-rw-r--r--.gitignore2
-rw-r--r--Makefile.in4
-rw-r--r--README4
-rw-r--r--README.md22
-rw-r--r--RELNOTES8
-rwxr-xr-xconfigure25
-rw-r--r--configure.ac16
-rw-r--r--etc/0ad.profile1
-rw-r--r--etc/7z.profile2
-rw-r--r--etc/akonadi_control.profile4
-rw-r--r--etc/apktool.profile3
-rw-r--r--etc/ardour5.profile3
-rw-r--r--etc/ark.profile3
-rw-r--r--etc/asunder.profile1
-rw-r--r--etc/atom.profile3
-rw-r--r--etc/atril.profile3
-rw-r--r--etc/audacious.profile1
-rw-r--r--etc/audacity.profile5
-rw-r--r--etc/baobab.profile3
-rw-r--r--etc/bibletime.profile1
-rw-r--r--etc/bleachbit.profile6
-rw-r--r--etc/bless.profile3
-rw-r--r--etc/bluefish.profile3
-rw-r--r--etc/calligra.profile3
-rw-r--r--etc/catfish.profile3
-rw-r--r--etc/chromium-common.profile4
-rw-r--r--etc/cin.profile3
-rw-r--r--etc/clamav.profile3
-rw-r--r--etc/cpio.profile2
-rw-r--r--etc/default.profile1
-rw-r--r--etc/dex2jar.profile3
-rw-r--r--etc/dia.profile3
-rw-r--r--etc/digikam.profile1
-rw-r--r--etc/disable-common.inc7
-rw-r--r--etc/disable-programs.inc7
-rw-r--r--etc/display.profile3
-rw-r--r--etc/ebook-viewer.profile3
-rw-r--r--etc/electron.profile1
-rw-r--r--etc/engrampa.profile6
-rw-r--r--etc/eog.profile5
-rw-r--r--etc/eom.profile5
-rw-r--r--etc/etr.profile3
-rw-r--r--etc/evince.profile3
-rw-r--r--etc/exiftool.profile2
-rw-r--r--etc/feh.profile3
-rw-r--r--etc/ffmpeg.profile3
-rw-r--r--etc/file-roller.profile6
-rw-r--r--etc/file.profile2
-rw-r--r--etc/firefox-common.profile1
-rw-r--r--etc/firejail.config3
-rw-r--r--etc/freecad.profile3
-rw-r--r--etc/frozen-bubble.profile3
-rw-r--r--etc/galculator.profile3
-rw-r--r--etc/gcloud.profile40
-rw-r--r--etc/gedit.profile6
-rw-r--r--etc/gimp.profile3
-rw-r--r--etc/gnome-calculator.profile4
-rw-r--r--etc/gnome-logs.profile40
-rw-r--r--etc/gnome-recipes.profile2
-rw-r--r--etc/gpicview.profile3
-rw-r--r--etc/gwenview.profile4
-rw-r--r--etc/gzip.profile2
-rw-r--r--etc/handbrake.profile1
-rw-r--r--etc/hashcat.profile3
-rw-r--r--etc/highlight.profile2
-rw-r--r--etc/hugin.profile3
-rw-r--r--etc/imagej.profile3
-rw-r--r--etc/img2txt.profile3
-rw-r--r--etc/inkscape.profile7
-rw-r--r--etc/jd-gui.profile3
-rw-r--r--etc/kate.profile6
-rw-r--r--etc/kcalc.profile4
-rw-r--r--etc/kdenlive.profile2
-rw-r--r--etc/keepassx.profile3
-rw-r--r--etc/keepassxc.profile4
-rw-r--r--etc/kmail.profile3
-rw-r--r--etc/knotes.profile34
-rw-r--r--etc/krita.profile2
-rw-r--r--etc/krunner.profile3
-rw-r--r--etc/kwrite.profile3
-rw-r--r--etc/less.profile2
-rw-r--r--etc/libreoffice.profile1
-rw-r--r--etc/lmms.profile3
-rw-r--r--etc/macrofusion.profile3
-rw-r--r--etc/mate-calc.profile3
-rw-r--r--etc/mediainfo.profile2
-rw-r--r--etc/meld.profile3
-rw-r--r--etc/mpv.profile1
-rw-r--r--etc/mupdf.profile3
-rw-r--r--etc/mupen64plus.profile3
-rw-r--r--etc/natron.profile3
-rw-r--r--etc/ncdu.profile29
-rw-r--r--etc/odt2txt.profile2
-rw-r--r--etc/okular.profile3
-rw-r--r--etc/open-invaders.profile3
-rw-r--r--etc/openshot.profile1
-rw-r--r--etc/pcmanfm.profile3
-rwxr-xr-xetc/pdfchain.profile4
-rw-r--r--etc/pdfmod.profile3
-rw-r--r--etc/pdfsam.profile3
-rw-r--r--etc/pdftotext.profile2
-rw-r--r--etc/peek.profile3
-rw-r--r--etc/pingus.profile3
-rw-r--r--etc/pinta.profile3
-rw-r--r--etc/pluma.profile6
-rw-r--r--etc/qbittorrent.profile1
-rw-r--r--etc/ranger.profile3
-rw-r--r--etc/rhythmbox.profile3
-rw-r--r--etc/scribus.profile6
-rw-r--r--etc/sdat2img.profile3
-rw-r--r--etc/shotcut.profile3
-rw-r--r--etc/simutrans.profile3
-rw-r--r--etc/skanlite.profile3
-rw-r--r--etc/smplayer.profile1
-rw-r--r--etc/spotify.profile1
-rw-r--r--etc/sqlitebrowser.profile3
-rw-r--r--etc/steam.profile16
-rw-r--r--etc/strings.profile2
-rw-r--r--etc/supertux2.profile3
-rw-r--r--etc/synfigstudio.profile3
-rw-r--r--etc/tar.profile2
-rw-r--r--etc/terasology.profile3
-rw-r--r--etc/totem.profile3
-rw-r--r--etc/transmission-gtk.profile1
-rw-r--r--etc/transmission-qt.profile1
-rw-r--r--etc/transmission-show.profile3
-rw-r--r--etc/uefitool.profile3
-rw-r--r--etc/unrar.profile2
-rw-r--r--etc/unzip.profile2
-rw-r--r--etc/uudeview.profile3
-rw-r--r--etc/viewnior.profile2
-rw-r--r--etc/vlc.profile2
-rw-r--r--etc/x-terminal-emulator.profile3
-rw-r--r--etc/xcalc.profile3
-rw-r--r--etc/xed.profile6
-rw-r--r--etc/xpdf.profile3
-rw-r--r--etc/xplayer.profile2
-rw-r--r--etc/xreader.profile1
-rw-r--r--etc/xviewer.profile4
-rw-r--r--etc/xzdec.profile2
-rw-r--r--etc/zart.profile3
-rw-r--r--etc/zathura.profile4
-rwxr-xr-xgcov.sh11
-rw-r--r--src/common.mk.in37
-rw-r--r--src/faudit/Makefile.in19
-rw-r--r--src/fbuilder/Makefile.in33
-rw-r--r--src/fcopy/Makefile.in34
-rw-r--r--src/firecfg/Makefile.in31
-rw-r--r--src/firecfg/firecfg.config3
-rw-r--r--src/firejail/Makefile.in36
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/dbus.c5
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/firemon/Makefile.in20
-rw-r--r--src/fldd/Makefile.in33
-rw-r--r--src/fnet/Makefile.in33
-rw-r--r--src/fnetfilter/Makefile.in33
-rw-r--r--src/fsec-optimize/Makefile.in33
-rw-r--r--src/fsec-print/Makefile.in34
-rw-r--r--src/fseccomp/Makefile.in33
-rw-r--r--src/ftee/Makefile.in18
-rw-r--r--src/lib/Makefile.in16
-rw-r--r--src/man/firejail.txt11
-rwxr-xr-xtest/root/firecfg.exp8
-rwxr-xr-xtest/root/root.sh4
-rwxr-xr-xtest/utils/audit.exp20
-rwxr-xr-xtest/utils/build.exp58
-rwxr-xr-xtest/utils/utils.sh11
169 files changed, 573 insertions, 639 deletions
diff --git a/.gitignore b/.gitignore
index eeaa0bb03..1285dea92 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ seccomp.32
38seccomp.64 38seccomp.64
39seccomp.block_secondary 39seccomp.block_secondary
40seccomp.mdwx 40seccomp.mdwx
41src/common.mk
42
diff --git a/Makefile.in b/Makefile.in
index 21055b694..134e7bd66 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -75,7 +75,7 @@ distclean: clean
75 for dir in $(APPS) $(MYLIBS); do \ 75 for dir in $(APPS) $(MYLIBS); do \
76 $(MAKE) -C $$dir distclean; \ 76 $(MAKE) -C $$dir distclean; \
77 done 77 done
78 rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o 78 rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o src/common.mk
79 79
80realinstall: 80realinstall:
81 # firejail executable 81 # firejail executable
@@ -107,6 +107,7 @@ endif
107 install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. 107 install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
108ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) 108ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
109 install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/. 109 install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
110 install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
110 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. 111 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
111 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. 112 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
112 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. 113 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
@@ -176,6 +177,7 @@ install-strip: all
176 strip src/fnetfilter/fnetfilter 177 strip src/fnetfilter/fnetfilter
177 strip src/fseccomp/fseccomp 178 strip src/fseccomp/fseccomp
178 strip src/fsec-print/fsec-print 179 strip src/fsec-print/fsec-print
180 strip src/fsec-optimize/fsec-optimize
179 strip src/fcopy/fcopy 181 strip src/fcopy/fcopy
180 strip src/fldd/fldd 182 strip src/fldd/fldd
181 strip src/fbuilder/fbuilder 183 strip src/fbuilder/fbuilder
diff --git a/README b/README
index ff0500504..80a133148 100644
--- a/README
+++ b/README
@@ -246,7 +246,7 @@ geg2048 (https://github.com/geg2048)
246 - kwallet profile fixes 246 - kwallet profile fixes
247glitsj16 (https://github.com/glitsj16) 247glitsj16 (https://github.com/glitsj16)
248 - evince-previewer, evince-thumbnailer profiles 248 - evince-previewer, evince-thumbnailer profiles
249 - gnome-recipes profile 249 - gnome-recipes, gnome-logs profiles
250graywolf (https://github.com/graywolf) 250graywolf (https://github.com/graywolf)
251 - spelling fix 251 - spelling fix
252greigdp (https://github.com/greigdp) 252greigdp (https://github.com/greigdp)
@@ -287,6 +287,8 @@ Jaykishan Mutkawoa (https://github.com/jmutkawoa)
287James Elford (https://github.com/jelford) 287James Elford (https://github.com/jelford)
288 - pass password manager support 288 - pass password manager support
289 - removed shell none from ssh-agent configuration, fixing the infinit loop 289 - removed shell none from ssh-agent configuration, fixing the infinit loop
290 - added gcloud profile
291 - blacklist sensitive cloud provider files in disable-common
290Jericho (https://github.com/attritionorg) 292Jericho (https://github.com/attritionorg)
291 - spelling 293 - spelling
292Jesse Smith (https://github.com/slicer69) 294Jesse Smith (https://github.com/slicer69)
diff --git a/README.md b/README.md
index 0c466a5e5..4d9727797 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,19 @@ Configuration options:
143 Gcov instrumentation: 143 Gcov instrumentation:
144 Install contrib scripts: yes 144 Install contrib scripts: yes
145````` 145`````
146This feature is also supported for LLVM/clang compiler
147
148## New command line options
149`````
150 --nodbus
151 Disable D-Bus access. Only the regular UNIX socket is handled by
152 this command. To disable the abstract socket you would need to
153 request a new network namespace using --net command. Another
154 option is to remove unix from --protocol set.
155
156 Example:
157 $ firejail --nodbus --net=none
158`````
146 159
147## AppImage development 160## AppImage development
148 161
@@ -259,9 +272,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled.
259AppArmor deployment: we are starting apparmor by default for the following programs: 272AppArmor deployment: we are starting apparmor by default for the following programs:
260- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) 273- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
261- torrent clients: transmission-qt, transmission-gtk, qbittorrent 274- torrent clients: transmission-qt, transmission-gtk, qbittorrent
262- media players: vlc, mpv, audacious, totem, rhythmbox 275- media players: vlc, mpv, audacious, kodi, smplayer
263- media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot 276- media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
264- etc.: atril, gnome-calculator, galculator, eom, eog 277- archive managers: ark, engrampa, file-roller
278- etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc
265 279
266Checking apparmor status: 280Checking apparmor status:
267````` 281`````
@@ -294,4 +308,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can
294pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, 308pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
295tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, 309tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
296gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, 310gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
297thunderbird-beta \ No newline at end of file 311thunderbird-beta, ncdu, gnome-logs, gcloud
diff --git a/RELNOTES b/RELNOTES
index b299c5b9b..e76800f2c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,11 +9,11 @@ firejail (0.9.53) baseline; urgency=low
9 All users of Firefox-based browsers who use addons and plugins 9 All users of Firefox-based browsers who use addons and plugins
10 that read/write from ${HOME} will need to uncomment the includes for 10 that read/write from ${HOME} will need to uncomment the includes for
11 firefox-common-addons.inc in firefox-common.profile. 11 firefox-common-addons.inc in firefox-common.profile.
12 * Spectre mitigation patch for gcc compiler 12 * Spectre mitigation patch for gcc and clang compiler
13 * D-Bus handling (--nodbus)
13 * AppArmor support for overlayfs and chroot sandboxes 14 * AppArmor support for overlayfs and chroot sandboxes
14 * AppArmor support for AppImages 15 * AppArmor support for AppImages
15 * Enable AppArmor by default for Firefox, Chromium, Transmission 16 * Enable AppArmor by default for a large number of programs
16 VLC and mpv
17 * firejail --apparmor.print option 17 * firejail --apparmor.print option
18 * firemon --apparmor option 18 * firemon --apparmor option
19 * apparmor yes/no flag in /etc/firejail/firejail.config 19 * apparmor yes/no flag in /etc/firejail/firejail.config
@@ -30,7 +30,7 @@ firejail (0.9.53) baseline; urgency=low
30 * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, 30 * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
31 * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes 31 * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
32 * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, 32 * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
33 * new profiles: blender-2.8, thunderbird-beta 33 * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud
34 -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 34 -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
35 35
36firejail (0.9.52) baseline; urgency=low 36firejail (0.9.52) baseline; urgency=low
diff --git a/configure b/configure
index 0ccaad051..5addefc72 100755
--- a/configure
+++ b/configure
@@ -3106,20 +3106,36 @@ fi
3106 3106
3107 3107
3108HAVE_SPECTRE="no" 3108HAVE_SPECTRE="no"
3109{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc compiler" >&5 3109{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5
3110$as_echo_n "checking for Spectre mitigation support in gcc compiler... " >&6; } 3110$as_echo_n "checking for Spectre mitigation support in gcc or clang compiler... " >&6; }
3111if test "$CC" = "gcc"; then : 3111if test "$CC" = "gcc"; then :
3112 3112
3113 HAVE_SPECTRE="yes" 3113 HAVE_SPECTRE="yes"
3114 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" 3114 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no"
3115 rm -f dummy.o 3115 rm -f dummy.o
3116 if test "$HAVE_SPECTRE" = "yes"; then :
3117
3118 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
3119
3120fi
3121
3122fi
3123if test "$CC" = "clang"; then :
3124
3125 HAVE_SPECTRE="yes"
3126 $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no"
3127 rm -f dummy.o
3128 if test "$HAVE_SPECTRE" = "yes"; then :
3129
3130 EXTRA_CFLAGS+=" -mretpoline "
3131
3132fi
3116 3133
3117fi 3134fi
3118if test "$HAVE_SPECTRE" = "yes"; then : 3135if test "$HAVE_SPECTRE" = "yes"; then :
3119 3136
3120 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 3137 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
3121$as_echo "yes" >&6; } 3138$as_echo "yes" >&6; }
3122 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
3123 3139
3124fi 3140fi
3125if test "$HAVE_SPECTRE" = "no"; then : 3141if test "$HAVE_SPECTRE" = "no"; then :
@@ -3847,7 +3863,7 @@ if test "$prefix" = /usr; then
3847 sysconfdir="/etc" 3863 sysconfdir="/etc"
3848fi 3864fi
3849 3865
3850ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" 3866ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
3851 3867
3852cat >confcache <<\_ACEOF 3868cat >confcache <<\_ACEOF
3853# This file is a shell script that caches the results of configure 3869# This file is a shell script that caches the results of configure
@@ -4557,6 +4573,7 @@ for ac_config_target in $ac_config_targets
4557do 4573do
4558 case $ac_config_target in 4574 case $ac_config_target in
4559 "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; 4575 "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
4576 "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
4560 "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; 4577 "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
4561 "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; 4578 "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
4562 "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; 4579 "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index 9a7a9d65e..460c93d50 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,15 +9,25 @@ AC_PROG_INSTALL
9AC_PROG_RANLIB 9AC_PROG_RANLIB
10 10
11HAVE_SPECTRE="no" 11HAVE_SPECTRE="no"
12AC_MSG_CHECKING(for Spectre mitigation support in gcc compiler) 12AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler)
13AS_IF([test "$CC" = "gcc"], [ 13AS_IF([test "$CC" = "gcc"], [
14 HAVE_SPECTRE="yes" 14 HAVE_SPECTRE="yes"
15 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" 15 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no"
16 rm -f dummy.o 16 rm -f dummy.o
17 AS_IF([test "$HAVE_SPECTRE" = "yes"], [
18 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
19 ])
20])
21AS_IF([test "$CC" = "clang"], [
22 HAVE_SPECTRE="yes"
23 $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no"
24 rm -f dummy.o
25 AS_IF([test "$HAVE_SPECTRE" = "yes"], [
26 EXTRA_CFLAGS+=" -mretpoline "
27 ])
17]) 28])
18AS_IF([test "$HAVE_SPECTRE" = "yes"], [ 29AS_IF([test "$HAVE_SPECTRE" = "yes"], [
19 AC_MSG_RESULT(yes) 30 AC_MSG_RESULT(yes)
20 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
21]) 31])
22AS_IF([test "$HAVE_SPECTRE" = "no"], [ 32AS_IF([test "$HAVE_SPECTRE" = "no"], [
23 AC_MSG_RESULT(... not available) 33 AC_MSG_RESULT(... not available)
@@ -189,7 +199,7 @@ if test "$prefix" = /usr; then
189 sysconfdir="/etc" 199 sysconfdir="/etc"
190fi 200fi
191 201
192AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ 202AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
193src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ 203src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
194src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) 204src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
195 205
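Review bot: The two branches only fire when `$CC` is literally `gcc` or `clang`, so a build with `CC=cc`, `CC=gcc-8`, `CC=clang-6.0` or a cross-compiler prefix skips both probes and silently reports the Spectre mitigation as not available; since each branch already decides by compiling dummy.c, the flags can be probed directly without looking at the compiler name. The new `EXTRA_CFLAGS+=" -mretpoline "` lines also rely on `+=`, a bash/ksh extension that autoconf does not require of the shell it re-execs under, so under a POSIX sh such as dash that line fails and the flag is dropped while the check still prints yes; the POSIX form `EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline "` is safe everywhere. The probes additionally leave the compiler's error output on the terminal, which `>/dev/null 2>&1` avoids. The AC_MSG_RESULT reporting that follows the hunk is unchanged by this rewrite.
```m4
HAVE_SPECTRE="no"
AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler)
dnl probe the flags themselves instead of matching $CC by name, so that
dnl cc, gcc-8, clang-6.0 and cross-compiler prefixes get the mitigation too
for spectre_flag in -mindirect-branch=thunk -mretpoline; do
  if test "$HAVE_SPECTRE" = "no" && $CC $spectre_flag -c dummy.c >/dev/null 2>&1; then
    HAVE_SPECTRE="yes"
    dnl "+=" is a bash/ksh extension; this form also works under dash
    EXTRA_CFLAGS="$EXTRA_CFLAGS $spectre_flag "
  fi
  rm -f dummy.o
done
dnl ... unchanged: AC_MSG_RESULT yes / "... not available" reporting ...
```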
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 057dcf49e..766783997 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc
24 24
25caps.drop all 25caps.drop all
26netfilter 26netfilter
27nodbus
27nodvd 28nodvd
28nogroups 29nogroups
29nonewprivs 30nonewprivs
diff --git a/etc/7z.profile b/etc/7z.profile
index ededacbbe..0330e4dbf 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -6,12 +6,12 @@ include /etc/firejail/7z.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 296b25b83..3a4404b28 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -23,8 +23,8 @@ include /etc/firejail/disable-programs.inc
23 23
24include /etc/firejail/whitelist-var-common.inc 24include /etc/firejail/whitelist-var-common.inc
25 25
26# the default mysqld-akonadi apparmor profile in debian and ubuntu 26# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
27# is not compatible with the commented options below 27# this affects ubuntu and debian currently
28 28
29# apparmor 29# apparmor
30caps.drop all 30caps.drop all
diff --git a/etc/apktool.profile b/etc/apktool.profile
index bbf91c264..d5063d79b 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -6,8 +6,6 @@ include /etc/firejail/apktool.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-programs.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 1f2228544..cf72561da 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/ardour4 8noblacklist ${HOME}/.config/ardour4
11noblacklist ${HOME}/.config/ardour5 9noblacklist ${HOME}/.config/ardour5
12noblacklist ${HOME}/.lv2 10noblacklist ${HOME}/.lv2
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
20caps.drop all 18caps.drop all
21ipc-namespace 19ipc-namespace
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/ark.profile b/etc/ark.profile
index beeb652cf..8e156df0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ark.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/arkrc 8noblacklist ${HOME}/.config/arkrc
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ apparmor
20caps.drop all 18caps.drop all
21# net none 19# net none
22netfilter 20netfilter
21# nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
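Review bot: `# nodbus` is added already disabled with no reason recorded, so a later maintainer cannot tell whether Ark genuinely needs D-Bus or whether this is waiting on a fix; audacity.profile in the same commit writes `# nodbus - problems on Fedora 27`, and the same form would help here, e.g. `# nodbus - <what breaks when enabled>`. The `# net none` line the hunk keeps above it has the same gap. Since the previous `# blacklist /run/user/*/bus` was also commented out, this is not a regression, only missing documentation of a deliberately weakened profile.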
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 0fbc3a158..7d643877f 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
20apparmor 20apparmor
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23nodbus
23# nogroups 24# nogroups
24nonewprivs 25nonewprivs
25noroot 26noroot
diff --git a/etc/atom.profile b/etc/atom.profile
index de09275cc..c513c7531 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/atom.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.atom 8noblacklist ${HOME}/.atom
11noblacklist ${HOME}/.config/Atom 9noblacklist ${HOME}/.config/Atom
12 10
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18# net none 16# net none
19netfilter 17netfilter
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/atril.profile b/etc/atril.profile
index a05f11076..e08b70ac6 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -5,6 +5,7 @@ include /etc/firejail/atril.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.cache/atril
8noblacklist ${HOME}/.config/atril 9noblacklist ${HOME}/.config/atril
9 10
10#noblacklist ${HOME}/.local/share 11#noblacklist ${HOME}/.local/share
@@ -17,7 +18,7 @@ include /etc/firejail/disable-programs.inc
17 18
18include /etc/firejail/whitelist-var-common.inc 19include /etc/firejail/whitelist-var-common.inc
19 20
20apparmor 21# apparmor
21caps.drop all 22caps.drop all
22machine-id 23machine-id
23no3d 24no3d
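Review bot: `apparmor` becomes `# apparmor` without a comment saying what broke, and the README.md section in this commit drops atril from the AppArmor-by-default list without an explanation either; the bleachbit profile in the same commit shows the better form, `# memory-deny-write-execute breaks some systems, see issue #1850`. A one-line reason such as `# apparmor - <breakage observed>` would let someone re-enable the confinement once the cause is fixed, rather than leaving it off indefinitely. The added `noblacklist ${HOME}/.cache/atril` line looks fine on its own.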
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 93ba5a45d..71003f156 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 18apparmor
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodbus
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 8c85dd6be..907dbeb55 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.audacity-data 8noblacklist ${HOME}/.audacity-data
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc
18 16
19apparmor 17apparmor
20caps.drop all 18caps.drop all
21#net none 19net none
22no3d 20no3d
21# nodbus - problems on Fedora 27
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
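Review bot: The session bus socket is now reachable from this sandbox: the old `blacklist /run/user/*/bus` line is removed while its replacement is left disabled as `# nodbus - problems on Fedora 27`, so the profile ends up looser than before the commit. Unless the earlier blacklist caused the same Fedora 27 breakage, keeping `blacklist /run/user/*/bus` next to the commented `nodbus` preserves the previous protection until nodbus can be enabled. Switching `#net none` to `net none` on the preceding line is a good tightening for an offline editor. A pointer to the bug report in the nodbus comment would also help whoever revisits it.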
diff --git a/etc/baobab.profile b/etc/baobab.profile
index e47e31bb1..5c1675611 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 018569603..f23a29052 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-common.inc
21 21
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24nodbus
24nodvd 25nodvd
25nogroups 26nogroups
26nonewprivs 27nonewprivs
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index dce7892a4..ae40c3ec7 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
@@ -29,6 +28,7 @@ shell none
29private-dev 28private-dev
30# private-tmp 29# private-tmp
31 30
32memory-deny-write-execute 31# memory-deny-write-execute breaks some systems, see issue #1850
32# memory-deny-write-execute
33noexec ${HOME} 33noexec ${HOME}
34noexec /tmp 34noexec /tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index 37d1e856f..10b471582 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bless.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/bless 8noblacklist ${HOME}/.config/bless
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 66ba0168b..6eb1d753f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/calligra.profile b/etc/calligra.profile
index f09716bc3..f7df8ce85 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16ipc-namespace 14ipc-namespace
17# net none 15# net none
16# nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 6d5ec1c52..6a608c673 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,6 @@ include /etc/firejail/globals.local
8# We can't blacklist much since catfish 8# We can't blacklist much since catfish
9# is for finding files/content 9# is for finding files/content
10 10
11blacklist /run/user/*/bus
12
13noblacklist ${HOME}/.config/catfish 11noblacklist ${HOME}/.config/catfish
14 12
15include /etc/firejail/disable-common.inc 13include /etc/firejail/disable-common.inc
@@ -23,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
23caps.drop all 21caps.drop all
24net none 22net none
25no3d 23no3d
24nodbus
26nodvd 25nodvd
27nogroups 26nogroups
28nonewprivs 27nonewprivs
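diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index a11947334..7f07c5b26 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
+nodbus
 nodvd
 nogroups
 notv
@@ -31,3 +32,6 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
+
+# the file dialog needs to work without d-bus
+env NO_CHROME_KDE_FILE_DIALOG=1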
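diff --git a/etc/cin.profile b/etc/cin.profile
index d114e50b1..e86a4d9b4 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/cin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.bcast5
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs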
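diff --git a/etc/clamav.profile b/etc/clamav.profile
index c3a0132d0..41bd3b679 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs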
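diff --git a/etc/cpio.profile b/etc/cpio.profile
index caee6570e..445e1cec7 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound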
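diff --git a/etc/default.profile b/etc/default.profile
index 82eded802..1af7ceba4 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -17,6 +17,7 @@ caps.drop all
 # ipc-namespace
 netfilter
 # no3d
+# nodbus
 # nodvd
 # nogroups
 nonewprivs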
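diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index f89e17239..ed73b8b8c 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs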
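diff --git a/etc/dia.profile b/etc/dia.profile
index b1a723da0..fb3506955 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -5,8 +5,6 @@ include /etc/firejail/dia.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.dia
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs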
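diff --git a/etc/digikam.profile b/etc/digikam.profile
index 516876c6b..4df344cbc 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs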
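diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index e5de0b61f..0f605b933 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -297,6 +297,13 @@ blacklist /etc/ssh
 blacklist /home/.ecryptfs
 blacklist /var/backup
 
+# cloud provider configuration
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist /etc/boto.cfg
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+
 # system directories
 blacklist /sbin
 blacklist /usr/local/sbin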
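Review bot: The new "cloud provider configuration" block covers AWS/boto, gcloud and kube, but leaves out the credential stores that sit in the same role and are just as sensitive — `${HOME}/.azure` (Azure CLI access/refresh tokens), `${HOME}/.config/doctl` and `${HOME}/.docker` (registry credentials in config.json); unless they are already blacklisted elsewhere in disable-common.inc (the rest of the file is outside this hunk), add them here. Note also that `${HOME}/.kube` is where `gcloud container clusters get-credentials` writes its kubeconfig, so any profile for cloud tooling that includes this file and is expected to manage clusters will need a matching `noblacklist ${HOME}/.kube`. The surrounding blacklist continues before and after the hunk.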
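diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96cc9b48c..a6f12f3db 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -138,6 +138,7 @@ blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
+blacklist ${HOME}/.config/katemetainfos
 blacklist ${HOME}/.config/katepartrc
 blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
@@ -384,6 +385,7 @@ blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
 blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
@@ -507,6 +509,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -529,11 +532,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
 blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
@@ -566,6 +572,7 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2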
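diff --git a/etc/display.profile b/etc/display.profile
index 41512a0cb..69183f4ca 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -5,8 +5,6 @@ include /etc/firejail/display.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs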
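diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
index 9f7e1382b..1e28b854a 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -1,9 +1,8 @@
 # Firejail profile alias for calibre
 # This file is overwritten after every install/update
 
-blacklist /run/user/*/bus
-
 net none
+nodbus
 
 # Redirect
 include /etc/firejail/calibre.profile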
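diff --git a/etc/electron.profile b/etc/electron.profile
index 222beada0..52d45b3f8 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -14,6 +14,7 @@ whitelist ${DOWNLOADS}
 apparmor
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs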
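diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index ae61f1d93..cf32d579e 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -5,8 +5,6 @@ include /etc/firejail/engrampa.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs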
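Review bot: `nodbus` is switched on at line 19 although the comment removed in the first hunk recorded that blocking `/run/user/*/bus` made engrampa's settings immutable, and `nodbus` cuts off the same session-bus socket, so the regression that warning described is presumably back; eog and eom in this same commit keep `# nodbus - makes settings immutable` for exactly that reason. Nothing in the hunk shows what changed to make `net none`, `apparmor` and `nodbus` safe here at the same time. Please verify that a changed preference survives a restart under the new profile; if it does, leave a short note such as `# nodbus does not affect settings here - verified` so the old warning is not silently lost, and if it does not, restore the reason comment on the disabled line.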
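diff --git a/etc/eog.profile b/etc/eog.profile
index 475abc4a5..66434ae05 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eog.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
 noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs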
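Review bot: Turning `apparmor` off at line 20 removes an entire enforcement layer from a viewer whose job is to open untrusted image files, and the profile now has three hardening options disabled with the identical one-line reason, which tells the next maintainer nothing about what actually fails or when it can be re-enabled. Record the observed failure rather than the symptom, e.g. `# apparmor - settings cannot be saved (dconf writes fail under the firejail-default AppArmor profile)` if that is what was seen; I am inferring the dconf angle from the `nodbus` comment on line 24 and cannot confirm it from the hunk. If the immutability only touches a minor preference, weigh keeping `apparmor` on and documenting the limitation instead of dropping it.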
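diff --git a/etc/eom.profile b/etc/eom.profile
index c7c92db0e..48965bcb9 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
 noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs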
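diff --git a/etc/etr.profile b/etc/etr.profile
index ad2e5be5d..5c01636cc 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -5,8 +5,6 @@ include /etc/firejail/etr.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.etr
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs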
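diff --git a/etc/evince.profile b/etc/evince.profile
index 72c1ffc97..08c82086b 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,8 +5,6 @@ include /etc/firejail/evince.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/evince
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ machine-id
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs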
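Review bot: `# nodbus` on line 22 is added disabled with no reason, directly beneath a line that does document why `net none` is off (`# net none breaks AppArmor on Ubuntu systems`), so the new line reads as an oversight rather than a decision. If it is disabled because evince needs the session bus — it registers an `org.gnome.evince.Daemon` service so a second launch reuses the running window, and it goes through the GTK portals for printing and the file chooser (general evince behaviour, not visible in the hunk; please confirm which one actually breaks) — say so: `# nodbus - breaks window reuse through evince's D-Bus daemon`, or whatever the observed failure is. The profile continues past the hunk.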
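diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 18d1e3c81..8ab6012f5 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,7 +6,6 @@ include /etc/firejail/exiftool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 noblacklist /usr/bin/perl
@@ -21,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs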
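diff --git a/etc/feh.profile b/etc/feh.profile
index 1320434f1..ba7a76c49 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,8 +5,6 @@ include /etc/firejail/feh.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs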
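diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index acea1e834..538179107 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -6,8 +6,6 @@ include /etc/firejail/ffmpeg.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv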
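diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index bc4e70da4..eb76d1dbb 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -5,8 +5,6 @@ include /etc/firejail/file-roller.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs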
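Review bot: Line 17 enables `net none` and line 19 adds `nodbus`, yet the comment dropped in the first hunk said that blocking the session bus made file-roller's settings immutable, and `nodbus` blocks that same socket; nothing in the hunk explains why the warning no longer holds, while eog/eom in this commit keep `nodbus` disabled for precisely that reason. file-roller keeps its preferences in GSettings/dconf, which is most likely what the removed comment referred to (inferred from its wording, not shown here). Check that changing a preference persists across a restart under the new profile, and either record the result, e.g. `# net none / nodbus no longer break settings - verified with <file-roller version>`, or restore the reason line if it still fails.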
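diff --git a/etc/file.profile b/etc/file.profile
index 041bf5ae5..2bdbaaaa8 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -6,7 +6,6 @@ include /etc/firejail/file.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +16,7 @@ caps.drop all
 hostname file
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs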
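diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 12d160155..1f531c1b7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -25,6 +25,7 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required
 #machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs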
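Review bot: `nodbus` on line 28 goes into a profile that every Firefox-derived browser profile includes, with no comment on what desktop integration it removes; Firefox uses the session bus for desktop notifications, MPRIS/media-key control and screensaver inhibition during video playback (general Firefox behaviour, not something the hunk shows), so users will see these quietly stop working across all derived profiles. The neighbouring `machine-id` line shows the house style of recording such trade-offs. Add a one-line note, `# nodbus - disables notifications, MPRIS and screensaver inhibit; 'ignore nodbus' in firefox-common.local restores them`, so both the cost and the override path are discoverable. The profile continues outside the hunk.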
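diff --git a/etc/firejail.config b/etc/firejail.config
index ade3e3c84..0cd4dca3a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -23,6 +23,9 @@
 # and it will harden the rest of the chroot tree.
 # chroot-desktop yes
 
+# Enable or disable dbus handling by --nodbus flag, default enabled.
+# dbus yes
+
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled.
 # disable-mnt no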
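Review bot: The description of the new `dbus yes` switch on line 26 does not say what setting it to `no` does to profiles: going by the other per-feature switches in this file, it turns `nodbus` in every profile and on the command line into a silent no-op, which is a sandbox-weakening setting an administrator should be able to recognise as such. Suggest `# Enable or disable dbus handling by --nodbus flag, default enabled.` followed by `# When set to "no", nodbus in profiles and on the command line is ignored.` I have not seen the implementation, so adjust the wording if the flag has a narrower effect; printing a warning when a profile's `nodbus` is ignored would also make the downgrade visible at run time.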
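diff --git a/etc/freecad.profile b/etc/freecad.profile
index bac502a5f..c51d88f7a 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -5,8 +5,6 @@ include /etc/firejail/freecad.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/FreeCAD
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs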
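diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index ca38ed1b8..8acd32bdd 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -5,8 +5,6 @@ include /etc/firejail/frozen-bubble.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.frozen-bubble
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs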
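diff --git a/etc/galculator.profile b/etc/galculator.profile
index b28c7943f..8229f8250 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -5,8 +5,6 @@ include /etc/firejail/galculator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/galculator
 
 include /etc/firejail/disable-common.inc
@@ -22,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs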
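diff --git a/etc/gcloud.profile b/etc/gcloud.profile
new file mode 100644
index 000000000..195dc9302
--- /dev/null
+++ b/etc/gcloud.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gcloud.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.boto
+noblacklist ${HOME}/.config/gcloud
+noblacklist /var/run/docker.sock
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+# required for sudo-free docker
+#nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
+private-tmp
+
+noexec /tmp
+
+# will break user-local installs of gcloud tooling
+# noexec ${HOME}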
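Review bot: `noblacklist /var/run/docker.sock` on line 10 undoes the containment the rest of this profile builds: a process that can talk to the Docker daemon can start a privileged container with the host filesystem mounted, so anything that runs inside this sandbox — a tampered gcloud component, a compromised credential helper — has a root-equivalent path out of it, and the disabled `nogroups` on lines 22-23 exists only to keep that path open (the docker group is what "sudo-free docker" relies on). Unless driving Docker is essential to the gcloud workflow, drop the noblacklist and re-enable `nogroups`, leaving users who need it to add `noblacklist /var/run/docker.sock` and `ignore nogroups` in gcloud.local; at minimum record the consequence next to line 10, e.g. `# docker socket access is root-equivalent on the host - needed only for 'gcloud docker' style workflows`. Separately, disable-common.inc in this same commit blacklists `${HOME}/.kube` while this profile only noblacklists `.boto` and `.config/gcloud`, so `gcloud container clusters get-credentials` will presumably fail to write its kubeconfig; add `noblacklist ${HOME}/.kube` if that workflow is expected.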
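diff --git a/etc/gedit.profile b/etc/gedit.profile
index 97eb692de..e78b8a708 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
 noblacklist ${HOME}/.gitconfig
@@ -18,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 machine-id
+# net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs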
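diff --git a/etc/gimp.profile b/etc/gimp.profile
index 3cc012a88..49df54d1f 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gimp.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.gimp*
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs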
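diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index a219ac644..dfb93c3b0 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
+# net none
 netfilter
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs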
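Review bot: `# net none` on line 18 is added disabled with no reason recorded, while every other disabled option in this profile says why (`- makes settings immutable`), and `netfilter` on the next line keeps the network open for a calculator. If the reason is that gnome-calculator downloads currency exchange rates for its conversion mode (the usual reason it needs connectivity — please confirm), record it so the next maintainer does not re-enable `net none` by mistake: `# net none - breaks currency conversion (exchange rates are fetched over the network)`. The `apparmor` line also deserves a pointer to the tracking issue, since dropping it for a settings problem is a material loss of enforcement.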
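diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
new file mode 100644
index 000000000..7e7902dff
--- /dev/null
+++ b/etc/gnome-logs.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-logs.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist /var/log/journal
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-logs
+private-dev
+#private-etc fonts
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,librsvg-2.so.2
+private-tmp
+writable-var-log
+
+noexec ${HOME}
+noexec /tmp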
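Review bot: `nogroups` on line 21 drops the supplementary groups the sandboxed process would otherwise keep, and on a stock systemd system read access to the system journal under /var/log/journal is granted through group membership (systemd-journal, adm or wheel via ACL), so a user who can read the full log outside the sandbox will presumably see only their own user journal inside it — confirm this, and either drop `nogroups` for this viewer or document the limitation next to it (`# nogroups - only the user journal is readable; 'ignore nogroups' in gnome-logs.local for the system journal`). `writable-var-log` on line 37 also needs a why-comment, because the name suggests the viewer is being handed write access to logs, when its role here appears to be getting the real /var/log instead of firejail's default tmpfs clone so the journal files are visible at all (my understanding of firejail's /var/log handling; verify): `# writable-var-log - use the real /var/log so the journal can be read`.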
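diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 2392440a6..2f7657c0c 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2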
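diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 8d47d9c31..c6453e972 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gpicview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gpicview
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs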
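diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d79b72152..d17be41cc 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gwenview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gwenviewrc
 noblacklist ${HOME}/.config/org.kde.gwenviewrc
 noblacklist ${HOME}/.gimp*
@@ -24,8 +22,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs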
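diff --git a/etc/gzip.profile b/etc/gzip.profile
index 5187bb9f0..779067770 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -6,12 +6,12 @@ include /etc/firejail/gzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv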
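diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index b99842d60..ff9dd248f 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot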
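diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index ad1aae523..c8ab268c8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -6,8 +6,6 @@ include /etc/firejail/hashcat.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs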
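diff --git a/etc/highlight.profile b/etc/highlight.profile
index a7c667ce1..781866f3b 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -5,7 +5,6 @@ include /etc/firejail/highlight.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs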
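diff --git a/etc/hugin.profile b/etc/hugin.profile
index bff074b74..3847a7daf 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/hugin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hugin
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs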
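--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -5,8 +5,6 @@ include /etc/firejail/imagej.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.imagej
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs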
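--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,8 +5,6 @@ include /etc/firejail/img2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs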
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 6e669ea2c..af24bc3e9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -5,9 +5,9 @@ include /etc/firejail/inkscape.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.inkscape 8noblacklist ${HOME}/.cache/inkscape
9noblacklist ${HOME}/.config/inkscape 9noblacklist ${HOME}/.config/inkscape
10 10noblacklist ${HOME}/.inkscape
11 11
12include /etc/firejail/disable-common.inc 12include /etc/firejail/disable-common.inc
13include /etc/firejail/disable-devel.inc 13include /etc/firejail/disable-devel.inc
@@ -18,7 +18,8 @@ include /etc/firejail/whitelist-var-common.inc
18 18
19apparmor 19apparmor
20caps.drop all 20caps.drop all
21netfilter 21net none
22nodbus
22nodvd 23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
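--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -5,8 +5,6 @@ include /etc/firejail/jd-gui.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs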
diff --git a/etc/kate.profile b/etc/kate.profile
index 5042077e5..b3c1e81d8 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,8 +5,7 @@ include /etc/firejail/kate.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus 8noblacklist ${HOME}/.config/katemetainfos
9
10noblacklist ${HOME}/.config/katepartrc 9noblacklist ${HOME}/.config/katepartrc
11noblacklist ${HOME}/.config/katerc 10noblacklist ${HOME}/.config/katerc
12noblacklist ${HOME}/.config/kateschemarc 11noblacklist ${HOME}/.config/kateschemarc
@@ -21,9 +20,10 @@ include /etc/firejail/disable-programs.inc
21 20
22include /etc/firejail/whitelist-var-common.inc 21include /etc/firejail/whitelist-var-common.inc
23 22
24apparmor 23# apparmor
25caps.drop all 24caps.drop all
26# net none 25# net none
26# nodbus
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
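Review bot: The new side comments out `apparmor` (new line 23) and adds `# nodbus` (new line 26) disabled, which loosens the kate sandbox relative to the old profile, but neither line records why. Other profiles touched in this same change annotate the identical exception inline (`# nodbus - makes settings immutable`), so kate should do the same, e.g. `# apparmor - <what breaks with it enabled>` and `# nodbus - <what breaks with it enabled>`. Without that, the next maintainer cannot tell whether these are temporary workarounds that can be re-enabled or permanent incompatibilities. The pre-existing `# net none` on new line 25 has the same gap and could be annotated at the same time.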
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 3f024f3fa..86a3b1462 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -20,9 +20,11 @@ whitelist ${HOME}/.kde4/share/config/kcalcrc
20include /etc/firejail/whitelist-common.inc 20include /etc/firejail/whitelist-common.inc
21include /etc/firejail/whitelist-var-common.inc 21include /etc/firejail/whitelist-var-common.inc
22 22
23apparmor
23caps.drop all 24caps.drop all
24netfilter 25net none
25no3d 26no3d
27nodbus
26nodvd 28nodvd
27nogroups 29nogroups
28nonewprivs 30nonewprivs
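--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,6 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
@@ -18,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs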
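--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassx.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassx
@@ -23,6 +21,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs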
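--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassxc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassxc
@@ -22,9 +20,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 noroot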
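Review bot: `nodbus` is inserted after `nodvd` (new line 27) in the second hunk, whereas every other profile in this change, including the sibling keepassx.profile, keeps the option list alphabetical and places `nodbus` between `no3d` and `nodvd`. Swapping the two lines so the sequence reads `no3d`, `nodbus`, `nodvd` keeps the profiles uniform and makes future "is nodbus set here?" diffs line up. Behaviour is unaffected either way, since firejail does not care about option order here.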
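--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -9,6 +9,7 @@ include /etc/firejail/globals.local
 # one solution is to have akonadi already running when kmail is started
 
 noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emailidentities
@@ -27,6 +28,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 # apparmor
 caps.drop all
 netfilter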
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 85b267f8b..4bbbd332d 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,34 +5,12 @@ include /etc/firejail/knotes.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.config/akonadi* 8# knotes has problems launching akonadi in debian and ubuntu.
9noblacklist ${HOME}/.config/knotesrc 9# one solution is to have akonadi already running when knotes is started
10noblacklist ${HOME}/.local/share/akonadi*
11noblacklist /tmp/akonadi-*
12
13include /etc/firejail/disable-common.inc
14include /etc/firejail/disable-devel.inc
15include /etc/firejail/disable-passwdmgr.inc
16include /etc/firejail/disable-programs.inc
17 10
18include /etc/firejail/whitelist-var-common.inc 11noblacklist ${HOME}/.config/knotesrc
19 12noblacklist ${HOME}/.local/share/knotes
20caps.drop all
21netfilter
22nodvd
23nogroups
24nonewprivs
25noroot
26nosound
27notv
28novideo
29protocol unix
30seccomp
31shell none
32tracelog
33 13
34private-dev
35# private-tmp - interrupts connection to akonadi
36 14
37noexec ${HOME} 15# Redirect
38noexec /tmp 16include /etc/firejail/kmail.profile
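Review bot: The redirect `include /etc/firejail/kmail.profile` on new line 16 drops knotes' own explicit hardening (`caps.drop all`, `seccomp`, `private-dev`, `noexec ${HOME}`, `noexec /tmp`, the `disable-*.inc` includes) and relies on kmail.profile to re-apply them; kmail.profile is outside this hunk, and the visible kmail hunk confirms only the `disable-*.inc` includes, `caps.drop all` and `netfilter`, so it is worth checking that `private-dev`, `noexec` and `seccomp` are also present there before merging. The redirect also pulls `/etc/firejail/kmail.local` customizations into the knotes sandbox, which may surprise users who only edited knotes.local. A short comment on the redirect line would make that dependency explicit, e.g. `# Redirect - hardening and akonadi setup are inherited from kmail.profile (and kmail.local)`. The knotes-specific `noblacklist` lines correctly stay above the include, since they must precede the `disable-*.inc` includes in kmail.profile.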
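--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,6 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 
@@ -18,6 +17,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs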
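--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -10,10 +10,13 @@ include /etc/firejail/globals.local
 # with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
+# noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc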
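--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/kwrite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
@@ -26,6 +24,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs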
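--- a/etc/less.profile
+++ b/etc/less.profile
@@ -6,12 +6,12 @@ include /etc/firejail/less.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv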
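--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -21,6 +21,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs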
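--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -5,8 +5,6 @@ include /etc/firejail/lmms.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.lmmsrc.xml
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs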
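--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -5,8 +5,6 @@ include /etc/firejail/macrofusion.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mfusion
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs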
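--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mate-calc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mate-calc
 
 include /etc/firejail/disable-common.inc
@@ -24,6 +22,7 @@ whitelist ${HOME}/.themes
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs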
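--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -5,7 +5,6 @@ include /etc/firejail/mediainfo.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs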
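--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -5,8 +5,6 @@ include /etc/firejail/meld.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/meld
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs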
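--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot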
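--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs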
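--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupen64plus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mupen64plus
 noblacklist ${HOME}/.local/share/mupen64plus
 
@@ -24,6 +22,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nonewprivs
 noroot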
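--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,8 +5,6 @@ include /etc/firejail/natron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
@@ -19,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs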
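--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp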
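Review bot: The new profile carries none of the `include /etc/firejail/disable-*.inc` lines and no `blacklist`/`whitelist` at all, so the sandboxed process keeps read access to everything the user can read, including any secrets under `${HOME}`; presumably this is deliberate because ncdu has to walk arbitrary directories, but nothing in the file says so, and a reader comparing it with the other profiles in this change will assume the includes were forgotten. A one-line comment above `caps.drop all` such as `# no disable-*.inc / blacklist: ncdu must be able to scan any path the user points it at` would prevent a later "fix" that silently breaks the tool, and if ncdu's delete or spawn-shell features are reachable from inside the sandbox that is worth stating in the same comment. Two smaller points: `nodbus` on line 10 sits between `ipc-namespace` and `net none`, breaking the alphabetical option order every other profile keeps (it belongs after `no3d`), and `# private-tmp` on line 25 gives no reason for being disabled, unlike the annotated exceptions elsewhere in this change.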
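--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -5,7 +5,6 @@ include /etc/firejail/odt2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs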
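--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,8 +5,6 @@ include /etc/firejail/okular.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -30,6 +28,7 @@ caps.drop all
 machine-id
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs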
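--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -5,8 +5,6 @@ include /etc/firejail/open-invaders.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.openinvaders
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs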
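--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs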
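--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pcmanfm.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
 # noblacklist ${HOME}/.config/pcmanfm
@@ -19,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 # net none - see issue #1467, computer:/// location broken
 no3d
+# nodbus
 nodvd
 nonewprivs
 noroot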
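--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -5,9 +5,6 @@ include /etc/firejail/pdfchain.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -19,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nogroups
 nonewprivs
 noroot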
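--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfmod.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/pdfmod
 noblacklist ${HOME}/.config/pdfmod
 
@@ -22,6 +20,7 @@ ipc-namespace
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs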
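--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfsam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs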
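--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -5,7 +5,6 @@ include /etc/firejail/pdftotext.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -19,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs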
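--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -5,8 +5,6 @@ include /etc/firejail/peek.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/peek
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs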
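--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pingus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.pingus
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs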
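--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pinta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Pinta
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs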
diff --git a/etc/pluma.profile b/etc/pluma.profile
index b50e3cbaf..d0acfeb1a 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pluma.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.config/pluma 8noblacklist ${HOME}/.config/pluma
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
16 14
17include /etc/firejail/whitelist-var-common.inc 15include /etc/firejail/whitelist-var-common.inc
18 16
17# apparmor - makes settings immutable
19caps.drop all 18caps.drop all
20# net none - makes settings immutable
21machine-id 19machine-id
20# net none - makes settings immutable
22no3d 21no3d
22# nodbus - makes settings immutable
23nodvd 23nodvd
24nogroups 24nogroups
25nonewprivs 25nonewprivs
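--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -30,6 +30,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs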
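--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 # noblacklist /usr/bin/cpan*
 noblacklist /usr/bin/perl
 noblacklist /usr/lib/perl*
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs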
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a20bdb883..6322f8217 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,10 +13,11 @@ include /etc/firejail/disable-programs.inc
13 13
14include /etc/firejail/whitelist-var-common.inc 14include /etc/firejail/whitelist-var-common.inc
15 15
16apparmor 16# apparmor - makes settings immutable
17caps.drop all 17caps.drop all
18netfilter 18netfilter
19# no3d 19# no3d
20# nodbus - makes settings immutable
20nogroups 21nogroups
21nonewprivs 22nonewprivs
22noroot 23noroot
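--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 # Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
@@ -33,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +47,6 @@ tracelog
 # private-bin scribus,gs,gimp*
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp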
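--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -6,8 +6,6 @@ include /etc/firejail/sdat2img.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs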
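--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,8 +5,6 @@ include /etc/firejail/shotcut.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Meltytech
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs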
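--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -5,8 +5,6 @@ include /etc/firejail/simutrans.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.simutrans
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs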
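--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/skanlite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs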
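Review bot: The new `# nodbus` line is added disabled with no reason, whereas the other profiles in this commit that leave it off say why (`# nodbus - problems with KDE`, `# nodbus - makes settings immutable`); a bare commented option reads as "forgotten" rather than "deliberately off". The same applies to `# nodbus` in zathura and `# apparmor` in xreader. Suggest following the established form, `# nodbus - <reason placeholder>`, so the hardening can be revisited when the blocker goes away.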
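--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot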
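--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -31,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs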
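--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -5,8 +5,6 @@ include /etc/firejail/sqlitebrowser.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/sqlitebrowser
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs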
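--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+# nodbus disabled as it breaks appindicator support
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +47,17 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
+
+# private-bin is disabled while in testing, but has been tested working with multiple games
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# extra programs are available which might be needed for select games
+#private-bin java,java-config,mono,python*
+# picture viewers are are needed for viewing screenshots
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp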
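Review bot: The new `#ipc-namespace` line in the first hunk is added disabled without a reason, while the neighbouring `#nodbus` and `#tracelog` lines each carry a `# <option> disabled as <reason>` comment; a reader cannot tell whether it was tested and found to break something or simply never tried. Suggest `# ipc-namespace disabled as <reason placeholder>` immediately above it, following the form already used in this file. Separately, the new comment `# picture viewers are are needed for viewing screenshots` doubles "are".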
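--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -6,12 +6,12 @@ include /etc/firejail/strings.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv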
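--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -5,8 +5,6 @@ include /etc/firejail/supertux2.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/supertux2
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs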
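--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -5,8 +5,6 @@ include /etc/firejail/synfigstudio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
 
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs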
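--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/tar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname tar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv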
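--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,8 +5,6 @@ include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
@@ -25,6 +23,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs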
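--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,9 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot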
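--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot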
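--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot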
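--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -5,8 +5,6 @@ include /etc/firejail/transmission-show.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nonewprivs
 noroot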
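--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -5,8 +5,6 @@ include /etc/firejail/uefitool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs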
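--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unrar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname unrar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv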
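--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname unzip
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv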
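--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -6,11 +6,10 @@ include /etc/firejail/uudeview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 hostname uudeview
 ignore noroot
 net none
+nodbus
 nodvd
 nosound
 notv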
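--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -5,7 +5,6 @@ include /etc/firejail/viewnior.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist ${HOME}/.bashrc
 
 noblacklist ${HOME}/.Steam
@@ -20,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs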
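--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -5,6 +5,7 @@ include /etc/firejail/vlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
 
@@ -18,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot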
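--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -5,12 +5,11 @@ include /etc/firejail/x-terminal-emulator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nogroups
 noroot
 protocol unix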
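--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xcalc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ caps.drop all
 net none
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs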
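--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/xed
 
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 machine-id
+# net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs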
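--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xpdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.xpdfrc
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs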
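--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot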
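--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor
 caps.drop all
 no3d
 nodvd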
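--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xviewer.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/xviewer
 noblacklist ${HOME}/.local/share/Trash
@@ -19,9 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs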
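--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -6,12 +6,12 @@ include /etc/firejail/xzdec.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv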
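--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs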
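--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zathura.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/zathura
 noblacklist ${HOME}/.local/share/zathura
 
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +30,6 @@ private-bin zathura
 private-dev
 private-etc fonts
 private-tmp
+
 read-only ${HOME}/
 read-write ${HOME}/.local/share/zathura/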
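--- a/gcov.sh
+++ b/gcov.sh
@@ -10,11 +10,18 @@ gcov_init() {
 	/usr/lib/firejail/fcopy --help > /dev/null
 	/usr/lib/firejail/fldd --help > /dev/null
 	firecfg --help > /dev/null
+
+	/usr/lib/firejail/fnetfilter --help > /dev/null
+	/usr/lib/firejail/fsec-print --help > /dev/null
+	/usr/lib/firejail/fsec-optimize --help > /dev/null
+	/usr/lib/firejail/faudit --help > /dev/null
+	/usr/lib/firejail/fbuilder --help > /dev/null
+
 	sudo chown $USER:$USER `find .`
 }
 
 generate() {
-	lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
+	lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
 	lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
 	rm -fr gcov-dir
 	genhtml -q gcov-file --output-directory gcov-dir
@@ -25,7 +32,7 @@ generate() {
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
 
 #make test-environment
 #generate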
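Review bot: The list of `-d src/...` coverage directories is now maintained in two places, the `lcov` call inside `generate()` and the top-level one in the second hunk, and this commit had to add the same five directories to both; the next new helper binary will be missed in one of them. A single array declared once at file scope and expanded as `"${gcov_dirs[@]}"` in both calls removes the duplication. While in this function, the context line `sudo chown $USER:$USER \`find .\`` word-splits the unquoted `find` output and is equivalent to `sudo chown -R "$USER:$USER" .`. The enclosing `gcov_init()` starts before the first hunk, so the array definition shown here sits above it, outside the hunk.
```shell
# Coverage source directories, shared by every lcov --capture call below.
gcov_dirs=()
for d in firejail firemon faudit fbuilder fcopy fnetfilter fsec-print fsec-optimize fseccomp fnet ftee lib firecfg fldd; do
	gcov_dirs+=(-d "src/$d")
done

# … unchanged: gcov_init() --help warm-up calls …
	sudo chown -R "$USER:$USER" .
# … unchanged …
	lcov -q --capture "${gcov_dirs[@]}" --output-file gcov-file-new
# … unchanged: add-tracefile / genhtml …
lcov -q --capture "${gcov_dirs[@]}" --output-file gcov-file-old
```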
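--- /dev/null
+++ b/src/common.mk.in
@@ -0,0 +1,37 @@
+# common definitions for all makefiles
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+EXTRA_CFLAGS +=@EXTRA_CFLAGS@
+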
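Review bot: `BINOBJS = $(foreach file, $(OBJS), $file)` in the new file is wrong as written: in make, `$file` means `$(f)` followed by the literal text `ile`, so with `f` unset each iteration yields `ile` rather than the object name; it should read `BINOBJS = $(foreach file, $(OBJS), $(file))`. The line was carried over verbatim from the per-directory Makefiles being deleted, and nothing visible here uses BINOBJS, but centralising the definition is the right moment to either fix it or drop it. A second, lesser point: `-lpthread` lives in `LDFLAGS`, which the link rules place before the objects (`$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) …`), so a toolchain that links with `--as-needed` by default may discard it; moving it into `LIBS`, which those link lines already reference, keeps library order correct.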
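--- a/src/faudit/Makefile.in
+++ b/src/faudit/Makefile.in
@@ -1,25 +1,14 @@
 all: faudit
 
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST = $(sort $(wildcard *.[h]))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST)
-	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 faudit: $(OBJS)
-	$(CC) $(LDFLAGS) -o $@ $(OBJS)
+	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o faudit
+clean:; rm -f *.o faudit *.gcov *.gcda *.gcno
 
 distclean: clean
 	rm -fr Makefile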
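Review bot: With the compile flags now coming from `../common.mk`, the pattern rule `%.o : %.c $(H_FILE_LIST)` has no dependency on that file, so re-running configure with a different HAVE_* option (which rewrites common.mk) leaves stale objects in place until a `make clean`; adding it as a prerequisite, `%.o : %.c $(H_FILE_LIST) ../common.mk`, makes the rebuild automatic. The same pattern rule appears unchanged in the fbuilder and fcopy sections of this commit. Also, the new link line references `$(LIBS)`, which the new common.mk.in does not define; if it is meant as a per-directory hook, a one-line comment there saying so (`# LIBS: per-directory libraries, set by the including Makefile`) would prevent it from being mistaken for a missing substitution.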
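--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,37 +1,6 @@
 all: fbuilder
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-
-H_FILE_LIST = $(sort $(wildcard *.[h]))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@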
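--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,38 +1,6 @@
 all: fcopy
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-
-H_FILE_LIST = $(sort $(wildcard *.[h]))
-C_FILE_LIST = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@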
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index f0d389e36..b6dbb039d 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,33 +1,6 @@
1all: firecfg 1all: firecfg
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_GCOV=@HAVE_GCOV@
21EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
22EXTRA_CFLAGS +=@EXTRA_CFLAGS@
23
24
25H_FILE_LIST = $(sort $(wildcard *.[h]))
26C_FILE_LIST = $(sort $(wildcard *.c))
27OBJS = $(C_FILE_LIST:.c=.o)
28BINOBJS = $(foreach file, $(OBJS), $file)
29CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
30LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
31 4
32%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
33 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
@@ -35,7 +8,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35firecfg: $(OBJS) ../lib/common.o 8firecfg: $(OBJS) ../lib/common.o
36 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
37 10
38clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
39 12
40distclean: clean 13distclean: clean
41 rm -fr Makefile 14 rm -fr Makefile
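--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -134,6 +134,7 @@ freshclam
 frozen-bubble
 gajim
 galculator
+gcloud
 geany
 geary
 gedit
@@ -154,6 +155,7 @@ gnome-clocks
 gnome-contacts
 gnome-documents
 gnome-font-viewer
+gnome-logs
 gnome-maps
 gnome-mplayer
 gnome-music
@@ -263,6 +265,7 @@ musescore
 mutt
 natron
 nautilus
+ncdu
 netsurf
 neverball
 nheko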
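Review bot: `ncdu` is added to the firecfg list, but unlike `gcloud` and `gnome-logs`, whose new etc/*.profile files appear in the diffstat, no etc/ncdu.profile is visible in the (truncated) listing. firecfg creates a symlink that runs the program under firejail, and without a matching profile the sandbox presumably falls back to the default profile, which is a weaker policy than the user would expect from a listed entry. Please confirm the ncdu profile is part of this commit.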
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 543924103..9bd2f9c22 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,38 +1,6 @@
1all: firejail 1all: firejail
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28EXTRA_CFLAGS +=@EXTRA_CFLAGS@
29
30H_FILE_LIST = $(sort $(wildcard *.[h]))
31C_FILE_LIST = $(sort $(wildcard *.c))
32OBJS = $(C_FILE_LIST:.c=.o)
33BINOBJS = $(foreach file, $(OBJS), $file)
34CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
35LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
36 4
37%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
38 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
@@ -40,7 +8,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
40firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o 8firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
41 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
42 10
43clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firejail *.gcov *.gcda *.gcno
44 12
45distclean: clean 13distclean: clean
46 rm -fr Makefile 14 rm -fr Makefile
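--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -85,6 +85,15 @@ int checkcfg(int val) {
  else
  goto errout;
  }
+ // dbus
+ else if (strncmp(ptr, "dbus ", 5) == 0) {
+ if (strcmp(ptr + 5, "yes") == 0)
+ cfg_val[CFG_DBUS] = 1;
+ else if (strcmp(ptr + 5, "no") == 0)
+ cfg_val[CFG_DBUS] = 0;
+ else
+ goto errout;
+ }
  // join
  else if (strncmp(ptr, "join ", 5) == 0) {
  if (strcmp(ptr + 5, "yes") == 0)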
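Review bot: The new `dbus` branch writes `cfg_val[CFG_DBUS]`, but the hunk does not show the default assigned to the new entry before the file is parsed; the other toggles here are presumably initialised to 1 in the `CFG_MAX`-sized defaults block, and if CFG_DBUS is not, `--nodbus` will be refused on every system that lacks an explicit `dbus yes` line, with only the warning added in dbus.c as a hint. Please confirm the initialiser covers CFG_DBUS and that etc/firejail.config (a 3-line change in the diffstat) documents the new `dbus yes` key. checkcfg() begins and ends outside this hunk.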
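--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -20,6 +20,11 @@
 #include "firejail.h"
 
 void dbus_session_disable(void) {
+ if (!checkcfg(CFG_DBUS)) {
+ fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+ return;
+ }
+
  char *path;
  if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
  errExit("asprintf");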
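Review bot: With `dbus no` in firejail.config, a profile's `nodbus` now degrades to a warning and the sandboxed program keeps its session-bus socket, so a profile author's intent is silently weakened for anyone who does not read the console; that mirrors how the other checkcfg() toggles behave, but the new man-page entry in this commit does not say so. Suggest appending to the `\-\-nodbus` man text `This option is ignored when dbus is set to no in firejail.config.` so the override is discoverable. dbus_session_disable() continues past the end of the hunk.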
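--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -744,6 +744,7 @@ enum {
  CFG_XPRA_ATTACH,
  CFG_PRIVATE_LIB,
  CFG_APPARMOR,
+ CFG_DBUS,
  CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;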
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 15b548d20..d0292f524 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -132,7 +132,9 @@ void usage(void) {
132#endif 132#endif
133 printf(" --nice=value - set nice value.\n"); 133 printf(" --nice=value - set nice value.\n");
134 printf(" --no3d - disable 3D hardware acceleration.\n"); 134 printf(" --no3d - disable 3D hardware acceleration.\n");
135 printf(" --noblacklist=filename - disable blacklist for file or directory .\n"); 135 printf(" --noblacklist=filename - disable blacklist for file or directory.\n");
136 printf(" --nodbus - disable D-Bus access.\n");
137 printf(" --nodvd - disable DVD and audio CD devices.\n");
136 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); 138 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
137 printf(" --nogroups - disable supplementary groups.\n"); 139 printf(" --nogroups - disable supplementary groups.\n");
138 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); 140 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
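Review bot: The new `--nodbus` help text says "disable D-Bus access", which reads broader than what the man-page text in this same commit describes (only the regular UNIX session-bus socket is handled; the abstract socket still needs `--net` or a `--protocol` set without unix). Narrower wording avoids users assuming the bus is fully unreachable: `printf("    --nodbus - disable D-Bus session bus socket.\n");`.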
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index ede25f6b5..d3ffe5d3f 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,24 +1,6 @@
1all: firemon 1all: firemon
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9HAVE_APPARMOR=@HAVE_APPARMOR@
10EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
11
12H_FILE_LIST = $(sort $(wildcard *.[h]))
13C_FILE_LIST = $(sort $(wildcard *.c))
14OBJS = $(C_FILE_LIST:.c=.o)
15BINOBJS = $(foreach file, $(OBJS), $file)
16CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
17LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
18HAVE_GCOV=@HAVE_GCOV@
19EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
20EXTRA_CFLAGS +=@EXTRA_CFLAGS@
21
22 4
23%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
24 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index e199d517d..5af37cfbd 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,37 +1,6 @@
1all: fldd 1all: fldd
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_CFLAGS +=@EXTRA_CFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
37 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 06b8bbee7..06b3981a9 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,37 +1,6 @@
1all: fnet 1all: fnet
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
27EXTRA_CFLAGS +=@EXTRA_CFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
37 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 0a0a8acc0..2e263cc2b 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -1,37 +1,6 @@
1all: fnetfilter 1all: fnetfilter
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_CFLAGS +=@EXTRA_CFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index faa1aa476..e5e14a6a6 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -1,37 +1,6 @@
1all: fsec-optimize 1all: fsec-optimize
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
27EXTRA_CFLAGS +=@EXTRA_CFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index 177b23f06..3db4406f4 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -1,38 +1,6 @@
1all: fsec-print 1all: fsec-print
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28EXTRA_CFLAGS +=@EXTRA_CFLAGS@
29
30H_FILE_LIST = $(sort $(wildcard *.[h]))
31C_FILE_LIST = $(sort $(wildcard *.c))
32OBJS = $(C_FILE_LIST:.c=.o)
33BINOBJS = $(foreach file, $(OBJS), $file)
34CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
35LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
36 4
37%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
38 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 3fd73bc5c..2c99096bb 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,37 +1,6 @@
1all: fseccomp 1all: fseccomp
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
27EXTRA_CFLAGS +=@EXTRA_CFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index 8846126f8..d3b92362c 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,26 +1,12 @@
1all: ftee 1all: ftee
2 2
3CC=@CC@ 3include ../common.mk
4PREFIX=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
10EXTRA_CFLAGS +=@EXTRA_CFLAGS@
11
12H_FILE_LIST = $(sort $(wildcard *.[h]))
13C_FILE_LIST = $(sort $(wildcard *.c))
14OBJS = $(C_FILE_LIST:.c=.o)
15BINOBJS = $(foreach file, $(OBJS), $file)
16CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
17LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
18 4
19%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
20 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
21 7
22ftee: $(OBJS) 8ftee: $(OBJS)
23 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
24 10
25clean:; rm -f *.o ftee *.gcov *.gcda *.gcno 11clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
26 12
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index a25014c74..a744b8d80 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,18 +1,4 @@
1CC=@CC@ 1include ../common.mk
2PREFIX=@prefix@
3VERSION=@PACKAGE_VERSION@
4NAME=@PACKAGE_NAME@
5HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
6HAVE_GCOV=@HAVE_GCOV@
7EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
8EXTRA_CFLAGS +=@EXTRA_CFLAGS@
9
10H_FILE_LIST = $(sort $(wildcard *.[h]))
11C_FILE_LIST = $(sort $(wildcard *.c))
12OBJS = $(C_FILE_LIST:.c=.o)
13BINOBJS = $(foreach file, $(OBJS), $file)
14CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DLIBDIR='"$(libdir)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
15LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
16 2
17all: $(OBJS) 3all: $(OBJS)
18 4
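Review bot: src/lib/Makefile.in previously compiled with `-fPIC` and `LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now`, unlike the executables' `-fPIE -pie`; after `include ../common.mk` it inherits whatever common.mk sets, and the hunk does not show which. If common.mk uses the executable flags, these objects still link into the PIE tools, but the dependency is now implicit; a comment at the include line such as `# objects here are linked into the PIE binaries; common.mk must keep -fPIE and relro/now` would make it explicit for the next person who edits common.mk.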
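--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1064,6 +1064,17 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-nodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
+disable the abstract socket you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol set.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-nodbus \-\-net=none
+.TP
 \fB\-\-nodvd
 Disable DVD and audio CD devices.
 .br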
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index 02f2323a0..656b8e215 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -13,7 +13,7 @@ sleep 1
13send -- "firecfg --clean\r" 13send -- "firecfg --clean\r"
14expect { 14expect {
15 timeout {puts "TESTING ERROR 0\n";exit} 15 timeout {puts "TESTING ERROR 0\n";exit}
16 "/usr/local/bin/firefox removed" 16 "less removed"
17} 17}
18sleep 1 18sleep 1
19 19
@@ -30,11 +30,11 @@ sleep 1
30send -- "firecfg\r" 30send -- "firecfg\r"
31expect { 31expect {
32 timeout {puts "TESTING ERROR 3\n";exit} 32 timeout {puts "TESTING ERROR 3\n";exit}
33 "firefox created" 33 "less created"
34} 34}
35sleep 1 35sleep 1
36 36
37send -- "file /usr/local/bin/firefox\r" 37send -- "file /usr/local/bin/less\r"
38expect { 38expect {
39 timeout {puts "TESTING ERROR 4\n";exit} 39 timeout {puts "TESTING ERROR 4\n";exit}
40 "symbolic link to /usr/bin/firejail" 40 "symbolic link to /usr/bin/firejail"
@@ -44,7 +44,7 @@ sleep 1
44send -- "firecfg --list\r" 44send -- "firecfg --list\r"
45expect { 45expect {
46 timeout {puts "TESTING ERROR 5\n";exit} 46 timeout {puts "TESTING ERROR 5\n";exit}
47 "/usr/local/bin/firefox" 47 "/usr/local/bin/less"
48} 48}
49sleep 1 49sleep 1
50 50
diff --git a/test/root/root.sh b/test/root/root.sh
index 912ae23f0..22b12cf86 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -110,13 +110,13 @@ echo "TESTING: firemon events (test/root/firemon-events.exp)"
110#******************************** 110#********************************
111# firecfg 111# firecfg
112#******************************** 112#********************************
113which firefox 113which less
114if [ "$?" -eq 0 ]; 114if [ "$?" -eq 0 ];
115then 115then
116 echo "TESTING: firecfg (test/root/firecfg.exp)" 116 echo "TESTING: firecfg (test/root/firecfg.exp)"
117 ./firecfg.exp 117 ./firecfg.exp
118else 118else
119 echo "TESTING SKIP: firecfg, firefox not found" 119 echo "TESTING SKIP: firecfg, less not found"
120fi 120fi
121 121
122# restore the default config file 122# restore the default config file
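Review bot: The changed line still pairs `which less` with a separate `if [ "$?" -eq 0 ];` test; `which` is not POSIX, prints the resolved path into the test log, and splitting the status check from the command is fragile. The idiomatic form collapses lines 113-115 into `if command -v less >/dev/null 2>&1; then`. Low priority since it mirrors the surrounding blocks in this script.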
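--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -76,4 +76,24 @@ expect {
 }
 after 100
 
+# run audit executable without a sandbox
+send -- "faudit\r"
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "is not running in a PID namespace"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "BAD: seccomp disabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "BAD: the capability map is"
+}
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ "MAYBE: /dev directory seems to be fully populated"
+}
+after 100
+
 puts "\nall done\n"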
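--- /dev/null
+++ b/test/utils/build.exp
@@ -0,0 +1,58 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --build cat ~/firejail-test-file-7699\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "whitelist ~/firejail-test-file-7699"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.1\n";exit}
+ "include /etc/firejail/whitelist-common.inc"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "private-tmp"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "private-dev"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "blacklist /var"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "private-bin cat,"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "caps.drop all"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "nonewprivs"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "seccomp"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "net none"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "shell none"
+}
+after 100
+
+
+puts "all done\n"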
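--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -6,6 +6,17 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+if [ -f /etc/debian_version ]; then
+ libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
+ export PATH="$PATH:$libdir"
+fi
+export PATH="$PATH:/usr/lib/firejail"
+
+echo "testing" > ~/firejail-test-file-7699
+echo "TESTING: build (test/utils/build.exp)"
+./build.exp
+rm -f ~/firejail-test-file-7699
+
 echo "TESTING: audit (test/utils/audit.exp)"
 ./audit.exp
 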
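Review bot: On a Debian-family host where firejail is not installed from the package (e.g. built from source, the usual case for running this tree's tests), `dpkg -L firejail` prints nothing, `dirname ""` yields `.`, and the next line appends `.` to PATH, so every command the harness cannot otherwise find is resolved from the current working directory for the rest of the run. `grep faudit` can also match more than one path (a man page or doc file named after the tool), and `dirname` on multi-line input does not produce a usable directory. Guard the result and anchor the match: `faudit_path=$(dpkg -L firejail 2>/dev/null | grep -m1 '/faudit$')` followed by `[ -n "$faudit_path" ] && export PATH="$PATH:$(dirname "$faudit_path")"`.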