diff options
341 files changed, 3075 insertions, 3677 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile index 9f33af806..af6e32947 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
| @@ -1,28 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for 0ad |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/0ad.local | 4 | include /etc/firejail/0ad.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for 0ad. | ||
| 9 | noblacklist ~/.cache/0ad | 8 | noblacklist ~/.cache/0ad |
| 10 | noblacklist ~/.config/0ad | 9 | noblacklist ~/.config/0ad |
| 11 | noblacklist ~/.local/share/0ad | 10 | noblacklist ~/.local/share/0ad |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
| 16 | 16 | ||
| 17 | # Whitelists | 17 | mkdir ~/.cache/0ad |
| 18 | mkdir ~/.config/0ad | 18 | mkdir ~/.config/0ad |
| 19 | whitelist ~/.config/0ad | ||
| 20 | |||
| 21 | mkdir ~/.local/share/0ad | 19 | mkdir ~/.local/share/0ad |
| 22 | whitelist ~/.local/share/0ad | ||
| 23 | |||
| 24 | mkdir ~/.cache/0ad | ||
| 25 | whitelist ~/.cache/0ad | 20 | whitelist ~/.cache/0ad |
| 21 | whitelist ~/.config/0ad | ||
| 22 | whitelist ~/.local/share/0ad | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 26 | 24 | ||
| 27 | caps.drop all | 25 | caps.drop all |
| 28 | netfilter | 26 | netfilter |
| @@ -35,9 +33,9 @@ seccomp | |||
| 35 | shell none | 33 | shell none |
| 36 | tracelog | 34 | tracelog |
| 37 | 35 | ||
| 36 | disable-mnt | ||
| 38 | private-dev | 37 | private-dev |
| 39 | private-tmp | 38 | private-tmp |
| 40 | disable-mnt | ||
| 41 | 39 | ||
| 42 | noexec ${HOME} | 40 | noexec ${HOME} |
| 43 | noexec /tmp | 41 | noexec /tmp |
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 2f3efe743..d8c402d34 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for 2048-qt |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/2048-qt.local | 4 | include /etc/firejail/2048-qt.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/xiaoyong | ||
| 9 | noblacklist ~/.config/2048-qt | 8 | noblacklist ~/.config/2048-qt |
| 9 | noblacklist ~/.config/xiaoyong | ||
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 17 | netfilter |
| 19 | nogroups | 18 | nogroups |
| 20 | nonewprivs | 19 | nonewprivs |
| @@ -25,9 +24,9 @@ protocol unix | |||
| 25 | seccomp | 24 | seccomp |
| 26 | shell none | 25 | shell none |
| 27 | 26 | ||
| 27 | disable-mnt | ||
| 28 | private-dev | 28 | private-dev |
| 29 | private-tmp | 29 | private-tmp |
| 30 | disable-mnt | ||
| 31 | 30 | ||
| 32 | noexec ${HOME} | 31 | noexec ${HOME} |
| 33 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/7z.profile b/etc/7z.profile index c7c857dc8..5e2b76f18 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
| @@ -1,23 +1,22 @@ | |||
| 1 | # Firejail profile for 7z | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/7z.local | 5 | include /etc/firejail/7z.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # 7zip crompression tool profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | |||
| 12 | include /etc/firejail/default.profile | ||
| 13 | 8 | ||
| 14 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 15 | 10 | ||
| 16 | tracelog | 11 | ignore noroot |
| 17 | net none | 12 | net none |
| 13 | no3d | ||
| 14 | nosound | ||
| 18 | nosound | 15 | nosound |
| 19 | novideo | 16 | novideo |
| 20 | shell none | 17 | shell none |
| 18 | tracelog | ||
| 19 | |||
| 21 | private-dev | 20 | private-dev |
| 22 | nosound | 21 | |
| 23 | no3d | 22 | include /etc/firejail/default.profile |
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index 7ee918bbe..dc45a32b7 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Cryptocat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Cryptocat.local | 4 | include /etc/firejail/Cryptocat.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Cryptocat | ||
| 9 | noblacklist ${HOME}/.config/Cryptocat | 8 | noblacklist ${HOME}/.config/Cryptocat |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile index f188545d1..4d0f7cac8 100644 --- a/etc/Cyberfox.profile +++ b/etc/Cyberfox.profile | |||
| @@ -1,10 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for cyberfox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Cyberfox.local | ||
| 7 | |||
| 8 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | ||
| 9 | 4 | ||
| 10 | include /etc/firejail/cyberfox.profile | 5 | include /etc/firejail/cyberfox.profile |
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile index 6f5cd8cf0..3b8c093ef 100644 --- a/etc/FossaMail.profile +++ b/etc/FossaMail.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for fossamail |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/FossaMail.local | ||
| 7 | 4 | ||
| 8 | # Firejail profile for FossaMail | ||
| 9 | include /etc/firejail/fossamail.profile | 5 | include /etc/firejail/fossamail.profile |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index e634a5d60..8f6e33f7b 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Mathematica |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Mathematica.local | 4 | include /etc/firejail/Mathematica.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Mathematica profile | ||
| 9 | noblacklist ${HOME}/.Mathematica | 8 | noblacklist ${HOME}/.Mathematica |
| 10 | noblacklist ${HOME}/.Wolfram Research | 9 | noblacklist ${HOME}/.Wolfram Research |
| 11 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | |||
| 12 | mkdir ~/.Mathematica | 16 | mkdir ~/.Mathematica |
| 13 | whitelist ~/.Mathematica | ||
| 14 | mkdir ~/.Wolfram Research | 17 | mkdir ~/.Wolfram Research |
| 18 | whitelist ~/.Mathematica | ||
| 15 | whitelist ~/.Wolfram Research | 19 | whitelist ~/.Wolfram Research |
| 16 | whitelist ~/Documents/Wolfram Mathematica | 20 | whitelist ~/Documents/Wolfram Mathematica |
| 17 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
| 18 | 22 | ||
| 19 | include /etc/firejail/disable-common.inc | ||
| 20 | include /etc/firejail/disable-programs.inc | ||
| 21 | include /etc/firejail/disable-devel.inc | ||
| 22 | include /etc/firejail/disable-passwdmgr.inc | ||
| 23 | |||
| 24 | caps.drop all | 23 | caps.drop all |
| 25 | nonewprivs | 24 | nonewprivs |
| 26 | noroot | 25 | noroot |
diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 7b44a62f1..844595b3f 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for telegram |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Telegram.local | ||
| 7 | 4 | ||
| 8 | # Telegram profile | ||
| 9 | include /etc/firejail/telegram.profile | 5 | include /etc/firejail/telegram.profile |
diff --git a/etc/Thunar.profile b/etc/Thunar.profile index 30db6f023..7bb66240e 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Thunar |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Thunar.local | 4 | include /etc/firejail/Thunar.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for thunar | 8 | noblacklist ${HOME}/.local/share/Trash |
| 9 | noblacklist ~/.config/Thunar | 9 | noblacklist ~/.config/Thunar |
| 10 | noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 10 | noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml |
| 11 | noblacklist ${HOME}/.local/share/Trash | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | #include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | # include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | netfilter | 18 | netfilter |
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile index af5ee529b..706a3611b 100644 --- a/etc/VirtualBox.profile +++ b/etc/VirtualBox.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for virtualbox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/VirtualBox.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/virtualbox.profile | 5 | include /etc/firejail/virtualbox.profile |
diff --git a/etc/Wire.profile b/etc/Wire.profile index 3c8c02b52..a2c0f0099 100644 --- a/etc/Wire.profile +++ b/etc/Wire.profile | |||
| @@ -1,10 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wire |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Wire.local | ||
| 7 | |||
| 8 | # wire messenger profile | ||
| 9 | 4 | ||
| 10 | include /etc/firejail/wire.profile | 5 | include /etc/firejail/wire.profile |
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 22c0202ee..db3b3858c 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Xephyr |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Xephyr.local | 4 | include /etc/firejail/Xephyr.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | 8 | # |
| 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
| @@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local | |||
| 15 | # | 15 | # |
| 16 | 16 | ||
| 17 | 17 | ||
| 18 | # using a private home directory | 18 | blacklist /media |
| 19 | private | ||
| 20 | 19 | ||
| 20 | whitelist /var/lib/xkb | ||
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 22 | ||
| 22 | caps.drop all | 23 | caps.drop all |
| 23 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. | 24 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. |
| 24 | nogroups | 25 | nogroups |
| 25 | nonewprivs | 26 | nonewprivs |
| 26 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. | 27 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. |
| 27 | #noroot | 28 | # noroot |
| 28 | nosound | 29 | nosound |
| 29 | shell none | ||
| 30 | seccomp | ||
| 31 | protocol unix | 30 | protocol unix |
| 31 | seccomp | ||
| 32 | shell none | ||
| 32 | 33 | ||
| 34 | # using a private home directory | ||
| 35 | private | ||
| 36 | # private-bin Xephyr,sh,xkbcomp | ||
| 37 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
| 33 | private-dev | 38 | private-dev |
| 39 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
| 34 | private-tmp | 40 | private-tmp |
| 35 | #private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
| 36 | #private-bin Xephyr,sh,xkbcomp | ||
| 37 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
| 38 | |||
| 39 | blacklist /media | ||
| 40 | whitelist /var/lib/xkb | ||
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 8eba82db1..ce17a9732 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
| @@ -1,10 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Xvfb |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/Xvfb.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xvfb.local | ||
| 7 | |||
| 8 | # | 8 | # |
| 9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
| 10 | # The target program is sandboxed with its own profile. By default the this functionality | 10 | # The target program is sandboxed with its own profile. By default the this functionality |
| @@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local | |||
| 16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
| 17 | # | 17 | # |
| 18 | 18 | ||
| 19 | blacklist /media | ||
| 19 | 20 | ||
| 20 | # using a private home directory | 21 | whitelist /var/lib/xkb |
| 21 | private | 22 | include /etc/firejail/whitelist-common.inc |
| 22 | 23 | ||
| 23 | caps.drop all | 24 | caps.drop all |
| 24 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. | 25 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. |
| @@ -27,15 +28,14 @@ nonewprivs | |||
| 27 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. | 28 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. |
| 28 | #noroot | 29 | #noroot |
| 29 | nosound | 30 | nosound |
| 30 | shell none | ||
| 31 | seccomp | ||
| 32 | protocol unix | 31 | protocol unix |
| 32 | seccomp | ||
| 33 | shell none | ||
| 33 | 34 | ||
| 35 | # using a private home directory | ||
| 36 | private | ||
| 37 | # private-bin Xvfb,sh,xkbcomp | ||
| 38 | # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | ||
| 34 | private-dev | 39 | private-dev |
| 35 | private-tmp | ||
| 36 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname |
| 37 | #private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | 41 | private-tmp |
| 38 | #private-bin Xvfb,sh,xkbcomp | ||
| 39 | |||
| 40 | blacklist /media | ||
| 41 | whitelist /var/lib/xkb | ||
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index f4470b327..a7fbb63d9 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
| @@ -1,50 +1,46 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for abrowser |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/abrowser.local | 4 | include /etc/firejail/abrowser.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Abrowser | ||
| 9 | noblacklist ~/.mozilla | ||
| 10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
| 9 | noblacklist ~/.mozilla | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | ||
| 17 | netfilter | ||
| 18 | nonewprivs | ||
| 19 | noroot | ||
| 20 | protocol unix,inet,inet6,netlink | ||
| 21 | seccomp | ||
| 22 | tracelog | ||
| 23 | |||
| 24 | whitelist ${DOWNLOADS} | ||
| 25 | mkdir ~/.mozilla | ||
| 26 | whitelist ~/.mozilla | ||
| 27 | mkdir ~/.cache/mozilla/abrowser | 16 | mkdir ~/.cache/mozilla/abrowser |
| 17 | mkdir ~/.mozilla | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 28 | whitelist ~/.cache/mozilla/abrowser | 20 | whitelist ~/.cache/mozilla/abrowser |
| 29 | whitelist ~/dwhelper | ||
| 30 | whitelist ~/.zotero | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 32 | whitelist ~/.vimperator | ||
| 33 | whitelist ~/.pentadactylrc | ||
| 34 | whitelist ~/.pentadactyl | ||
| 35 | whitelist ~/.keysnail.js | ||
| 36 | whitelist ~/.config/gnome-mplayer | 21 | whitelist ~/.config/gnome-mplayer |
| 37 | whitelist ~/.cache/gnome-mplayer/plugin | 22 | whitelist ~/.config/pipelight-silverlight5.1 |
| 38 | whitelist ~/.pki | 23 | whitelist ~/.config/pipelight-widevine |
| 24 | whitelist ~/.keysnail.js | ||
| 39 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
| 40 | 26 | whitelist ~/.mozilla | |
| 41 | # silverlight | 27 | whitelist ~/.pentadactyl |
| 28 | whitelist ~/.pentadactylrc | ||
| 29 | whitelist ~/.pki | ||
| 30 | whitelist ~/.vimperator | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 42 | whitelist ~/.wine-pipelight | 32 | whitelist ~/.wine-pipelight |
| 43 | whitelist ~/.wine-pipelight64 | 33 | whitelist ~/.wine-pipelight64 |
| 44 | whitelist ~/.config/pipelight-widevine | 34 | whitelist ~/.zotero |
| 45 | whitelist ~/.config/pipelight-silverlight5.1 | 35 | whitelist ~/dwhelper |
| 46 | |||
| 47 | include /etc/firejail/whitelist-common.inc | 36 | include /etc/firejail/whitelist-common.inc |
| 48 | 37 | ||
| 49 | # experimental features | 38 | caps.drop all |
| 50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 39 | netfilter |
| 40 | nonewprivs | ||
| 41 | noroot | ||
| 42 | protocol unix,inet,inet6,netlink | ||
| 43 | seccomp | ||
| 44 | tracelog | ||
| 45 | |||
| 46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
diff --git a/etc/akregator.profile b/etc/akregator.profile index ed79f0e94..36886b961 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
| @@ -1,34 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for akregator |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/akregator.local | 4 | include /etc/firejail/akregator.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/akregatorrc | 8 | noblacklist ${HOME}/.config/akregatorrc |
| 9 | noblacklist ${HOME}/.local/share/akregator | 9 | noblacklist ${HOME}/.local/share/akregator |
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 17 | netfilter |
| 19 | no3d | 18 | no3d |
| 20 | nogroups | 19 | nogroups |
| 21 | nonewprivs | 20 | nonewprivs |
| 22 | noroot | 21 | noroot |
| 23 | #nosound | ||
| 24 | novideo | 22 | novideo |
| 25 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
| 26 | seccomp | 24 | seccomp |
| 27 | shell none | 25 | shell none |
| 28 | 26 | ||
| 27 | disable-mnt | ||
| 29 | private-dev | 28 | private-dev |
| 30 | private-tmp | 29 | private-tmp |
| 31 | disable-mnt | ||
| 32 | 30 | ||
| 33 | noexec ${HOME} | 31 | noexec ${HOME} |
| 34 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/amarok.profile b/etc/amarok.profile index d521b35b8..28398e2c1 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
| @@ -1,26 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for amarok |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/amarok.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/amarok.local | ||
| 7 | 8 | ||
| 8 | # amarok profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| 16 | nogroups | 16 | nogroups |
| 17 | nonewprivs | 17 | nonewprivs |
| 18 | noroot | 18 | noroot |
| 19 | shell none | ||
| 20 | #seccomp | ||
| 21 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
| 20 | # seccomp | ||
| 21 | shell none | ||
| 22 | 22 | ||
| 23 | #private-bin amarok | 23 | # private-bin amarok |
| 24 | private-dev | 24 | private-dev |
| 25 | # private-etc none | ||
| 25 | private-tmp | 26 | private-tmp |
| 26 | #private-etc none | ||
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 68a3cdc85..3f4795195 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
| @@ -1,11 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for android-studio |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/android-studio.local | 4 | include /etc/firejail/android-studio.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # Firejail profile for Android Studio | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | noblacklist ${HOME}/.AndroidStudio* | 8 | noblacklist ${HOME}/.AndroidStudio* |
| 11 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
| @@ -25,13 +23,12 @@ netfilter | |||
| 25 | nogroups | 23 | nogroups |
| 26 | nonewprivs | 24 | nonewprivs |
| 27 | noroot | 25 | noroot |
| 28 | #nosound | ||
| 29 | novideo | 26 | novideo |
| 30 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
| 31 | seccomp | 28 | seccomp |
| 32 | shell none | 29 | shell none |
| 33 | 30 | ||
| 34 | private-dev | 31 | private-dev |
| 35 | #private-tmp | 32 | # private-tmp |
| 36 | 33 | ||
| 37 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/apktool.profile b/etc/apktool.profile index d0905e253..e057e4c0f 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Firejail profile for apktool | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/apktool.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/apktool.local | ||
| 8 | 9 | ||
| 9 | # Firejail profile for apktool | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/arduino.profile b/etc/arduino.profile index ff605501d..2734e59a4 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
| @@ -1,22 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for arduino |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/arduino.local | 4 | include /etc/firejail/arduino.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for arduino | ||
| 9 | noblacklist ${HOME}/.arduino15 | 8 | noblacklist ${HOME}/.arduino15 |
| 10 | noblacklist ${HOME}/Arduino | ||
| 11 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
| 10 | noblacklist ${HOME}/Arduino | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | #ipc-namespace | ||
| 20 | netfilter | 18 | netfilter |
| 21 | no3d | 19 | no3d |
| 22 | nogroups | 20 | nogroups |
diff --git a/etc/ark.profile b/etc/ark.profile index 007748ed1..7c8574973 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for ark |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/ark.local | 4 | include /etc/firejail/ark.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # ark profile | ||
| 9 | noblacklist ~/.config/arkrc | 8 | noblacklist ~/.config/arkrc |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -19,11 +18,11 @@ nogroups | |||
| 19 | nonewprivs | 18 | nonewprivs |
| 20 | noroot | 19 | noroot |
| 21 | nosound | 20 | nosound |
| 22 | shell none | ||
| 23 | seccomp | ||
| 24 | protocol unix | 21 | protocol unix |
| 22 | seccomp | ||
| 23 | shell none | ||
| 25 | 24 | ||
| 26 | # private-bin | 25 | # private-bin |
| 27 | private-dev | 26 | private-dev |
| 28 | private-tmp | ||
| 29 | # private-etc | 27 | # private-etc |
| 28 | private-tmp | ||
diff --git a/etc/arm.profile b/etc/arm.profile index 3000c35d7..5686c3301 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
