-rw-r--r-- | etc/deluge.profile | 3 | ||||
-rw-r--r-- | etc/eog.profile | 1 | ||||
-rw-r--r-- | etc/evince.profile | 4 | ||||
-rw-r--r-- | etc/evolution.profile | 1 | ||||
-rw-r--r-- | etc/fbreader.profile | 3 | ||||
-rw-r--r-- | etc/feh.profile | 2 | ||||
-rw-r--r-- | etc/filezilla.profile | 3 | ||||
-rw-r--r-- | etc/firefox.profile | 6 | ||||
-rw-r--r-- | etc/gthumb.profile | 2 | ||||
-rw-r--r-- | etc/mupdf.profile | 4 | ||||
-rw-r--r-- | etc/pix.profile | 2 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 3 | ||||
-rw-r--r-- | etc/rtorrent.profile | 2 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 3 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 3 | ||||
-rw-r--r-- | etc/uget-gtk.profile | 2 | ||||
-rw-r--r-- | etc/wesnoth.profile | 3 | ||||
-rw-r--r-- | etc/zathura.profile | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
20 files changed, 31 insertions, 23 deletions
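--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
 
 shell none
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
 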
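Review bot: The second change pair drops `nosound` in favour of `private-tmp` instead of keeping both, so deluge regains the sound access the profile used to block; unless that loosening is deliberate, the new side should read `private-dev` / `nosound` / `private-tmp`. fbreader.profile makes the same substitution. The swap of `whitelist /tmp/.X11-unix` for `private-tmp` across every profile in this commit only preserves X11 access if `private-tmp` itself now keeps /tmp/.X11-unix, which the man-page hunks describe but no source file in the diffstat implements; presumably that change lands separately, and these profiles should not ship on a binary without it.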
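--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -12,6 +12,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
 shell none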
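--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -16,3 +18,5 @@ tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
\ No newline at end of file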
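Review bot: The first hunk adds `netfilter` directly above `net none`; once the sandbox has no network interfaces there appears to be nothing for the filter to apply to, so the `netfilter` line looks like dead configuration and could be dropped, with a comment if it is kept on purpose. The same pairing is introduced in zathura.profile and mupdf.profile. In the second hunk `private-etc fonts` leaves evince with only /etc/fonts visible; zathura already runs that way, but evince is a GTK application, so it is worth confirming it starts and renders with nothing else from /etc before this ships.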
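--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -17,6 +17,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
 shell none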
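Review bot: Adding `nosound` to a mail client profile will presumably also silence any new-mail notification sound Evolution is configured to play, which users may not expect from the sandbox. If that trade-off is intended, a short comment such as `# nosound: no audio needed; also disables mail-notification sounds` makes the choice deliberate rather than something a later maintainer reverts as a bug.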
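--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
 
 shell none
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp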
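--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
 shell none
 
 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
\ No newline at end of file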
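--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
 
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp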
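--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp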
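Review bot: The `# experimental features` comment at context line 49 now heads four live directives, so it reads as a warning about the lines below rather than describing them; either remove it or replace it with a note recording what was validated, e.g. `# private-bin/private-etc/private-dev/private-tmp: verified with Firefox <VERSION>; extend private-bin if external helpers are needed`. The new `private-bin firefox,which,sh,dbus-launch,dbus-send,env` list contains no launcher such as `xdg-open`, so actions that spawn an external program (opening a download, "open containing folder") will presumably fail inside the sandbox — worth confirming before the previously commented-out lines are shipped enabled. A one-line comment on why `private-etc` needs entries like `passwd`, `group` and `resolv.conf` would also help the next person who trims the list.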
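--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
 tracelog
 
 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file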
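--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog
 
+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts
 
 # mupdf will never write anything
 read-only ${HOME}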
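Review bot: The new `seccomp.keep` list sits in the same profile as the existing `seccomp` context line at file line 13, and only one filter mode can be in effect; my understanding is that the keep list supersedes the default blacklist, but the profile should state which is intended rather than leave two directives that look like they compose. The syscall list also carries no note on how it was produced or which mupdf version it was checked against, so nobody can tell later whether a missing syscall is a bug or a deliberate omission. Suggest a comment above it such as `# syscall whitelist from tracing mupdf <VERSION>; regenerate after upgrades — this replaces the default seccomp blacklist above`. As in evince.profile, `net none` is added directly after a `netfilter` line it appears to make redundant.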
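--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 
 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file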
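--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp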
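--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
 
 shell none
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file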
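--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-gtk
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp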
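--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-qt
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp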
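--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
 
 private-bin uget-gtk
 private-dev
+private-tmp
 
-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet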
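--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
 
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth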
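--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,7 @@ protocol unix
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp
 
 read-only ~/
 read-write ~/.local/share/zathura/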
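--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.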
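--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 
 .br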