51 files changed, 149 insertions, 17 deletions
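--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -37,3 +37,4 @@ tracelog
 
 private-dev
 private-tmp
+disable-mnt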
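--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none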
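--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -23,6 +23,8 @@ netfilter
 #protocol unix,inet,inet6,netlink
 #seccomp
 
+#disable-mnt
+
 whitelist ${DOWNLOADS}
 
 mkdir ~/.config/brave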
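Review bot: The `#disable-mnt` line added after `#seccomp` is switched off with no reason given, so a later maintainer cannot tell whether the option breaks the browser or was simply not tested. The chromium profile touched by this same commit documents its disabled option inline (`#private-tmp - problems with multiple browser sessions`); the same form would fit here, e.g. `#disable-mnt - <reason it is off>`. The same applies to `#disable-mnt` in chromium.profile and firefox.profile, `#novideo` in kodi.profile and steam.profile, `#no3d` in rhythmbox.profile and `#nosound` in gnome-2048.profile. Leaving a sandbox restriction off is a security-relevant choice and deserves one line of rationale next to it.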
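--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -35,6 +35,7 @@ shell none
 
 private-dev
 #private-tmp - problems with multiple browser sessions
+#disable-mnt
 
 noexec ${HOME}
 noexec /tmp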
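--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -35,6 +35,7 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp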
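--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -22,3 +22,5 @@ nosound
 no3d
 protocol unix,inet,inet6,netlink
 seccomp
+
+disable-mnt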
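--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none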
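--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -71,6 +71,7 @@ include /etc/firejail/whitelist-common.inc
 # private-dev might prevent video calls going out
 private-dev
 private-tmp
+#disable-mnt
 
 noexec ${HOME}
 noexec /tmp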
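--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -43,3 +43,4 @@ shell none
 #private-etc fonts
 private-dev
 #private-tmp
+disable-mnt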
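--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -26,7 +26,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+#nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp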
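--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -30,3 +32,6 @@ tracelog
 private-tmp
 private-dev
 #private-etc fonts
+
+noexec ${HOME}
+noexec /tmp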
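--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -34,6 +34,7 @@ private-bin gnome-calculator
 private-dev
 #private-etc fonts
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp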
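--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
@@ -27,3 +29,7 @@ private-bin fairymax,gnome-chess,hoichess
 private-dev
 private-etc fonts,gnome-chess
 private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp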
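--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -12,10 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
-nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -26,3 +27,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp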
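Review bot: The first hunk replaces `nosound` with `novideo`, so this profile loses its sound restriction without any trace in the file; every other change in the commit tightens a profile, which makes this one relaxation easy to miss in review. If sound is needed here (presumably for alarms and timers), keep the option visible as a commented-out line, the way gnome-2048.profile keeps `#nosound`, and add the reason: `#nosound - <reason>` followed by `novideo`. If the removal was not intended, restore `nosound` above `novideo`.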
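--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -20,7 +20,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp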
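--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -29,3 +31,6 @@ tracelog
 
 private-tmp
 private-dev
+
+noexec ${HOME}
+noexec /tmp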
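--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/gnome-font-viewer.local
 
-private
-#include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
 
+#Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp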
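Review bot: The rewrite drops three restrictions that were active in the old profile: `private`, `nogroups` and `shell none`. Replacing `private` with the disable-*.inc blacklists exposes the real home directory to the viewer, since everything not blacklisted becomes readable, and nothing in the new option list replaces the other two. Unless they were found to break the program, carry them over in the `#Options` block: `nogroups` after `no3d` and `shell none` after `seccomp`. If the home directory has to stay visible so that fonts stored there can be opened, a one-line comment saying so would make the trade-off explicit.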
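--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -29,3 +30,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp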
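--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -22,3 +22,7 @@ shell none
 # private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
+
+
+noexec ${HOME}
+noexec /tmp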
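Review bot: The two blank lines added before `noexec ${HOME}` sit where the other profiles in this commit receive `disable-mnt`, and gnome-music.profile has the same double blank, so it looks as if the option was taken out for media players without leaving a trace. If the intent is to keep media under the mount directories reachable, state it on a commented line in place of one of the blanks, e.g. `#disable-mnt - <reason>`. gnome-books, gnome-documents, gnome-photos and rhythmbox also get the `noexec` pair without `disable-mnt` and would benefit from the same line.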
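--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 netfilter
@@ -27,3 +29,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+
+
+noexec ${HOME}
+noexec /tmp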
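--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -31,3 +31,6 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp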
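--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -30,3 +32,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp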
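--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -23,6 +23,7 @@ tracelog
 
 private-dev
 private-tmp
+disable-mnt
 
 mkdir ~/.hedgewars
 whitelist ~/.hedgewars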
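--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -35,6 +36,7 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp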
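--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none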
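--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -22,3 +22,4 @@ shell none
 tracelog
 
 private-tmp
+disable-mnt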
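--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -19,6 +19,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none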
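--- a/etc/less.profile
+++ b/etc/less.profile
@@ -11,11 +11,15 @@ ignore noroot
 include /etc/firejail/default.profile
 
 net none
-nosound
 no3d
+nosound
+novideo
 shell none
 tracelog
 
 blacklist /tmp/.X11-unix
 
 private-dev
+
+noexec ${HOME}
+noexec /tmp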
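--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -26,6 +26,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none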
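--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none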
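--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -33,12 +33,14 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 #seccomp
 shell none
 
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp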
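--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -33,6 +33,7 @@ tracelog
 
 private-bin mumble
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp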
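--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none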
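--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -25,12 +25,14 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp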
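--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -38,6 +38,7 @@ tracelog
 
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp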
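--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -34,3 +34,4 @@ noexec /tmp
 
 private-bin qtox
 private-tmp
+disable-mnt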
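--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -39,5 +39,6 @@ tracelog
 private-bin quiterss
 private-dev
 #private-etc X11,ssl
+disable-mnt
 
 include /etc/firejail/whitelist-common.inc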
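--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+#no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -24,3 +26,6 @@ tracelog
 private-bin rhythmbox
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp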
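--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp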
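--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,3 +16,9 @@ netfilter
 noroot
 seccomp
 protocol unix,inet,inet6,netlink
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp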
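--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -30,6 +30,7 @@ private-bin slack
 private-dev
 private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
 private-tmp
+disable-mnt
 
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack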
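--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -38,6 +38,7 @@ private-bin spotify,bash,sh,dash
 private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
 private-tmp
+disable-mnt
 
 blacklist ${HOME}/.bashrc
 blacklist /boot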
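--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -25,6 +25,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none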
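--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -33,3 +33,4 @@ tracelog
 private-bin stellarium
 private-dev
 private-tmp
+disable-mnt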
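--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -11,9 +11,10 @@ ignore noroot
 include /etc/firejail/default.profile
 
 net none
+no3d
 nosound
+novideo
 shell none
 tracelog
 private-dev
-no3d
 blacklist /tmp/.X11-unix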
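Review bot: strings.profile gets `novideo` and the `no3d` reorder but not the `noexec ${HOME}` / `noexec /tmp` pair that the sibling less.profile receives in this commit, although both are `net none` utility profiles built on default.profile. Judging by the single context line after the change, the file ends at `blacklist /tmp/.X11-unix`, so the pair is presumably absent rather than outside the hunk. Suggest appending a blank line, `noexec ${HOME}` and `noexec /tmp` so the two profiles stay aligned.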
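--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp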
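--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -32,3 +32,4 @@ tracelog
 private-bin warzone2100
 private-dev
 private-tmp
+disable-mnt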
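--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none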
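--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -25,6 +25,7 @@ shell none
 
 private-tmp
 private-dev
+disable-mnt
 
 # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
 # To use wire with firejail run "firejail /opt/Wire/wire"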
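--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -37,6 +37,7 @@ shell none
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
 private-tmp
+disable-mnt
 
 noexec ${HOME}
 noexec /tmp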
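--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none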