| @@ -1,11 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | ||
| 2 | include /etc/firejail/globals.local | ||
| 3 | |||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/arm.local | ||
| 7 | |||
| 8 | # Firejail profile for arm | 1 | # Firejail profile for arm |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/arm.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 9 | 7 | ||
| 10 | noblacklist ${HOME}/.arm | 8 | noblacklist ${HOME}/.arm |
| 11 | 9 | ||
| @@ -33,7 +31,7 @@ shell none | |||
| 33 | tracelog | 31 | tracelog |
| 34 | 32 | ||
| 35 | disable-mnt | 33 | disable-mnt |
| 36 | #private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig | 34 | # private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig |
| 37 | private-dev | 35 | private-dev |
| 38 | private-etc tor,passwd | 36 | private-etc tor,passwd |
| 39 | private-tmp | 37 | private-tmp |
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 367aa5672..acce287c7 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for atom-beta |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/atom-beta.local | 4 | include /etc/firejail/atom-beta.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Atom Beta. | ||
| 9 | noblacklist ~/.atom | 8 | noblacklist ~/.atom |
| 10 | noblacklist ~/.config/Atom | 9 | noblacklist ~/.config/Atom |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/atom.profile b/etc/atom.profile index 726682617..0b763997e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for atom |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/atom.local | 4 | include /etc/firejail/atom.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Atom. | ||
| 9 | noblacklist ~/.atom | 8 | noblacklist ~/.atom |
| 10 | noblacklist ~/.config/Atom | 9 | noblacklist ~/.config/Atom |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/atool.profile b/etc/atool.profile index 49637aa21..a1da26076 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
| @@ -1,18 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for atool |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/atool.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/atool.local | ||
| 7 | 9 | ||
| 8 | # atool profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | # include /etc/firejail/disable-devel.inc | 11 | # include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | netfilter | 16 | netfilter |
| 17 | no3d | ||
| 16 | nogroups | 18 | nogroups |
| 17 | nonewprivs | 19 | nonewprivs |
| 18 | noroot | 20 | noroot |
| @@ -20,13 +22,10 @@ nosound | |||
| 20 | novideo | 22 | novideo |
| 21 | protocol unix | 23 | protocol unix |
| 22 | seccomp | 24 | seccomp |
| 23 | no3d | ||
| 24 | shell none | 25 | shell none |
| 25 | tracelog | 26 | tracelog |
| 26 | 27 | ||
| 27 | blacklist /tmp/.X11-unix | ||
| 28 | |||
| 29 | # private-bin atool | 28 | # private-bin atool |
| 30 | private-tmp | ||
| 31 | private-dev | 29 | private-dev |
| 32 | private-etc none | 30 | private-etc none |
| 31 | private-tmp | ||
diff --git a/etc/atril.profile b/etc/atril.profile index 0abad494a..5cac339ca 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for atril |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/atril.local | 4 | include /etc/firejail/atril.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Atril profile | ||
| 9 | noblacklist ~/.config/atril | 8 | noblacklist ~/.config/atril |
| 10 | noblacklist ~/.local/share | 9 | noblacklist ~/.local/share |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | nogroups | 17 | nogroups |
diff --git a/etc/audacious.profile b/etc/audacious.profile index a8379eb65..15bf6c013 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for audacious |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/audacious.local | 4 | include /etc/firejail/audacious.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Audacious media player profile | ||
| 9 | noblacklist ~/.config/audacious | ||
| 10 | noblacklist ~/.config/Audaciousrc | 8 | noblacklist ~/.config/Audaciousrc |
| 9 | noblacklist ~/.config/audacious | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | netfilter | 17 | netfilter |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 7c2072960..0f88886e7 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for audacity |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/audacity.local | 4 | include /etc/firejail/audacity.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Audacity profile | ||
| 9 | noblacklist ~/.audacity-data | 8 | noblacklist ~/.audacity-data |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| @@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | net none | 16 | net none |
| 19 | no3d | 17 | no3d |
| 20 | nogroups | 18 | nogroups |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 9d8e336cd..9068c39c7 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
| @@ -1,20 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for aweather |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/aweather.local | 4 | include /etc/firejail/aweather.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for aweather. | ||
| 9 | noblacklist ~/.config/aweather | 8 | noblacklist ~/.config/aweather |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | # Whitelist | ||
| 16 | mkdir ~/.config/aweather | 15 | mkdir ~/.config/aweather |
| 17 | whitelist ~/.config/aweather | 16 | whitelist ~/.config/aweather |
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 18 | 18 | ||
| 19 | caps.drop all | 19 | caps.drop all |
| 20 | netfilter | 20 | netfilter |
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 2fe6d1927..9c2909b0f 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
| @@ -1,21 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for baloo_file |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/baloo_file.local | 4 | include /etc/firejail/baloo_file.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # KDE Baloo file daemon profile | 8 | noblacklist ${HOME}/.config/baloofilerc |
| 9 | noblacklist ${HOME}/.kde4/share/config/baloofilerc | ||
| 10 | noblacklist ${HOME}/.kde4/share/config/baloorc | ||
| 11 | noblacklist ${HOME}/.kde/share/config/baloofilerc | 9 | noblacklist ${HOME}/.kde/share/config/baloofilerc |
| 12 | noblacklist ${HOME}/.kde/share/config/baloorc | 10 | noblacklist ${HOME}/.kde/share/config/baloorc |
| 13 | noblacklist ${HOME}/.config/baloofilerc | 11 | noblacklist ${HOME}/.kde4/share/config/baloofilerc |
| 12 | noblacklist ${HOME}/.kde4/share/config/baloorc | ||
| 14 | noblacklist ${HOME}/.local/share/baloo | 13 | noblacklist ${HOME}/.local/share/baloo |
| 14 | |||
| 15 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 18 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | 19 | ||
| 20 | caps.drop all | 20 | caps.drop all |
| 21 | nogroups | 21 | nogroups |
| @@ -26,7 +26,6 @@ novideo | |||
| 26 | protocol unix | 26 | protocol unix |
| 27 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 27 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
| 28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | 28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old |
| 29 | |||
| 30 | x11 xorg | 29 | x11 xorg |
| 31 | 30 | ||
| 32 | private-dev | 31 | private-dev |
| @@ -37,6 +36,6 @@ noexec /tmp | |||
| 37 | 36 | ||
| 38 | # Make home directory read-only and allow writing only to ~/.local/share | 37 | # Make home directory read-only and allow writing only to ~/.local/share |
| 39 | # Note: Baloo will not be able to update the "first run" key in its configuration files. | 38 | # Note: Baloo will not be able to update the "first run" key in its configuration files. |
| 40 | #read-only ${HOME} | 39 | # noexec ${HOME}/.local/share |
| 41 | #read-write ${HOME}/.local/share | 40 | # read-only ${HOME} |
| 42 | #noexec ${HOME}/.local/share | 41 | # read-write ${HOME}/.local/share |
diff --git a/etc/baobab.profile b/etc/baobab.profile index 887e271e3..1336a220c 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for baobab |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/baobab.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/baobab.local | ||
| 7 | 8 | ||
| 8 | # Firejail profile for Baobab | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | #include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-programs.inc |
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 2162151a1..d59c8e05c 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
| @@ -1,11 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for bibletime |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/bibletime.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
| 5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
| 6 | include /etc/firejail/bibletime.local | ||
| 7 | 10 | ||
| 8 | # Firejail profile for BibleTime | ||
| 9 | noblacklist ~/.bibletime | 11 | noblacklist ~/.bibletime |
| 10 | noblacklist ~/.config/qt5ct | 12 | noblacklist ~/.config/qt5ct |
| 11 | noblacklist ~/.sword | 13 | noblacklist ~/.sword |
| @@ -15,13 +17,10 @@ include /etc/firejail/disable-devel.inc | |||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
| 17 | 19 | ||
| 18 | blacklist ~/.bashrc | ||
| 19 | blacklist ~/.Xauthority | ||
| 20 | |||
| 21 | whitelist ${HOME}/.bibletime | 20 | whitelist ${HOME}/.bibletime |
| 22 | whitelist ${HOME}/.config/qt5ct | 21 | whitelist ${HOME}/.config/qt5ct |
| 23 | whitelist ${HOME}/.sword | 22 | whitelist ${HOME}/.sword |
| 24 | 23 | include /etc/firejail/whitelist-common.inc | |
| 25 | 24 | ||
| 26 | caps.drop all | 25 | caps.drop all |
| 27 | netfilter | 26 | netfilter |
| @@ -35,7 +34,7 @@ seccomp | |||
| 35 | shell none | 34 | shell none |
| 36 | tracelog | 35 | tracelog |
| 37 | 36 | ||
| 38 | #private-bin bibletime,qt5ct | 37 | # private-bin bibletime,qt5ct |
| 39 | private-etc fonts,resolv.conf,sword,sword.conf,passwd | ||
| 40 | private-dev | 38 | private-dev |
| 39 | private-etc fonts,resolv.conf,sword,sword.conf,passwd | ||
| 41 | private-tmp | 40 | private-tmp |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 2ecc0c425..9c32cca44 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
| @@ -1,13 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for bitlbee |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/bitlbee.local | 4 | include /etc/firejail/bitlbee.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # BitlBee instant messaging profile | ||
| 9 | noblacklist /sbin | 8 | noblacklist /sbin |
| 10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| @@ -16,16 +16,16 @@ include /etc/firejail/disable-programs.inc | |||
| 16 | netfilter | 16 | netfilter |
| 17 | no3d | 17 | no3d |
| 18 | nonewprivs | 18 | nonewprivs |
| 19 | private | ||
| 20 | private-dev | ||
| 21 | protocol unix,inet,inet6 | ||
| 22 | seccomp | ||
| 23 | nosound | 19 | nosound |
| 24 | novideo | 20 | novideo |
| 25 | read-write /var/lib/bitlbee | 21 | protocol unix,inet,inet6 |
| 22 | seccomp | ||
| 26 | 23 | ||
| 24 | disable-mnt | ||
| 25 | private | ||
| 26 | private-dev | ||
| 27 | private-dev | 27 | private-dev |
| 28 | private-tmp | 28 | private-tmp |
| 29 | disable-mnt | 29 | read-write /var/lib/bitlbee |
| 30 | 30 | ||
| 31 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index f2553cd9c..dab328163 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for bleachbit |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/bleachbit.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/bleachbit.local | ||
| 7 | 8 | ||
| 8 | # bleachbit profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | # include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | # include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | #ipc-namespace | ||
| 16 | net none | 15 | net none |
| 17 | no3d | 16 | no3d |
| 18 | nogroups | 17 | nogroups |
| @@ -26,8 +25,8 @@ shell none | |||
| 26 | 25 | ||
| 27 | # private-bin | 26 | # private-bin |
| 28 | # private-dev | 27 | # private-dev |
| 29 | # private-tmp | ||
| 30 | # private-etc | 28 | # private-etc |
| 29 | # private-tmp | ||
| 31 | 30 | ||
| 32 | memory-deny-write-execute | 31 | memory-deny-write-execute |
| 33 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/blender.profile b/etc/blender.profile index b9757913d..f4c566c0d 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for blender |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/blender.local | 4 | include /etc/firejail/blender.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/blender | 8 | noblacklist ~/.config/blender |
| 9 | |||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | netfilter | 16 | netfilter |
diff --git a/etc/bless.profile b/etc/bless.profile index 25881fa3d..6c6558b1c 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
| @@ -1,26 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for bless |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/bless.local | 4 | include /etc/firejail/bless.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for bless | ||
| 10 | # | ||
| 11 | |||
| 12 | #No Blacklist Paths | ||
| 13 | noblacklist ${HOME}/.config/bless | 8 | noblacklist ${HOME}/.config/bless |
| 14 | 9 | ||
| 15 | #Blacklist Paths | ||
| 16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 20 | 14 | ||
| 21 | #Options | ||
| 22 | caps.drop all | 15 | caps.drop all |
| 23 | #ipc-namespace | ||
| 24 | net none | 16 | net none |
| 25 | no3d | 17 | no3d |
| 26 | nogroups | 18 | nogroups |
diff --git a/etc/brasero.profile b/etc/brasero.profile index cafb9f39a..ee7fe8efa 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for brasero |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/brasero.local | 4 | include /etc/firejail/brasero.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # brasero profile | ||
| 9 | noblacklist ~/.config/brasero | 8 | noblacklist ~/.config/brasero |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | nogroups | 16 | nogroups |
| 19 | nonewprivs | 17 | nonewprivs |
| 20 | noroot | 18 | noroot |
diff --git a/etc/brave.profile b/etc/brave.profile index e73dd37a2..20dbf6c52 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
| @@ -1,43 +1,36 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for brave |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/brave.local | 4 | include /etc/firejail/brave.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Profile for Brave browser | ||
| 9 | noblacklist ~/.config/brave | 8 | noblacklist ~/.config/brave |
| 10 | noblacklist ~/.pki | ||
| 11 | |||
| 12 | # brave uses gpg for built-in password manager | 9 | # brave uses gpg for built-in password manager |
| 13 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
| 11 | noblacklist ~/.pki | ||
| 14 | 12 | ||
| 15 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 18 | 15 | include /etc/firejail/disable-programs.inc | |
| 19 | #caps.drop all | ||
| 20 | netfilter | ||
| 21 | #nonewprivs | ||
| 22 | #noroot | ||
| 23 | #protocol unix,inet,inet6,netlink | ||
| 24 | #seccomp | ||
| 25 | |||
| 26 | #disable-mnt | ||
| 27 | |||
| 28 | whitelist ${DOWNLOADS} | ||
| 29 | 16 | ||
| 30 | mkdir ~/.config/brave | 17 | mkdir ~/.config/brave |
| 31 | whitelist ~/.config/brave | ||
| 32 | mkdir ~/.pki | 18 | mkdir ~/.pki |
| 33 | whitelist ~/.pki | 19 | whitelist ${DOWNLOADS} |
| 34 | |||
| 35 | # lastpass, keepass | ||
| 36 | # for keepass we additionally need to whitelist our .kdbx password database | ||
| 37 | whitelist ~/.keepass | ||
| 38 | whitelist ~/.config/keepass | ||
| 39 | whitelist ~/.config/KeePass | 20 | whitelist ~/.config/KeePass |
| 40 | whitelist ~/.lastpass | 21 | whitelist ~/.config/brave |
| 22 | whitelist ~/.config/keepass | ||
| 41 | whitelist ~/.config/lastpass | 23 | whitelist ~/.config/lastpass |
| 42 | 24 | whitelist ~/.keepass | |
| 25 | whitelist ~/.lastpass | ||
| 26 | whitelist ~/.pki | ||
| 43 | include /etc/firejail/whitelist-common.inc | 27 | include /etc/firejail/whitelist-common.inc |
| 28 | |||
| 29 | # caps.drop all | ||
| 30 | netfilter | ||
| 31 | # nonewprivs | ||
| 32 | # noroot | ||
| 33 | # protocol unix,inet,inet6,netlink | ||
| 34 | # seccomp | ||
| 35 | |||
| 36 | # disable-mnt | ||
diff --git a/etc/caja.profile b/etc/caja.profile index a724e76b1..1350b63dd 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
| @@ -1,24 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for caja |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/caja.local | 4 | include /etc/firejail/caja.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # Caja profile for Firejail | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there | 8 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there |
| 11 | # is already a caja process running on MATE desktops firejail will have no effect. | 9 | # is already a caja process running on MATE desktops firejail will have no effect. |
| 12 | 10 | ||
| 13 | noblacklist ~/.config/caja | 11 | noblacklist ~/.config/caja |
| 14 | noblacklist ~/.local/share/caja-python | ||
| 15 | noblacklist ~/.local/share/Trash | 12 | noblacklist ~/.local/share/Trash |
| 13 | noblacklist ~/.local/share/caja-python | ||
| 16 | 14 | ||
| 17 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 18 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 19 | #include /etc/firejail/disable-programs.inc | ||
| 20 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 21 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | # include /etc/firejail/disable-programs.inc | ||
| 22 | 19 | ||
| 23 | caps.drop all | 20 | caps.drop all |
| 24 | netfilter | 21 | netfilter |
| @@ -30,7 +27,8 @@ seccomp | |||
| 30 | shell none | 27 | shell none |
| 31 | tracelog | 28 | tracelog |
| 32 | 29 | ||
| 30 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 33 | # private-bin caja | 31 | # private-bin caja |
| 34 | # private-tmp | ||
| 35 | # private-dev | 32 | # private-dev |
| 36 | # private-etc fonts | 33 | # private-etc fonts |
| 34 | # private-tmp | ||
diff --git a/etc/calibre.profile b/etc/calibre.profile index b75e0c276..726a33db8 100644 --- a/etc/calibre.profile +++ b/etc/calibre.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for calibre |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/calibre.local | 4 | include /etc/firejail/calibre.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/calibre | ||
| 9 | noblacklist ~/.cache/calibre | 8 | noblacklist ~/.cache/calibre |
| 9 | noblacklist ~/.config/calibre | ||
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-devel.inc |
| 13 | #include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 17 | netfilter |
| 19 | no3d | 18 | no3d |
| 20 | nogroups | 19 | nogroups |
| @@ -27,7 +26,7 @@ seccomp | |||
| 27 | shell none | 26 | shell none |
| 28 | tracelog | 27 | tracelog |
| 29 | 28 | ||
| 30 | #private-bin | 29 | # private-bin |
| 31 | private-dev | 30 | private-dev |
| 32 | private-tmp | 31 | private-tmp |
| 33 | 32 | ||
diff --git a/etc/catfish.profile b/etc/catfish.profile index 0deaca1b5..759b5e384 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
| @@ -1,15 +1,14 @@ | |||
| 1 | # Persistent global definitions go here | ||
| 2 | include /etc/firejail/globals.local | ||
| 3 | |||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/catfish.local | ||
| 7 | |||
| 8 | # Firejail profile for catfish | 1 | # Firejail profile for catfish |
| 9 | noblacklist ~/.config/catfish | 2 | # This file is overwritten after every install/update |
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/catfish.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 10 | 7 | ||
| 11 | # We can't blacklist much since catfish | 8 | # We can't blacklist much since catfish |
| 12 | # is for finding files/content | 9 | # is for finding files/content |
| 10 | noblacklist ~/.config/catfish | ||
| 11 | |||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | 13 | ||
| 15 | caps.drop all | 14 | caps.drop all |
