-var-common.inc | |||
20 | 20 | ||
21 | apparmor | 21 | apparmor |
22 | caps.drop all | 22 | caps.drop all |
23 | ipc-namespace | ||
24 | machine-id | 23 | machine-id |
25 | no3d | ||
26 | nodvd | 24 | nodvd |
27 | nogroups | 25 | nogroups |
28 | nonewprivs | 26 | nonewprivs |
@@ -36,7 +34,6 @@ seccomp | |||
36 | shell none | 34 | shell none |
37 | tracelog | 35 | tracelog |
38 | 36 | ||
39 | private-bin masterpdfedito* | ||
40 | private-cache | 37 | private-cache |
41 | private-dev | 38 | private-dev |
42 | private-etc alternatives,fonts | 39 | private-etc alternatives,fonts |
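Review bot: The new side drops `ipc-namespace`, `no3d` and `private-bin masterpdfedito*` without saying why, so the application now sees the host IPC namespace and all of the system bin directories and the next maintainer has no way to tell a deliberate breakage fix from an accidental loss of hardening. Elsewhere in this commit (ocenaudio, orage) a disabled option is kept as a comment naming what it breaks; the same convention fits here, e.g. `# private-bin masterpdfedito* - breaks <reason>` in place of the deleted line, and likewise for the two removed namespace options. If private-bin was removed only because the glob does not match the installed binary name, an explicit name list is the safer replacement.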
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index ac5577b4c..2f6020ad3 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -15,12 +15,13 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.cache/mate-calc | ||
19 | mkdir ${HOME}/.config/caja | ||
20 | mkdir ${HOME}/.config/mate-menu | ||
18 | whitelist ${HOME}/.cache/mate-calc | 21 | whitelist ${HOME}/.cache/mate-calc |
19 | whitelist ${HOME}/.config/caja | 22 | whitelist ${HOME}/.config/caja |
20 | whitelist ${HOME}/.config/gtk-3.0 | ||
21 | whitelist ${HOME}/.config/dconf | ||
22 | whitelist ${HOME}/.config/mate-menu | 23 | whitelist ${HOME}/.config/mate-menu |
23 | whitelist ${HOME}/.themes | 24 | include whitelist-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
26 | net none | 27 | net none |
@@ -40,7 +41,7 @@ shell none | |||
40 | 41 | ||
41 | disable-mnt | 42 | disable-mnt |
42 | private-bin mate-calc,mate-calculator | 43 | private-bin mate-calc,mate-calculator |
43 | private-etc alternatives,fonts | 44 | private-etc alternatives,dconf,fonts,gtk-3.0 |
44 | private-dev | 45 | private-dev |
45 | private-opt none | 46 | private-opt none |
46 | private-tmp | 47 | private-tmp |
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index bd3631445..f1a7ca18f 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
@@ -5,7 +5,6 @@ include mate-color-select.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | include disable-common.inc | 8 | include disable-common.inc |
10 | include disable-devel.inc | 9 | include disable-devel.inc |
11 | include disable-exec.inc | 10 | include disable-exec.inc |
@@ -13,10 +12,7 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 13 | include disable-programs.inc |
15 | 14 | ||
16 | whitelist ${HOME}/.config/gtk-3.0 | 15 | include whitelist-common.inc |
17 | whitelist ${HOME}/.fonts | ||
18 | whitelist ${HOME}/.icons | ||
19 | whitelist ${HOME}/.themes | ||
20 | 16 | ||
21 | caps.drop all | 17 | caps.drop all |
22 | netfilter | 18 | netfilter |
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 1217910a0..d1dc76260 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -14,11 +14,9 @@ include disable-interpreters.inc | |||
14 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/mate/mate-dictionary | ||
17 | whitelist ${HOME}/.config/mate/mate-dictionary | 18 | whitelist ${HOME}/.config/mate/mate-dictionary |
18 | whitelist ${HOME}/.config/gtk-3.0 | 19 | include whitelist-common.inc |
19 | whitelist ${HOME}/.fonts | ||
20 | whitelist ${HOME}/.icons | ||
21 | whitelist ${HOME}/.themes | ||
22 | 20 | ||
23 | caps.drop all | 21 | caps.drop all |
24 | netfilter | 22 | netfilter |
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 497014dab..4ebb5429a 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
@@ -18,11 +18,8 @@ noblacklist ${HOME}/.mediathek3 | |||
18 | noblacklist ${HOME}/.mplayer | 18 | noblacklist ${HOME}/.mplayer |
19 | noblacklist ${VIDEOS} | 19 | noblacklist ${VIDEOS} |
20 | 20 | ||
21 | # Allow access to java | 21 | # Allow java (blacklisted by disable-devel.inc) |
22 | noblacklist ${PATH}/java | 22 | include allow-java.inc |
23 | noblacklist /usr/lib/java | ||
24 | noblacklist /etc/java | ||
25 | noblacklist /usr/share/java | ||
26 | 23 | ||
27 | include disable-common.inc | 24 | include disable-common.inc |
28 | include disable-devel.inc | 25 | include disable-devel.inc |
diff --git a/etc/meld.profile b/etc/meld.profile index 14e0f238d..34b1f22de 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -6,22 +6,17 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/meld | ||
10 | |||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist ${PATH}/python3* | ||
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | |||
19 | noblacklist ${HOME}/.config/git | 9 | noblacklist ${HOME}/.config/git |
20 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
21 | noblacklist ${HOME}/.git-credentials | 11 | noblacklist ${HOME}/.git-credentials |
12 | noblacklist ${HOME}/.local/share/meld | ||
22 | noblacklist ${HOME}/.ssh | 13 | noblacklist ${HOME}/.ssh |
23 | noblacklist ${HOME}/.subversion | 14 | noblacklist ${HOME}/.subversion |
24 | 15 | ||
16 | # Allow python (blacklisted by disable-interpreters.inc) | ||
17 | include allow-python2.inc | ||
18 | include allow-python3.inc | ||
19 | |||
25 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. | 20 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. |
26 | #include disable-common.inc | 21 | #include disable-common.inc |
27 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -59,3 +54,4 @@ private-dev | |||
59 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | 54 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion |
60 | private-tmp | 55 | private-tmp |
61 | 56 | ||
57 | read-only ${HOME}/.ssh | ||
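Review bot: `read-only ${HOME}/.ssh` is added at the end of the file, but the profile still exposes `${HOME}/.git-credentials` (plaintext tokens) and `${HOME}/.gitconfig` through noblacklist with no equivalent write protection. Adding `read-only ${HOME}/.git-credentials` beside the new line keeps a compromised diff session from rewriting stored credentials while git can still read them; the same could be done for `.gitconfig` if meld never needs to edit it. The noblacklist lines are in the first hunk of this section and the read-only line in the last, so a short comment next to the read-only block naming the directories it protects would help readers connect the two.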
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile index d54371371..ed6cc3ae0 100644 --- a/etc/mendeleydesktop.profile +++ b/etc/mendeleydesktop.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki | |||
15 | noblacklist ${HOME}/.local/share/pki | 15 | noblacklist ${HOME}/.local/share/pki |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile index a769a97ec..4437d86ea 100644 --- a/etc/meteo-qt.profile +++ b/etc/meteo-qt.profile | |||
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart | |||
10 | noblacklist ${HOME}/.config/meteo-qt | 10 | noblacklist ${HOME}/.config/meteo-qt |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 14 | ||
17 | include disable-common.inc | 15 | include disable-common.inc |
18 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc | |||
22 | include disable-programs.inc | 20 | include disable-programs.inc |
23 | include disable-xdg.inc | 21 | include disable-xdg.inc |
24 | 22 | ||
25 | whitelist ${HOME}/.config/autostart | ||
26 | mkdir ${HOME}/.config/meteo-qt | 23 | mkdir ${HOME}/.config/meteo-qt |
24 | whitelist ${HOME}/.config/autostart | ||
27 | whitelist ${HOME}/.config/meteo-qt | 25 | whitelist ${HOME}/.config/meteo-qt |
28 | include whitelist-common.inc | 26 | include whitelist-common.inc |
29 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
diff --git a/etc/midori.profile b/etc/midori.profile index e4d39cd70..ffae4919f 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -6,6 +6,9 @@ include midori.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # noexec ${HOME} breaks DRM binaries. | ||
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
11 | |||
9 | noblacklist ${HOME}/.config/midori | 12 | noblacklist ${HOME}/.config/midori |
10 | noblacklist ${HOME}/.local/share/midori | 13 | noblacklist ${HOME}/.local/share/midori |
11 | # noblacklist ${HOME}/.local/share/webkit | 14 | # noblacklist ${HOME}/.local/share/webkit |
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori | |||
13 | noblacklist ${HOME}/.pki | 16 | noblacklist ${HOME}/.pki |
14 | noblacklist ${HOME}/.local/share/pki | 17 | noblacklist ${HOME}/.local/share/pki |
15 | 18 | ||
16 | # noexec ${HOME} breaks DRM binaries. | ||
17 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
18 | |||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | 21 | include disable-exec.inc |
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile index 81bf88b8b..db2bb6a93 100644 --- a/etc/mpDris2.profile +++ b/etc/mpDris2.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/mpDris2 | 9 | noblacklist ${HOME}/.config/mpDris2 |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index 0808c5a1a..775e137bc 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -6,14 +6,6 @@ include mpsyt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | noblacklist ${PATH}/python2* | ||
11 | noblacklist ${PATH}/python3* | ||
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | |||
17 | noblacklist ${HOME}/.config/mpv | 9 | noblacklist ${HOME}/.config/mpv |
18 | noblacklist ${HOME}/.mplayer | 10 | noblacklist ${HOME}/.mplayer |
19 | noblacklist ${HOME}/.config/mps-youtube | 11 | noblacklist ${HOME}/.config/mps-youtube |
@@ -22,6 +14,10 @@ noblacklist ${HOME}/mps | |||
22 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
23 | noblacklist ${VIDEOS} | 15 | noblacklist ${VIDEOS} |
24 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | ||
18 | include allow-python2.inc | ||
19 | include allow-python3.inc | ||
20 | |||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
27 | include disable-exec.inc | 23 | include disable-exec.inc |
diff --git a/etc/mpv.profile b/etc/mpv.profile index 34542b11b..aa2335516 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -13,12 +13,8 @@ noblacklist ${MUSIC} | |||
13 | noblacklist ${VIDEOS} | 13 | noblacklist ${VIDEOS} |
14 | 14 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | noblacklist ${PATH}/python2* | 16 | include allow-python2.inc |
17 | noblacklist ${PATH}/python3* | 17 | include allow-python3.inc |
18 | noblacklist /usr/lib/python2* | ||
19 | noblacklist /usr/lib/python3* | ||
20 | noblacklist /usr/local/lib/python2* | ||
21 | noblacklist /usr/local/lib/python3* | ||
22 | 18 | ||
23 | include disable-common.inc | 19 | include disable-common.inc |
24 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/ms-office.profile b/etc/ms-office.profile index f8e75379e..25b097d72 100644 --- a/etc/ms-office.profile +++ b/etc/ms-office.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online | |||
9 | noblacklist ${HOME}/.jak | 9 | noblacklist ${HOME}/.jak |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile index 02084d923..df1618361 100644 --- a/etc/ms-skype.profile +++ b/etc/ms-skype.profile | |||
@@ -3,10 +3,13 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include ms-skype.local | 4 | include ms-skype.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | noblacklist ${HOME}/.cache/ms-skype-online | ||
9 | ignore novideo | 9 | ignore novideo |
10 | |||
11 | noblacklist ${HOME}/.cache/ms-skype-online | ||
12 | |||
10 | private-bin ms-skype | 13 | private-bin ms-skype |
11 | 14 | ||
12 | # Redirect | 15 | # Redirect |
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index b6407c4f9..98edf273e 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.local/share/multimc | |||
10 | noblacklist ${HOME}/.local/share/multimc5 | 10 | noblacklist ${HOME}/.local/share/multimc5 |
11 | noblacklist ${HOME}/.multimc5 | 11 | noblacklist ${HOME}/.multimc5 |
12 | 12 | ||
13 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
14 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
15 | noblacklist /usr/lib/java | ||
16 | noblacklist /etc/java | ||
17 | noblacklist /usr/share/java | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -24,6 +21,8 @@ include disable-passwdmgr.inc | |||
24 | include disable-programs.inc | 21 | include disable-programs.inc |
25 | 22 | ||
26 | mkdir ${HOME}/.local/share/multimc | 23 | mkdir ${HOME}/.local/share/multimc |
24 | mkdir ${HOME}/.local/share/multimc5 | ||
25 | mkdir ${HOME}/.multimc5 | ||
27 | whitelist ${HOME}/.local/share/multimc | 26 | whitelist ${HOME}/.local/share/multimc |
28 | whitelist ${HOME}/.local/share/multimc5 | 27 | whitelist ${HOME}/.local/share/multimc5 |
29 | whitelist ${HOME}/.multimc5 | 28 | whitelist ${HOME}/.multimc5 |
diff --git a/etc/mutt.profile b/etc/mutt.profile index cc3a323e0..419e17e95 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -6,8 +6,6 @@ include mutt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /var/mail | 9 | noblacklist /var/mail |
12 | noblacklist /var/spool/mail | 10 | noblacklist /var/spool/mail |
13 | noblacklist ${HOME}/.Mail | 11 | noblacklist ${HOME}/.Mail |
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail | |||
34 | noblacklist ${HOME}/postponed | 32 | noblacklist ${HOME}/postponed |
35 | noblacklist ${HOME}/sent | 33 | noblacklist ${HOME}/sent |
36 | 34 | ||
35 | blacklist /tmp/.X11-unix | ||
36 | |||
37 | include disable-common.inc | 37 | include disable-common.inc |
38 | include disable-devel.inc | 38 | include disable-devel.inc |
39 | include disable-interpreters.inc | 39 | include disable-interpreters.inc |
diff --git a/etc/mypaint.profile b/etc/mypaint.profile index 615bb60d1..19643e749 100644 --- a/etc/mypaint.profile +++ b/etc/mypaint.profile | |||
@@ -9,10 +9,12 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/mypaint | 9 | noblacklist ${HOME}/.cache/mypaint |
10 | noblacklist ${HOME}/.config/mypaint | 10 | noblacklist ${HOME}/.config/mypaint |
11 | noblacklist ${HOME}/.local/share/mypaint | 11 | noblacklist ${HOME}/.local/share/mypaint |
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist ${PICTURES} | 12 | noblacklist ${PICTURES} |
15 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | ||
16 | include allow-python3.inc | ||
17 | |||
16 | include disable-common.inc | 18 | include disable-common.inc |
17 | include disable-devel.inc | 19 | include disable-devel.inc |
18 | include disable-exec.inc | 20 | include disable-exec.inc |
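Review bot: The old lines only allowed python2 (`${PATH}/python2*`, `/usr/lib/python2*`), but the new block also adds `include allow-python3.inc`, which widens the interpreter surface beyond what this profile previously needed. If the python3 include is intentional for a python3 build of mypaint, a comment saying so would keep it from being read as a copy of the generic template; otherwise dropping that one line keeps the profile as tight as it was.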
diff --git a/etc/natron.profile b/etc/natron.profile index 3f997a7a0..7ad217b72 100644 --- a/etc/natron.profile +++ b/etc/natron.profile | |||
@@ -5,18 +5,13 @@ include natron.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Allow python (blacklisted by disable-interpreters.inc) | ||
9 | noblacklist ${PATH}/python2* | ||
10 | noblacklist ${PATH}/python3* | ||
11 | noblacklist /usr/lib/python2* | ||
12 | noblacklist /usr/lib/python3* | ||
13 | noblacklist /usr/local/lib/python2* | ||
14 | noblacklist /usr/local/lib/python3* | ||
15 | |||
16 | noblacklist ${HOME}/.Natron | 8 | noblacklist ${HOME}/.Natron |
17 | noblacklist ${HOME}/.cache/INRIA/Natron | 9 | noblacklist ${HOME}/.cache/INRIA/Natron |
18 | noblacklist ${HOME}/.config/INRIA | 10 | noblacklist ${HOME}/.config/INRIA |
19 | noblacklist /opt/natron | 11 | |
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
20 | 15 | ||
21 | include disable-common.inc | 16 | include disable-common.inc |
22 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -33,9 +28,9 @@ nogroups | |||
33 | nonewprivs | 28 | nonewprivs |
34 | noroot | 29 | noroot |
35 | notv | 30 | notv |
36 | protocol unix,inet,inet6 | 31 | nou2f |
32 | protocol unix | ||
37 | seccomp | 33 | seccomp |
38 | shell none | 34 | shell none |
39 | 35 | ||
40 | private-bin natron,Natron,NatronRenderer | 36 | private-bin natron,Natron,NatronRenderer |
41 | |||
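Review bot: `protocol unix` replaces `protocol unix,inet,inet6`, which removes IP sockets, but no matching `net none` is visible in the second hunk and the context shown there (nogroups through shell none) does not include the network options, so whether this is a full offline cut-off or only protocol filtering cannot be confirmed from here. If the application is meant to run offline, pairing it with `net none` (or a comment naming where that is set) makes the intent explicit; if it needs network for anything, this change will break it without an obvious error. The removal of `noblacklist /opt/natron` in the first hunk is also unexplained and deserves a short comment if /opt is now handled elsewhere.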
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 1d68ef8e3..b81313b6a 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus | |||
15 | noblacklist ${HOME}/.local/share/nautilus-python | 15 | noblacklist ${HOME}/.local/share/nautilus-python |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
diff --git a/etc/nemo.profile b/etc/nemo.profile index a23ba1700..26cfedb66 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo | |||
12 | noblacklist ${HOME}/.local/share/nemo-python | 12 | noblacklist ${HOME}/.local/share/nemo-python |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile index 2c23a4868..e1294153b 100644 --- a/etc/nethack-vultures.profile +++ b/etc/nethack-vultures.profile | |||
@@ -6,7 +6,6 @@ include nethack.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.vultures | 9 | noblacklist ${HOME}/.vultures |
11 | noblacklist /var/log | 10 | noblacklist /var/log |
12 | 11 | ||
@@ -43,4 +42,3 @@ private-cache | |||
43 | private-dev | 42 | private-dev |
44 | private-tmp | 43 | private-tmp |
45 | writable-var | 44 | writable-var |
46 | |||
diff --git a/etc/nethack.profile b/etc/nethack.profile index 5375d2f4f..3df632451 100644 --- a/etc/nethack.profile +++ b/etc/nethack.profile | |||
@@ -6,7 +6,6 @@ include nethack.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/games/nethack | 9 | noblacklist /var/games/nethack |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/nheko.profile b/etc/nheko.profile index 2dfddf872..119b30239 100644 --- a/etc/nheko.profile +++ b/etc/nheko.profile | |||
@@ -18,11 +18,9 @@ include disable-programs.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.config/nheko | 19 | mkdir ${HOME}/.config/nheko |
20 | mkdir ${HOME}/.cache/nheko/nheko | 20 | mkdir ${HOME}/.cache/nheko/nheko |
21 | |||
22 | whitelist ${HOME}/.config/nheko | 21 | whitelist ${HOME}/.config/nheko |
23 | whitelist ${HOME}/.cache/nheko/nheko | 22 | whitelist ${HOME}/.cache/nheko/nheko |
24 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
25 | |||
26 | include whitelist-common.inc | 24 | include whitelist-common.inc |
27 | 25 | ||
28 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile index 7aba69490..19b6615ef 100644 --- a/etc/nitroshare.profile +++ b/etc/nitroshare.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman | |||
10 | noblacklist ${HOME}/.config/NitroShare | 10 | noblacklist ${HOME}/.config/NitroShare |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/nylas.profile b/etc/nylas.profile index 263e09198..c959eb991 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile | |||
@@ -14,6 +14,8 @@ include disable-interpreters.inc | |||
14 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/Nylas Mail | ||
18 | mkdir ${HOME}/.nylas-mail | ||
17 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
18 | whitelist ${HOME}/.config/Nylas Mail | 20 | whitelist ${HOME}/.config/Nylas Mail |
19 | whitelist ${HOME}/.nylas-mail | 21 | whitelist ${HOME}/.nylas-mail |
diff --git a/etc/nyx.profile b/etc/nyx.profile index ed39283b2..1ea33ac4d 100644 --- a/etc/nyx.profile +++ b/etc/nyx.profile | |||
@@ -6,14 +6,11 @@ include nyx.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PATH}/python2* | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python3* | 10 | include allow-python2.inc |
11 | noblacklist /usr/lib/python2* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python3* | ||
13 | 12 | ||
14 | noblacklist ${HOME}/.nyx | 13 | noblacklist ${HOME}/.nyx |
15 | mkdir ${HOME}/.nyx | ||
16 | whitelist ${HOME}/.nyx | ||
17 | 14 | ||
18 | include disable-common.inc | 15 | include disable-common.inc |
19 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc | |||
23 | include disable-programs.inc | 20 | include disable-programs.inc |
24 | include disable-xdg.inc | 21 | include disable-xdg.inc |
25 | 22 | ||
23 | mkdir ${HOME}/.nyx | ||
24 | whitelist ${HOME}/.nyx | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
26 | caps.drop all | 28 | caps.drop all |
27 | netfilter | 29 | netfilter |
28 | no3d | 30 | no3d |
diff --git a/etc/obs.profile b/etc/obs.profile index 1f02efc7f..038242cae 100644 --- a/etc/obs.profile +++ b/etc/obs.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${PICTURES} | |||
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile index ceeb59384..b2249f63b 100644 --- a/etc/ocenaudio.profile +++ b/etc/ocenaudio.profile | |||
@@ -24,7 +24,7 @@ ipc-namespace | |||
24 | # net none breaks AppArmor on Ubuntu systems | 24 | # net none breaks AppArmor on Ubuntu systems |
25 | netfilter | 25 | netfilter |
26 | no3d | 26 | no3d |
27 | # nodbus - breaks preferences, comment when needed | 27 | # nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed |
28 | nodbus | 28 | nodbus |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
@@ -39,12 +39,10 @@ shell none | |||
39 | tracelog | 39 | tracelog |
40 | 40 | ||
41 | # disable-mnt | 41 | # disable-mnt |
42 | # private | ||
43 | private-bin ocenaudio | 42 | private-bin ocenaudio |
44 | private-cache | 43 | private-cache |
45 | private-dev | 44 | private-dev |
46 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse |
47 | # private-lib | ||
48 | private-tmp | 46 | private-tmp |
49 | 47 | ||
50 | # memory-deny-write-execute - breaks on Arch | 48 | # memory-deny-write-execute - breaks on Arch |
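Review bot: The new comment on the nodbus line tells users to put the override in `oceanaudio.local`, but the profile is `ocenaudio.profile`, so by the project's `include <name>.local` convention the file it actually reads is presumably `ocenaudio.local`; a user following the comment as written creates a file that is never included. Change it to `# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your ocenaudio.local) when needed`.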
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile index 3ee78c59d..5bfcd0527 100644 --- a/etc/onionshare-gui.profile +++ b/etc/onionshare-gui.profile | |||
@@ -8,9 +8,7 @@ include globals.local | |||
8 | noblacklist ${HOME}/.config/onionshare | 8 | noblacklist ${HOME}/.config/onionshare |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python3* | ||
13 | noblacklist /usr/local/lib/python3* | ||
14 | 12 | ||
15 | include disable-common.inc | 13 | include disable-common.inc |
16 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/openshot.profile b/etc/openshot.profile index cfda1d0ce..0222243ed 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot | |||
10 | noblacklist ${HOME}/.openshot_qt | 10 | noblacklist ${HOME}/.openshot_qt |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/orage.profile b/etc/orage.profile index 2c55ab909..4e12892d6 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
@@ -24,7 +24,7 @@ nodvd | |||
24 | nogroups | 24 | nogroups |
25 | nonewprivs | 25 | nonewprivs |
26 | noroot | 26 | noroot |
27 | nosound | 27 | # nosound - calendar application, It must be able to play sound to wake you up. |
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | 30 | novideo |
diff --git a/etc/pandoc.profile b/etc/pandoc.profile new file mode 100644 index 000000000..687a31cc2 --- /dev/null +++ b/etc/pandoc.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for pandoc | ||
2 | # Description: general markup converter | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include pandoc.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${DOCUMENTS} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | # breaks pdf output | ||
21 | #include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodbus | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | disable-mnt | ||
44 | private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-tmp | ||
48 | |||
49 | memory-deny-write-execute | ||
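Review bot: The new profile has no `private-etc`, so the sandbox keeps a full view of the host's /etc even though every other namespace is narrowed (`private-bin`, `private-cache`, `private-dev`, `private-tmp`); the profile at the top of this chunk and most others in the series pin /etc down. A starting point consistent with the listed binaries would be `private-etc alternatives,fonts,ld.so.cache,texmf`, but the TeX configuration directory name varies by distribution, so confirm it against the `latex`/`pdflatex` wrappers before adding. The commented-out `whitelist-var-common.inc` on line 21 records its reason, which is the right pattern; if `private-etc` also turns out to need relaxing for PDF output, record that the same way.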
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 98dcce0b7..bd3592f48 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -9,11 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow access to java | 12 | # Allow java (blacklisted by disable-devel.inc) |
13 | noblacklist ${PATH}/java | 13 | include allow-java.inc |
14 | noblacklist /usr/lib/java | ||
15 | noblacklist /etc/java | ||
16 | noblacklist /usr/share/java | ||
17 | 14 | ||
18 | include disable-common.inc | 15 | include disable-common.inc |
19 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/picard.profile b/etc/picard.profile index b756ed629..15fc7a454 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz | |||
11 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index bdd5404f5..299f807af 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -6,11 +6,11 @@ include pidgin.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.purple | ||
10 | |||
11 | ignore noexec ${RUNUSER} | 9 | ignore noexec ${RUNUSER} |
12 | ignore noexec /dev/shm | 10 | ignore noexec /dev/shm |
13 | 11 | ||
12 | noblacklist ${HOME}/.purple | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/pithos.profile b/etc/pithos.profile index d6a0a7822..62050eb55 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
@@ -7,12 +7,8 @@ include pithos.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 83f5ccbb9..89a6a020b 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile | |||
@@ -10,12 +10,8 @@ include globals.local | |||
10 | noblacklist ${HOME}/.config/pitivi | 10 | noblacklist ${HOME}/.config/pitivi |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile index 2f287223b..03091af6d 100644 --- a/etc/playonlinux.profile +++ b/etc/playonlinux.profile | |||
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux | |||
16 | noblacklist ${PATH}/nc | 16 | noblacklist ${PATH}/nc |
17 | 17 | ||
18 | # Allow python (blacklisted by disable-interpreters.inc) | 18 | # Allow python (blacklisted by disable-interpreters.inc) |
19 | noblacklist ${PATH}/python2* | 19 | include allow-python2.inc |
20 | noblacklist ${PATH}/python3* | 20 | include allow-python3.inc |
21 | noblacklist /usr/lib/python2* | ||
22 | noblacklist /usr/lib/python3* | ||
23 | noblacklist /usr/local/lib/python2* | ||
24 | noblacklist /usr/local/lib/python3* | ||
25 | 21 | ||
26 | # Allow perl (blacklisted by disable-interpreters.inc) | 22 | # Allow perl (blacklisted by disable-interpreters.inc) |
27 | noblacklist ${PATH}/cpan* | 23 | include allow-perl.inc |
28 | noblacklist ${PATH}/core_perl | ||
29 | noblacklist ${PATH}/perl | ||
30 | noblacklist /usr/lib/perl* | ||
31 | noblacklist /usr/share/perl* | ||
32 | 24 | ||
33 | include disable-common.inc | 25 | include disable-common.inc |
34 | include disable-devel.inc | 26 | include disable-devel.inc |
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile index 28ab8caa6..3bce425d9 100644 --- a/etc/pybitmessage.profile +++ b/etc/pybitmessage.profile | |||
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin | |||
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index 1a6f171c8..0531aee4a 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.python-history | |||
10 | noblacklist ${HOME}/.pythonrc.py | 10 | noblacklist ${HOME}/.pythonrc.py |
11 | noblacklist ${HOME}/.java | 11 | noblacklist ${HOME}/.java |
12 | 12 | ||
13 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
14 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
15 | noblacklist /usr/lib/java | ||
16 | noblacklist /etc/java | ||
17 | noblacklist /usr/share/java | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index b0a6a0016..82e237d54 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc | |||
12 | noblacklist ${HOME}/.local/share/data/qBittorrent | 12 | noblacklist ${HOME}/.local/share/data/qBittorrent |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
@@ -61,4 +57,4 @@ private-dev | |||
61 | # private-lib - problems on Arch | 57 | # private-lib - problems on Arch |
62 | private-tmp | 58 | private-tmp |
63 | 59 | ||
64 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo | 60 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
diff --git a/etc/qgis.profile b/etc/qgis.profile new file mode 100644 index 000000000..70788b207 --- /dev/null +++ b/etc/qgis.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for qgis | ||
2 | # Description: GIS application | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include qgis.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/QGIS | ||
10 | noblacklist ${HOME}/.local/share/QGIS | ||
11 | noblacklist ${HOME}/.qgis2 | ||
12 | noblacklist ${DOCUMENTS} | ||
13 | |||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | mkdir ${HOME}/.local/share/QGIS | ||
26 | mkdir ${HOME}/.qgis2 | ||
27 | mkdir ${HOME}/.config/QGIS | ||
28 | whitelist ${HOME}/.local/share/QGIS | ||
29 | whitelist ${HOME}/.qgis2 | ||
30 | whitelist ${HOME}/.config/QGIS | ||
31 | whitelist ${DOCUMENTS} | ||
32 | include whitelist-common.inc | ||
33 | include whitelist-var-common.inc | ||
34 | |||
35 | caps.drop all | ||
36 | netfilter | ||
37 | machine-id | ||
38 | nodbus | ||
39 | nodvd | ||
40 | nogroups | ||
41 | nonewprivs | ||
42 | noroot | ||
43 | nosound | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | # blacklisting of mbind system calls breaks old version | ||
48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | ||
49 | protocol unix,inet,inet6,netlink | ||
50 | shell none | ||
51 | tracelog | ||
52 | |||
53 | disable-mnt | ||
54 | private-cache | ||
55 | private-dev | ||
56 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf | ||
57 | private-tmp | ||
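Review bot: The `private-etc` list on line 56 omits `ld.so.cache`, `hosts`, `nsswitch.conf` and `host.conf`, which the spotify profile later in this series includes alongside `resolv.conf`; with `netfilter` and inet protocols enabled, QGIS presumably fetches remote tile and WMS layers, so name resolution may fail inside the sandbox — confirm on a networked layer before merging. Separately, the hand-written `seccomp.drop` list on line 48 exists only to keep `mbind` allowed and will silently drift from firejail's default set as that set changes; if this firejail version supports the exclusion form, `seccomp !mbind` expresses the same intent in one maintained line, with the existing comment kept above it.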
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 41c84425b..e2a3c9c23 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss | |||
22 | mkdir ${HOME}/.config/QuiteRss | 22 | mkdir ${HOME}/.config/QuiteRss |
23 | mkdir ${HOME}/.local/share/data | 23 | mkdir ${HOME}/.local/share/data |
24 | mkdir ${HOME}/.local/share/data/QuiteRss | 24 | mkdir ${HOME}/.local/share/data/QuiteRss |
25 | mkdir ${HOME}/.local/share/QuiteRss | ||
26 | mkfile ${HOME}/quiterssfeeds.opml | ||
25 | whitelist ${HOME}/.cache/QuiteRss | 27 | whitelist ${HOME}/.cache/QuiteRss |
26 | whitelist ${HOME}/.config/QuiteRss/ | 28 | whitelist ${HOME}/.config/QuiteRss/ |
27 | whitelist ${HOME}/.config/QuiteRssrc | 29 | whitelist ${HOME}/.config/QuiteRssrc |
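Review bot: `mkfile ${HOME}/quiterssfeeds.opml` on new line 26 creates an empty file at the top level of the user's home on every launch, visible outside the sandbox and surprising to a user who never exports feeds. The matching `whitelist` for that path is not in this hunk, so confirm one exists; a comment such as `# quiterss writes its exported feed list here` next to the `mkfile` would explain the stray file to the next reader.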
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 1b23b2baf..954b1a3b4 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
@@ -15,6 +15,8 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.cache/qupzilla | ||
19 | mkdir ${HOME}/.config/qupzilla | ||
18 | whitelist ${DOWNLOADS} | 20 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.cache/qupzilla | 21 | whitelist ${HOME}/.cache/qupzilla |
20 | whitelist ${HOME}/.config/qupzilla | 22 | whitelist ${HOME}/.config/qupzilla |
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 9e3853a09..e556ecf1f 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -9,18 +9,13 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/qutebrowser | 9 | noblacklist ${HOME}/.cache/qutebrowser |
10 | noblacklist ${HOME}/.config/qutebrowser | 10 | noblacklist ${HOME}/.config/qutebrowser |
11 | noblacklist ${HOME}/.local/share/qutebrowser | 11 | noblacklist ${HOME}/.local/share/qutebrowser |
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | noblacklist ${PATH}/python2* | ||
15 | noblacklist ${PATH}/python3* | ||
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | |||
21 | # with >=llvm-4 mesa drivers need llvm stuff | 12 | # with >=llvm-4 mesa drivers need llvm stuff |
22 | noblacklist /usr/lib/llvm* | 13 | noblacklist /usr/lib/llvm* |
23 | 14 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python2.inc | ||
17 | include allow-python3.inc | ||
18 | |||
24 | include disable-common.inc | 19 | include disable-common.inc |
25 | include disable-devel.inc | 20 | include disable-devel.inc |
26 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
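--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger
 noblacklist ${HOME}/.nanorc
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 # Allow perl
-# noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc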
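Review bot: Replacing the expanded perl entries with `include allow-perl.inc` on new line 18 appears to widen what ranger may run: the old block kept `noblacklist ${PATH}/cpan*` commented out on purpose, whereas the expanded lists elsewhere in this series (playonlinux, spectre-meltdown-checker) contain `cpan*` and `core_perl`, so the shared include presumably does too. If cpan should stay blocked for a file manager, that needs an explicit decision rather than a side effect of the refactor; either restore the restriction after the include or extend the comment to `# Allow perl (blacklisted by disable-interpreters.inc) - cpan intentionally included` so the widening is recorded.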
diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 3cb30c459..fc770d62d 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile | |||
@@ -5,7 +5,6 @@ include ricochet.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/Ricochet | 8 | noblacklist ${HOME}/.local/share/Ricochet |
10 | 9 | ||
11 | include disable-common.inc | 10 | include disable-common.inc |
@@ -15,6 +14,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 15 | include disable-programs.inc |
17 | 16 | ||
17 | mkdir ${HOME}/.local/share/Ricochet | ||
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.local/share/Ricochet | 19 | whitelist ${HOME}/.local/share/Ricochet |
20 | include whitelist-common.inc | 20 | include whitelist-common.inc |
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile index c95bc3c3d..8170c62e7 100644 --- a/etc/rocketchat.profile +++ b/etc/rocketchat.profile | |||
@@ -7,6 +7,7 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Rocket.Chat | 8 | noblacklist ${HOME}/.config/Rocket.Chat |
9 | 9 | ||
10 | mkdir ${HOME}/.config/Rocket.Chat | ||
10 | whitelist ${HOME}/.config/Rocket.Chat | 11 | whitelist ${HOME}/.config/Rocket.Chat |
11 | include whitelist-common.inc | 12 | include whitelist-common.inc |
12 | 13 | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index d8dc7b0e0..c50e0861c 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS} | |||
27 | noblacklist ${PICTURES} | 27 | noblacklist ${PICTURES} |
28 | 28 | ||
29 | # Allow python (blacklisted by disable-interpreters.inc) | 29 | # Allow python (blacklisted by disable-interpreters.inc) |
30 | noblacklist ${PATH}/python2* | 30 | include allow-python2.inc |
31 | noblacklist ${PATH}/python3* | 31 | include allow-python3.inc |
32 | noblacklist /usr/lib/python2* | ||
33 | noblacklist /usr/lib/python3* | ||
34 | noblacklist /usr/local/lib/python2* | ||
35 | noblacklist /usr/local/lib/python3* | ||
36 | 32 | ||
37 | include disable-common.inc | 33 | include disable-common.inc |
38 | include disable-devel.inc | 34 | include disable-devel.inc |
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 485326fcc..176842c44 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -7,12 +7,8 @@ include sdat2img.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
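--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -32,6 +32,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -50,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 
 disable-mnt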
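Review bot: `shell none` on new line 54 replaces a line that recorded `causes gpg to hang`, but nothing in the hunk says what changed to make it safe now (a seahorse or gpg release, a different invocation path). A short trailing comment such as `shell none # gpg hang no longer reproduces as of <version>` would keep that history; otherwise the next person who sees gpg hang will not know this was already tried and reverted once. The first hunk is a blank-line addition only.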
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index d92c62a52..ca74efe68 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -18,6 +18,8 @@ include disable-programs.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.cache/mozilla | 19 | mkdir ${HOME}/.cache/mozilla |
20 | mkdir ${HOME}/.mozilla | 20 | mkdir ${HOME}/.mozilla |
21 | mkdir ${HOME}/.pki | ||
22 | mkdir ${HOME}/.local/share/pki | ||
21 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
22 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | 24 | whitelist ${HOME}/.cache/gnome-mplayer/plugin |
23 | whitelist ${HOME}/.cache/mozilla | 25 | whitelist ${HOME}/.cache/mozilla |
diff --git a/etc/server.profile b/etc/server.profile index 686268a18..6e077ff84 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -9,12 +9,12 @@ include globals.local | |||
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
10 | # depending on your usage, you can enable some of the commands below: | 10 | # depending on your usage, you can enable some of the commands below: |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | noblacklist /sbin | 12 | noblacklist /sbin |
15 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
16 | # noblacklist /var/opt | 14 | # noblacklist /var/opt |
17 | 15 | ||
16 | blacklist /tmp/.X11-unix | ||
17 | |||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | # include disable-exec.inc | 20 | # include disable-exec.inc |
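--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -5,10 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/Signal
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -34,5 +37,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}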
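Review bot: `ignore noexec /tmp` on new line 8 carries no reason, while the parallel change in skypeforlinux records `# breaks Skype` above the same line; add `# breaks Signal` (or the actual symptom) so the relaxation is not later removed as stray. Since `private-tmp` is kept at line 39, the exec-capable /tmp is the sandbox's private mount rather than the host's, which bounds what the relaxation exposes; what else disable-exec.inc applies is outside this hunk, so the net effect versus the removed `noexec ${HOME}` should be confirmed against that include.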
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index ad200be37..eae7dada0 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -5,10 +5,14 @@ include skypeforlinux.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # breaks Skype | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/skypeforlinux | 11 | noblacklist ${HOME}/.config/skypeforlinux |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -28,6 +32,3 @@ disable-mnt | |||
28 | private-cache | 32 | private-cache |
29 | # private-dev - needs /dev/disk | 33 | # private-dev - needs /dev/disk |
30 | private-tmp | 34 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | # noexec /tmp - breaks Skype | ||
diff --git a/etc/slack.profile b/etc/slack.profile index ed76be373..53baf5f40 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -13,7 +13,6 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.config | ||
17 | mkdir ${HOME}/.config/Slack | 16 | mkdir ${HOME}/.config/Slack |
18 | whitelist ${HOME}/.config/Slack | 17 | whitelist ${HOME}/.config/Slack |
19 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
diff --git a/etc/slashem.profile b/etc/slashem.profile index 011698e1f..8c84180d7 100644 --- a/etc/slashem.profile +++ b/etc/slashem.profile | |||
@@ -6,7 +6,6 @@ include slashem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/games/slashem | 9 | noblacklist /var/games/slashem |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 5ae498ab2..0363a2475 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${MUSIC} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 4d6e80840..d875146de 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${MUSIC} | 9 | noblacklist ${MUSIC} |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile index 74582dd2f..edbe0e772 100644 --- a/etc/spectre-meltdown-checker.profile +++ b/etc/spectre-meltdown-checker.profile | |||
@@ -11,12 +11,8 @@ include globals.local | |||
11 | noblacklist ${PATH}/mount | 11 | noblacklist ${PATH}/mount |
12 | noblacklist ${PATH}/umount | 12 | noblacklist ${PATH}/umount |
13 | 13 | ||
14 | # Allow access to perl | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/cpan* | 15 | include allow-perl.inc |
16 | noblacklist ${PATH}/core_perl | ||
17 | noblacklist ${PATH}/perl | ||
18 | noblacklist /usr/lib/perl* | ||
19 | noblacklist /usr/share/perl* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 6f7f6ec85..2d5c4a48f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -5,15 +5,12 @@ include spotify.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | ||
9 | blacklist /lost+found | ||
10 | blacklist /sbin | ||
11 | blacklist /srv | ||
12 | |||
13 | noblacklist ${HOME}/.cache/spotify | 8 | noblacklist ${HOME}/.cache/spotify |
14 | noblacklist ${HOME}/.config/spotify | 9 | noblacklist ${HOME}/.config/spotify |
15 | noblacklist ${HOME}/.local/share/spotify | 10 | noblacklist ${HOME}/.local/share/spotify |
16 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
17 | include disable-common.inc | 14 | include disable-common.inc |
18 | include disable-devel.inc | 15 | include disable-devel.inc |
19 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity | |||
49 | private-dev | 46 | private-dev |
50 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies | 47 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies |
51 | private-opt spotify | 48 | private-opt spotify |
49 | private-srv none | ||
52 | private-tmp | 50 | private-tmp |
53 | 51 | ||
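Review bot: Dropping `blacklist /lost+found` and `blacklist /sbin` relies on disable-common.inc covering both, and the contents of that include are outside this hunk; confirm they are there, otherwise this commit quietly relaxes the profile rather than deduplicating it. `private-srv none` on new line 49 is the stronger replacement for the removed `blacklist /srv` and is the right direction. A short comment on the surviving `blacklist ${HOME}/.bashrc` line 12 would explain why this one blacklist stays while the others moved.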
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 8aafca8aa..9af747b62 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -6,12 +6,12 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
12 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
13 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile index a61038157..d5d7a17e4 100644 --- a/etc/start-tor-browser.desktop.profile +++ b/etc/start-tor-browser.desktop.profile | |||
@@ -3,7 +3,6 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include start-tor-browser.desktop.local | 4 | include start-tor-browser.desktop.local |
5 | 5 | ||
6 | |||
7 | noblacklist ${HOME}/.tor-browser-* | 6 | noblacklist ${HOME}/.tor-browser-* |
8 | noblacklist ${HOME}/.tor-browser_* | 7 | noblacklist ${HOME}/.tor-browser_* |
9 | 8 | ||
diff --git a/etc/steam.profile b/etc/steam.profile index 8f08b18f0..5ab600bfb 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -25,19 +25,12 @@ noblacklist /usr/lib/llvm* | |||
25 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work | 25 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work |
26 | noblacklist /sbin | 26 | noblacklist /sbin |
27 | 27 | ||
28 | # Allow access to java | 28 | # Allow java (blacklisted by disable-devel.inc) |
29 | noblacklist ${PATH}/java | 29 | include allow-java.inc |
30 | noblacklist /usr/lib/java | ||
31 | noblacklist /etc/java | ||
32 | noblacklist /usr/share/java | ||
33 | 30 | ||
34 | # Allow python (blacklisted by disable-interpreters.inc) | 31 | # Allow python (blacklisted by disable-interpreters.inc) |
35 | noblacklist ${PATH}/python2* | 32 | include allow-python2.inc |
36 | noblacklist ${PATH}/python3* | 33 | include allow-python3.inc |
37 | noblacklist /usr/lib/python2* | ||
38 | noblacklist /usr/lib/python3* | ||
39 | noblacklist /usr/local/lib/python2* | ||
40 | noblacklist /usr/local/lib/python3* | ||
41 | 34 | ||
42 | include disable-common.inc | 35 | include disable-common.inc |
43 | include disable-devel.inc | 36 | include disable-devel.inc |
diff --git a/etc/strings.profile b/etc/strings.profile index 0caecdf7b..ace0d9351 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -4,30 +4,43 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include strings.local | 5 | include strings.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
11 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
12 | 17 | ||
13 | ignore noroot | 18 | apparmor |
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
14 | net none | 22 | net none |
15 | no3d | 23 | no3d |
16 | nodbus | 24 | nodbus |
17 | nodvd | 25 | nodvd |
26 | nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
18 | nosound | 29 | nosound |
19 | notv | 30 | notv |
20 | nou2f | 31 | nou2f |
21 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
22 | shell none | 35 | shell none |
23 | tracelog | 36 | tracelog |
24 | 37 | ||
38 | #private | ||
25 | private-bin strings | 39 | private-bin strings |
26 | private-cache | 40 | private-cache |
27 | private-dev | 41 | private-dev |
28 | private-etc alternatives | 42 | private-etc alternatives |
29 | private-lib libfakeroot | 43 | private-lib libfakeroot |
44 | private-tmp | ||
30 | 45 | ||
31 | memory-deny-write-execute | 46 | memory-deny-write-execute |
32 | |||
33 | include default.profile | ||
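Review bot: `#noroot` at new line 28 replaces the old `ignore noroot` but carries no comment saying why root must be kept for strings, so a reader cannot tell whether it is a deliberate exception or a leftover from the template; tar (`#noroot` at its new line 30), unrar (new line 29) and uudeview (new line 26) have the same gap, while unzip enables `noroot` at its new line 32, and nothing on the page explains the asymmetry. `#private` at new line 38 is likewise commented out without a reason. The sysprof hunk shows the pattern to follow: a line such as `# <reason root is needed> - uncomment or put in strings.local if you don't need that` directly above the disabled option. Dropping `include default.profile` also means future hardening added to default.profile no longer reaches these profiles, which is presumably intended but worth stating once in the commit description.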
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile index c07131893..b55300c88 100644 --- a/etc/subdownloader.profile +++ b/etc/subdownloader.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader | |||
10 | noblacklist ${VIDEOS} | 10 | noblacklist ${VIDEOS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/surf.profile b/etc/surf.profile index 0504b5fe5..5f116fd0c 100644 --- a/etc/surf.profile +++ b/etc/surf.profile | |||
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.surf | 17 | mkdir ${HOME}/.surf |
18 | whitelist ${HOME}/.surf | ||
18 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | 21 | ||
diff --git a/etc/sysprof.profile b/etc/sysprof.profile index 3cfea5c5e..e978e03f2 100644 --- a/etc/sysprof.profile +++ b/etc/sysprof.profile | |||
@@ -24,7 +24,7 @@ no3d | |||
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | nonewprivs | 26 | nonewprivs |
27 | # Ubuntu 16.04 version needs root privileges - uncomment if you don't use that | 27 | # Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that |
28 | #noroot | 28 | #noroot |
29 | nosound | 29 | nosound |
30 | notv | 30 | notv |
diff --git a/etc/tar.profile b/etc/tar.profile index 14fc00d21..b6a874217 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -5,17 +5,19 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include tar.local | 6 | include tar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
13 | include disable-exec.inc | 14 | include disable-exec.inc |
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | 16 | include disable-passwdmgr.inc | |
16 | ignore noroot | 17 | include disable-programs.inc |
17 | 18 | ||
18 | apparmor | 19 | apparmor |
20 | caps.drop all | ||
19 | hostname tar | 21 | hostname tar |
20 | ipc-namespace | 22 | ipc-namespace |
21 | machine-id | 23 | machine-id |
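Review bot: `include disable-common.inc` and `include disable-programs.inc` at new lines 12 and 17 make every directory those files blacklist inaccessible to tar, so archiving a home directory will presumably now fail with permission errors on per-program config paths instead of including them; since that is a common use of tar, the change deserves either a comment here or a documented escape hatch (an `ignore` or `noblacklist` in tar.local). The effect cannot be confirmed on this page because the .inc contents are elsewhere, so it should be checked before merging. unrar, unzip and uudeview gain the same includes, but as extractors they are less likely to read those paths.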
@@ -24,10 +26,14 @@ no3d | |||
24 | nodbus | 26 | nodbus |
25 | nodvd | 27 | nodvd |
26 | nogroups | 28 | nogroups |
29 | nonewprivs | ||
30 | #noroot | ||
27 | nosound | 31 | nosound |
28 | notv | 32 | notv |
29 | nou2f | 33 | nou2f |
30 | novideo | 34 | novideo |
35 | protocol unix | ||
36 | seccomp | ||
31 | shell none | 37 | shell none |
32 | tracelog | 38 | tracelog |
33 | 39 | ||
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime | |||
39 | private-lib libfakeroot | 45 | private-lib libfakeroot |
40 | 46 | ||
41 | memory-deny-write-execute | 47 | memory-deny-write-execute |
42 | |||
43 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 48 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
44 | writable-var | 49 | writable-var |
45 | |||
46 | include default.profile | ||
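diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..16bf05cec
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,139 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+# - lines with one # are often used in profiles
+# - lines with two ## are only needed in special situations
+# - make the profile as restrictive as possible while still keeping the program useful
+# (e. g. a program that is unable to save user's work is considered a bad practice)
+# - dedicate some time (based on how complex the application is) to profile testing before raising
+# a pull request
+# - keep the sections structure, use a single empty line as a separator
+# - entries within sections are alphabetically sorted
+# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+# to not do this for essential utilities as this may *break* your OS! (related discussion:
+# https://github.com/netblue30/firejail/issues/2507)
+# - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+# HEADER
+# COMMENTS
+# IGNORES
+# NOBLACKLISTS
+# ALLOW INCLUDES
+# BLACKLISTS
+# DISABLE INCLUDES
+# MKDIRS
+# WHITELISTS
+# WHITELIST INCLUDES
+# OPTIONS (no*)
+# PRIVATE OPTIONS (disable-mnt, private-*)
+# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+# REDIRECT INCLUDES
+#
+# --- CUT HERE ---
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+# - launch binary with --private naming a sandbox
+# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+# - work with the program, do some configuration changes and save them, open new documents,
+# install plugins if they exists, etc
+# - join the sandbox with bash:
+# `firejail --join=test bash`
+# - look what has changed and use that information to populate blacklist and whitelist sections
+# `ls -aR`
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Sound: alsa,asound.conf,machine-id,openal,pulse
+# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+# GUIs: fonts
+# Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME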
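Review bot: `include allow-lua.inc` at new line 74 is the only allow include in the template that is not commented out, while the python, perl and java includes at lines 64–71 all start with `#`; a profile created by copying this template would therefore unconditionally re-enable the lua interpreters that disable-interpreters.inc is meant to block, even for programs that never use lua. It should read `#include allow-lua.inc` like its siblings, so the author opts in deliberately.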
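diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..0a0788e96
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,43 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# For more informations see profile.template
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional allow includes (if needed)
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+##mkfile PATH
+#whitelist PATH
+
+# Additional options (if needed)
+
+# Additional private-options (if needed)
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Additional special options (if needed)
+
+# Redirect
+include PROFILE.profile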
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt new file mode 100644 index 000000000..2464df9ee --- /dev/null +++ b/etc/templates/syscalls.txt | |||
@@ -0,0 +1,43 @@ | |||
1 | Hints for writing seccomp.drop lines | ||
2 | ==================================== | ||
3 | |||
4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | ||
5 | @module=delete_module,finit_module,init_module | ||
6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
7 | @reboot=kexec_file_load,kexec_load,reboot | ||
8 | @swap=swapoff,swapon | ||
9 | |||
10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
11 | |||
12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | ||
13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | ||
14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
15 | @resources=mbind,migrate_pages,move_pages,set_mempolicy | ||
16 | |||
17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
18 | |||
19 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace | ||
20 | |||
21 | @default-keep=execve,prctl | ||
22 | |||
23 | |||
24 | +---------+----------------+---------------+ | ||
25 | | @clock | @cpu-emulation | @default-keep | | ||
26 | | @module | @debug | | | ||
27 | | @raw-io | @obsolete | | | ||
28 | | @reboot | @resources | | | ||
29 | | @swap | | | | ||
30 | +---------+----------------+---------------+ | ||
31 | : : | ||
32 | +-------------+ : | ||
33 | | @privileged | : | ||
34 | +-------------+ : | ||
35 | : : | ||
36 | +----------+ : | ||
37 | | @default |........: | ||
38 | +----------+ | ||
39 | : | ||
40 | +----------------------+ | ||
41 | | @default-nodebuggers | | ||
42 | +----------------------+ | ||
43 | |||
diff --git a/etc/terasology.profile b/etc/terasology.profile index 43865b6fb..2a7212395 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -5,17 +5,17 @@ include terasology.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.java | 10 | noblacklist ${HOME}/.java |
9 | noblacklist ${HOME}/.local/share/terasology | 11 | noblacklist ${HOME}/.local/share/terasology |
10 | 12 | ||
11 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 15 | ||
17 | include disable-common.inc | 16 | include disable-common.inc |
18 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
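Review bot: `ignore noexec /tmp` at new line 8 undoes part of the `include disable-exec.inc` added at new line 18 but gives no reason, so nobody later can tell what breaks if it is removed; a comment such as `# presumably needed for native libraries the game unpacks into /tmp - confirm` on the line above would capture that. Because the profile also sets `private-tmp` (visible as context in the second hunk), the executable /tmp is the sandbox's private one rather than the shared host directory, which limits the exposure and is worth stating next to the ignore as well. The removed `noexec ${HOME}` at old line 50 is presumably now supplied by disable-exec.inc, but that file's contents are not on this page, so confirm ${HOME} is still noexec after the change.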
@@ -46,5 +46,3 @@ disable-mnt | |||
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies | 47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies |
48 | private-tmp | 48 | private-tmp |
49 | |||
50 | noexec ${HOME} | ||
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index c7c810cda..ff4a85871 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser | |||
12 | noblacklist ${HOME}/.local/share/torbrowser | 12 | noblacklist ${HOME}/.local/share/torbrowser |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/transgui.profile b/etc/transgui.profile index 8043bfa01..0d09cef87 100644 --- a/etc/transgui.profile +++ b/etc/transgui.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # Description: Cross-platform Transmission BitTorrent client | 2 | # Description: Cross-platform Transmission BitTorrent client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/transgui.local | 5 | include transgui.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile index c67200826..9a6052ada 100644 --- a/etc/transmission-daemon.profile +++ b/etc/transmission-daemon.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for transmission-daemon | 1 | # Firejail profile for transmission-daemon |
2 | # Description: Fast, easy and free BitTorrent client (daemon) | 2 | # Description: Fast, easy and free BitTorrent client (daemon) |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile index 3e3ad1a07..7b7a47f14 100644 --- a/etc/transmission-remote-cli.profile +++ b/etc/transmission-remote-cli.profile | |||
@@ -8,12 +8,8 @@ include transmission-remote-cli.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python2* | 11 | include allow-python2.inc |
12 | noblacklist ${PATH}/python3* | 12 | include allow-python3.inc |
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
17 | 13 | ||
18 | mkdir ${HOME}/.cache/transmission | 14 | mkdir ${HOME}/.cache/transmission |
19 | mkdir ${HOME}/.config/transmission | 15 | mkdir ${HOME}/.config/transmission |
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 1b657d083..3111a1e22 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.tuxguitar* | |||
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${MUSIC} | 12 | noblacklist ${MUSIC} |
13 | 13 | ||
14 | # Allow access to java | 14 | # Allow java (blacklisted by disable-devel.inc) |
15 | noblacklist ${PATH}/java | 15 | include allow-java.inc |
16 | noblacklist /usr/lib/java | ||
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 16 | ||
20 | include disable-common.inc | 17 | include disable-common.inc |
21 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 6e4b5ed1c..8e7a4a8a8 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -6,11 +6,11 @@ include unbound.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/unrar.profile b/etc/unrar.profile index 7fe37f061..5b55f30d2 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -5,21 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unrar.local | 6 | include unrar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
13 | hostname unrar | 20 | hostname unrar |
14 | ignore noroot | 21 | ipc-namespace |
22 | machine-id | ||
15 | net none | 23 | net none |
16 | no3d | 24 | no3d |
17 | nodbus | 25 | nodbus |
18 | nodvd | 26 | nodvd |
27 | #nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
19 | nosound | 30 | nosound |
20 | notv | 31 | notv |
21 | nou2f | 32 | nou2f |
22 | novideo | 33 | novideo |
34 | protocol unix | ||
35 | seccomp | ||
23 | shell none | 36 | shell none |
24 | tracelog | 37 | tracelog |
25 | 38 | ||
@@ -27,5 +40,3 @@ private-bin unrar | |||
27 | private-dev | 40 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 41 | private-etc alternatives,passwd,group,localtime |
29 | private-tmp | 42 | private-tmp |
30 | |||
31 | include default.profile | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index be6b6c321..79b41f9d8 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -5,29 +5,41 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unzip.local | 6 | include unzip.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | 9 | |
10 | # GNOME Shell integration (chrome-gnome-shell) | ||
11 | noblacklist ${HOME}/.local/share/gnome-shell | ||
10 | 12 | ||
11 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
12 | 14 | ||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | caps.drop all | ||
13 | hostname unzip | 23 | hostname unzip |
14 | ignore noroot | 24 | ipc-namespace |
25 | machine-id | ||
15 | net none | 26 | net none |
16 | no3d | 27 | no3d |
17 | nodbus | 28 | nodbus |
18 | nodvd | 29 | nodvd |
30 | #nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
19 | nosound | 33 | nosound |
20 | notv | 34 | notv |
21 | nou2f | 35 | nou2f |
22 | novideo | 36 | novideo |
37 | protocol unix | ||
38 | seccomp | ||
23 | shell none | 39 | shell none |
24 | tracelog | 40 | tracelog |
25 | 41 | ||
26 | private-bin unzip | 42 | private-bin unzip |
43 | private-cache | ||
27 | private-dev | 44 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 45 | private-etc alternatives,passwd,group,localtime |
29 | |||
30 | # GNOME Shell integration (chrome-gnome-shell) | ||
31 | noblacklist ${HOME}/.local/share/gnome-shell | ||
32 | |||
33 | include default.profile | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 859656fa5..53fad0ba5 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -5,18 +5,31 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include uudeview.local | 6 | include uudeview.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | |||
17 | caps.drop all | ||
11 | hostname uudeview | 18 | hostname uudeview |
12 | ignore noroot | 19 | ipc-namespace |
20 | machine-id | ||
13 | net none | 21 | net none |
14 | nodbus | 22 | nodbus |
15 | nodvd | 23 | nodvd |
24 | #nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
16 | nosound | 27 | nosound |
17 | notv | 28 | notv |
18 | nou2f | 29 | nou2f |
19 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
20 | shell none | 33 | shell none |
21 | tracelog | 34 | tracelog |
22 | 35 | ||
@@ -24,5 +37,3 @@ private-bin uudeview | |||
24 | private-cache | 37 | private-cache |
25 | private-dev | 38 | private-dev |
26 | private-etc alternatives,ld.so.preload | 39 | private-etc alternatives,ld.so.preload |
27 | |||
28 | include default.profile | ||
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index dbee819cd..d4e54235b 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg | |||
10 | noblacklist ${HOME}/.local/share/uzbl | 10 | noblacklist ${HOME}/.local/share/uzbl |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index f9fb1cefe..943719e75 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -6,12 +6,12 @@ include viewnior.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.Steam | 9 | noblacklist ${HOME}/.Steam |
12 | noblacklist ${HOME}/.config/viewnior | 10 | noblacklist ${HOME}/.config/viewnior |
13 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 143ac4f63..d577932e3 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -6,10 +6,10 @@ include w3m.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.w3m | 9 | noblacklist ${HOME}/.w3m |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/wget.profile b/etc/wget.profile index a7ef32e2c..ff10b2316 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -7,11 +7,11 @@ include wget.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.wget-hsts | 10 | noblacklist ${HOME}/.wget-hsts |
13 | noblacklist ${HOME}/.wgetrc | 11 | noblacklist ${HOME}/.wgetrc |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile index 3953de614..7c545d08f 100644 --- a/etc/wire-desktop.profile +++ b/etc/wire-desktop.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | mkdir ${HOME}/.config/Wire | 16 | mkdir ${HOME}/.config/Wire |
17 | whitelist ${HOME}/.config/Wire | 17 | whitelist ${HOME}/.config/Wire |
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | |||
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
21 | 20 | ||
22 | caps.drop all | 21 | caps.drop all |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 9b9757cd5..b44eae128 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark | |||
10 | noblacklist ${HOME}/.wireshark | 10 | noblacklist ${HOME}/.wireshark |
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | 12 | ||
13 | # Wireshark can use Lua for scripting | 13 | # Allow lua (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/lua* | 14 | include allow-lua.inc |
15 | noblacklist /usr/lib/lua | ||
16 | noblacklist /usr/include/lua* | ||
17 | noblacklist /usr/share/lua | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/xed.profile b/etc/xed.profile index cce0432a4..9a7806b19 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/xed | |||
9 | noblacklist ${HOME}/.pythonrc.py | 9 | noblacklist ${HOME}/.pythonrc.py |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 33056395e..043e513bd 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -6,11 +6,11 @@ include xiphos.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.sword | 9 | noblacklist ${HOME}/.sword |
12 | noblacklist ${HOME}/.xiphos | 10 | noblacklist ${HOME}/.xiphos |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -18,6 +18,8 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.sword | ||
22 | mkdir ${HOME}/.xiphos | ||
21 | whitelist ${HOME}/.sword | 23 | whitelist ${HOME}/.sword |
22 | whitelist ${HOME}/.xiphos | 24 | whitelist ${HOME}/.xiphos |
23 | include whitelist-common.inc | 25 | include whitelist-common.inc |
diff --git a/etc/xlinks.profile b/etc/xlinks.profile new file mode 100644 index 000000000..ad1511791 --- /dev/null +++ b/etc/xlinks.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for xlinks | ||
2 | # Description: Text WWW browser (X11) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include xlinks.local | ||
6 | |||
7 | noblacklist /tmp/.X11-unix | ||
8 | noblacklist ${HOME}/.links | ||
9 | |||
10 | include whitelist-common.inc | ||
11 | |||
12 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | ||
13 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
14 | private-bin xlinks | ||
15 | private-etc fonts | ||
16 | |||
17 | # Redirect | ||
18 | include links.profile | ||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index b4932c99e..5f4e3bf4c 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${MUSIC} | |||
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/xpra.profile b/etc/xpra.profile index d967c1da2..dc8d7a665 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -8,21 +8,15 @@ include globals.local | |||
8 | 8 | ||
9 | # | 9 | # |
10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: | 11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: |
12 | # | 12 | # |
13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra | 13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra |
14 | # | 14 | # |
15 | # or run "sudo firecfg" | 15 | # or run "sudo firecfg" |
16 | 16 | ||
17 | blacklist /media | ||
18 | |||
19 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
20 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
21 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
22 | noblacklist /usr/lib/python2* | ||
23 | noblacklist /usr/lib/python3* | ||
24 | noblacklist /usr/local/lib/python2* | ||
25 | noblacklist /usr/local/lib/python3* | ||
26 | 20 | ||
27 | include disable-common.inc | 21 | include disable-common.inc |
28 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -49,6 +43,7 @@ protocol unix | |||
49 | seccomp | 43 | seccomp |
50 | shell none | 44 | shell none |
51 | 45 | ||
46 | disable-mnt | ||
52 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
53 | # private | 48 | # private |
54 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a1f265c1e..3adaa557c 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -5,23 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include xzdec.local | 6 | include xzdec.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
13 | ignore noroot | 12 | include disable-common.inc |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
14 | net none | 22 | net none |
15 | no3d | 23 | no3d |
16 | nodbus | 24 | nodbus |
17 | nodvd | 25 | nodvd |
26 | #nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
18 | nosound | 29 | nosound |
19 | notv | 30 | notv |
20 | nou2f | 31 | nou2f |
21 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
22 | shell none | 35 | shell none |
23 | tracelog | 36 | tracelog |
24 | 37 | ||
25 | private-dev | 38 | private-dev |
26 | |||
27 | include default.profile | ||
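Review bot: The new `#nogroups` and `#noroot` lines are left commented out without a reason, even though the previous version's `ignore noroot` shows the breakage was already known; a short comment such as `# noroot and nogroups break xzdec on <distro/issue placeholder>` would stop the next maintainer from re-enabling them blindly. Since `include default.profile` is dropped, everything that include used to supply must now be spelled out here; the new lines add the disable-*.inc set, caps.drop, nonewprivs, protocol and seccomp, but confirm against default.profile that nothing else it provided has been lost, as its contents are not visible in this diff.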
diff --git a/etc/yelp.profile b/etc/yelp.profile new file mode 100644 index 000000000..66f094e1d --- /dev/null +++ b/etc/yelp.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for yelp | ||
2 | # Description: Help browser for the GNOME desktop | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include yelp.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/yelp | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/yelp | ||
20 | whitelist ${HOME}/.config/yelp | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | net none | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | |||
39 | disable-mnt | ||
40 | private-bin yelp | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml | ||
44 | private-tmp | ||
45 | |||
46 | # read-only ${HOME} breaks some not necesarry featrues, comment it if | ||
47 | # you need them or put 'ignore read-only ${HOME}' into your yelp.local. | ||
48 | # broken features: | ||
49 | # 1. yelp --editor-mode | ||
50 | # 2. saving the window geometry | ||
51 | read-only ${HOME} | ||
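Review bot: The closing comment has two typos, `necesarry featrues`, that will ship in every installed copy of the profile; the line should read `# read-only ${HOME} breaks some not necessary features, comment it if`. The comment otherwise documents the trade-off well, including the `ignore read-only ${HOME}` escape hatch for yelp.local, so only the spelling needs fixing.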
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 621ffb2b0..1c2bad51c 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -7,20 +7,16 @@ include youtube-dl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # breaks when installed via pip | ||
11 | ignore noexec ${HOME} | ||
12 | |||
10 | noblacklist ${HOME}/.netrc | 13 | noblacklist ${HOME}/.netrc |
11 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
12 | noblacklist ${VIDEOS} | 15 | noblacklist ${VIDEOS} |
13 | 16 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | |||
22 | # breaks when installed via pip | ||
23 | ignore noexec ${HOME} | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile index dc3164da1..0598ea18d 100644 --- a/etc/zaproxy.profile +++ b/etc/zaproxy.profile | |||
@@ -9,11 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
10 | noblacklist ${HOME}/.ZAP | 10 | noblacklist ${HOME}/.ZAP |
11 | 11 | ||
12 | # Allow access to java | 12 | # Allow java (blacklisted by disable-devel.inc) |
13 | noblacklist ${PATH}/java | 13 | include allow-java.inc |
14 | noblacklist /usr/lib/java | ||
15 | noblacklist /etc/java | ||
16 | noblacklist /usr/share/java | ||
17 | 14 | ||
18 | include disable-common.inc | 15 | include disable-common.inc |
19 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,6 +19,7 @@ include disable-interpreters.inc | |||
22 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 20 | include disable-programs.inc |
24 | 21 | ||
22 | mkdir ${HOME}/.java | ||
25 | mkdir ${HOME}/.ZAP | 23 | mkdir ${HOME}/.ZAP |
26 | whitelist ${HOME}/.java | 24 | whitelist ${HOME}/.java |
27 | whitelist ${HOME}/.ZAP | 25 | whitelist ${HOME}/.ZAP |
diff --git a/etc/zoom.profile b/etc/zoom.profile index 456b197f3..6d312aff6 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -13,6 +13,8 @@ include disable-devel.inc | |||
13 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.cache/zoom | ||
17 | mkfile ${HOME}/.config/zoomus.conf | ||
16 | mkdir ${HOME}/.zoom | 18 | mkdir ${HOME}/.zoom |
17 | whitelist ${HOME}/.cache/zoom | 19 | whitelist ${HOME}/.cache/zoom |
18 | whitelist ${HOME}/.config/zoomus.conf | 20 | whitelist ${HOME}/.config/zoomus.conf |
diff --git a/etc/zpaq.profile b/etc/zpaq.profile index 6d4501e4f..6bf3605eb 100644 --- a/etc/zpaq.profile +++ b/etc/zpaq.profile | |||
@@ -10,6 +10,5 @@ include zpaq.local | |||
10 | # mdwx breaks 'list' functionality | 10 | # mdwx breaks 'list' functionality |
11 | ignore memory-deny-write-execute | 11 | ignore memory-deny-write-execute |
12 | 12 | ||
13 | |||
14 | # Redirect | 13 | # Redirect |
15 | include cpio.profile | 14 | include cpio.profile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 65605edb3..d21abbc9a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -132,7 +132,6 @@ deluge | |||
132 | devhelp | 132 | devhelp |
133 | dex2jar | 133 | dex2jar |
134 | dia | 134 | dia |
135 | dig | ||
136 | digikam | 135 | digikam |
137 | dillo | 136 | dillo |
138 | dino | 137 | dino |
@@ -187,8 +186,8 @@ firefox-developer-edition | |||
187 | firefox-esr | 186 | firefox-esr |
188 | firefox-nightly | 187 | firefox-nightly |
189 | firefox-wayland | 188 | firefox-wayland |
190 | flameshot | ||
191 | flacsplt | 189 | flacsplt |
190 | flameshot | ||
192 | flashpeak-slimjet | 191 | flashpeak-slimjet |
193 | flowblade | 192 | flowblade |
194 | font-manager | 193 | font-manager |
@@ -306,6 +305,8 @@ kid3 | |||
306 | kid3-cli | 305 | kid3-cli |
307 | kid3-qt | 306 | kid3-qt |
308 | kino | 307 | kino |
308 | klatexformula | ||
309 | klatexformula_cmdl | ||
309 | klavaro | 310 | klavaro |
310 | kmail | 311 | kmail |
311 | knotes | 312 | knotes |
@@ -315,6 +316,7 @@ kopete | |||
315 | krita | 316 | krita |
316 | # krunner | 317 | # krunner |
317 | ktorrent | 318 | ktorrent |
319 | ktouch | ||
318 | # kwin_x11 | 320 | # kwin_x11 |
319 | kwrite | 321 | kwrite |
320 | leafpad | 322 | leafpad |
@@ -322,6 +324,7 @@ less | |||
322 | libreoffice | 324 | libreoffice |
323 | liferea | 325 | liferea |
324 | lincity-ng | 326 | lincity-ng |
327 | links | ||
325 | linphone | 328 | linphone |
326 | lmms | 329 | lmms |
327 | lobase | 330 | lobase |
@@ -422,6 +425,7 @@ opera-beta | |||
422 | orage | 425 | orage |
423 | ostrichriders | 426 | ostrichriders |
424 | palemoon | 427 | palemoon |
428 | pandoc | ||
425 | parole | 429 | parole |
426 | patch | 430 | patch |
427 | pavucontrol | 431 | pavucontrol |
@@ -450,6 +454,7 @@ pybitmessage | |||
450 | # pycharm-professional | 454 | # pycharm-professional |
451 | qbittorrent | 455 | qbittorrent |
452 | qemu-launcher | 456 | qemu-launcher |
457 | qgis | ||
453 | qlipper | 458 | qlipper |
454 | qmmp | 459 | qmmp |
455 | qpdfview | 460 | qpdfview |
@@ -622,6 +627,7 @@ xfce4-dict | |||
622 | xfce4-mixer | 627 | xfce4-mixer |
623 | xfce4-notes | 628 | xfce4-notes |
624 | xiphos | 629 | xiphos |
630 | xlinks | ||
625 | xmms | 631 | xmms |
626 | xmr-stak | 632 | xmr-stak |
627 | xonotic | 633 | xonotic |
@@ -637,6 +643,7 @@ xreader-previewer | |||
637 | xreader-thumbnailer | 643 | xreader-thumbnailer |
638 | xviewer | 644 | xviewer |
639 | yandex-browser | 645 | yandex-browser |
646 | yelp | ||
640 | youtube-dl | 647 | youtube-dl |
641 | zaproxy | 648 | zaproxy |
642 | zart | 649 | zart |
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index e847719cf..71e5d625d 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h | |||
@@ -17,6 +17,8 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #ifndef FIRECFG_H | ||
21 | #define FIRECFG_H | ||
20 | #define _GNU_SOURCE | 22 | #define _GNU_SOURCE |
21 | #include <stdio.h> | 23 | #include <stdio.h> |
22 | #include <sys/types.h> | 24 | #include <sys/types.h> |
@@ -48,3 +50,5 @@ void sound(void); | |||
48 | 50 | ||
49 | // desktop_files.c | 51 | // desktop_files.c |
50 | void fix_desktop_files(char *homedir); | 52 | void fix_desktop_files(char *homedir); |
53 | |||
54 | #endif | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e0f3a6a16..fd6cb9ff2 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -283,6 +283,7 @@ extern int arg_private_srv; // private srv directory | |||
283 | extern int arg_private_bin; // private bin directory | 283 | extern int arg_private_bin; // private bin directory |
284 | extern int arg_private_tmp; // private tmp directory | 284 | extern int arg_private_tmp; // private tmp directory |
285 | extern int arg_private_lib; // private lib directory | 285 | extern int arg_private_lib; // private lib directory |
286 | extern int arg_private_cwd; // private working directory | ||
286 | extern int arg_scan; // arp-scan all interfaces | 287 | extern int arg_scan; // arp-scan all interfaces |
287 | extern int arg_whitelist; // whitelist command | 288 | extern int arg_whitelist; // whitelist command |
288 | extern int arg_nosound; // disable sound | 289 | extern int arg_nosound; // disable sound |
@@ -315,6 +316,7 @@ extern int arg_notv; // --notv | |||
315 | extern int arg_nodvd; // --nodvd | 316 | extern int arg_nodvd; // --nodvd |
316 | extern int arg_nou2f; // --nou2f | 317 | extern int arg_nou2f; // --nou2f |
317 | extern int arg_nodbus; // -nodbus | 318 | extern int arg_nodbus; // -nodbus |
319 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | ||
318 | 320 | ||
319 | extern int login_shell; | 321 | extern int login_shell; |
320 | extern int parent_to_child_fds[2]; | 322 | extern int parent_to_child_fds[2]; |
@@ -521,6 +523,8 @@ void fs_private(void); | |||
521 | void fs_private_homedir(void); | 523 | void fs_private_homedir(void); |
522 | // check new private home directory (--private= option) - exit if it fails | 524 | // check new private home directory (--private= option) - exit if it fails |
523 | void fs_check_private_dir(void); | 525 | void fs_check_private_dir(void); |
526 | // check new private working directory (--private-cwd= option) - exit if it fails | ||
527 | void fs_check_private_cwd(const char *dir); | ||
524 | void fs_private_home_list(void); | 528 | void fs_private_home_list(void); |
525 | 529 | ||
526 | 530 | ||
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b44d09acc..3f6d78db4 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -370,6 +370,21 @@ void fs_check_private_dir(void) { | |||
370 | } | 370 | } |
371 | } | 371 | } |
372 | 372 | ||
373 | // check new private working directory (--private-cwd= option) - exit if it fails | ||
374 | void fs_check_private_cwd(const char *dir) { | ||
375 | EUID_ASSERT(); | ||
376 | invalid_filename(dir, 0); // no globbing | ||
377 | |||
378 | // Expand the working directory | ||
379 | cfg.cwd = expand_macros(dir); | ||
380 | |||
381 | // realpath/is_dir not used because path may not exist outside of jail | ||
382 | if (strstr(cfg.cwd, "..")) { | ||
383 | fprintf(stderr, "Error: invalid private working directory\n"); | ||
384 | exit(1); | ||
385 | } | ||
386 | } | ||
387 | |||
373 | //*********************************************************************************** | 388 | //*********************************************************************************** |
374 | // --private-home | 389 | // --private-home |
375 | //*********************************************************************************** | 390 | //*********************************************************************************** |
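Review bot: The `strstr(cfg.cwd, "..")` test in fs_check_private_cwd is a substring match, so it rejects legitimate names such as `/srv/a..b` while still accepting a relative value like `tmp/work`, which the later chdir() in sandbox() would resolve against whatever working directory the sandbox process happens to have at that point. Requiring an absolute path and rejecting `..` only as a whole component is tighter, e.g. `if (*cfg.cwd != '/' || strstr(cfg.cwd, "/../") || strncmp(cfg.cwd, "../", 3) == 0) {` together with a check for a trailing `/..`. It is not visible here whether invalid_filename() already enforces either rule, so confirm before duplicating it. Note also that cfg.cwd is overwritten unconditionally, so a value set by an earlier option or profile line is dropped without being freed; harmless if the function runs once per invocation, but worth a comment.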
diff --git a/src/firejail/main.c b/src/firejail/main.c index f3dc72944..c50ed4dc4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -92,6 +92,7 @@ int arg_private_srv = 0; // private srv directory | |||
92 | int arg_private_bin = 0; // private bin directory | 92 | int arg_private_bin = 0; // private bin directory |
93 | int arg_private_tmp = 0; // private tmp directory | 93 | int arg_private_tmp = 0; // private tmp directory |
94 | int arg_private_lib = 0; // private lib directory | 94 | int arg_private_lib = 0; // private lib directory |
95 | int arg_private_cwd = 0; // private working directory | ||
95 | int arg_scan = 0; // arp-scan all interfaces | 96 | int arg_scan = 0; // arp-scan all interfaces |
96 | int arg_whitelist = 0; // whitelist command | 97 | int arg_whitelist = 0; // whitelist command |
97 | int arg_nosound = 0; // disable sound | 98 | int arg_nosound = 0; // disable sound |
@@ -125,6 +126,7 @@ int arg_notv = 0; // --notv | |||
125 | int arg_nodvd = 0; // --nodvd | 126 | int arg_nodvd = 0; // --nodvd |
126 | int arg_nodbus = 0; // -nodbus | 127 | int arg_nodbus = 0; // -nodbus |
127 | int arg_nou2f = 0; // --nou2f | 128 | int arg_nou2f = 0; // --nou2f |
129 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | ||
128 | int login_shell = 0; | 130 | int login_shell = 0; |
129 | 131 | ||
130 | 132 | ||
@@ -630,6 +632,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
630 | else if (strncmp(argv[i], "--get=", 6) == 0) { | 632 | else if (strncmp(argv[i], "--get=", 6) == 0) { |
631 | if (checkcfg(CFG_FILE_TRANSFER)) { | 633 | if (checkcfg(CFG_FILE_TRANSFER)) { |
632 | logargs(argc, argv); | 634 | logargs(argc, argv); |
635 | if (arg_private_cwd) { | ||
636 | fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n"); | ||
637 | exit(1); | ||
638 | } | ||
633 | 639 | ||
634 | // verify path | 640 | // verify path |
635 | if ((i + 2) != argc) { | 641 | if ((i + 2) != argc) { |
@@ -654,6 +660,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
654 | else if (strncmp(argv[i], "--put=", 6) == 0) { | 660 | else if (strncmp(argv[i], "--put=", 6) == 0) { |
655 | if (checkcfg(CFG_FILE_TRANSFER)) { | 661 | if (checkcfg(CFG_FILE_TRANSFER)) { |
656 | logargs(argc, argv); | 662 | logargs(argc, argv); |
663 | if (arg_private_cwd) { | ||
664 | fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n"); | ||
665 | exit(1); | ||
666 | } | ||
657 | 667 | ||
658 | // verify path | 668 | // verify path |
659 | if ((i + 3) != argc) { | 669 | if ((i + 3) != argc) { |
@@ -684,6 +694,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
684 | else if (strncmp(argv[i], "--ls=", 5) == 0) { | 694 | else if (strncmp(argv[i], "--ls=", 5) == 0) { |
685 | if (checkcfg(CFG_FILE_TRANSFER)) { | 695 | if (checkcfg(CFG_FILE_TRANSFER)) { |
686 | logargs(argc, argv); | 696 | logargs(argc, argv); |
697 | if (arg_private_cwd) { | ||
698 | fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n"); | ||
699 | exit(1); | ||
700 | } | ||
687 | 701 | ||
688 | // verify path | 702 | // verify path |
689 | if ((i + 2) != argc) { | 703 | if ((i + 2) != argc) { |
@@ -1773,6 +1787,19 @@ int main(int argc, char **argv) { | |||
1773 | else | 1787 | else |
1774 | exit_err_feature("private-cache"); | 1788 | exit_err_feature("private-cache"); |
1775 | } | 1789 | } |
1790 | else if (strcmp(argv[i], "--private-cwd") == 0) { | ||
1791 | cfg.cwd = NULL; | ||
1792 | arg_private_cwd = 1; | ||
1793 | } | ||
1794 | else if (strncmp(argv[i], "--private-cwd=", 14) == 0) { | ||
1795 | if (*(argv[i] + 14) == '\0') { | ||
1796 | fprintf(stderr, "Error: invalid private-cwd option\n"); | ||
1797 | exit(1); | ||
1798 | } | ||
1799 | |||
1800 | fs_check_private_cwd(argv[i] + 14); | ||
1801 | arg_private_cwd = 1; | ||
1802 | } | ||
1776 | 1803 | ||
1777 | //************************************* | 1804 | //************************************* |
1778 | // hostname, etc | 1805 | // hostname, etc |
@@ -2275,6 +2302,9 @@ int main(int argc, char **argv) { | |||
2275 | return 1; | 2302 | return 1; |
2276 | } | 2303 | } |
2277 | } | 2304 | } |
2305 | else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { | ||
2306 | arg_deterministic_exit_code = 1; | ||
2307 | } | ||
2278 | else { | 2308 | else { |
2279 | // double dash - positional params to follow | 2309 | // double dash - positional params to follow |
2280 | if (strcmp(argv[i], "--") == 0) { | 2310 | if (strcmp(argv[i], "--") == 0) { |
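Review bot: The same four-line `arg_private_cwd` mutual-exclusion check is pasted into the `--get=`, `--put=` and `--ls=` branches of run_cmd_and_exit (the second, third and fourth hunks of this file); a small static helper taking the option name, e.g. `static void reject_private_cwd(const char *opt)` that prints the message and calls exit(1), would keep the three messages in step and make any future file-transfer option harder to miss. If run_cmd_and_exit is invoked once per argument in command-line order, the check only fires when `--private-cwd` precedes the transfer option, which seems acceptable but deserves a one-line comment at the first occurrence. run_cmd_and_exit and main both start and end outside the hunks shown.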
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c8619f7e2..99d83c16a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -338,7 +338,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
338 | arg_private = 1; | 338 | arg_private = 1; |
339 | return 0; | 339 | return 0; |
340 | } | 340 | } |
341 | if (strncmp(ptr, "private-home ", 13) == 0) { | 341 | else if (strncmp(ptr, "private-home ", 13) == 0) { |
342 | #ifdef HAVE_PRIVATE_HOME | 342 | #ifdef HAVE_PRIVATE_HOME |
343 | if (checkcfg(CFG_PRIVATE_HOME)) { | 343 | if (checkcfg(CFG_PRIVATE_HOME)) { |
344 | if (cfg.home_private_keep) { | 344 | if (cfg.home_private_keep) { |
@@ -353,6 +353,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
353 | #endif | 353 | #endif |
354 | return 0; | 354 | return 0; |
355 | } | 355 | } |
356 | else if (strcmp(ptr, "private-cwd") == 0) { | ||
357 | cfg.cwd = NULL; | ||
358 | arg_private_cwd = 1; | ||
359 | return 0; | ||
360 | } | ||
361 | else if (strncmp(ptr, "private-cwd ", 12) == 0) { | ||
362 | fs_check_private_cwd(ptr + 12); | ||
363 | arg_private_cwd = 1; | ||
364 | return 0; | ||
365 | } | ||
356 | else if (strcmp(ptr, "allusers") == 0) { | 366 | else if (strcmp(ptr, "allusers") == 0) { |
357 | arg_allusers = 1; | 367 | arg_allusers = 1; |
358 | return 0; | 368 | return 0; |
@@ -1301,6 +1311,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1301 | return 0; | 1311 | return 0; |
1302 | } | 1312 | } |
1303 | 1313 | ||
1314 | if (strcmp(ptr, "deterministic-exit-code") == 0) { | ||
1315 | arg_deterministic_exit_code = 1; | ||
1316 | return 0; | ||
1317 | } | ||
1318 | |||
1304 | // rest of filesystem | 1319 | // rest of filesystem |
1305 | if (strncmp(ptr, "blacklist ", 10) == 0) | 1320 | if (strncmp(ptr, "blacklist ", 10) == 0) |
1306 | ptr += 10; | 1321 | ptr += 10; |
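Review bot: The `private-cwd ` branch passes `ptr + 12` straight to fs_check_private_cwd without the empty-value check that main.c's `--private-cwd=` branch performs, so a profile line of `private-cwd ` followed only by whitespace would set cfg.cwd to an empty or macro-expanded-empty string and fail later inside the sandbox with a less helpful chdir error, unless the profile reader trims trailing whitespace before this point. Mirroring the command-line check keeps the two entry points consistent: `if (*(ptr + 12) == '\0') { fprintf(stderr, "Error: invalid private-cwd option\n"); exit(1); }`. profile_check_line starts and ends outside this section.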
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9f0a5f25c..2c5c5fc12 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) { | |||
271 | } | 271 | } |
272 | 272 | ||
273 | int status = 0; | 273 | int status = 0; |
274 | int app_status = 0; | ||
274 | while (monitored_pid) { | 275 | while (monitored_pid) { |
275 | usleep(20000); | 276 | usleep(20000); |
276 | char *msg; | 277 | char *msg; |
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) { | |||
295 | sleep(1); | 296 | sleep(1); |
296 | break; | 297 | break; |
297 | } | 298 | } |
299 | else if (rv == app_pid) | ||
300 | app_status = status; | ||
298 | 301 | ||
299 | // handle --timeout | 302 | // handle --timeout |
300 | if (options) { | 303 | if (options) { |
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) { | |||
352 | printf("Sandbox monitor: monitoring %d\n", monitored_pid); | 355 | printf("Sandbox monitor: monitoring %d\n", monitored_pid); |
353 | } | 356 | } |
354 | 357 | ||
355 | // return the latest exit status. | 358 | // return the appropriate exit status. |
356 | return status; | 359 | return arg_deterministic_exit_code ? app_status : status; |
357 | } | 360 | } |
358 | 361 | ||
359 | static void print_time(void) { | 362 | static void print_time(void) { |
@@ -1016,6 +1019,10 @@ int sandbox(void* sandbox_arg) { | |||
1016 | if (cfg.cwd) { | 1019 | if (cfg.cwd) { |
1017 | if (chdir(cfg.cwd) == 0) | 1020 | if (chdir(cfg.cwd) == 0) |
1018 | cwd = 1; | 1021 | cwd = 1; |
1022 | else if (arg_private_cwd) { | ||
1023 | fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno)); | ||
1024 | exit(1); | ||
1025 | } | ||
1019 | } | 1026 | } |
1020 | 1027 | ||
1021 | if (!cwd) { | 1028 | if (!cwd) { |
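Review bot: `app_status` is only assigned in the `rv == app_pid` branch, so when the first child is never reaped by that wait call (for example when the `--timeout` handling below kills it, or when it was collected elsewhere) the deterministic mode returns the initial 0 and firejail reports success for a run that may have failed. Tracking whether the pid was actually seen makes the fallback explicit, e.g. `int app_reaped = 0;` set next to `app_status = status;` and `return (arg_deterministic_exit_code && app_reaped) ? app_status : status;`. The comparison also assumes `rv` is the pid returned by the wait call above the hunk, which is outside the visible lines; monitor_application starts outside the first hunk and sandbox() extends beyond the last one.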
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 7620bba82..fbace7374 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -66,6 +66,7 @@ static char *usage_str = | |||
66 | #ifdef HAVE_NETWORK | 66 | #ifdef HAVE_NETWORK |
67 | " --defaultgw=address - configure default gateway.\n" | 67 | " --defaultgw=address - configure default gateway.\n" |
68 | #endif | 68 | #endif |
69 | " --deterministic-exit-code - always exit with first child's status code.\n" | ||
69 | " --dns=address - set DNS server.\n" | 70 | " --dns=address - set DNS server.\n" |
70 | " --dns.print=name|pid - print DNS configuration.\n" | 71 | " --dns.print=name|pid - print DNS configuration.\n" |
71 | " --env=name=value - set environment variable.\n" | 72 | " --env=name=value - set environment variable.\n" |
@@ -162,6 +163,8 @@ static char *usage_str = | |||
162 | " --private-etc=file,directory - build a new /etc in a temporary\n" | 163 | " --private-etc=file,directory - build a new /etc in a temporary\n" |
163 | "\tfilesystem, and copy the files and directories in the list.\n" | 164 | "\tfilesystem, and copy the files and directories in the list.\n" |
164 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 165 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
166 | " --private-cwd - do not inherit working directory inside jail.\n" | ||
167 | " --private-cwd=directory - set working directory inside jail.\n" | ||
165 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" | 168 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" |
166 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" | 169 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" |
167 | " --profile=filename|profile_name - use a custom profile.\n" | 170 | " --profile=filename|profile_name - use a custom profile.\n" |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index e5f1b6f9a..b3c435d9e 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -83,7 +83,9 @@ int find_child(int id) { | |||
83 | return i; | 83 | return i; |
84 | } | 84 | } |
85 | 85 | ||
86 | return -1; | 86 | // if a second child is not found, return the first child pid |
87 | // this happens for processes sandboxed with --join | ||
88 | return first_child; | ||
87 | } | 89 | } |
88 | 90 | ||
89 | // sleep and wait for a key to be pressed | 91 | // sleep and wait for a key to be pressed |
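Review bot: find_child now returns `first_child` where it used to return -1, so any caller that tested for -1 to detect "no sandboxed child" silently loses that signal and will act on the first child's pid instead; the callers are outside this section, so each one should be checked against the new value. The added comment explains the --join case but not the contract, so the function's header comment above the hunk should state it, e.g. `// returns the pid of the sandboxed application, or first_child when no second child exists (--join sandboxes)`. If `first_child` can itself be unset on the paths above, that failure is now indistinguishable from a normal return.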
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 67d7cfa4f..67c693dce 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -51,13 +51,13 @@ | |||
51 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" | 51 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" |
52 | 52 | ||
53 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" | 53 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" |
54 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed | 54 | #define RUN_SECCOMP_LIST (RUN_SECCOMP_DIR "/seccomp.list") // list of seccomp files installed |
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter | 55 | #define RUN_SECCOMP_PROTOCOL (RUN_SECCOMP_DIR "/seccomp.protocol") // protocol filter |
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter | 56 | #define RUN_SECCOMP_CFG (RUN_SECCOMP_DIR "/seccomp") // configured filter |
57 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures | 57 | #define RUN_SECCOMP_32 (RUN_SECCOMP_DIR "/seccomp.32") // 32bit arch filter installed on 64bit architectures |
58 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute | 58 | #define RUN_SECCOMP_MDWX (RUN_SECCOMP_DIR "/seccomp.mdwx") // filter for memory-deny-write-execute |
59 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter | 59 | #define RUN_SECCOMP_BLOCK_SECONDARY (RUN_SECCOMP_DIR "/seccomp.block_secondary") // secondary arch blocking filter |
60 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library | 60 | #define RUN_SECCOMP_POSTEXEC (RUN_SECCOMP_DIR "/seccomp.postexec") // filter for post-exec library |
61 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 61 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
62 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 62 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
63 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | 63 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
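--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,12 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
+\fBprivate-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.TP
+\fBprivate-cwd directory
+Set working directory inside the jail.
+.TP
 \fBread-only file_or_directory
 Make directory or file read-only.
 .TP
@@ -661,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
 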
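--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
@@ -1568,6 +1572,48 @@ drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
 
+.TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd
+.br
+$ pwd
+.br
+/home/user
+.br
+
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd=/opt
+.br
+$ pwd
+.br
+/opt
+.br
+
 
 .TP
 \fB\-\-profile=filename_or_profilename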
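--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"53"
+}
+after 100
+
+send -- "firejail --deterministic-exit-code\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"35"
+}
+after 100
+
+
+puts "\nall done\n"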
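Review bot: The two `({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)` lines (17 and 39) carry the whole premise of the test, yet nothing says why a detached child is needed; I would add above line 17 `# exit 35 is the first child's status; the detached sleep exits 53 later and, without --deterministic-exit-code, that later status is the one firejail reports`. Both halves also assume a bash-compatible shell on both sides of the sandbox: `&>` is bash syntax, so with a POSIX sh behind `spawn $env(SHELL)` the redirection is parsed differently and the child's status may no longer be the last one seen. The `"53"` and `"35"` patterns on lines 28 and 50 are unanchored substrings, so any output containing those digits (a PID, a prompt) would satisfy them; a line-anchored pattern such as `-re "\r\n53\r\n"` would be tighter, though the `after` delays make a false match unlikely in practice.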
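--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp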
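Review bot: The TESTING banner on new line 120 is missing its closing parenthesis, unlike every other banner in this file (line 117, for example); it should read `echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"`. The banner is only informational, but the suite's output is what a reader greps to map a failure back to its .exp file, so the format should stay uniform.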
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile index a57471604..a569edc6d 100644 --- a/test/environment/rlimit.profile +++ b/test/environment/rlimit.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | rlimit-fsize 1024 | 1 | rlimit-fsize 1024 |
2 | rlimit-nproc 1000 | 2 | rlimit-nproc 1000 |
3 | rlimit-nofile 500 | 3 | rlimit-nofile 500 |
4 | rlimit-sigpending 200 | 4 | rlimit-sigpending 200 |
5 | rlimit-as 123456789012 | 5 | rlimit-as 123456789012 |
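--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -69,6 +69,9 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 
+echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
+./private-cwd.exp
+
 echo "TESTING: macros (test/fs/macro.exp)"
 ./macro.exp
 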
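--- /dev/null
+++ b/test/fs/private-cwd.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "cd /tmp\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"$env(HOME)"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "cd /\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd=/tmp\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"/tmp"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"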
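Review bot: The comments on lines 13 and 34 both read `# testing profile and private`, which looks copied from another test and describes neither case; line 13 should say `# --private-cwd with no argument: working directory becomes $HOME` and line 34 `# --private-cwd=directory: working directory becomes the given path`. The error labels also jump from `TESTING ERROR 1` to `TESTING ERROR 3`, which reads as a removed step rather than intent. Note too that the `"$env(HOME)"` match on line 24 is an unanchored substring, so a prompt that already displays the full home path would satisfy it before `pwd` prints anything; the preceding expect and the `after 100` narrow that window but do not close it.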
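--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
 
 export MALLOC_CHECK_=3g
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
 
 
 for app in $LIST; do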