-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/clementine.profile | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/eog.profile | 1 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome.profile | 1 | ||||
-rw-r--r-- | etc/gthumb.profile | 1 | ||||
-rw-r--r-- | etc/pix.profile | 1 | ||||
-rw-r--r-- | etc/qupzilla.profile | 6 | ||||
-rw-r--r-- | etc/ristretto.profile | 4 | ||||
-rw-r--r-- | etc/steam.profile | 2 | ||||
-rw-r--r-- | etc/viewnior.profile | 1 | ||||
-rw-r--r-- | etc/wine.profile | 2 | ||||
-rw-r--r-- | etc/xviewer.profile | 1 |
15 files changed, 23 insertions, 8 deletions
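--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -24,6 +24,7 @@ whitelist ~/.config/chromium-flags.conf
 
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 ipc-namespace
 netfilter
 nogroups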
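Review bot: `caps.keep sys_chroot,sys_admin` on new line 27 grants the sandboxed browser CAP_SYS_ADMIN, which is close to full root and undoes much of what the rest of this profile restricts, and the line carries no explanation of why it is required. Presumably it exists so Chromium's own internal sandbox can set up its chroot and namespaces, but that reasoning should be recorded next to the line, e.g. `# needed by Chromium's internal sandbox (chroot + namespace setup); sys_admin is broad, revisit if a narrower set works`. The same unexplained line is added to google-chrome.profile (new line 16) in this commit; whichever profile is the reference should carry the comment and the other point to it.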
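--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -12,4 +12,5 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6
-seccomp
+# Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old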
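Review bot: The hand-copied `seccomp.drop` list on new line 16 contains `mfsservctl`, which is not a Linux syscall name (the kernel's is `nfsservctl`), and lists `process_vm_writev` twice; depending on how firejail treats an unknown name the misspelt entry is either silently ignored, leaving that syscall unfiltered, or a load error, so it should be corrected to `nfsservctl` and the duplicate dropped. Because the line is now a frozen copy of the default blacklist rather than a reference to it, it will stop tracking future additions to that default unless someone remembers this file; the comment on new line 15 should say where the list came from and that it is the default set minus `ioprio_set`, so a later maintainer can re-derive it. If firejail gains a way to express "default minus one syscall" directly, that would be the preferable form.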
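--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.local
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 
@@ -142,6 +143,8 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.profile
 read-only ${HOME}/.forward
 read-only ${HOME}/.login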
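--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -10,6 +10,9 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.Skype
+blacklist ${HOME}/.Steam
+blacklist ${HOME}/.Steampath
+blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research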
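Review bot: `${HOME}/.Steampath` and `${HOME}/.Steampid` (new lines 14–15) are blacklisted here, but the matching `noblacklist` lines this commit adds to steam.profile and wine.profile only re-enable `${HOME}/.Steam` and `${HOME}/.local/share/Steam`. If the Steam launcher writes those two files on start-up, Steam running under its own profile will no longer be able to create them; if they are never written, the entries are harmless but the asymmetry is still confusing. Either add `noblacklist ${HOME}/.Steampath` and `noblacklist ${HOME}/.Steampid` to steam.profile (and wine.profile), or leave a comment here saying they are intentionally blocked everywhere.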
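--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -4,6 +4,7 @@ include /etc/firejail/eog.local
 
 # eog (gnome image viewer) profile
 noblacklist ~/.config/eog
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc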
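Review bot: `noblacklist ~/.Steam` on new line 7 re-exposes the whole Steam directory to an image viewer without a comment saying why; the same line is added to gthumb, pix, ristretto, viewnior and xviewer in this commit. Presumably the purpose is browsing screenshots kept under Steam's userdata tree, in which case a comment such as `# allow viewing Steam screenshots` on the first of these (and ideally a narrower path if one exists) records the trade-off for the next maintainer. gthumb.profile and pix.profile also mix `${HOME}/` and `~/` forms within the same noblacklist group; picking one form per file keeps the lists easier to grep.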
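--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
-ipc-namespace
 netfilter
 #net none
 no3d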
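--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 # include /etc/firejail/disable-devel.inc
 #
 
+caps.keep sys_chroot,sys_admin
 netfilter
 
 whitelist ${DOWNLOADS}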
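--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -4,6 +4,7 @@ include /etc/firejail/gthumb.local
 
 # gthumb profile
 noblacklist ${HOME}/.config/gthumb
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc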
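--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -5,6 +5,7 @@ include /etc/firejail/pix.local
 # Firejail profile for pix
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc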
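--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -5,10 +5,10 @@ include /etc/firejail/qupzilla.local
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
 noblacklist ${HOME}/.cache/qupzilla
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -22,5 +22,3 @@ include /etc/firejail/whitelist-common.inc
 
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-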
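Review bot: The first hunk removes `include /etc/firejail/disable-secret.inc` (old line 9) without an obvious replacement; the two new includes, `disable-passwdmgr.inc` and `disable-programs.inc`, do not by their names cover the same set of paths, so a web-browser profile may lose its secrets blacklist here. Unless disable-secret.inc is being retired from the tree or its entries have moved into disable-common.inc, that include should stay, and if the entries did move, the commit description should say so. A one-line comment above the include block noting which .inc supplies which class of paths would make future reshuffles like this one easier to check.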
diff --git a/etc/ristretto.profile b/etc/ristretto.profile index c70ae55a8..9931813d9 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile | |||
@@ -3,6 +3,7 @@ | |||
3 | include /etc/firejail/risretto.local | 3 | include /etc/firejail/risretto.local |
4 | 4 | ||
5 | noblacklist ${HOME}/.config/ristretto | 5 | noblacklist ${HOME}/.config/ristretto |
6 | noblacklist ~/.Steam | ||
6 | noblacklist ~/.steam | 7 | noblacklist ~/.steam |
7 | 8 | ||
8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
@@ -17,7 +18,7 @@ protocol unix,inet,inet6 | |||
17 | seccomp | 18 | seccomp |
18 | 19 | ||
19 | # | 20 | # |
20 | # depending on your usage, you can enable some of the commands below: | 21 | # depending on your usage, you can enable some of the commands below: |
21 | # | 22 | # |
22 | nogroups | 23 | nogroups |
23 | shell none | 24 | shell none |
@@ -25,4 +26,3 @@ shell none | |||
25 | # private-etc none | 26 | # private-etc none |
26 | private-dev | 27 | private-dev |
27 | # private-tmp | 28 | # private-tmp |
28 | |||
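Review bot: `include /etc/firejail/risretto.local` on line 3 (context, not changed by this commit) misspells the profile name, so a user's `ristretto.local` overrides would never be read unless a file literally named risretto.local is shipped; suggest `include /etc/firejail/ristretto.local`, in line with every other profile in this commit which includes `<name>.local`. The second hunk (old lines 17–23) shows no visible textual difference on the rendered page although the diffstat implies one insertion and one deletion there, which suggests a whitespace-only edit — worth confirming it is nothing more. The new `noblacklist ~/.Steam` on line 6 has the same undocumented-intent issue raised for eog.profile.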
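--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -3,7 +3,9 @@
 include /etc/firejail/steam.local
 
 # Steam profile (applies to games/apps launched from Steam as well)
+noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc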
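--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -4,6 +4,7 @@ include /etc/firejail/viewnior.local
 
 # Firejail profile for viewnior
 noblacklist ~/.config/viewnior
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc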
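--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -3,7 +3,9 @@
 include /etc/firejail/wine.local
 
 # wine profile
+noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.wine
 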
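--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -4,6 +4,7 @@ include /etc/firejail/xviewer.local
 
 # xviewer profile
 noblacklist ~/.config/xviewer
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc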