| @@ -27,6 +26,6 @@ tracelog | |||
| 27 | 26 | ||
| 28 | # These options work but are disabled in case | 27 | # These options work but are disabled in case |
| 29 | # a users wants to search in these directories. | 28 | # a users wants to search in these directories. |
| 30 | #private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m | 29 | # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m |
| 31 | #private-dev | 30 | # private-dev |
| 32 | #private-tmp | 31 | # private-tmp |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index b1acd78f2..fe0153959 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
| @@ -1,22 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for cherrytree |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/cherrytree.local | 4 | include /etc/firejail/cherrytree.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # cherrytree note taking application | 8 | noblacklist ${HOME}/.config/cherrytree |
| 9 | noblacklist /usr/bin/python2* | 9 | noblacklist /usr/bin/python2* |
| 10 | noblacklist /usr/lib/python3* | 10 | noblacklist /usr/lib/python3* |
| 11 | noblacklist ${HOME}/.config/cherrytree | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | #ipc-namespace | ||
| 20 | netfilter | 18 | netfilter |
| 21 | no3d | 19 | no3d |
| 22 | nogroups | 20 | nogroups |
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile index 652976016..dcafbaaa9 100644 --- a/etc/chromium-browser.profile +++ b/etc/chromium-browser.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for chromium |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/chromium-browser.local | ||
| 7 | 4 | ||
| 8 | # Chromium browser profile | ||
| 9 | include /etc/firejail/chromium.profile | 5 | include /etc/firejail/chromium.profile |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 8266770d7..cec5366d9 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
| @@ -1,41 +1,37 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for chromium |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/chromium.local | 4 | include /etc/firejail/chromium.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Chromium browser profile | ||
| 9 | noblacklist ~/.config/chromium | ||
| 10 | noblacklist ~/.cache/chromium | 8 | noblacklist ~/.cache/chromium |
| 11 | noblacklist ~/.pki | 9 | noblacklist ~/.config/chromium |
| 12 | # specific to Arch | ||
| 13 | noblacklist ~/.config/chromium-flags.conf | 10 | noblacklist ~/.config/chromium-flags.conf |
| 11 | noblacklist ~/.pki | ||
| 12 | |||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | # chromium is distributed with a perl script on Arch | 14 | # chromium is distributed with a perl script on Arch |
| 17 | # include /etc/firejail/disable-devel.inc | 15 | # include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | mkdir ~/.config/chromium | ||
| 21 | whitelist ~/.config/chromium | ||
| 22 | mkdir ~/.cache/chromium | 18 | mkdir ~/.cache/chromium |
| 23 | whitelist ~/.cache/chromium | 19 | mkdir ~/.config/chromium |
| 24 | mkdir ~/.pki | 20 | mkdir ~/.pki |
| 25 | whitelist ~/.pki | 21 | whitelist ${DOWNLOADS} |
| 22 | whitelist ~/.cache/chromium | ||
| 23 | whitelist ~/.config/chromium | ||
| 26 | whitelist ~/.config/chromium-flags.conf | 24 | whitelist ~/.config/chromium-flags.conf |
| 27 | 25 | whitelist ~/.pki | |
| 28 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
| 29 | 27 | ||
| 30 | caps.keep sys_chroot,sys_admin | 28 | caps.keep sys_chroot,sys_admin |
| 31 | #ipc-namespace | ||
| 32 | netfilter | 29 | netfilter |
| 33 | nogroups | 30 | nogroups |
| 34 | shell none | 31 | shell none |
| 35 | 32 | ||
| 36 | private-dev | 33 | private-dev |
| 37 | #private-tmp - problems with multiple browser sessions | 34 | # private-tmp - problems with multiple browser sessions |
| 38 | #disable-mnt | ||
| 39 | 35 | ||
| 40 | noexec ${HOME} | 36 | noexec ${HOME} |
| 41 | noexec /tmp | 37 | noexec /tmp |
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index c626e7b74..730e27e33 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile | |||
| @@ -1,25 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for claws-mail |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/claws-mail.local | 4 | include /etc/firejail/claws-mail.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # claws-mail profile | ||
| 9 | noblacklist ~/.claws-mail | 8 | noblacklist ~/.claws-mail |
| 10 | noblacklist ~/.signature | ||
| 11 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
| 10 | noblacklist ~/.signature | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | netfilter | 18 | netfilter |
| 19 | nogroups | ||
| 20 | nonewprivs | 20 | nonewprivs |
| 21 | noroot | 21 | noroot |
| 22 | nogroups | ||
| 23 | nosound | 22 | nosound |
| 24 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
| 25 | seccomp | 24 | seccomp |
diff --git a/etc/clementine.profile b/etc/clementine.profile index ccacc632d..13a14af3b 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for clementine |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/clementine.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/clementine.local | ||
| 7 | 8 | ||
| 8 | # Clementine media player profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | nonewprivs | 15 | nonewprivs |
diff --git a/etc/clipit.profile b/etc/clipit.profile index b44041cbf..444943061 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
| @@ -1,16 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for clipit |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/clipit.local | 4 | include /etc/firejail/clipit.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.local/share/clipit | ||
| 9 | noblacklist ${HOME}/.config/clipit | 8 | noblacklist ${HOME}/.config/clipit |
| 9 | noblacklist ${HOME}/.local/share/clipit | ||
| 10 | |||
| 10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 14 | 15 | ||
| 15 | caps.drop all | 16 | caps.drop all |
| 16 | netfilter | 17 | netfilter |
| @@ -24,9 +25,9 @@ protocol unix | |||
| 24 | seccomp | 25 | seccomp |
| 25 | shell none | 26 | shell none |
| 26 | 27 | ||
| 28 | disable-mnt | ||
| 27 | private-dev | 29 | private-dev |
| 28 | private-tmp | 30 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 31 | ||
| 31 | noexec ${HOME} | 32 | noexec ${HOME} |
| 32 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/cmus.profile b/etc/cmus.profile index 399e81160..fc6476267 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for cmus |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/cmus.local | 4 | include /etc/firejail/cmus.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # cmus profile | ||
| 9 | noblacklist ${HOME}/.config/cmus | 8 | noblacklist ${HOME}/.config/cmus |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -19,7 +18,7 @@ nonewprivs | |||
| 19 | noroot | 18 | noroot |
| 20 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
| 21 | seccomp | 20 | seccomp |
| 21 | shell none | ||
| 22 | 22 | ||
| 23 | private-bin cmus | 23 | private-bin cmus |
| 24 | private-etc group | 24 | private-etc group |
| 25 | shell none | ||
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index ccff4317d..b4cd3369a 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
| @@ -1,31 +1,31 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for conkeror |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/conkeror.local | 4 | include /etc/firejail/conkeror.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Conkeror web browser profile | ||
| 9 | noblacklist ${HOME}/.conkeror.mozdev.org | 8 | noblacklist ${HOME}/.conkeror.mozdev.org |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
| 12 | 12 | ||
| 13 | whitelist ~/.conkeror.mozdev.org | ||
| 14 | whitelist ~/.conkerorrc | ||
| 15 | whitelist ~/.gtkrc-2.0 | ||
| 16 | whitelist ~/.lastpass | ||
| 17 | whitelist ~/.pentadactyl | ||
| 18 | whitelist ~/.pentadactylrc | ||
| 19 | whitelist ~/.vimperator | ||
| 20 | whitelist ~/.vimperatorrc | ||
| 21 | whitelist ~/.zotero | ||
| 22 | whitelist ~/Downloads | ||
| 23 | whitelist ~/dwhelper | ||
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 25 | |||
| 13 | caps.drop all | 26 | caps.drop all |
| 14 | netfilter | 27 | netfilter |
| 15 | nonewprivs | 28 | nonewprivs |
| 16 | noroot | 29 | noroot |
| 17 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
| 18 | seccomp | 31 | seccomp |
| 19 | |||
| 20 | whitelist ~/.conkeror.mozdev.org | ||
| 21 | whitelist ~/Downloads | ||
| 22 | whitelist ~/dwhelper | ||
| 23 | whitelist ~/.zotero | ||
| 24 | whitelist ~/.lastpass | ||
| 25 | whitelist ~/.gtkrc-2.0 | ||
| 26 | whitelist ~/.vimperatorrc | ||
| 27 | whitelist ~/.vimperator | ||
| 28 | whitelist ~/.pentadactylrc | ||
| 29 | whitelist ~/.pentadactyl | ||
| 30 | whitelist ~/.conkerorrc | ||
| 31 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/corebird.profile b/etc/corebird.profile index 9ecfb36a5..62941164f 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for corebird |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/corebird.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/corebird.local | ||
| 7 | 8 | ||
| 8 | # Firejail corebird profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
diff --git a/etc/cpio.profile b/etc/cpio.profile index fe1dc0408..c5d7680a3 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
| @@ -1,28 +1,27 @@ | |||
| 1 | # Firejail profile for cpio | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/cpio.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/cpio.local | ||
| 8 | 10 | ||
| 9 | # cpio profile | ||
| 10 | # /sbin and /usr/sbin are visible inside the sandbox | ||
| 11 | # /boot is not visible and /var is heavily modified | ||
| 12 | noblacklist /sbin | 11 | noblacklist /sbin |
| 13 | noblacklist /usr/sbin | 12 | noblacklist /usr/sbin |
| 13 | |||
| 14 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | 17 | ||
| 18 | private-dev | ||
| 19 | seccomp | ||
| 20 | caps.drop all | 18 | caps.drop all |
| 21 | net none | 19 | net none |
| 22 | shell none | ||
| 23 | tracelog | ||
| 24 | net none | 20 | net none |
| 25 | nosound | ||
| 26 | no3d | 21 | no3d |
| 22 | nosound | ||
| 23 | seccomp | ||
| 24 | shell none | ||
| 25 | tracelog | ||
| 27 | 26 | ||
| 28 | blacklist /tmp/.X11-unix | 27 | private-dev |
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile index 1f6366a3d..021ce32d4 100644 --- a/etc/cryptocat.profile +++ b/etc/cryptocat.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Cryptocat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/cryptocat.local | ||
| 7 | 4 | ||
| 8 | include /etc/Cryptocat.profile | 5 | include /etc/Cryptocat.profile |
diff --git a/etc/curl.profile b/etc/curl.profile index 58b5f050a..34874d270 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
| @@ -1,19 +1,20 @@ | |||
| 1 | # Firejail profile for curl | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/curl.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/curl.local | ||
| 8 | 10 | ||
| 9 | # curl profile | ||
| 10 | noblacklist ~/.curlrc | 11 | noblacklist ~/.curlrc |
| 12 | |||
| 11 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 14 | 16 | ||
| 15 | caps.drop all | 17 | caps.drop all |
| 16 | #ipc-namespace | ||
| 17 | netfilter | 18 | netfilter |
| 18 | no3d | 19 | no3d |
| 19 | nogroups | 20 | nogroups |
| @@ -24,8 +25,6 @@ protocol unix,inet,inet6 | |||
| 24 | seccomp | 25 | seccomp |
| 25 | shell none | 26 | shell none |
| 26 | 27 | ||
| 27 | blacklist /tmp/.X11-unix | ||
| 28 | |||
| 29 | # private-bin curl | 28 | # private-bin curl |
| 30 | private-dev | 29 | private-dev |
| 31 | # private-etc resolv.conf | 30 | # private-etc resolv.conf |
diff --git a/etc/cvlc.profile b/etc/cvlc.profile index 921d505a9..460966321 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for cvlc |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/cvlc.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vlc.local | ||
| 7 | |||
| 8 | # Firejail profile for CVLC | ||
| 9 | noblacklist ${HOME}/.config/vlc | 8 | noblacklist ${HOME}/.config/vlc |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -24,7 +23,7 @@ shell none | |||
| 24 | tracelog | 23 | tracelog |
| 25 | 24 | ||
| 26 | # clvc doesn't like private-bin | 25 | # clvc doesn't like private-bin |
| 27 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 26 | # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
| 28 | private-dev | 27 | private-dev |
| 29 | private-tmp | 28 | private-tmp |
| 30 | 29 | ||
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 45fc00d6f..3c18ef002 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
| @@ -1,75 +1,69 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for cyberfox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/cyberfox.local | 4 | include /etc/firejail/cyberfox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | ||
| 9 | noblacklist ~/.8pecxstudios | 8 | noblacklist ~/.8pecxstudios |
| 10 | noblacklist ~/.cache/8pecxstudios | 9 | noblacklist ~/.cache/8pecxstudios |
| 10 | noblacklist ~/.config/okularpartrc | ||
| 11 | noblacklist ~/.config/okularrc | ||
| 11 | noblacklist ~/.config/qpdfview | 12 | noblacklist ~/.config/qpdfview |
| 12 | noblacklist ~/.local/share/qpdfview | ||
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 14 | noblacklist ~/.kde/share/apps/okular | 13 | noblacklist ~/.kde/share/apps/okular |
| 14 | noblacklist ~/.kde4/share/apps/okular | ||
| 15 | noblacklist ~/.local/share/okular | 15 | noblacklist ~/.local/share/okular |
| 16 | noblacklist ~/.config/okularpartrc | 16 | noblacklist ~/.local/share/qpdfview |
| 17 | noblacklist ~/.config/okularrc | ||
| 18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
| 19 | 18 | ||
| 20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 23 | 22 | ||
| 24 | caps.drop all | ||
| 25 | # ipc-namespace crashes cyberfox on some setups | ||
| 26 | netfilter | ||
| 27 | nogroups | ||
| 28 | nonewprivs | ||
| 29 | noroot | ||
| 30 | protocol unix,inet,inet6,netlink | ||
| 31 | seccomp | ||
| 32 | shell none | ||
| 33 | tracelog | ||
| 34 | |||
| 35 | whitelist ${DOWNLOADS} | ||
| 36 | mkdir ~/.8pecxstudios | 23 | mkdir ~/.8pecxstudios |
| 37 | whitelist ~/.8pecxstudios | ||
| 38 | mkdir ~/.cache/8pecxstudios | 24 | mkdir ~/.cache/8pecxstudios |
| 25 | mkdir ~/.pki | ||
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ~/.8pecxstudios | ||
| 39 | whitelist ~/.cache/8pecxstudios | 28 | whitelist ~/.cache/8pecxstudios |
| 40 | whitelist ~/dwhelper | ||
| 41 | whitelist ~/.zotero | ||
| 42 | whitelist ~/.vimperatorrc | ||
| 43 | whitelist ~/.vimperator | ||
| 44 | whitelist ~/.pentadactylrc | ||
| 45 | whitelist ~/.pentadactyl | ||
| 46 | whitelist ~/.keysnail.js | ||
| 47 | whitelist ~/.config/gnome-mplayer | ||
| 48 | whitelist ~/.cache/gnome-mplayer/plugin | 29 | whitelist ~/.cache/gnome-mplayer/plugin |
| 49 | mkdir ~/.pki | 30 | whitelist ~/.config/gnome-mplayer |
| 50 | whitelist ~/.pki | ||
| 51 | whitelist ~/.lastpass | ||
| 52 | whitelist ~/.config/qpdfview | ||
| 53 | whitelist ~/.local/share/qpdfview | ||
| 54 | whitelist ~/.config/okularrc | ||
| 55 | whitelist ~/.config/okularpartrc | 31 | whitelist ~/.config/okularpartrc |
| 56 | whitelist ~/.kde4/share/apps/okular | 32 | whitelist ~/.config/okularrc |
| 33 | whitelist ~/.config/pipelight-silverlight5.1 | ||
| 34 | whitelist ~/.config/pipelight-widevine | ||
| 35 | whitelist ~/.config/qpdfview | ||
| 57 | whitelist ~/.kde/share/apps/okular | 36 | whitelist ~/.kde/share/apps/okular |
| 37 | whitelist ~/.kde4/share/apps/okular | ||
| 38 | whitelist ~/.keysnail.js | ||
| 39 | whitelist ~/.lastpass | ||
| 58 | whitelist ~/.local/share/okular | 40 | whitelist ~/.local/share/okular |
| 59 | 41 | whitelist ~/.local/share/qpdfview | |
| 60 | # silverlight | 42 | whitelist ~/.pentadactyl |
| 43 | whitelist ~/.pentadactylrc | ||
| 44 | whitelist ~/.pki | ||
| 45 | whitelist ~/.vimperator | ||
| 46 | whitelist ~/.vimperatorrc | ||
| 61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
| 62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
| 63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
| 64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
| 65 | |||
| 66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
| 67 | 52 | ||
| 68 | # experimental features | 53 | caps.drop all |
| 69 | #private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
| 70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
| 71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
| 57 | noroot | ||
| 58 | protocol unix,inet,inet6,netlink | ||
| 59 | seccomp | ||
| 60 | shell none | ||
| 61 | tracelog | ||
| 62 | |||
| 63 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | ||
| 72 | private-dev | 64 | private-dev |
| 65 | # private-dev might prevent video calls going out | ||
| 66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | ||
| 73 | private-tmp | 67 | private-tmp |
| 74 | 68 | ||
| 75 | noexec ${HOME} | 69 | noexec ${HOME} |
diff --git a/etc/darktable.profile b/etc/darktable.profile index eca2ae6c5..47d4710ad 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile | |||
| @@ -1,19 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for darktable |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/darktable.local | 4 | include /etc/firejail/darktable.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.cache/darktable | 8 | noblacklist ~/.cache/darktable |
| 9 | noblacklist ~/.config/darktable | 9 | noblacklist ~/.config/darktable |
| 10 | |||
| 10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 14 | 15 | ||
| 15 | caps.drop all | 16 | caps.drop all |
| 16 | #ipc-namespace | ||
| 17 | netfilter | 17 | netfilter |
| 18 | nogroups | 18 | nogroups |
| 19 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 486df1d99..905920d42 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for deadbeef |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/deadbeef.local | 4 | include /etc/firejail/deadbeef.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # DeaDBeeF media player profile | ||
| 9 | noblacklist ${HOME}/.config/deadbeef | 8 | noblacklist ${HOME}/.config/deadbeef |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | no3d | 17 | no3d |
| 20 | nogroups | 18 | nogroups |
diff --git a/etc/default.profile b/etc/default.profile index 44a9e548b..693f89ad3 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
| @@ -1,31 +1,38 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for default |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/default.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | # generic gui profile |
| 5 | # Persistent customizations should go in a .local file. | 9 | # depending on your usage, you can enable some of the commands below: |
| 6 | include /etc/firejail/default.local | ||
| 7 | 10 | ||
| 8 | ################################ | ||
| 9 | # Generic GUI application profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 14 | 15 | ||
| 15 | caps.drop all | 16 | caps.drop all |
| 17 | # ipc-namespace | ||
| 16 | netfilter | 18 | netfilter |
| 19 | # nogroups | ||
| 17 | nonewprivs | 20 | nonewprivs |
| 18 | noroot | 21 | noroot |
| 22 | # nosound | ||
| 23 | # novideo | ||
| 19 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 20 | seccomp | 25 | seccomp |
| 21 | |||
| 22 | # | ||
| 23 | # depending on your usage, you can enable some of the commands below: | ||
| 24 | # | ||
| 25 | # nogroups | ||
| 26 | # shell none | 26 | # shell none |
| 27 | |||
| 28 | # disable-mnt | ||
| 29 | # private | ||
| 27 | # private-bin program | 30 | # private-bin program |
| 28 | # private-etc none | ||
| 29 | # private-dev | 31 | # private-dev |
| 32 | # private-etc none | ||
| 33 | # private-lib | ||
| 30 | # private-tmp | 34 | # private-tmp |
| 31 | # nosound | 35 | |
| 36 | # memory-deny-write-execute | ||
| 37 | # noexec ${HOME} | ||
| 38 | # noexec /tmp | ||
