52 files changed, 991 insertions, 5 deletions
@@ -173,4 +173,9 @@ $ | |||
173 | 173 | ||
174 | ## New profiles: | 174 | ## New profiles: |
175 | 175 | ||
176 | terasology, surf, rocketchat, clamscan, dlamdscan, clamdtop, freshclam, xmr-stak-cpu | 176 | terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, |
177 | amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, | ||
178 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | ||
179 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | ||
180 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | ||
181 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart | ||
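--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile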
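--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp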
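Review bot: `whitelist ${HOME}/.ViberPC` on line 17 has no preceding `mkdir ${HOME}/.ViberPC`, unlike the akregator, dooble, google-earth and linphone profiles in this commit, which create a path with `mkdir`/`mkfile` before whitelisting it; on a first run where the directory does not exist yet, the whitelist entry most likely has nothing to bind and the application is left without a persistent place to write under the whitelisted home. Add `mkdir ${HOME}/.ViberPC` before line 16. The amule profile has the same gap for `${HOME}/.aMule`.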
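--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 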
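--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp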
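--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile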
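--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp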
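Review bot: `noblacklist ${HOME}/.lv2` and `noblacklist ${HOME}/.vst` on lines 11–12 re-expose user plugin directories, but `noexec ${HOME}` on line 36 mounts the home without exec permission, which also refuses PROT_EXEC mappings, so shared-object plugins under those paths will most likely fail to dlopen; either drop the `noexec ${HOME}` line for this profile or add a comment stating that only system-installed plugins are expected to work. Separately, the commented-out `#private-bin` and `#private-etc` on lines 31 and 33 carry no reason for being disabled; a one-line comment such as `# private-bin/private-etc disabled: <reason placeholder>` would keep the next maintainer from re-enabling them blindly. The same unexplained `#private-bin`/`#private-etc` lines appear in the cin, darktable, dia, fetchmail, inkscape, kdenlive, luminance-hdr and macrofusion sections of this commit.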
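--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev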
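Review bot: `noblacklist /opt/brackets/` and `noblacklist /opt/google/` on lines 9–10 come with no explanation, and a reader cannot tell from the profile why a code editor needs `/opt/google` re-exposed. Add a one-line comment above them, e.g. `# brackets ships its shell under /opt/brackets; /opt/google is needed for <reason placeholder>`. The omission of `disable-devel.inc` (present in every other full profile in this commit) is presumably deliberate for an editor, and a comment saying so would stop a later cleanup from "fixing" it.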
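--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp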
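Review bot: The profile restricts socket families with `protocol unix` on line 21 but sets no network directive at all — neither `net none` nor `netfilter` — whereas the other offline editors added in this commit (freecad, krita, lmms, cin) pair `protocol unix` with `net none`. Unless calligra genuinely needs the host network, add `net none` after `ipc-namespace` on line 14 so the sandbox is isolated at the namespace level and not only by the protocol filter. If the omission is intentional, a comment saying why would help.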
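--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile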
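--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile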
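--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile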
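--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile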
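--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile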
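--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile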
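--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile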
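--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile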
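--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp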
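Review bot: `notv` on line 21 is placed before `noroot` on line 22, breaking the alphabetical order that every other profile in this commit keeps for this block (`nonewprivs`, `noroot`, `nosound`, `notv`, `novideo`); swap the two lines so the block reads `noroot` then `notv`. It is only ordering, but the consistent order is what lets a reviewer spot a missing directive at a glance.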
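--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 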
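--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 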
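--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -124,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -188,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -212,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -410,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori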
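Review bot: Several of the new profiles in this commit `noblacklist` dotfiles that none of these hunks adds a `blacklist` for — `${HOME}/.linphonerc`, `${HOME}/.linphone-history.db`, `${HOME}/.lmmsrc.xml`, `${HOME}/.mpdconf`, `${HOME}/.bcast5`, `${HOME}/.config/ardour4` and `${HOME}/.config/ardour5` — while the hunks only add `.ViberPC`, `.aMule`, `.config/FreeCAD`, `.config/mfusion`, `.dooble`, `.imagej` and `.cache/INRIA/Natron`. If those paths are not already listed in parts of the file outside these hunks, the `noblacklist` lines are no-ops and the files (some of which hold account settings, e.g. `.linphonerc` and `.mpdconf`) remain readable from every other sandbox that includes this file. Either add the missing `blacklist` lines in sorted position or confirm they are present elsewhere in the file.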
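--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile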
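--- /dev/null
+++ b/etc/dooble.profile
@@ -0,0 +1,39 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble-qt4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp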
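Review bot: Line 4 includes `/etc/firejail/dooble-qt4.local`, but this file is `dooble.profile` and every other profile in the commit includes `<profile-name>.local`; since `dooble-qt4.profile` merely redirects here, the alias name has leaked into the main profile. Change it to `include /etc/firejail/dooble.local` so a user's `dooble.local` overrides are actually picked up. If users of the qt4 alias are also meant to have their own customizations, that would be a second include rather than a replacement.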
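--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,29 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin fetchmail,procmail,bash,chmod
+private-dev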
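Review bot: fetchmail reads its account credentials from `${HOME}/.fetchmailrc`, yet the profile neither `noblacklist`s nor whitelists that file (compare `noblacklist ${HOME}/.mpdconf` in the mpd profile), so whether the sandboxed process can read it depends entirely on what `disable-common.inc` and `disable-programs.inc` blacklist — worth confirming. If it is blacklisted there, add `noblacklist ${HOME}/.fetchmailrc` before line 9; if it is not, consider a `whitelist` of just that file plus the mail delivery path, since this is a network-facing process that currently sees the whole home directory. A comment stating which of the two holds would make the intent reviewable.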
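--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/FreeCAD
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp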
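--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/freecad.profile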
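--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,48 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
+private-dev
+
+noexec ${HOME}
+noexec /tmp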
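Review bot: `mkdir ${HOME}/.googleearth/Cache/` and `mkdir ${HOME}/.googleearth/Temp/` on lines 20–21 create subdirectories without first creating `${HOME}/.googleearth` itself; if firejail's `mkdir` does not create intermediate directories, both calls and the two `mkfile`s below them fail on a fresh home and the whitelist has nothing to expose — add `mkdir ${HOME}/.googleearth` before line 20, or confirm parent creation is implicit. The trailing slashes on lines 9–10, 20–21 and 25–26 are also inconsistent with every other path in this commit and can be dropped. `whitelist ${HOME}/.config/Google` on line 24 exposes a directory that `disable-programs.inc` blacklists for every program, so a short comment on what google-earth keeps there would help readers judge the scope.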
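--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
 
+private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
 private-tmp
 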
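Review bot: The new `private-bin` list on line 28 ends with `enblend` but, as far as I know, omits `enfuse`, the companion tool from the same package that hugin invokes for exposure fusion; if that workflow is expected to work inside the sandbox, append `enfuse` to the list — otherwise a comment noting the omission is intentional would be useful. The list is also unsorted (the GUI binaries first, then `align_image_stack` onward, with `enblend` last), which makes it hard to see what is missing on review; sorting it would match the other `private-bin` lines in this commit.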
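--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,35 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.imagej
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp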
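--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin inkscape
 private-dev
 private-tmp
 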
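--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/krita.profile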
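--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,30 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+#private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp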
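Review bot: `net none` on line 15 is combined with `protocol unix,inet,inet6` on line 21; once the network namespace is empty the inet families serve no purpose, and the other `net none` profiles in this commit (freecad, krita, lmms, cin) use `protocol unix`. Either tighten line 21 to `protocol unix`, or — if kdenlive is expected to reach the network — replace `net none` with `netfilter` as the netfilter profiles do. Leaving both as they are reads as an unfinished decision.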
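--- /dev/null
+++ b/etc/krita.profile
@@ -0,0 +1,32 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp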
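--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,41 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp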
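Review bot: `whitelist ${HOME}/Downloads` on line 20 hard-codes the directory name, while the Viber, amule and dooble profiles in this commit use `${DOWNLOADS}`; on a system whose XDG download directory is localized or relocated the hard-coded path whitelists the wrong place, or nothing. Change it to `whitelist ${DOWNLOADS}`. Separately, `novideo` on line 31 removes camera devices from a softphone that supports video calls — if that is deliberate (audio-only by policy) a comment saying so would prevent it being reported as a bug.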
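--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,34 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.lmmsrc.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp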
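--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 tracelog
 
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
 private-dev
 private-tmp
 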
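--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,35 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/mfusion
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp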
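Review bot: The commented-out `#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack` gives no reason for being disabled, and the candidate list itself shows why enabling it would add little: with `python3` and `env` present inside the private /bin, any readable script can still be run through the interpreter (`noexec ${HOME}` only stops direct execution, not `python3 file.py`). A comment stating either why it was disabled or that it was judged not worth enabling, e.g. `# private-bin not used: python3/env in the list would defeat it`, would keep the next contributor from re-trying the same experiment.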
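--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin mpd,bash
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp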
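Review bot: `netfilter` on its own does nothing here: Firejail only installs the filter inside a network namespace created by a `net` directive, and once a user adds one the default client ruleset drops unsolicited inbound traffic, which a daemon that accepts client connections (mpd listens for its clients, as far as I know) would need to receive. A comment such as `# netfilter is a no-op without 'net <iface>'; a listening daemon needs its own ruleset (netfilter <file>)` would save the next reader from assuming inbound access is already filtered. Separately, `nogroups` and `ipc-namespace` are omitted while the sibling profiles in this commit set them; if that is for audio-group access it deserves one comment line so it is not "fixed" later.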
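--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,33 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+noexec ${HOME}
+noexec /tmp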
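Review bot: `private-dev` and `private-tmp` are missing, while every other new profile in this commit sets both, and nothing explains the omission; a compositing application reading project files from anywhere in `${HOME}` is exactly the kind of target where a shared /tmp and full /dev are worth taking away. Note also that `private-bin natron,Natron,NatronRenderer` only restricts the PATH directories — a build under `/opt/natron` (which `noblacklist /opt/natron` suggests is the expected install) runs from there regardless, so that line is not a substitute for the two missing directives. Either add `private-dev` and `private-tmp`, or record in a comment what the /opt tree needs from /dev or /tmp that prevents it.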
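--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
 private-bin pidgin
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp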
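Review bot: `noexec ${HOME}` also blocks `mmap` with `PROT_EXEC` on that mount, so shared-object plugins a user has installed under their home directory (if pidgin loads any from there — the profile does not show its plugin paths) stop loading, not just scripts. A short comment on the new line, e.g. `# noexec ${HOME} also prevents dlopen() of user-installed plugins`, would make the trade-off visible to whoever hits it first.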
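--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,40 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc fonts,tor,X11,alternatives
+
+noexec ${HOME}
+noexec /tmp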
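Review bot: `whitelist ${HOME}/.local/share/Ricochet` is applied without creating the directory first; as far as Firejail's whitelist handling goes, a path that does not yet exist is skipped and `${HOME}` becomes a fresh tmpfs, so on a first run whatever Ricochet writes there (presumably its identity and hidden-service key) lives only in the tmpfs and is discarded when the sandbox exits. teamspeak3.profile in this same commit shows the pattern: add `mkdir ${HOME}/.local/share/Ricochet` just before the whitelist line. Separately, the profile has `disable-mnt` and `private-dev` but no `private-tmp`, and bundles `tor` in `private-bin`; if the embedded tor needs a shared /tmp that deserves a comment, otherwise add `private-tmp` like the sibling profiles, and the commented-out `#private-etc fonts,tor,X11,alternatives` should say why it is off.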
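--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
 seccomp
 tracelog
 
+#private-bin scribus,gs
 private-dev
 # private-tmp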
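Review bot: `#private-bin scribus,gs` joins an already commented-out `# private-tmp` with no reason recorded for either, so the profile now carries two disabled hardening lines and no way to tell whether they are blocked by a real incompatibility or just untested. One comment line above them, e.g. `# private-bin/private-tmp disabled: <what breaks>`, would make the state reviewable; if the reason is unknown, saying `# untested` is still better than silence.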
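--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,31 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Meltytech
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin shotcut,melt,qmelt,nice
+private-dev
+
+noexec ${HOME}
+noexec /tmp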
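Review bot: `private-tmp` is absent and the `#private-bin shotcut,melt,qmelt,nice` candidate stays commented out, neither with a stated reason; with `net none` already in place, the shared /tmp is one of the few remaining resources this sandbox still exposes to the host session. Either add `private-tmp` as the sibling profiles do, or leave a comment saying what `melt`/`qmelt` need there (a render helper exchanging files through /tmp would be a plausible cause, but that is a guess from the binary list, not something the profile shows).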
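--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
 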
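--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin synfigstudio
 private-dev
 private-tmp
 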
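--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,39 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp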
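Review bot: The profile whitelists only `${DOWNLOADS}` and `${HOME}/.ts3client` and mounts `${HOME}` noexec, so a TeamSpeak client unpacked under the user's home (the upstream tarball install — nothing in the profile says where the binary is expected) would be neither visible nor executable inside the jail. A header comment stating the supported install location, e.g. `# expects the client installed outside ${HOME} (distro package or /opt); a tarball in ~ is hidden by the whitelist`, would turn a confusing failure into a documented constraint. The `mkdir ${HOME}/.ts3client` before the whitelist is the right order and is what the other whitelisting profiles in this commit lack.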
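--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile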
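--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp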
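Review bot: The usage comment tells the user to start Firejail as root via `sudo` with `--profile=/home/<username>/.config/firejail/tor.profile`, i.e. a root-run sandbox whose definition is a file the unprivileged user can edit; since this file is installed as /etc/firejail/tor.profile, the example should point at the root-owned copy (`--profile=tor` or the /etc path) unless a per-user override is deliberately intended, in which case the comment should say so and warn about ownership. `caps.keep setuid,setgid,net_bind_service,dac_read_search` also needs a why-comment per capability: `dac_read_search` bypasses read and search permission checks on every file visible in the sandbox, so it should be tied to a concrete need (presumably reading torrc and keys before tor drops to its service user), and `writable-var` likewise opens all of /var rather than only tor's state and log directories. Finally, `sudo -b daemon -f -d` plus `--RunAsDaemon 1` backgrounds the process three times over; one mechanism would be enough and easier to stop and supervise.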
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 763c2d051..3b6b65bec 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | noblacklist ~/.tor-browser-en | |
9 | noblacklist ~/.config/torbrowser | 9 | noblacklist ~/.config/torbrowser |
10 | whitelist ~/.config/torbrowser | ||
11 | noblacklist ~/.local/share/torbrowser | 10 | noblacklist ~/.local/share/torbrowser |
12 | whitelist ~/.local/share/torbrowser | ||
13 | 11 | ||
14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
18 | 16 | ||
17 | whitelist ~/.tor-browser-en | ||
18 | whitelist ~/.config/torbrowser | ||
19 | whitelist ~/.local/share/torbrowser | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | |||
19 | caps.drop all | 22 | caps.drop all |
20 | netfilter | 23 | netfilter |
21 | nodvd | 24 | nodvd |
@@ -29,7 +32,7 @@ seccomp | |||
29 | shell none | 32 | shell none |
30 | tracelog | 33 | tracelog |
31 | 34 | ||
32 | private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 35 | private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher |
33 | private-dev | 36 | private-dev |
34 | private-etc fonts | 37 | private-etc fonts |
35 | private-tmp | 38 | private-tmp |
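Review bot: The new `whitelist ~/.tor-browser-en` (and the two existing whitelists now moved below the `disable-*.inc` includes together with `whitelist-common.inc`) has no matching `mkdir`; as far as Firejail's whitelist handling goes, a directory that does not exist yet is skipped and `${HOME}` becomes a tmpfs, so on a first run in a fresh account whatever the launcher stores there is discarded at exit (re-download and re-verification on every start would be the likely symptom, though I cannot confirm that from the profile). teamspeak3.profile in this commit uses `mkdir ${HOME}/.ts3client` before its whitelist; the same `mkdir ~/.tor-browser-en`, `mkdir ~/.config/torbrowser` and `mkdir ~/.local/share/torbrowser` lines here would fix it. The rest of the profile (its `noexec`/`private-*` tail) lies outside this hunk.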
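--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,20 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+protocol unix
+seccomp
+
+private-dev
+
+noexec /tmp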
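Review bot: `net none` and `netfilter` contradict each other: `netfilter` only acts inside a network namespace that has an interface, and `net none` creates one with none, so the filter line is dead — drop it, or replace the pair with a comment stating the intended network policy for sandboxed terminals. The profile also omits `nonewprivs`, `shell none`, `noexec ${HOME}` and all of the `disable-*.inc` includes that every other new profile in this commit carries; that is plausibly deliberate for a general-purpose terminal whose child shell inherits every restriction, but the intent should be written down in a header comment, e.g. `# intentionally permissive: the spawned shell must still run the user's tools; only network and /dev are restricted`, so the gaps are not mistaken for oversights.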
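--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,30 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+
+noexec ${HOME}
+noexec /tmp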
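--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -8,15 +8,20 @@
 Cyberfox
 FossaMail
 Mathematica
+Natron
 Telegram
+Viber
 VirtualBox
 Wire
 Xephyr
 abrowser
 akregator
 amarok
+amule
 android-studio
 apktool
+ardour4
+ardour5
 arduino
 ark
 arm
@@ -34,13 +39,24 @@ bitlbee
 bleachbit
 blender
 bless
+brackets
 brasero
 brave
 calibre
+calligra
+calligraauthor
+calligraconverter
+calligraflow
+calligraplan
+calligraplanwork
+calligrasheets
+calligrastage
+calligrawords
 catfish
 cherrytree
 chromium
 chromium-browser
+cin
 clamdscan
 clamdtop
 clamscan
@@ -64,6 +80,8 @@ display
 dnscrypt-proxy
 dnsmasq
 dolphin
+dooble
+dooble-qt4
 dosbox
 dragon
 dropbox
@@ -88,6 +106,8 @@ flashpeak-slimjet
 flowblade
 fontforge
 franz
+freecad
+freecadcmd
 freshclam
 frozen-bubble
 gajim
@@ -122,6 +142,7 @@ google-chrome
 google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
+google-earth
 google-play-music-desktop-player
 gpa
 gpicview
@@ -141,6 +162,7 @@ icecat
 icedove
 iceweasel
 idea.sh
+imagej
 img2txt
 inkscape
 inox
@@ -149,8 +171,10 @@ iridium-browser
 jd-gui
 jitsi
 k3b
+karbon
 kate
 kcalc
+kdenlive
 keepass
 keepass2
 keepassx
@@ -161,12 +185,15 @@ kmail
 knotes
 kodi
 konversation
+krita
 ktorrent
 kwrite
 leafpad
 less
 libreoffice
 liferea
+linphone
+lmms
 localc
 lodraw
 loffice
@@ -180,6 +207,7 @@ luminance-hdr
 lximage-qt
 lxmusic
 lynx
+macrofusion
 mate-calc
 mate-calculator
 mate-color-select
@@ -200,6 +228,7 @@ mupdf
 mupen64plus
 musescore
 mutt
+natron
 nautilus
 netsurf
 neverball
@@ -238,6 +267,7 @@ rambox
 ranger
 remmina
 rhythmbox
+ricochet
 riot-web
 ristretto
 rocketchat
@@ -246,6 +276,7 @@ scribus
 sdat2img
 seamonkey
 seamonkey-bin
+shotcut
 silentarmy
 simple-scan
 simutrans
@@ -266,10 +297,12 @@ stellarium
 strings
 supertux2
 synfigstudio
+teamspeak3
 telegram
 telegram-desktop
 terasology
 thunderbird
+tor-browser-en
 totem
 tracker
 transmission-cli
@@ -321,5 +354,6 @@ xreader
 xviewer
 yandex-browser
 youtube-dl
+zart
 zathura
 zoom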
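Review bot: Two of the profiles this commit adds, `tor.profile` and `x-terminal-emulator.profile`, are not listed here, so `firecfg` will not create symlinks for them as I read this file's purpose. For tor that matches the profile's own manual, sudo-based start instructions, and for x-terminal-emulator it avoids routing every terminal through the sandbox via the alternatives name on Debian-style systems, but neither reason is recorded anywhere visible. A `# not in firecfg: <reason>` line at the top of each of those two profiles would stop the next contributor from "completing" this list with them.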