diff --git a/etc/deluge.profile b/etc/deluge.profile index 4e7d90e53..bb45c4371 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
| @@ -1,22 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for deluge |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/deluge.local | 4 | include /etc/firejail/deluge.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # deluge bittorrent client profile | ||
| 9 | noblacklist ${HOME}/.config/deluge | 8 | noblacklist ${HOME}/.config/deluge |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | 11 | # include /etc/firejail/disable-devel.inc |
| 13 | # deluge is using python on Debian | ||
| 14 | #include /etc/firejail/disable-devel.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 16 | 14 | ||
| 17 | mkdir ${HOME}/.config/deluge | 15 | mkdir ${HOME}/.config/deluge |
| 18 | whitelist ${HOME}/.config/deluge | ||
| 19 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
| 17 | whitelist ${HOME}/.config/deluge | ||
| 20 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
| 21 | 19 | ||
| 22 | caps.drop all | 20 | caps.drop all |
| @@ -27,8 +25,9 @@ nosound | |||
| 27 | novideo | 25 | novideo |
| 28 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
| 29 | seccomp | 27 | seccomp |
| 30 | |||
| 31 | shell none | 28 | shell none |
| 32 | #private-bin deluge,sh,python,uname | 29 | |
| 30 | # deluge is using python on Debian | ||
| 31 | # private-bin deluge,sh,python,uname | ||
| 33 | private-dev | 32 | private-dev |
| 34 | private-tmp | 33 | private-tmp |
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 6d3aaa224..5e971a5d4 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Firejail profile for dex2jar | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/dex2jar.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/dex2jar.local | ||
| 8 | 9 | ||
| 9 | # Firejail profile for dex2jar | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/dia.profile b/etc/dia.profile index 71d8a249b..2072314cb 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dia |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dia.local | 4 | include /etc/firejail/dia.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.dia | 8 | noblacklist ~/.dia |
| 9 | |||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | netfilter | 16 | netfilter |
| @@ -23,9 +24,9 @@ protocol unix | |||
| 23 | seccomp | 24 | seccomp |
| 24 | shell none | 25 | shell none |
| 25 | 26 | ||
| 27 | disable-mnt | ||
| 26 | private-dev | 28 | private-dev |
| 27 | private-tmp | 29 | private-tmp |
| 28 | disable-mnt | ||
| 29 | 30 | ||
| 30 | noexec ${HOME} | 31 | noexec ${HOME} |
| 31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/digikam.profile b/etc/digikam.profile index d81d00ed3..35365984e 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
| @@ -1,35 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for digikam |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/digikam.local | 4 | include /etc/firejail/digikam.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.kde4/share/apps/digikam | ||
| 9 | noblacklist ${HOME}/.kde/share/apps/digikam | ||
| 10 | noblacklist ${HOME}/.config/digikamrc | 8 | noblacklist ${HOME}/.config/digikamrc |
| 9 | noblacklist ${HOME}/.kde/share/apps/digikam | ||
| 10 | noblacklist ${HOME}/.kde4/share/apps/digikam | ||
| 11 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | 18 | netfilter |
| 19 | nogroups | ||
| 19 | nonewprivs | 20 | nonewprivs |
| 20 | noroot | 21 | noroot |
| 21 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
| 22 | |||
| 23 | # This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04. | ||
| 24 | # Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled. | ||
| 25 | #seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
| 26 | seccomp | 23 | seccomp |
| 27 | 24 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | |
| 28 | nogroups | ||
| 29 | shell none | 25 | shell none |
| 26 | |||
| 30 | # private-bin program | 27 | # private-bin program |
| 31 | # private-etc none | ||
| 32 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 28 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
| 29 | # private-etc none | ||
| 33 | private-tmp | 30 | private-tmp |
| 34 | 31 | ||
| 35 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/dillo.profile b/etc/dillo.profile index e11a6f13b..4601be8dc 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile | |||
| @@ -1,16 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dillo |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dillo.local | 4 | include /etc/firejail/dillo.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Dillo web browser | ||
| 9 | noblacklist ~/.dillo | 8 | noblacklist ~/.dillo |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.dillo | ||
| 16 | mkdir ~/.fltk | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | whitelist ~/.dillo | ||
| 19 | whitelist ~/.fltk | ||
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 14 | 21 | ||
| 15 | caps.drop all | 22 | caps.drop all |
| 16 | netfilter | 23 | netfilter |
| @@ -19,11 +26,3 @@ noroot | |||
| 19 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
| 20 | seccomp | 27 | seccomp |
| 21 | tracelog | 28 | tracelog |
| 22 | |||
| 23 | whitelist ${DOWNLOADS} | ||
| 24 | mkdir ~/.dillo | ||
| 25 | whitelist ~/.dillo | ||
| 26 | mkdir ~/.fltk | ||
| 27 | whitelist ~/.fltk | ||
| 28 | |||
| 29 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/dino.profile b/etc/dino.profile index 94563fa1d..0501cd408 100644 --- a/etc/dino.profile +++ b/etc/dino.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dino |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dino.local | 4 | include /etc/firejail/dino.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Dino | ||
| 9 | noblacklist ${HOME}/.local/share/dino | 8 | noblacklist ${HOME}/.local/share/dino |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| @@ -13,13 +12,12 @@ include /etc/firejail/disable-devel.inc | |||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 15 | 14 | ||
| 16 | whitelist ${HOME}/Downloads | ||
| 17 | mkdir ${HOME}/.local/share/dino | 15 | mkdir ${HOME}/.local/share/dino |
| 18 | whitelist ${HOME}/.local/share/dino | 16 | whitelist ${HOME}/.local/share/dino |
| 17 | whitelist ${HOME}/Downloads | ||
| 19 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
| 20 | 19 | ||
| 21 | caps.drop all | 20 | caps.drop all |
| 22 | #ipc-namespace | ||
| 23 | netfilter | 21 | netfilter |
| 24 | no3d | 22 | no3d |
| 25 | nogroups | 23 | nogroups |
| @@ -31,11 +29,11 @@ protocol unix,inet,inet6 | |||
| 31 | seccomp | 29 | seccomp |
| 32 | shell none | 30 | shell none |
| 33 | 31 | ||
| 32 | disable-mnt | ||
| 34 | private-bin dino | 33 | private-bin dino |
| 35 | #private-etc fonts #breaks server connection | ||
| 36 | private-dev | 34 | private-dev |
| 35 | # private-etc fonts # breaks server connection | ||
| 37 | private-tmp | 36 | private-tmp |
| 38 | disable-mnt | ||
| 39 | 37 | ||
| 40 | noexec ${HOME} | 38 | noexec ${HOME} |
| 41 | noexec /tmp | 39 | noexec /tmp |
diff --git a/etc/display.profile b/etc/display.profile index c2c46cba3..ff5d3d2b9 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
| @@ -1,20 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for display |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/display.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/display.local | ||
| 7 | 8 | ||
| 8 | # display (ImageMagick tool) image viewer profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
| 16 | nonewprivs | ||
| 17 | nogroups | 16 | nogroups |
| 17 | nonewprivs | ||
| 18 | noroot | 18 | noroot |
| 19 | nosound | 19 | nosound |
| 20 | protocol unix | 20 | protocol unix |
| @@ -23,6 +23,6 @@ shell none | |||
| 23 | x11 xorg | 23 | x11 xorg |
| 24 | 24 | ||
| 25 | private-bin display | 25 | private-bin display |
| 26 | private-tmp | ||
| 27 | private-dev | 26 | private-dev |
| 28 | private-etc none | 27 | private-etc none |
| 28 | private-tmp | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 81199a22d..075b7ea15 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
| @@ -1,20 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dnscrypt-proxy |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dnscrypt-proxy.local | 4 | include /etc/firejail/dnscrypt-proxy.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # security profile for dnscrypt-proxy | ||
| 9 | noblacklist /sbin | 8 | noblacklist /sbin |
| 10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | private | ||
| 17 | private-dev | ||
| 18 | nosound | ||
| 19 | no3d | 16 | no3d |
| 17 | nosound | ||
| 20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 18 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
| 19 | |||
| 20 | private | ||
| 21 | private-dev | ||
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 797f093a1..834805af9 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
| @@ -1,26 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dnsmasq |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dnsmasq.local | 4 | include /etc/firejail/dnsmasq.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # dnsmasq profile | ||
| 9 | noblacklist /sbin | 8 | noblacklist /sbin |
| 10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps | 16 | caps |
| 17 | netfilter | 17 | netfilter |
| 18 | no3d | ||
| 18 | nonewprivs | 19 | nonewprivs |
| 19 | private | ||
| 20 | private-dev | ||
| 21 | nosound | 20 | nosound |
| 22 | no3d | ||
| 23 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
| 24 | seccomp | 22 | seccomp |
| 25 | 23 | ||
| 26 | disable-mnt | 24 | disable-mnt |
| 25 | private | ||
| 26 | private-dev | ||
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index aac358d38..93acbd09e 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile | |||
| @@ -1,34 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dolphin |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dolphin.local | 4 | include /etc/firejail/dolphin.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # dolphin profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | 8 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 |
| 11 | 9 | ||
| 10 | noblacklist ${HOME}/.local/share/Trash | ||
| 12 | noblacklist ~/.config/dolphinrc | 11 | noblacklist ~/.config/dolphinrc |
| 13 | noblacklist ~/.local/share/dolphin | 12 | noblacklist ~/.local/share/dolphin |
| 14 | noblacklist ${HOME}/.local/share/Trash | ||
| 15 | 13 | ||
| 16 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 17 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 18 | #include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
| 20 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | # include /etc/firejail/disable-programs.inc | ||
| 21 | 18 | ||
| 22 | caps.drop all | 19 | caps.drop all |
| 23 | netfilter | 20 | netfilter |
| 24 | nogroups | 21 | nogroups |
| 25 | nonewprivs | 22 | nonewprivs |
| 26 | noroot | 23 | noroot |
| 27 | shell none | ||
| 28 | seccomp | ||
| 29 | protocol unix | 24 | protocol unix |
| 25 | seccomp | ||
| 26 | shell none | ||
| 30 | 27 | ||
| 28 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 31 | # private-bin | 29 | # private-bin |
| 32 | # private-dev | 30 | # private-dev |
| 33 | # private-tmp | ||
| 34 | # private-etc | 31 | # private-etc |
| 32 | # private-tmp | ||
diff --git a/etc/dosbox.profile b/etc/dosbox.profile index ed4e5f345..ff8e26bf9 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dosbox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dosbox.local | 4 | include /etc/firejail/dosbox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for dosbox | ||
| 9 | noblacklist ~/.dosbox | 8 | noblacklist ~/.dosbox |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/dragon.profile b/etc/dragon.profile index 47d2c593a..e8d82363b 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dragon |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dragon.local | 4 | include /etc/firejail/dragon.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # dragon player profile | ||
| 9 | noblacklist ~/.config/dragonplayerrc | 8 | noblacklist ~/.config/dragonplayerrc |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -19,14 +18,14 @@ nogroups | |||
| 19 | nonewprivs | 18 | nonewprivs |
| 20 | noroot | 19 | noroot |
| 21 | novideo | 20 | novideo |
| 22 | shell none | ||
| 23 | seccomp | ||
| 24 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 22 | seccomp | ||
| 23 | shell none | ||
| 25 | 24 | ||
| 26 | private-bin dragon | 25 | private-bin dragon |
| 27 | private-dev | 26 | private-dev |
| 28 | private-tmp | ||
| 29 | # private-etc | 27 | # private-etc |
| 28 | private-tmp | ||
| 30 | 29 | ||
| 31 | noexec ${HOME} | 30 | noexec ${HOME} |
| 32 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 2319b337b..564a4054d 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
| @@ -1,27 +1,27 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for dropbox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/dropbox.local | 4 | include /etc/firejail/dropbox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # dropbox profile | ||
| 9 | noblacklist ~/.config/autostart | 8 | noblacklist ~/.config/autostart |
| 10 | noblacklist ~/.dropbox-dist | 9 | noblacklist ~/.dropbox-dist |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | mkdir ~/Dropbox | ||
| 17 | whitelist ~/Dropbox | ||
| 18 | mkdir ~/.dropbox | 16 | mkdir ~/.dropbox |
| 19 | whitelist ~/.dropbox | ||
| 20 | mkdir ~/.dropbox-dist | 17 | mkdir ~/.dropbox-dist |
| 21 | whitelist ~/.dropbox-dist | 18 | mkdir ~/Dropbox |
| 22 | |||
| 23 | mkfile ~/.config/autostart/dropbox.desktop | 19 | mkfile ~/.config/autostart/dropbox.desktop |
| 24 | whitelist ~/.config/autostart/dropbox.desktop | 20 | whitelist ~/.config/autostart/dropbox.desktop |
| 21 | whitelist ~/.dropbox | ||
| 22 | whitelist ~/.dropbox-dist | ||
| 23 | whitelist ~/Dropbox | ||
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 25 | 25 | ||
| 26 | caps.drop all | 26 | caps.drop all |
| 27 | netfilter | 27 | netfilter |
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile index ba28e3550..1e8e7bb6c 100644 --- a/etc/ebook-viewer.profile +++ b/etc/ebook-viewer.profile | |||
| @@ -1,10 +1,7 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for calibre |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/ebook-viewer.local | ||
| 7 | 4 | ||
| 8 | # Firejail profile for ebook-viewer (Calibre) | ||
| 9 | include /etc/firejail/calibre.profile | ||
| 10 | net none | 5 | net none |
| 6 | |||
| 7 | include /etc/firejail/calibre.profile | ||
diff --git a/etc/electron.profile b/etc/electron.profile index efaecf029..0377ac073 100644 --- a/etc/electron.profile +++ b/etc/electron.profile | |||
| @@ -1,7 +1,14 @@ | |||
| 1 | # Generic Firejail profile for Electron applications. | 1 | # Firejail profile for electron |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/electron.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | |||
| 2 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 5 | 12 | ||
| 6 | caps.drop all | 13 | caps.drop all |
| 7 | netfilter | 14 | netfilter |
diff --git a/etc/elinks.profile b/etc/elinks.profile index 597e43fb8..bd2c090a6 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
| @@ -1,19 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for elinks |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/elinks.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/elinks.local | ||
| 7 | 9 | ||
| 8 | # elinks profile | ||
| 9 | noblacklist ~/.elinks | 10 | noblacklist ~/.elinks |
| 10 | 11 | ||
| 11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 15 | 16 | ||
| 16 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 17 | no3d | 19 | no3d |
| 18 | nogroups | 20 | nogroups |
| 19 | nonewprivs | 21 | nonewprivs |
| @@ -22,13 +24,10 @@ nosound | |||
| 22 | novideo | 24 | novideo |
| 23 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
| 24 | seccomp | 26 | seccomp |
| 25 | netfilter | ||
| 26 | shell none | 27 | shell none |
| 27 | tracelog | 28 | tracelog |
| 28 | 29 | ||
| 29 | blacklist /tmp/.X11-unix | ||
| 30 | |||
| 31 | # private-bin elinks | 30 | # private-bin elinks |
| 32 | private-tmp | ||
| 33 | private-dev | 31 | private-dev |
| 34 | # private-etc none | 32 | # private-etc none |
| 33 | private-tmp | ||
diff --git a/etc/emacs.profile b/etc/emacs.profile index 4f9d27215..db823c029 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
| @@ -1,23 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for emacs |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/emacs.local | 4 | include /etc/firejail/emacs.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # emacs profile | ||
| 9 | noblacklist ~/.emacs | 8 | noblacklist ~/.emacs |
| 10 | noblacklist ~/.emacs.d | 9 | noblacklist ~/.emacs.d |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | 13 | include /etc/firejail/disable-programs.inc | |
| 16 | 14 | ||
| 17 | caps.drop all | 15 | caps.drop all |
| 18 | netfilter | 16 | netfilter |
| 17 | nogroups | ||
| 19 | nonewprivs | 18 | nonewprivs |
| 20 | noroot | 19 | noroot |
| 21 | nogroups | ||
| 22 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
| 23 | seccomp | 21 | seccomp |
diff --git a/etc/empathy.profile b/etc/empathy.profile index 415f752bf..5eb8d6868 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
| @@ -1,19 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for empathy |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/empathy.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/empathy.local | ||
| 7 | 8 | ||
| 8 | # Empathy instant messaging profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | 12 | ||
| 13 | caps.drop all | 13 | caps.drop all |
| 14 | netfilter | 14 | netfilter |
| 15 | nonewprivs | ||
| 16 | nogroups | 15 | nogroups |
| 16 | nonewprivs | ||
| 17 | noroot | 17 | noroot |
| 18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
| 19 | seccomp | 19 | seccomp |
diff --git a/etc/enchant.profile b/etc/enchant.profile index 554ed5e28..5b0d190fa 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for enchant |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/enchant.local | 4 | include /etc/firejail/enchant.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # enchant profile | ||
| 9 | noblacklist ~/.config/enchant | 8 | noblacklist ~/.config/enchant |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -25,6 +24,6 @@ shell none | |||
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | # private-bin enchant | 26 | # private-bin enchant |
| 28 | # private-tmp | ||
| 29 | # private-dev | 27 | # private-dev |
| 30 | # private-etc fonts | 28 | # private-etc fonts |
| 29 | # private-tmp | ||
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 605643472..b6d8e501f 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for engrampa |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/engrampa.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/engrampa.local | ||
| 7 | 8 | ||
| 8 | # engrampa profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| @@ -24,6 +24,6 @@ shell none | |||
| 24 | tracelog | 24 | tracelog |
| 25 | 25 | ||
| 26 | # private-bin engrampa | 26 | # private-bin engrampa |
| 27 | # private-tmp | ||
| 28 | private-dev | 27 | private-dev |
| 29 | # private-etc fonts | 28 | # private-etc fonts |
| 29 | # private-tmp | ||
diff --git a/etc/eog.profile b/etc/eog.profile index e272a1935..452bb1a36 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
| @@ -1,23 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for eog |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/eog.local | 4 | include /etc/firejail/eog.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # eog (gnome image viewer) profile | ||
| 9 | noblacklist ~/.config/eog | ||
| 10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
| 11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/eog |
| 12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
| 11 | noblacklist ~/.steam | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | #ipc-namespace | ||
| 21 | net none | 19 | net none |
| 22 | no3d | 20 | no3d |
| 23 | nogroups | 21 | nogroups |
diff --git a/etc/eom.profile b/etc/eom.profile index 28cb525c1..75a9e6764 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for eom |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/eom.local | 4 | include /etc/firejail/eom.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Eye of Mate (eom) | ||
| 9 | noblacklist ~/.config/mate/eom | ||
| 10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
| 11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/mate/eom |
| 12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
| 11 | noblacklist ~/.steam | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | nogroups | 19 | nogroups |
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 90e07def9..86fddace0 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for epiphany |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/epiphany.local | 4 | include /etc/firejail/epiphany.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Epiphany browser profile | 8 | noblacklist ${HOME}/.cache/epiphany |
| 9 | noblacklist ${HOME}/.config/epiphany | 9 | noblacklist ${HOME}/.config/epiphany |
| 10 | noblacklist ${HOME}/.local/share/epiphany | 10 | noblacklist ${HOME}/.local/share/epiphany |
| 11 | noblacklist ${HOME}/.cache/epiphany | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | mkdir ${HOME}/.local/share/epiphany | ||
| 19 | whitelist ${HOME}/.local/share/epiphany | ||
| 20 | mkdir ${HOME}/.config/epiphany | ||
| 21 | whitelist ${HOME}/.config/epiphany | ||
| 22 | mkdir ${HOME}/.cache/epiphany | 16 | mkdir ${HOME}/.cache/epiphany |
| 17 | mkdir ${HOME}/.config/epiphany | ||
| 18 | mkdir ${HOME}/.local/share/epiphany | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 23 | whitelist ${HOME}/.cache/epiphany | 20 | whitelist ${HOME}/.cache/epiphany |
| 21 | whitelist ${HOME}/.config/epiphany | ||
| 22 | whitelist ${HOME}/.local/share/epiphany | ||
| 24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 25 | 24 | ||
| 26 | caps.drop all | 25 | caps.drop all |
diff --git a/etc/etr.profile b/etc/etr.profile index d7b747995..dedc1e224 100644 --- a/etc/etr.profile +++ b/etc/etr.profile | |||
| @@ -1,41 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for etr |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/etr.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.etr |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/etr.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # Extreme Tux Racer profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.etr | ||
| 13 | mkdir ~/.etr | 14 | mkdir ~/.etr |
| 14 | whitelist ~/.etr | 15 | whitelist ~/.etr |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix,netlink | 23 | protocol unix,netlink |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin etr | 26 | |
| 34 | # private-etc none | 27 | # private-bin etr |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
diff --git a/etc/evince.profile b/etc/evince.profile index 9f1ebbf76..1a2b04160 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for evince |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/evince.local | 4 | include /etc/firejail/evince.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # evince pdf reader profile | ||
| 9 | noblacklist ~/.config/evince | 8 | noblacklist ~/.config/evince |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | no3d | 17 | no3d |
| 20 | nogroups | 18 | nogroups |
diff --git a/etc/evolution.profile b/etc/evolution.profile index ee8e02e8f..d41ef965a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
| @@ -1,29 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for evolution |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/evolution.local | 4 | include /etc/firejail/evolution.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # evolution profile | 8 | noblacklist /var/mail |
| 9 | noblacklist /var/spool/mail | ||
| 10 | noblacklist ~/.bogofilter | ||
| 11 | noblacklist ~/.cache/evolution | ||
| 9 | noblacklist ~/.config/evolution | 12 | noblacklist ~/.config/evolution |
| 13 | noblacklist ~/.gnupg | ||
| 10 | noblacklist ~/.local/share/evolution | 14 | noblacklist ~/.local/share/evolution |
| 11 | noblacklist ~/.cache/evolution | ||
| 12 | noblacklist ~/.pki | 15 | noblacklist ~/.pki |
| 13 | noblacklist ~/.pki/nssdb | 16 | noblacklist ~/.pki/nssdb |
| 14 | noblacklist ~/.gnupg | ||
| 15 | noblacklist ~/.bogofilter | ||
| 16 | |||
| 17 | noblacklist /var/spool/mail | ||
| 18 | noblacklist /var/mail | ||
| 19 | 17 | ||
| 20 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
| 23 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 24 | 22 | ||
| 25 | caps.drop all | 23 | caps.drop all |
| 26 | #ipc-namespace | ||
| 27 | netfilter | 24 | netfilter |
| 28 | no3d | 25 | no3d |
| 29 | nogroups | 26 | nogroups |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index e69a6206e..3637fc989 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
| @@ -1,36 +1,35 @@ | |||
| 1 | # Firejail profile for exiftool | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/exiftool.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/exiftool.local | ||
| 8 | 10 | ||
| 9 | # exiftool profile | ||
| 10 | noblacklist /usr/bin/perl | 11 | noblacklist /usr/bin/perl |
| 11 | noblacklist /usr/share/perl* | ||
| 12 | noblacklist /usr/lib/perl* | 12 | noblacklist /usr/lib/perl* |
| 13 | noblacklist /usr/share/perl* | ||
| 13 | 14 | ||
| 14 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 18 | 19 | ||
| 19 | caps.drop all | 20 | caps.drop all |
| 20 | net none | 21 | net none |
| 22 | no3d | ||
| 21 | nogroups | 23 | nogroups |
| 22 | nonewprivs | 24 | nonewprivs |
| 23 | noroot | 25 | noroot |
| 24 | nosound | 26 | nosound |
| 25 | protocol unix | 27 | protocol unix |
| 26 | seccomp | 28 | seccomp |
| 27 | no3d | ||
| 28 | shell none | 29 | shell none |
| 29 | tracelog | 30 | tracelog |
| 30 | 31 | ||
| 31 | blacklist /tmp/.X11-unix | ||
| 32 | |||
| 33 | # private-bin exiftool,perl | 32 | # private-bin exiftool,perl |
| 34 | private-tmp | ||
| 35 | private-dev | 33 | private-dev |
| 36 | private-etc none | 34 | private-etc none |
| 35 | private-tmp | ||
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 41edbb50b..663ee3bbb 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for fbreader |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/fbreader.local | 4 | include /etc/firejail/fbreader.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # fbreader ebook reader profile | ||
| 9 | noblacklist ${HOME}/.FBReader | 8 | noblacklist ${HOME}/.FBReader |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -20,8 +19,8 @@ noroot | |||
| 20 | nosound | 19 | nosound |
| 21 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
| 22 | seccomp | 21 | seccomp |
| 23 | |||
| 24 | shell none | 22 | shell none |
| 23 | |||
| 25 | private-bin fbreader,FBReader | 24 | private-bin fbreader,FBReader |
| 26 | private-dev | 25 | private-dev |
| 27 | private-tmp | 26 | private-tmp |
diff --git a/etc/feh.profile b/etc/feh.profile index 8f40a0c3e..1e0d7acc7 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for feh |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/feh.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/feh.local | ||
| 7 | 8 | ||
| 8 | # feh image viewer profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 15d8d36c6..173bb344f 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for file-roller |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/file-roller.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/file-roller.local | ||
| 7 | 8 | ||
| 8 | # file-roller profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | #ipc-namespace | ||
| 16 | net none | 15 | net none |
| 17 | no3d | 16 | no3d |
| 18 | nogroups | 17 | nogroups |
| @@ -26,9 +25,9 @@ shell none | |||
| 26 | tracelog | 25 | tracelog |
| 27 | 26 | ||
| 28 | # private-bin file-roller | 27 | # private-bin file-roller |
| 29 | # private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | # private-etc fonts | 29 | # private-etc fonts |
| 30 | # private-tmp | ||
| 32 | 31 | ||
| 33 | memory-deny-write-execute | 32 | memory-deny-write-execute |
| 34 | noexec ${HOME} | 33 | noexec ${HOME} |
diff --git a/etc/file.profile b/etc/file.profile index 51e35007f..99d2fd865 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # Firejail profile for file | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/file.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/file.local | ||
| 8 | 10 | ||
| 9 | # file profile | ||
| 10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | hostname file | 16 | hostname file |
| @@ -17,7 +18,6 @@ net none | |||
| 17 | no3d | 18 | no3d |
| 18 | nogroups | 19 | nogroups |
| 19 | nonewprivs | 20 | nonewprivs |
| 20 | #noroot | ||
| 21 | nosound | 21 | nosound |
| 22 | protocol unix | 22 | protocol unix |
| 23 | seccomp | 23 | seccomp |
| @@ -25,8 +25,6 @@ shell none | |||
| 25 | tracelog | 25 | tracelog |
| 26 | x11 none | 26 | x11 none |
| 27 | 27 | ||
| 28 | blacklist /tmp/.X11-unix | ||
| 29 | |||
| 30 | private-dev | ||
| 31 | private-bin file | 28 | private-bin file |
| 29 | private-dev | ||
| 32 | private-etc magic.mgc,magic,localtime | 30 | private-etc magic.mgc,magic,localtime |
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 3cc6fd601..c349a9e94 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for filezilla |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/filezilla.local | 4 | include /etc/firejail/filezilla.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # FileZilla ftp profile | ||
| 9 | noblacklist ${HOME}/.filezilla | ||
| 10 | noblacklist ${HOME}/.config/filezilla | 8 | noblacklist ${HOME}/.config/filezilla |
| 9 | noblacklist ${HOME}/.filezilla | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index 33d4a87ad..f3400b1e1 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for firefox-esr |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/firefox-esr.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/firefox-esr.local | ||
| 7 | 8 | ||
| 8 | # Firejail profile for Mozilla Firefox ESR | ||
| 9 | include /etc/firejail/firefox.profile | 9 | include /etc/firejail/firefox.profile |
diff --git a/etc/firefox.profile b/etc/firefox.profile index aff6e8334..27f436c4f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -1,77 +1,70 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for firefox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/firefox.local | 4 | include /etc/firejail/firefox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
| 9 | noblacklist ~/.mozilla | ||
| 10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
| 9 | noblacklist ~/.config/okularpartrc | ||
| 10 | noblacklist ~/.config/okularrc | ||
| 11 | noblacklist ~/.config/qpdfview | 11 | noblacklist ~/.config/qpdfview |
| 12 | noblacklist ~/.local/share/qpdfview | ||
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 14 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 15 | noblacklist ~/.local/share/okular | 14 | noblacklist ~/.local/share/okular |
| 16 | noblacklist ~/.config/okularpartrc | 15 | noblacklist ~/.local/share/qpdfview |
| 17 | noblacklist ~/.config/okularrc | 16 | noblacklist ~/.mozilla |
| 18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
| 19 | 18 | ||
| 20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 23 | 22 | ||
| 24 | caps.drop all | ||
| 25 | # ipc-namespace crashes firefox on some setups | ||
| 26 | netfilter | ||
| 27 | nogroups | ||
| 28 | nonewprivs | ||
| 29 | noroot | ||
| 30 | protocol unix,inet,inet6,netlink | ||
| 31 | seccomp | ||
| 32 | shell none | ||
| 33 | tracelog | ||
| 34 | |||
| 35 | whitelist ${DOWNLOADS} | ||
| 36 | mkdir ~/.mozilla | ||
| 37 | whitelist ~/.mozilla | ||
| 38 | mkdir ~/.cache/mozilla/firefox | 23 | mkdir ~/.cache/mozilla/firefox |
| 24 | mkdir ~/.mozilla | ||
| 25 | mkdir ~/.pki | ||
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 39 | whitelist ~/.cache/mozilla/firefox | 28 | whitelist ~/.cache/mozilla/firefox |
| 40 | whitelist ~/dwhelper | ||
| 41 | whitelist ~/.zotero | ||
| 42 | whitelist ~/.vimperatorrc | ||
| 43 | whitelist ~/.vimperator | ||
| 44 | whitelist ~/.pentadactylrc | ||
| 45 | whitelist ~/.pentadactyl | ||
| 46 | whitelist ~/.keysnail.js | ||
| 47 | whitelist ~/.config/gnome-mplayer | 29 | whitelist ~/.config/gnome-mplayer |
| 48 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 49 | mkdir ~/.pki | ||
| 50 | whitelist ~/.pki | ||
| 51 | whitelist ~/.lastpass | ||
| 52 | whitelist ~/.config/qpdfview | ||
| 53 | whitelist ~/.local/share/qpdfview | ||
| 54 | whitelist ~/.config/okularrc | ||
| 55 | whitelist ~/.config/okularpartrc | 30 | whitelist ~/.config/okularpartrc |
| 56 | whitelist ~/.kde4/share/apps/okular | 31 | whitelist ~/.config/okularrc |
| 32 | whitelist ~/.config/pipelight-silverlight5.1 | ||
| 33 | whitelist ~/.config/pipelight-widevine | ||
| 34 | whitelist ~/.config/qpdfview | ||
| 57 | whitelist ~/.kde/share/apps/okular | 35 | whitelist ~/.kde/share/apps/okular |
| 36 | whitelist ~/.kde4/share/apps/okular | ||
| 37 | whitelist ~/.keysnail.js | ||
| 38 | whitelist ~/.lastpass | ||
| 58 | whitelist ~/.local/share/okular | 39 | whitelist ~/.local/share/okular |
| 59 | 40 | whitelist ~/.local/share/qpdfview | |
| 60 | # silverlight | 41 | whitelist ~/.mozilla |
| 42 | whitelist ~/.pentadactyl | ||
| 43 | whitelist ~/.pentadactylrc | ||
| 44 | whitelist ~/.pki | ||
| 45 | whitelist ~/.vimperator | ||
| 46 | whitelist ~/.vimperatorrc | ||
| 61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
| 62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
| 63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
| 64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
| 65 | |||
| 66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
| 67 | 52 | ||
| 68 | # experimental features | 53 | caps.drop all |
| 69 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
| 70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
| 71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
| 57 | noroot | ||
| 58 | protocol unix,inet,inet6,netlink | ||
| 59 | seccomp | ||
| 60 | shell none | ||
| 61 | tracelog | ||
| 62 | |||
| 63 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
| 72 | private-dev | 64 | private-dev |
| 65 | # private-dev might prevent video calls going out | ||
| 66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
| 73 | private-tmp | 67 | private-tmp |
| 74 | #disable-mnt | ||
| 75 | 68 | ||
| 76 | noexec ${HOME} | 69 | noexec ${HOME} |
| 77 | noexec /tmp | 70 | noexec /tmp |
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index b9bf493b6..be06dc460 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
| @@ -1,26 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for flashpeak-slimjet |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/flashpeak-slimjet.local | 4 | include /etc/firejail/flashpeak-slimjet.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # SlimJet browser profile | ||
| 9 | # This is a whitelisted profile, the internal browser sandbox | 8 | # This is a whitelisted profile, the internal browser sandbox |
| 10 | # is disabled because it requires sudo password. The command | 9 | # is disabled because it requires sudo password. The command |
| 11 | # to run it is as follows: | 10 | # to run it is as follows: |
| 12 | # | ||
| 13 | # firejail flashpeak-slimjet --no-sandbox | 11 | # firejail flashpeak-slimjet --no-sandbox |
| 14 | # | 12 | |
| 15 | noblacklist ~/.config/slimjet | ||
| 16 | noblacklist ~/.cache/slimjet | 13 | noblacklist ~/.cache/slimjet |
| 14 | noblacklist ~/.config/slimjet | ||
| 17 | noblacklist ~/.pki | 15 | noblacklist ~/.pki |
| 18 | include /etc/firejail/disable-common.inc | ||
| 19 | include /etc/firejail/disable-programs.inc | ||
| 20 | 16 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 21 | # chromium is distributed with a perl script on Arch | 18 | # chromium is distributed with a perl script on Arch |
| 22 | # include /etc/firejail/disable-devel.inc | 19 | # include /etc/firejail/disable-devel.inc |
| 23 | # | 20 | include /etc/firejail/disable-programs.inc |
| 21 | |||
| 22 | mkdir ~/.cache/slimjet | ||
| 23 | mkdir ~/.config/slimjet | ||
| 24 | mkdir ~/.pki | ||
| 25 | whitelist ${DOWNLOADS} | ||
| 26 | whitelist ~/.cache/slimjet | ||
| 27 | whitelist ~/.config/slimjet | ||
| 28 | whitelist ~/.pki | ||
| 29 | include /etc/firejail/whitelist-common.inc | ||
| 24 | 30 | ||
| 25 | caps.drop all | 31 | caps.drop all |
| 26 | netfilter | 32 | netfilter |
| @@ -28,13 +34,3 @@ nonewprivs | |||
| 28 | noroot | 34 | noroot |
| 29 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
| 30 | seccomp | 36 | seccomp |
| 31 | |||
| 32 | whitelist ${DOWNLOADS} | ||
| 33 | mkdir ~/.config/slimjet | ||
| 34 | whitelist ~/.config/slimjet | ||
| 35 | mkdir ~/.cache/slimjet | ||
| 36 | whitelist ~/.cache/slimjet | ||
| 37 | mkdir ~/.pki | ||
| 38 | whitelist ~/.pki | ||
| 39 | |||
| 40 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index f8d45424f..b5cc8160b 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for flowblade |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/flowblade.local | 4 | include /etc/firejail/flowblade.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # FlowBlade profile | ||
| 9 | noblacklist ${HOME}/.flowblade | ||
| 10 | noblacklist ${HOME}/.config/flowblade | 8 | noblacklist ${HOME}/.config/flowblade |
| 9 | noblacklist ${HOME}/.flowblade | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index e8e3df62b..4b43602b8 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
| @@ -1,16 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for fontforge |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/fontforge.local | 4 | include /etc/firejail/fontforge.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.FontForge | 8 | noblacklist ${HOME}/.FontForge |
| 9 | 9 | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | 16 | netfilter |
diff --git a/etc/fossamail.profile b/etc/fossamail.profile index 43968cf7a..d49027917 100644 --- a/etc/fossamail.profile +++ b/etc/fossamail.profile | |||
| @@ -1,22 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for fossamail |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/fossamail.local | 4 | include /etc/firejail/fossamail.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for FossaMail | 8 | noblacklist ~/.cache/fossamail |
| 9 | |||
| 10 | noblacklist ~/.gnupg | ||
| 11 | mkdir ~/.gnupg | ||
| 12 | whitelist ~/.gnupg | ||
| 13 | |||
| 14 | noblacklist ~/.fossamail | 9 | noblacklist ~/.fossamail |
| 15 | mkdir ~/.fossamail | 10 | noblacklist ~/.gnupg |
| 16 | whitelist ~/.fossamail | ||
| 17 | 11 | ||
| 18 | noblacklist ~/.cache/fossamail | ||
| 19 | mkdir ~/.cache/fossamail | 12 | mkdir ~/.cache/fossamail |
| 13 | mkdir ~/.fossamail | ||
| 14 | mkdir ~/.gnupg | ||
| 20 | whitelist ~/.cache/fossamail | 15 | whitelist ~/.cache/fossamail |
| 16 | whitelist ~/.fossamail | ||
| 17 | whitelist ~/.gnupg | ||
| 18 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 19 | ||
| 22 | include /etc/firejail/firefox.profile | 20 | include /etc/firejail/firefox.profile |
diff --git a/etc/franz.profile b/etc/franz.profile index c5e019947..82bdabfcd 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
| @@ -1,30 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for franz |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/franz.local | 4 | include /etc/firejail/franz.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Franz profile | ||
| 9 | noblacklist ~/.config/Franz | ||
| 10 | noblacklist ~/.cache/Franz | 8 | noblacklist ~/.cache/Franz |
| 9 | noblacklist ~/.config/Franz | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | whitelist ${DOWNLOADS} | ||
| 17 | mkdir ~/.config/Franz | ||
| 18 | whitelist ~/.config/Franz | ||
| 19 | mkdir ~/.cache/Franz | 16 | mkdir ~/.cache/Franz |
| 20 | whitelist ~/.cache/Franz | 17 | mkdir ~/.config/Franz |
| 21 | mkdir ~/.pki | 18 | mkdir ~/.pki |
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ~/.cache/Franz | ||
| 21 | whitelist ~/.config/Franz | ||
| 22 | whitelist ~/.pki | 22 | whitelist ~/.pki |
| 23 | |||
| 24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 25 | 24 | ||
| 26 | caps.drop all | 25 | caps.drop all |
| 27 | #ipc-namespace | ||
| 28 | netfilter | 26 | netfilter |
| 29 | nogroups | 27 | nogroups |
| 30 | nonewprivs | 28 | nonewprivs |
| @@ -32,11 +30,10 @@ noroot | |||
| 32 | protocol unix,inet,inet6,netlink | 30 | protocol unix,inet,inet6,netlink |
| 33 | seccomp | 31 | seccomp |
| 34 | shell none | 32 | shell none |
| 35 | #tracelog | ||
| 36 | 33 | ||
| 34 | disable-mnt | ||
| 37 | private-dev | 35 | private-dev |
| 38 | private-tmp | 36 | private-tmp |
| 39 | disable-mnt | ||
| 40 | 37 | ||
| 41 | noexec ${HOME} | 38 | noexec ${HOME} |
| 42 | noexec /tmp | 39 | noexec /tmp |
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 52f8e5b3e..b1d9798bc 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
| @@ -1,38 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for frozen-bubble |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/frozen-bubble.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.frozen-bubble |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/frozen-bubble.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # Frozen Bubble profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.frozen-bubble | ||
| 13 | mkdir ~/.frozen-bubble | 14 | mkdir ~/.frozen-bubble |
| 14 | whitelist ~/.frozen-bubble | 15 | whitelist ~/.frozen-bubble |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix,netlink | 23 | protocol unix,netlink |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin frozen-bubble | 26 | |
| 34 | # private-etc none | 27 | # private-bin frozen-bubble |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
diff --git a/etc/gajim.profile b/etc/gajim.profile index a3deb2c73..451a93c31 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
| @@ -1,34 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gajim |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gajim.local | 4 | include /etc/firejail/gajim.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Gajim | ||
| 9 | noblacklist ${HOME}/.local/share/gajim | ||
| 10 | noblacklist ${HOME}/.config/gajim | ||
| 11 | noblacklist ${HOME}/.cache/gajim | 8 | noblacklist ${HOME}/.cache/gajim |
| 9 | noblacklist ${HOME}/.config/gajim | ||
| 10 | noblacklist ${HOME}/.local/share/gajim | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 12 | 16 | ||
| 13 | mkdir ${HOME}/.cache/gajim | 17 | mkdir ${HOME}/.cache/gajim |
| 14 | mkdir ${HOME}/.local/share/gajim | ||
| 15 | mkdir ${HOME}/.config/gajim | 18 | mkdir ${HOME}/.config/gajim |
| 16 | mkdir ${HOME}/Downloads | ||
| 17 | |||
| 18 | # Allow the local python 2.7 site packages, in case any plugins are using these | ||
| 19 | mkdir ${HOME}/.local/lib/python2.7/site-packages/ | 19 | mkdir ${HOME}/.local/lib/python2.7/site-packages/ |
| 20 | whitelist ${HOME}/.local/lib/python2.7/site-packages/ | 20 | mkdir ${HOME}/.local/share/gajim |
| 21 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | 21 | mkdir ${HOME}/Downloads |
| 22 | |||
| 23 | whitelist ${HOME}/.cache/gajim | 22 | whitelist ${HOME}/.cache/gajim |
| 24 | whitelist ${HOME}/.local/share/gajim | ||
| 25 | whitelist ${HOME}/.config/gajim | 23 | whitelist ${HOME}/.config/gajim |
| 24 | whitelist ${HOME}/.local/lib/python2.7/site-packages/ | ||
| 25 | whitelist ${HOME}/.local/share/gajim | ||
| 26 | whitelist ${HOME}/Downloads | 26 | whitelist ${HOME}/Downloads |
| 27 | 27 | include /etc/firejail/whitelist-common.inc | |
| 28 | include /etc/firejail/disable-common.inc | ||
| 29 | include /etc/firejail/disable-passwdmgr.inc | ||
| 30 | include /etc/firejail/disable-programs.inc | ||
| 31 | include /etc/firejail/disable-devel.inc | ||
| 32 | 28 | ||
| 33 | caps.drop all | 29 | caps.drop all |
| 34 | netfilter | 30 | netfilter |
| @@ -39,8 +35,10 @@ protocol unix,inet,inet6 | |||
| 39 | seccomp | 35 | seccomp |
| 40 | shell none | 36 | shell none |
| 41 | 37 | ||
| 42 | #private-bin python2.7 gajim | ||
| 43 | #private-etc fonts | ||
| 44 | private-dev | ||
| 45 | #private-tmp | ||
| 46 | disable-mnt | 38 | disable-mnt |
| 39 | # private-bin python2.7 gajim | ||
| 40 | private-dev | ||
| 41 | # private-etc fonts | ||
| 42 | # private-tmp | ||
| 43 | # Allow the local python 2.7 site packages, in case any plugins are using these | ||
| 44 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | ||
diff --git a/etc/galculator.profile b/etc/galculator.profile index 897946e7a..48ecccd59 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
| @@ -1,20 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for galculator |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/galculator.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/firejail.local | ||
| 7 | |||
| 8 | # Firejail profile for XYZ | ||
| 9 | noblacklist ~/.config/galculator | 8 | noblacklist ~/.config/galculator |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | mkdir ~/.config/galculator | 15 | mkdir ~/.config/galculator |
| 17 | whitelist ~/.config/galculator | 16 | whitelist ~/.config/galculator |
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 18 | 18 | ||
| 19 | caps.drop all | 19 | caps.drop all |
| 20 | net none | 20 | net none |
diff --git a/etc/geany.profile b/etc/geany.profile index 083e9423f..9ec334fc0 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
| @@ -1,14 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for geany |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/geany.local | 4 | include /etc/firejail/geany.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/geany | 8 | noblacklist ${HOME}/.config/geany |
| 9 | |||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 12 | 13 | ||
| 13 | caps.drop all | 14 | caps.drop all |
| 14 | netfilter | 15 | netfilter |
diff --git a/etc/geary.profile b/etc/geary.profile index f655f0efe..3f9faf058 100644 --- a/etc/geary.profile +++ b/etc/geary.profile | |||
| @@ -1,28 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for geary |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/geary.local | 4 | include /etc/firejail/geary.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Gnome Geary | ||
| 9 | # Users have Geary set to open a browser by clicking a link in an email | 8 | # Users have Geary set to open a browser by clicking a link in an email |
| 10 | # We are not allowed to blacklist browser-specific directories | 9 | # We are not allowed to blacklist browser-specific directories |
| 11 | 10 | ||
| 12 | noblacklist ~/.gnupg | 11 | noblacklist ~/.gnupg |
| 13 | mkdir ~/.gnupg | ||
| 14 | whitelist ~/.gnupg | ||
| 15 | |||
| 16 | noblacklist ~/.local/share/geary | 12 | noblacklist ~/.local/share/geary |
| 13 | |||
| 14 | mkdir ~/.gnupg | ||
| 17 | mkdir ~/.local/share/geary | 15 | mkdir ~/.local/share/geary |
| 16 | whitelist ~/.config/mimeapps.list | ||
| 17 | whitelist ~/.gnupg | ||
| 18 | whitelist ~/.local/share/applications | ||
| 18 | whitelist ~/.local/share/geary | 19 | whitelist ~/.local/share/geary |
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 21 | |||
| 22 | ignore private-tmp | ||
| 19 | 23 | ||
| 20 | whitelist ~/.config/mimeapps.list | ||
| 21 | read-only ~/.config/mimeapps.list | 24 | read-only ~/.config/mimeapps.list |
| 22 | whitelist ~/.local/share/applications | ||
| 23 | read-only ~/.local/share/applications | 25 | read-only ~/.local/share/applications |
| 24 | 26 | ||
| 25 | # allow browsers | 27 | # allow browsers |
| 26 | ignore private-tmp | ||
| 27 | include /etc/firejail/firefox.profile | 28 | include /etc/firejail/firefox.profile |
| 28 | #include /etc/firejail/chromium.profile - chromium runs as suid! | ||
diff --git a/etc/gedit.profile b/etc/gedit.profile index 3e78d939e..aa91d9518 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
| @@ -1,23 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gedit |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gedit.local | 4 | include /etc/firejail/gedit.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gedit profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | 8 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it |
| 11 | 9 | ||
| 12 | noblacklist ~/.config/gedit | 10 | noblacklist ~/.config/gedit |
| 13 | 11 | ||
| 14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | 13 | # include /etc/firejail/disable-devel.inc |
| 16 | #include /etc/firejail/disable-devel.inc | ||
| 17 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 18 | 16 | ||
| 19 | caps.drop all | 17 | caps.drop all |
| 20 | #ipc-namespace | ||
| 21 | net none | 18 | net none |
| 22 | no3d | 19 | no3d |
| 23 | nogroups | 20 | nogroups |
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index 194b76674..5936787dd 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
| @@ -1,30 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for geeqie |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/geeqie.local | 4 | include /etc/firejail/geeqie.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Geeqie | 8 | noblacklist ~/.cache/geeqie |
| 9 | noblacklist ~/.config/geeqie | 9 | noblacklist ~/.config/geeqie |
| 10 | noblacklist ~/.local/share/geeqie | 10 | noblacklist ~/.local/share/geeqie |
| 11 | noblacklist ~/.cache/geeqie | 11 | |
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | nogroups | 18 | nogroups |
| 19 | nonewprivs | 19 | nonewprivs |
| 20 | noroot | 20 | noroot |
| 21 | nosound | ||
| 21 | protocol unix | 22 | protocol unix |
| 22 | seccomp | 23 | seccomp |
| 23 | nosound | 24 | shell none |
| 24 | 25 | ||
| 26 | # private-bin geeqie | ||
| 25 | private-dev | 27 | private-dev |
| 26 | 28 | # private-etc X11 | |
| 27 | #Experimental: | ||
| 28 | shell none | ||
| 29 | #private-bin geeqie | ||
| 30 | #private-etc X11 | ||
diff --git a/etc/ghb.profile b/etc/ghb.profile index 2068c3136..9437cea9e 100644 --- a/etc/ghb.profile +++ b/etc/ghb.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for handbrake |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/ghb.local | ||
| 7 | 4 | ||
| 8 | # HandBrake | ||
| 9 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile index ce6cee7a5..5228078d9 100644 --- a/etc/gimp-2.8.profile +++ b/etc/gimp-2.8.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for gimp |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gimp-2.8.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/gimp.profile | 5 | include /etc/firejail/gimp.profile |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 0fe462912..d77c4df8d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gimp |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gimp.local | 4 | include /etc/firejail/gimp.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # gimp | ||
| 9 | noblacklist ${HOME}/.gimp* | 8 | noblacklist ${HOME}/.gimp* |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
| @@ -21,11 +21,10 @@ protocol unix | |||
| 21 | seccomp | 21 | seccomp |
| 22 | shell none | 22 | shell none |
| 23 | 23 | ||
| 24 | private-dev | ||
| 25 | private-tmp | ||
| 26 | |||
| 24 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory | 27 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory |
| 25 | # if you are not using external plugins, you can enable noexec statement below | 28 | # if you are not using external plugins, you can enable noexec statement below |
| 26 | # noexec ${HOME} | 29 | # noexec ${HOME} |
| 27 | |||
| 28 | noexec /tmp | 30 | noexec /tmp |
| 29 | |||
| 30 | private-dev | ||
| 31 | private-tmp | ||
diff --git a/etc/git.profile b/etc/git.profile index 5fa3ef95e..a565f3b5a 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
| @@ -1,35 +1,34 @@ | |||
| 1 | # Firejail profile for git | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/git.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/git.local | ||
| 8 | 10 | ||
| 9 | # git profile | ||
| 10 | noblacklist ~/.gitconfig | ||
| 11 | noblacklist ~/.ssh | ||
| 12 | noblacklist ~/.gnupg | ||
| 13 | noblacklist ~/.emacs | 11 | noblacklist ~/.emacs |
| 14 | noblacklist ~/.emacs.d | 12 | noblacklist ~/.emacs.d |
| 15 | noblacklist ~/.viminfo | 13 | noblacklist ~/.gitconfig |
| 14 | noblacklist ~/.gnupg | ||
| 15 | noblacklist ~/.ssh | ||
| 16 | noblacklist ~/.vim | 16 | noblacklist ~/.vim |
| 17 | noblacklist ~/.viminfo | ||
| 17 | 18 | ||
| 18 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
| 19 | include /etc/firejail/disable-programs.inc | ||
| 20 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 21 | 22 | ||
| 22 | caps.drop all | 23 | caps.drop all |
| 23 | netfilter | 24 | netfilter |
| 25 | no3d | ||
| 24 | nogroups | 26 | nogroups |
| 25 | nonewprivs | 27 | nonewprivs |
| 26 | noroot | 28 | noroot |
| 27 | nosound | 29 | nosound |
| 28 | no3d | ||
| 29 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
| 30 | seccomp | 31 | seccomp |
| 31 | shell none | 32 | shell none |
| 32 | 33 | ||
| 33 | blacklist /tmp/.X11-unix | ||
| 34 | |||
| 35 | private-dev | 34 | private-dev |
diff --git a/etc/gitg.profile b/etc/gitg.profile index 427cbe92c..a66ef1f92 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
| @@ -1,14 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gitg |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gitg.local | 4 | include /etc/firejail/gitg.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for gitg | ||
| 9 | noblacklist ${HOME}/.gitconfig | 8 | noblacklist ${HOME}/.gitconfig |
| 10 | noblacklist ${HOME}/.ssh | ||
| 11 | noblacklist ${HOME}/.local/share/gitg | 9 | noblacklist ${HOME}/.local/share/gitg |
| 10 | noblacklist ${HOME}/.ssh | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/gitter.profile b/etc/gitter.profile index d85b4f660..1864044d8 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
| @@ -1,16 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gitter |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gitter.local | 4 | include /etc/firejail/gitter.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Gitter | ||
| 9 | noblacklist ~/.config/Gitter | 8 | noblacklist ~/.config/Gitter |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | 16 | netfilter |
diff --git a/etc/gjs.profile b/etc/gjs.profile index f1def3f16..739100888 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
| @@ -1,35 +1,33 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gjs |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gjs.local | 4 | include /etc/firejail/gjs.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gjs (gnome javascript bindings) profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 11 | 9 | ||
| 10 | noblacklist ~/.cache/libgweather | ||
| 11 | noblacklist ~/.cache/org.gnome.Books | ||
| 12 | noblacklist ~/.config/libreoffice | 12 | noblacklist ~/.config/libreoffice |
| 13 | noblacklist ~/.local/share/gnome-photos | 13 | noblacklist ~/.local/share/gnome-photos |
| 14 | noblacklist ~/.cache/org.gnome.Books | ||
| 15 | noblacklist ~/.cache/libgweather | ||
| 16 | 14 | ||
| 17 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 20 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 21 | 19 | ||
| 22 | caps.drop all | 20 | caps.drop all |
| 21 | netfilter | ||
| 23 | nogroups | 22 | nogroups |
| 24 | nonewprivs | 23 | nonewprivs |
| 25 | noroot | 24 | noroot |
| 26 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
| 27 | seccomp | 26 | seccomp |
| 28 | netfilter | ||
| 29 | shell none | 27 | shell none |
| 30 | tracelog | 28 | tracelog |
| 31 | 29 | ||
| 32 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | 30 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather |
| 33 | private-tmp | ||
| 34 | private-dev | 31 | private-dev |
| 35 | # private-etc fonts | 32 | # private-etc fonts |
| 33 | private-tmp | ||
diff --git a/etc/globaltime.profile b/etc/globaltime.profile index b9b2c008d..726619f26 100644 --- a/etc/globaltime.profile +++ b/etc/globaltime.profile | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for globaltime |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/globaltime.local | 4 | include /etc/firejail/globaltime.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/globaltime | 8 | noblacklist ${HOME}/.config/globaltime |
| 9 | |||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | netfilter | 16 | netfilter |
| @@ -23,9 +24,9 @@ protocol unix,inet,inet6 | |||
| 23 | seccomp | 24 | seccomp |
| 24 | shell none | 25 | shell none |
| 25 | 26 | ||
| 27 | disable-mnt | ||
| 26 | private-dev | 28 | private-dev |
| 27 | private-tmp | 29 | private-tmp |
| 28 | disable-mnt | ||
| 29 | 30 | ||
| 30 | noexec ${HOME} | 31 | noexec ${HOME} |
| 31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 5e0dfc2a1..996c8e1f4 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile | |||
| @@ -1,42 +1,33 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-2048 |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-2048.local | 4 | include /etc/firejail/gnome-2048.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for gnome-2048 | ||
| 10 | # | ||
| 11 | |||
| 12 | #No Blacklist Paths | ||
| 13 | noblacklist ${HOME}/.local/share/gnome-2048 | 8 | noblacklist ${HOME}/.local/share/gnome-2048 |
| 14 | 9 | ||
| 15 | #Blacklist Paths | ||
| 16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 20 | 14 | ||
| 21 | #Whitelist Paths | ||
| 22 | mkdir ${HOME}/.local/share/gnome-2048 | 15 | mkdir ${HOME}/.local/share/gnome-2048 |
| 23 | whitelist ${HOME}/.local/share/gnome-2048 | 16 | whitelist ${HOME}/.local/share/gnome-2048 |
| 24 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
| 25 | 18 | ||
| 26 | #Options | ||
| 27 | caps.drop all | 19 | caps.drop all |
| 28 | netfilter | 20 | netfilter |
| 29 | no3d | 21 | no3d |
| 30 | nonewprivs | 22 | nonewprivs |
| 31 | noroot | 23 | noroot |
| 32 | #nosound | ||
| 33 | novideo | 24 | novideo |
| 34 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
| 35 | seccomp | 26 | seccomp |
| 36 | 27 | ||
| 28 | disable-mnt | ||
| 37 | private-dev | 29 | private-dev |
| 38 | private-tmp | 30 | private-tmp |
| 39 | disable-mnt | ||
| 40 | 31 | ||
| 41 | noexec ${HOME} | 32 | noexec ${HOME} |
| 42 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index e36294930..60bd2f68d 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-books |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-books.local | 4 | include /etc/firejail/gnome-books.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gnome-books profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 9 | |||
| 11 | noblacklist ~/.cache/org.gnome.Books | 10 | noblacklist ~/.cache/org.gnome.Books |
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | netfilter | 18 | netfilter |
| @@ -29,9 +28,9 @@ shell none | |||
| 29 | tracelog | 28 | tracelog |
| 30 | 29 | ||
| 31 | # private-bin gjs gnome-books | 30 | # private-bin gjs gnome-books |
| 32 | private-tmp | ||
| 33 | private-dev | 31 | private-dev |
| 34 | #private-etc fonts | 32 | # private-etc fonts |
| 33 | private-tmp | ||
| 35 | 34 | ||
| 36 | noexec ${HOME} | 35 | noexec ${HOME} |
| 37 | noexec /tmp | 36 | noexec /tmp |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 40328e5c3..995415edc 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
| @@ -1,26 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-calculator |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-calculator.local | 4 | include /etc/firejail/gnome-calculator.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for gnome-calculator | ||
| 10 | # | ||
| 11 | 8 | ||
| 12 | #Blacklist Paths | ||
| 13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
| 19 | 14 | ||
| 20 | #Options | ||
| 21 | caps.drop all | 15 | caps.drop all |
| 22 | netfilter | 16 | netfilter |
| 23 | #net none | ||
| 24 | no3d | 17 | no3d |
| 25 | nogroups | 18 | nogroups |
| 26 | nonewprivs | 19 | nonewprivs |
| @@ -30,12 +23,12 @@ protocol unix,inet,inet6 | |||
| 30 | seccomp | 23 | seccomp |
| 31 | shell none | 24 | shell none |
| 32 | 25 | ||
| 26 | disable-mnt | ||
| 33 | private | 27 | private |
| 34 | private-bin gnome-calculator | 28 | private-bin gnome-calculator |
| 35 | private-dev | 29 | private-dev |
| 36 | #private-etc fonts | 30 | # private-etc fonts |
| 37 | private-tmp | 31 | private-tmp |
| 38 | disable-mnt | ||
| 39 | 32 | ||
| 40 | memory-deny-write-execute | 33 | memory-deny-write-execute |
| 41 | noexec ${HOME} | 34 | noexec ${HOME} |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 8c098d592..8fd6a2eca 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-chess |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-chess.local | 4 | include /etc/firejail/gnome-chess.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for gnome-chess | ||
| 9 | noblacklist ~/.local/share/gnome-chess | 8 | noblacklist ~/.local/share/gnome-chess |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | no3d | 16 | no3d |
| @@ -25,11 +24,11 @@ seccomp | |||
| 25 | shell none | 24 | shell none |
| 26 | tracelog | 25 | tracelog |
| 27 | 26 | ||
| 27 | disable-mnt | ||
| 28 | private-bin fairymax,gnome-chess,hoichess | 28 | private-bin fairymax,gnome-chess,hoichess |
| 29 | private-dev | 29 | private-dev |
| 30 | private-etc fonts,gnome-chess | 30 | private-etc fonts,gnome-chess |
| 31 | private-tmp | 31 | private-tmp |
| 32 | disable-mnt | ||
| 33 | 32 | ||
| 34 | noexec ${HOME} | 33 | noexec ${HOME} |
| 35 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 129bd6e71..e20cbd9fe 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile | |||
| @@ -1,17 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-clocks |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gnome-clocks.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-clocks.local | ||
| 7 | 8 | ||
| 8 | # gnome-clocks profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | ||
| 15 | no3d | 16 | no3d |
| 16 | nogroups | 17 | nogroups |
| 17 | nonewprivs | 18 | nonewprivs |
| @@ -19,15 +20,14 @@ noroot | |||
| 19 | novideo | 20 | novideo |
| 20 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 21 | seccomp | 22 | seccomp |
| 22 | netfilter | ||
| 23 | shell none | 23 | shell none |
| 24 | tracelog | 24 | tracelog |
| 25 | 25 | ||
| 26 | disable-mnt | ||
| 26 | # private-bin gnome-clocks | 27 | # private-bin gnome-clocks |
| 27 | private-tmp | ||
| 28 | private-dev | 28 | private-dev |
| 29 | # private-etc fonts | 29 | # private-etc fonts |
| 30 | disable-mnt | 30 | private-tmp |
| 31 | 31 | ||
| 32 | noexec ${HOME} | 32 | noexec ${HOME} |
| 33 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile index 9164f6360..1be74bfd3 100644 --- a/etc/gnome-contacts.profile +++ b/etc/gnome-contacts.profile | |||
| @@ -1,23 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-contacts |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-contacts.local | 4 | include /etc/firejail/gnome-contacts.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for gnome-contacts | ||
| 10 | # | ||
| 11 | 8 | ||
| 12 | #Blacklist Paths | ||
| 13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
| 19 | 14 | ||
| 20 | #Options | ||
| 21 | caps.drop all | 15 | caps.drop all |
| 22 | netfilter | 16 | netfilter |
| 23 | no3d | 17 | no3d |
| @@ -28,9 +22,9 @@ novideo | |||
| 28 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
| 29 | seccomp | 23 | seccomp |
| 30 | 24 | ||
| 25 | disable-mnt | ||
| 31 | private-dev | 26 | private-dev |
| 32 | private-tmp | 27 | private-tmp |
| 33 | disable-mnt | ||
| 34 | 28 | ||
| 35 | noexec ${HOME} | 29 | noexec ${HOME} |
| 36 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 2d70bf7ef..e56a32a4a 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-documents |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-documents.local | 4 | include /etc/firejail/gnome-documents.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gnome-documents profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 11 | 9 | ||
| 12 | noblacklist ~/.config/libreoffice | 10 | noblacklist ~/.config/libreoffice |
| 13 | 11 | ||
| 14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 18 | 16 | ||
| 19 | caps.drop all | 17 | caps.drop all |
| 20 | netfilter | 18 | netfilter |
| @@ -29,8 +27,8 @@ seccomp | |||
| 29 | shell none | 27 | shell none |
| 30 | tracelog | 28 | tracelog |
| 31 | 29 | ||
| 32 | private-tmp | ||
| 33 | private-dev | 30 | private-dev |
| 31 | private-tmp | ||
| 34 | 32 | ||
| 35 | noexec ${HOME} | 33 | noexec ${HOME} |
| 36 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile index 605dafc62..f122f066a 100644 --- a/etc/gnome-font-viewer.profile +++ b/etc/gnome-font-viewer.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-font-viewer |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gnome-font-viewer.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-font-viewer.local | ||
| 7 | 8 | ||
| 8 | #Blacklist Paths | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | ||
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | #Options | ||
| 15 | caps.drop all | 14 | caps.drop all |
| 16 | netfilter | 15 | netfilter |
| 17 | no3d | 16 | no3d |
| @@ -22,9 +21,9 @@ novideo | |||
| 22 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 23 | seccomp | 22 | seccomp |
| 24 | 23 | ||
| 24 | disable-mnt | ||
| 25 | private-dev | 25 | private-dev |
| 26 | private-tmp | 26 | private-tmp |
| 27 | disable-mnt | ||
| 28 | 27 | ||
| 29 | noexec ${HOME} | 28 | noexec ${HOME} |
| 30 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 8c7310fa9..1e60c4470 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
| @@ -1,20 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-maps |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-maps.local | 4 | include /etc/firejail/gnome-maps.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gnome-maps profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 9 | |||
| 11 | noblacklist ${HOME}/.cache/champlain | 10 | noblacklist ${HOME}/.cache/champlain |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 18 | nogroups | 19 | nogroups |
| 19 | nonewprivs | 20 | nonewprivs |
| 20 | noroot | 21 | noroot |
| @@ -22,15 +23,14 @@ nosound | |||
| 22 | novideo | 23 | novideo |
| 23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 24 | seccomp | 25 | seccomp |
| 25 | netfilter | ||
| 26 | shell none | 26 | shell none |
| 27 | tracelog | 27 | tracelog |
| 28 | 28 | ||
| 29 | disable-mnt | ||
| 29 | # private-bin gjs gnome-maps | 30 | # private-bin gjs gnome-maps |
| 30 | private-tmp | ||
| 31 | private-dev | 31 | private-dev |
| 32 | # private-etc fonts | 32 | # private-etc fonts |
| 33 | disable-mnt | 33 | private-tmp |
| 34 | 34 | ||
| 35 | noexec ${HOME} | 35 | noexec ${HOME} |
| 36 | noexec /tmp | 36 | noexec /tmp |
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 51b3279f3..d63cc4500 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-mplayer |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gnome-mplayer.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-mplayer.local | ||
| 7 | 8 | ||
| 8 | # GNOME MPlayer profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | nogroups | 15 | nogroups |
| @@ -23,6 +23,5 @@ shell none | |||
| 23 | private-dev | 23 | private-dev |
| 24 | private-tmp | 24 | private-tmp |
| 25 | 25 | ||
| 26 | |||
| 27 | noexec ${HOME} | 26 | noexec ${HOME} |
| 28 | noexec /tmp | 27 | noexec /tmp |
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 8b569e563..9d7b878cd 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-music |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-music.local | 4 | include /etc/firejail/gnome-music.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # gnome-music profile | ||
| 9 | noblacklist ~/.local/share/gnome-music | 8 | noblacklist ~/.local/share/gnome-music |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -26,10 +25,9 @@ shell none | |||
| 26 | tracelog | 25 | tracelog |
| 27 | 26 | ||
| 28 | # private-bin gnome-music,python3 | 27 | # private-bin gnome-music,python3 |
| 29 | private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | # private-etc fonts | 29 | # private-etc fonts |
| 32 | 30 | private-tmp | |
| 33 | 31 | ||
| 34 | noexec ${HOME} | 32 | noexec ${HOME} |
| 35 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index ed9dc0a03..5982b9dbd 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-photos |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-photos.local | 4 | include /etc/firejail/gnome-photos.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gnome-photos profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 11 | 9 | ||
| 12 | noblacklist ~/.local/share/gnome-photos | 10 | noblacklist ~/.local/share/gnome-photos |
| 13 | 11 | ||
| 14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 18 | 16 | ||
| 19 | caps.drop all | 17 | caps.drop all |
| 20 | netfilter | 18 | netfilter |
| @@ -28,9 +26,9 @@ shell none | |||
| 28 | tracelog | 26 | tracelog |
| 29 | 27 | ||
| 30 | # private-bin gjs gnome-photos | 28 | # private-bin gjs gnome-photos |
| 31 | private-tmp | ||
| 32 | private-dev | 29 | private-dev |
| 33 | # private-etc fonts | 30 | # private-etc fonts |
| 31 | private-tmp | ||
| 34 | 32 | ||
| 35 | noexec ${HOME} | 33 | noexec ${HOME} |
| 36 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile index 7c215df5d..9ef09a87b 100644 --- a/etc/gnome-twitch.profile +++ b/etc/gnome-twitch.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-twitch |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-twitch.local | 4 | include /etc/firejail/gnome-twitch.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Gnome Twitch | ||
| 9 | noblacklist ${HOME}/.cache/gnome-twitch | 8 | noblacklist ${HOME}/.cache/gnome-twitch |
| 10 | noblacklist ${HOME}/.local/share/gnome-twitch | 9 | noblacklist ${HOME}/.local/share/gnome-twitch |
| 11 | 10 | ||
| @@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 15 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 16 | 15 | ||
| 17 | mkdir ${HOME}/.cache/gnome-twitch | 16 | mkdir ${HOME}/.cache/gnome-twitch |
| 18 | whitelist ${HOME}/.cache/gnome-twitch | ||
| 19 | mkdir ${HOME}/.local/share/gnome-twitch | 17 | mkdir ${HOME}/.local/share/gnome-twitch |
| 18 | whitelist ${HOME}/.cache/gnome-twitch | ||
| 20 | whitelist ${HOME}/.local/share/gnome-twitch | 19 | whitelist ${HOME}/.local/share/gnome-twitch |
| 21 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
| 22 | 21 | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 815fba7ca..514ef6f15 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
| @@ -1,21 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-weather |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gnome-weather.local | 4 | include /etc/firejail/gnome-weather.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # gnome-weather profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
| 9 | |||
| 11 | noblacklist ~/.cache/libgweather | 10 | noblacklist ~/.cache/libgweather |
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 19 | no3d | 19 | no3d |
| 20 | nogroups | 20 | nogroups |
| 21 | nonewprivs | 21 | nonewprivs |
| @@ -24,15 +24,14 @@ nosound | |||
| 24 | novideo | 24 | novideo |
| 25 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
| 26 | seccomp | 26 | seccomp |
| 27 | netfilter | ||
| 28 | shell none | 27 | shell none |
| 29 | tracelog | 28 | tracelog |
| 30 | 29 | ||
| 30 | disable-mnt | ||
| 31 | # private-bin gjs gnome-weather | 31 | # private-bin gjs gnome-weather |
| 32 | private-tmp | ||
| 33 | private-dev | 32 | private-dev |
| 34 | # private-etc fonts | 33 | # private-etc fonts |
| 35 | disable-mnt | 34 | private-tmp |
| 36 | 35 | ||
| 37 | noexec ${HOME} | 36 | noexec ${HOME} |
| 38 | noexec /tmp | 37 | noexec /tmp |
diff --git a/etc/goobox.profile b/etc/goobox.profile index 129d17ae7..45715f9ce 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for goobox |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/goobox.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/goobox.local | ||
| 7 | 8 | ||
| 8 | # goobox profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| @@ -22,6 +22,6 @@ shell none | |||
| 22 | tracelog | 22 | tracelog |
| 23 | 23 | ||
| 24 | # private-bin goobox | 24 | # private-bin goobox |
| 25 | # private-tmp | ||
| 26 | # private-dev | 25 | # private-dev |
| 27 | # private-etc fonts | 26 | # private-etc fonts |
| 27 | # private-tmp | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 22a2e8f88..b6c39bfd2 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
| @@ -1,39 +1,35 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome-beta |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/google-chrome-beta.local | 4 | include /etc/firejail/google-chrome-beta.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Google Chrome beta browser profile | ||
| 9 | noblacklist ~/.config/google-chrome-beta | ||
| 10 | noblacklist ~/.cache/google-chrome-beta | 8 | noblacklist ~/.cache/google-chrome-beta |
| 9 | noblacklist ~/.config/google-chrome-beta | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | ||
| 15 | # chromium is distributed with a perl script on Arch | 13 | # chromium is distributed with a perl script on Arch |
| 16 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
| 17 | # | 15 | include /etc/firejail/disable-programs.inc |
| 18 | 16 | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | mkdir ~/.config/google-chrome-beta | ||
| 21 | whitelist ~/.config/google-chrome-beta | ||
| 22 | mkdir ~/.cache/google-chrome-beta | 17 | mkdir ~/.cache/google-chrome-beta |
| 23 | whitelist ~/.cache/google-chrome-beta | 18 | mkdir ~/.config/google-chrome-beta |
| 24 | mkdir ~/.pki | 19 | mkdir ~/.pki |
| 20 | whitelist ${DOWNLOADS} | ||
| 21 | whitelist ~/.cache/google-chrome-beta | ||
| 22 | whitelist ~/.config/google-chrome-beta | ||
| 25 | whitelist ~/.pki | 23 | whitelist ~/.pki |
| 26 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
| 27 | 25 | ||
| 28 | caps.keep sys_chroot,sys_admin | 26 | caps.keep sys_chroot,sys_admin |
| 29 | #ipc-namespace | ||
| 30 | netfilter | 27 | netfilter |
| 31 | nogroups | 28 | nogroups |
| 32 | shell none | 29 | shell none |
| 33 | 30 | ||
| 34 | private-dev | 31 | private-dev |
| 35 | #private-tmp - problems with multiple browser sessions | 32 | # private-tmp - problems with multiple browser sessions |
| 36 | #disable-mnt | ||
| 37 | 33 | ||
| 38 | noexec ${HOME} | 34 | noexec ${HOME} |
| 39 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile index 776cc06e0..df4bd001f 100644 --- a/etc/google-chrome-stable.profile +++ b/etc/google-chrome-stable.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for google-chrome |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/google-chrome-stable.local | ||
| 7 | 4 | ||
| 8 | # Google Chrome browser profile | ||
| 9 | include /etc/firejail/google-chrome.profile | 5 | include /etc/firejail/google-chrome.profile |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 0675d7b49..ea111c7f6 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
| @@ -1,39 +1,35 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome-unstable |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/google-chrome-unstable.local | 4 | include /etc/firejail/google-chrome-unstable.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Google Chrome unstable browser profile | ||
| 9 | noblacklist ~/.config/google-chrome-unstable | ||
| 10 | noblacklist ~/.cache/google-chrome-unstable | 8 | noblacklist ~/.cache/google-chrome-unstable |
| 9 | noblacklist ~/.config/google-chrome-unstable | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | ||
| 15 | # chromium is distributed with a perl script on Arch | 13 | # chromium is distributed with a perl script on Arch |
| 16 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
| 17 | # | 15 | include /etc/firejail/disable-programs.inc |
| 18 | 16 | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | mkdir ~/.config/google-chrome-unstable | ||
| 21 | whitelist ~/.config/google-chrome-unstable | ||
| 22 | mkdir ~/.cache/google-chrome-unstable | 17 | mkdir ~/.cache/google-chrome-unstable |
| 23 | whitelist ~/.cache/google-chrome-unstable | 18 | mkdir ~/.config/google-chrome-unstable |
| 24 | mkdir ~/.pki | 19 | mkdir ~/.pki |
| 20 | whitelist ${DOWNLOADS} | ||
| 21 | whitelist ~/.cache/google-chrome-unstable | ||
| 22 | whitelist ~/.config/google-chrome-unstable | ||
| 25 | whitelist ~/.pki | 23 | whitelist ~/.pki |
| 26 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
| 27 | 25 | ||
| 28 | caps.keep sys_chroot,sys_admin | 26 | caps.keep sys_chroot,sys_admin |
| 29 | #ipc-namespace | ||
| 30 | netfilter | 27 | netfilter |
| 31 | nogroups | 28 | nogroups |
| 32 | shell none | 29 | shell none |
| 33 | 30 | ||
| 34 | private-dev | 31 | private-dev |
| 35 | #private-tmp - problems with multiple browser sessions | 32 | # private-tmp - problems with multiple browser sessions |
| 36 | #disable-mnt | ||
| 37 | 33 | ||
| 38 | noexec ${HOME} | 34 | noexec ${HOME} |
| 39 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index e6fceadec..f0d452841 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
| @@ -1,39 +1,35 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/google-chrome.local | 4 | include /etc/firejail/google-chrome.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Google Chrome browser profile | ||
| 9 | noblacklist ~/.config/google-chrome | ||
| 10 | noblacklist ~/.cache/google-chrome | 8 | noblacklist ~/.cache/google-chrome |
| 9 | noblacklist ~/.config/google-chrome | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | ||
| 15 | # chromium is distributed with a perl script on Arch | 13 | # chromium is distributed with a perl script on Arch |
| 16 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
| 17 | # | 15 | include /etc/firejail/disable-programs.inc |
| 18 | 16 | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | mkdir ~/.config/google-chrome | ||
| 21 | whitelist ~/.config/google-chrome | ||
| 22 | mkdir ~/.cache/google-chrome | 17 | mkdir ~/.cache/google-chrome |
| 23 | whitelist ~/.cache/google-chrome | 18 | mkdir ~/.config/google-chrome |
| 24 | mkdir ~/.pki | 19 | mkdir ~/.pki |
| 20 | whitelist ${DOWNLOADS} | ||
| 21 | whitelist ~/.cache/google-chrome | ||
| 22 | whitelist ~/.config/google-chrome | ||
| 25 | whitelist ~/.pki | 23 | whitelist ~/.pki |
| 26 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
| 27 | 25 | ||
| 28 | caps.keep sys_chroot,sys_admin | 26 | caps.keep sys_chroot,sys_admin |
| 29 | #ipc-namespace | ||
| 30 | netfilter | 27 | netfilter |
| 31 | nogroups | 28 | nogroups |
| 32 | shell none | 29 | shell none |
| 33 | 30 | ||
| 34 | private-dev | 31 | private-dev |
| 35 | #private-tmp - problems with multiple browser sessions | 32 | # private-tmp - problems with multiple browser sessions |
| 36 | #disable-mnt | ||
| 37 | 33 | ||
| 38 | noexec ${HOME} | 34 | noexec ${HOME} |
| 39 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index c373cc34c..9c6c70f9f 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
| @@ -1,24 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for google-play-music-desktop-player |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/google-play-music-desktop-player.local | 4 | include /etc/firejail/google-play-music-desktop-player.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Google Play Music desktop player profile | ||
| 9 | noblacklist ~/.config/Google Play Music Desktop Player | 8 | noblacklist ~/.config/Google Play Music Desktop Player |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | #whitelist ~/.pulse | 15 | # whitelist ~/.config/pulse |
| 17 | #whitelist ~/.config/pulse | 16 | # whitelist ~/.pulse |
| 18 | whitelist ~/.config/Google Play Music Desktop Player | 17 | whitelist ~/.config/Google Play Music Desktop Player |
| 18 | include /etc/firejail/whitelist-common.inc | ||
| 19 | 19 | ||
| 20 | caps.drop all | 20 | caps.drop all |
| 21 | #ipc-namespace | ||
| 22 | netfilter | 21 | netfilter |
| 23 | no3d | 22 | no3d |
| 24 | nogroups | 23 | nogroups |
| @@ -29,9 +28,9 @@ protocol unix,inet,inet6,netlink | |||
| 29 | seccomp | 28 | seccomp |
| 30 | shell none | 29 | shell none |
| 31 | 30 | ||
| 31 | disable-mnt | ||
| 32 | private-dev | 32 | private-dev |
| 33 | private-tmp | 33 | private-tmp |
| 34 | disable-mnt | ||
| 35 | 34 | ||
| 36 | noexec ${HOME} | 35 | noexec ${HOME} |
| 37 | noexec /tmp | 36 | noexec /tmp |
diff --git a/etc/gpa.profile b/etc/gpa.profile index 9230c8b3a..9ffb3abd3 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gpa |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gpa.local | 4 | include /etc/firejail/gpa.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # gpa profile | ||
| 9 | noblacklist ~/.gnupg | 8 | noblacklist ~/.gnupg |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | ||
| 17 | nogroups | 17 | nogroups |
| 18 | nonewprivs | 18 | nonewprivs |
| 19 | noroot | 19 | noroot |
| 20 | nosound | 20 | nosound |
| 21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 22 | seccomp | 22 | seccomp |
| 23 | netfilter | ||
| 24 | shell none | 23 | shell none |
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7c1a05c6f..0592bd113 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gpg-agent |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gpg-agent.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gpg-agent.local | ||
| 7 | 9 | ||
| 8 | # gpg-agent profile | ||
| 9 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
| 10 | 11 | ||
| 11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 15 | 16 | ||
| 16 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 19 | no3d | ||
| 17 | nogroups | 20 | nogroups |
| 18 | nonewprivs | 21 | nonewprivs |
| 19 | noroot | 22 | noroot |
| 20 | nosound | 23 | nosound |
| 21 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 22 | seccomp | 25 | seccomp |
| 23 | netfilter | ||
| 24 | no3d | ||
| 25 | shell none | 26 | shell none |
| 26 | tracelog | 27 | tracelog |
| 27 | 28 | ||
| 28 | blacklist /tmp/.X11-unix | ||
| 29 | |||
| 30 | # private-bin gpg-agent,gpg | 29 | # private-bin gpg-agent,gpg |
| 31 | private-dev | 30 | private-dev |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 9ecc0a753..2d745b435 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gpg |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gpg.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gpg.local | ||
| 7 | 9 | ||
| 8 | # gpg profile | ||
| 9 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
| 10 | 11 | ||
| 11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 15 | 16 | ||
| 16 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 19 | no3d | ||
| 17 | nogroups | 20 | nogroups |
| 18 | nonewprivs | 21 | nonewprivs |
| 19 | noroot | 22 | noroot |
| 20 | nosound | 23 | nosound |
| 21 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 22 | seccomp | 25 | seccomp |
| 23 | netfilter | ||
| 24 | no3d | ||
| 25 | shell none | 26 | shell none |
| 26 | tracelog | 27 | tracelog |
| 27 | 28 | ||
| 28 | blacklist /tmp/.X11-unix | ||
| 29 | |||
| 30 | # private-bin gpg,gpg-agent | 29 | # private-bin gpg,gpg-agent |
| 31 | private-dev | 30 | private-dev |
diff --git a/etc/gpicview.profile b/etc/gpicview.profile index f457f0590..f9c56b7ad 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gpicview |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gpicview.local | 4 | include /etc/firejail/gpicview.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for GPicView | ||
| 9 | noblacklist ~/.config/gpicview | 8 | noblacklist ~/.config/gpicview |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | net none | 16 | net none |
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 0abf60314..475f3deef 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
| @@ -1,19 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gpredict |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gpredict.local | 4 | include /etc/firejail/gpredict.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for gpredict. | ||
| 9 | noblacklist ~/.config/Gpredict | 8 | noblacklist ~/.config/Gpredict |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | # Whitelist | ||
| 16 | whitelist ~/.config/Gpredict | 15 | whitelist ~/.config/Gpredict |
| 16 | include /etc/firejail/whitelist-common.inc | ||
| 17 | 17 | ||
| 18 | caps.drop all | 18 | caps.drop all |
| 19 | netfilter | 19 | netfilter |
| @@ -26,10 +26,10 @@ seccomp | |||
| 26 | shell none | 26 | shell none |
| 27 | tracelog | 27 | tracelog |
| 28 | 28 | ||
| 29 | noexec ${HOME} | ||
| 30 | noexec /tmp | ||
| 31 | |||
| 32 | private-bin gpredict | 29 | private-bin gpredict |
| 33 | private-etc fonts,resolv.conf | ||
| 34 | private-dev | 30 | private-dev |
| 31 | private-etc fonts,resolv.conf | ||
| 35 | private-tmp | 32 | private-tmp |
| 33 | |||
| 34 | noexec ${HOME} | ||
| 35 | noexec /tmp | ||
diff --git a/etc/gtar.profile b/etc/gtar.profile index 9a4325082..9d28393bf 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile | |||
| @@ -1,10 +1,5 @@ | |||
| 1 | quiet | 1 | # Firejail profile alias for tar |
| 2 | # Persistent global definitions go here | 2 | # This file is overwritten after every install/update |
| 3 | include /etc/firejail/globals.local | ||
| 4 | 3 | ||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/gtar.local | ||
| 8 | 4 | ||
| 9 | # gtar profile | ||
| 10 | include /etc/firejail/tar.profile | 5 | include /etc/firejail/tar.profile |
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 75d341d99..2e1503970 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gthumb |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gthumb.local | 4 | include /etc/firejail/gthumb.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # gthumb profile | ||
| 9 | noblacklist ${HOME}/.config/gthumb | 8 | noblacklist ${HOME}/.config/gthumb |
| 10 | noblacklist ~/.Steam | 9 | noblacklist ~/.Steam |
| 11 | noblacklist ~/.steam | 10 | noblacklist ~/.steam |
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | nogroups | 18 | nogroups |
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 86f3d7838..22adb9e65 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile | |||
| @@ -1,16 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for guayadeque |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/guayadeque.local | 4 | include /etc/firejail/guayadeque.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.guayadeque | 8 | noblacklist ${HOME}/.guayadeque |
| 9 | 9 | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | 16 | netfilter |
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index 4d6237067..96bf783c4 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile | |||
| @@ -1,9 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gucharmap |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/gucharmap.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gucharmap.local | ||
| 7 | 8 | ||
| 8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| @@ -22,10 +23,10 @@ protocol unix | |||
| 22 | seccomp | 23 | seccomp |
| 23 | shell none | 24 | shell none |
| 24 | 25 | ||
| 26 | disable-mnt | ||
| 25 | private | 27 | private |
| 26 | private-dev | 28 | private-dev |
| 27 | private-tmp | 29 | private-tmp |
| 28 | disable-mnt | ||
| 29 | 30 | ||
| 30 | noexec ${HOME} | 31 | noexec ${HOME} |
| 31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index fffc3e3e9..0f2be604b 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
| @@ -1,23 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for gwenview |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/gwenview.local | 4 | include /etc/firejail/gwenview.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # KDE gwenview profile | ||
| 9 | noblacklist ~/.kde4/share/apps/gwenview | ||
| 10 | noblacklist ~/.kde4/share/config/gwenviewrc | ||
| 11 | noblacklist ~/.kde/share/apps/gwenview | ||
| 12 | noblacklist ~/.kde/share/config/gwenviewrc | ||
| 13 | noblacklist ~/.config/gwenviewrc | 8 | noblacklist ~/.config/gwenviewrc |
| 14 | noblacklist ~/.config/org.kde.gwenviewrc | 9 | noblacklist ~/.config/org.kde.gwenviewrc |
| 10 | noblacklist ~/.kde/share/apps/gwenview | ||
| 11 | noblacklist ~/.kde/share/config/gwenviewrc | ||
| 12 | noblacklist ~/.kde4/share/apps/gwenview | ||
| 13 | noblacklist ~/.kde4/share/config/gwenviewrc | ||
| 15 | noblacklist ~/.local/share/gwenview | 14 | noblacklist ~/.local/share/gwenview |
| 16 | noblacklist ~/.local/share/org.kde.gwenview | 15 | noblacklist ~/.local/share/org.kde.gwenview |
| 16 | |||
| 17 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 18 | include /etc/firejail/disable-devel.inc |
| 20 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
| 20 | include /etc/firejail/disable-programs.inc | ||
| 21 | 21 | ||
| 22 | caps.drop all | 22 | caps.drop all |
| 23 | nogroups | 23 | nogroups |
| @@ -30,9 +30,7 @@ tracelog | |||
| 30 | 30 | ||
| 31 | private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8 | 31 | private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8 |
| 32 | private-dev | 32 | private-dev |
| 33 | 33 | # private-etc X11 | |
| 34 | # Experimental: | ||
| 35 | #private-etc X11 | ||
| 36 | 34 | ||
| 37 | noexec ${HOME} | 35 | noexec ${HOME} |
| 38 | noexec /tmp | 36 | noexec /tmp |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 5a2a5d26e..13960eda0 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
| @@ -1,17 +1,14 @@ | |||
| 1 | # Firejail profile for gzip | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/gzip.local | 5 | include /etc/firejail/gzip.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # gzip profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | 8 | ||
| 13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 14 | 10 | ||
| 11 | ignore noroot | ||
| 15 | net none | 12 | net none |
| 16 | no3d | 13 | no3d |
| 17 | nosound | 14 | nosound |
| @@ -19,3 +16,5 @@ shell none | |||
| 19 | tracelog | 16 | tracelog |
| 20 | 17 | ||
| 21 | private-dev | 18 | private-dev |
| 19 | |||
| 20 | include /etc/firejail/default.profile | ||
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile index a162352de..9437cea9e 100644 --- a/etc/handbrake-gtk.profile +++ b/etc/handbrake-gtk.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for handbrake |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/handbrake-gtk.local | ||
| 7 | 4 | ||
| 8 | # HandBrake | ||
| 9 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index ccff63708..2b33051e2 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for handbrake |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/handbrake.local | 4 | include /etc/firejail/handbrake.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/ghb | 8 | noblacklist ~/.config/ghb |
| 9 | |||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | netfilter | 16 | netfilter |
diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 1e9540f87..662b8a06c 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile | |||
| @@ -1,12 +1,11 @@ | |||
| 1 | # Firejail profile for hashcat | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/hashcat.local | 5 | include /etc/firejail/hashcat.local |
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | 8 | ||
| 9 | # Firejail profile for Hashcat | ||
| 10 | noblacklist ${HOME}/.hashcat | 9 | noblacklist ${HOME}/.hashcat |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index a5c23d0aa..b6dc1f945 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
| @@ -1,17 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for hedgewars |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/hedgewars.local | 4 | include /etc/firejail/hedgewars.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # whitelist profile for Hedgewars (game) | ||
| 9 | noblacklist ${HOME}/.hedgewars | 8 | noblacklist ${HOME}/.hedgewars |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.hedgewars | ||
| 16 | whitelist ~/.hedgewars | ||
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 15 | 18 | ||
| 16 | caps.drop all | 19 | caps.drop all |
| 17 | netfilter | 20 | netfilter |
| @@ -21,10 +24,6 @@ noroot | |||
| 21 | seccomp | 24 | seccomp |
| 22 | tracelog | 25 | tracelog |
| 23 | 26 | ||
| 27 | disable-mnt | ||
| 24 | private-dev | 28 | private-dev |
| 25 | private-tmp | 29 | private-tmp |
| 26 | disable-mnt | ||
| 27 | |||
| 28 | mkdir ~/.hedgewars | ||
| 29 | whitelist ~/.hedgewars | ||
| 30 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 36ddb9e89..ceebb6d18 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
| @@ -1,21 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for hexchat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/hexchat.local | 4 | include /etc/firejail/hexchat.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # HexChat instant messaging profile | ||
| 9 | # Currently in testing (may not work for all users) | ||
| 10 | noblacklist ${HOME}/.config/hexchat | 8 | noblacklist ${HOME}/.config/hexchat |
| 11 | #noblacklist /usr/lib/python2* | 9 | # noblacklist /usr/lib/python2* |
| 12 | #noblacklist /usr/lib/python3* | 10 | # noblacklist /usr/lib/python3* |
| 11 | |||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | |||
| 16 | mkdir ~/.config/hexchat | ||
| 17 | whitelist ~/.config/hexchat | ||
| 18 | include /etc/firejail/whitelist-common.inc | ||
| 16 | 19 | ||
| 17 | caps.drop all | 20 | caps.drop all |
| 18 | #ipc-namespace | ||
| 19 | netfilter | 21 | netfilter |
| 20 | no3d | 22 | no3d |
| 21 | nogroups | 23 | nogroups |
| @@ -28,15 +30,11 @@ seccomp | |||
| 28 | shell none | 30 | shell none |
| 29 | tracelog | 31 | tracelog |
| 30 | 32 | ||
| 31 | mkdir ~/.config/hexchat | 33 | disable-mnt |
| 32 | whitelist ~/.config/hexchat | 34 | # debug note: private-bin requires perl, python, etc on some systems |
| 33 | include /etc/firejail/whitelist-common.inc | ||
| 34 | |||
| 35 | private-bin hexchat | 35 | private-bin hexchat |
| 36 | #debug note: private-bin requires perl, python, etc on some systems | ||
| 37 | private-dev | 36 | private-dev |
| 38 | private-tmp | 37 | private-tmp |
| 39 | disable-mnt | ||
| 40 | 38 | ||
| 41 | noexec ${HOME} | 39 | noexec ${HOME} |
| 42 | noexec /tmp | 40 | noexec /tmp |
diff --git a/etc/highlight.profile b/etc/highlight.profile index fefbcc55d..c314d34cb 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for highlight |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/highlight.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/highlight.local | ||
| 7 | 9 | ||
| 8 | # highlight profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | net none | 16 | net none |
| 17 | no3d | ||
| 16 | nogroups | 18 | nogroups |
| 17 | nonewprivs | 19 | nonewprivs |
| 18 | noroot | 20 | noroot |
| 19 | nosound | 21 | nosound |
| 20 | protocol unix | 22 | protocol unix |
| 21 | seccomp | 23 | seccomp |
| 22 | no3d | ||
| 23 | shell none | 24 | shell none |
| 24 | tracelog | 25 | tracelog |
| 25 | 26 | ||
| 26 | blacklist /tmp/.X11-unix | ||
| 27 | |||
| 28 | private-bin highlight | 27 | private-bin highlight |
| 28 | private-dev | ||
| 29 | # private-etc none | 29 | # private-etc none |
| 30 | private-tmp | 30 | private-tmp |
| 31 | private-dev | ||
diff --git a/etc/hugin.profile b/etc/hugin.profile index 26e696f0d..8eb7410ff 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
| @@ -1,16 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for hugin |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/hugin.local | 4 | include /etc/firejail/hugin.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.hugin | 8 | noblacklist ${HOME}/.hugin |
| 9 | 9 | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | 16 | netfilter |
diff --git a/etc/icecat.profile b/etc/icecat.profile index 600263a2a..b8b267dff 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
| @@ -1,53 +1,49 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for icecat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/icecat.local | 4 | include /etc/firejail/icecat.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for GNU Icecat | ||
| 9 | noblacklist ~/.mozilla | ||
| 10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
| 9 | noblacklist ~/.mozilla | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | ||
| 17 | netfilter | ||
| 18 | nonewprivs | ||
| 19 | noroot | ||
| 20 | protocol unix,inet,inet6,netlink | ||
| 21 | seccomp | ||
| 22 | tracelog | ||
| 23 | |||
| 24 | whitelist ${DOWNLOADS} | ||
| 25 | mkdir ~/.mozilla | ||
| 26 | whitelist ~/.mozilla | ||
| 27 | mkdir ~/.cache/mozilla/icecat | 16 | mkdir ~/.cache/mozilla/icecat |
| 17 | mkdir ~/.mozilla | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 28 | whitelist ~/.cache/mozilla/icecat | 20 | whitelist ~/.cache/mozilla/icecat |
| 29 | whitelist ~/dwhelper | ||
| 30 | whitelist ~/.zotero | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 32 | whitelist ~/.vimperator | ||
| 33 | whitelist ~/.pentadactylrc | ||
| 34 | whitelist ~/.pentadactyl | ||
| 35 | whitelist ~/.keysnail.js | ||
| 36 | whitelist ~/.config/gnome-mplayer | 21 | whitelist ~/.config/gnome-mplayer |
| 37 | whitelist ~/.cache/gnome-mplayer/plugin | 22 | whitelist ~/.config/pipelight-silverlight5.1 |
| 38 | whitelist ~/.pki | 23 | whitelist ~/.config/pipelight-widevine |
| 24 | whitelist ~/.keysnail.js | ||
| 39 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
| 40 | 26 | whitelist ~/.mozilla | |
| 41 | # silverlight | 27 | whitelist ~/.pentadactyl |
| 28 | whitelist ~/.pentadactylrc | ||
| 29 | whitelist ~/.pki | ||
| 30 | whitelist ~/.vimperator | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 42 | whitelist ~/.wine-pipelight | 32 | whitelist ~/.wine-pipelight |
| 43 | whitelist ~/.wine-pipelight64 | 33 | whitelist ~/.wine-pipelight64 |
| 44 | whitelist ~/.config/pipelight-widevine | 34 | whitelist ~/.zotero |
| 45 | whitelist ~/.config/pipelight-silverlight5.1 | 35 | whitelist ~/dwhelper |
| 46 | |||
| 47 | include /etc/firejail/whitelist-common.inc | 36 | include /etc/firejail/whitelist-common.inc |
| 48 | 37 | ||
| 49 | # experimental features | 38 | caps.drop all |
| 50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 39 | netfilter |
| 40 | nonewprivs | ||
| 41 | noroot | ||
| 42 | protocol unix,inet,inet6,netlink | ||
| 43 | seccomp | ||
| 44 | tracelog | ||
| 45 | |||
| 46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
| 51 | 47 | ||
| 52 | noexec ${HOME} | 48 | noexec ${HOME} |
| 53 | noexec /tmp | 49 | noexec /tmp |
diff --git a/etc/icedove.profile b/etc/icedove.profile index a3192c491..3931fd0c0 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
| @@ -1,27 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for icedove |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/icedove.local | 4 | include /etc/firejail/icedove.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) | ||
| 9 | # Users have icedove set to open a browser by clicking a link in an email | 8 | # Users have icedove set to open a browser by clicking a link in an email |
| 10 | # We are not allowed to blacklist browser-specific directories | 9 | # We are not allowed to blacklist browser-specific directories |
| 11 | 10 | ||
| 11 | noblacklist ~/.cache/icedove | ||
| 12 | noblacklist ~/.gnupg | 12 | noblacklist ~/.gnupg |
| 13 | mkdir ~/.gnupg | ||
| 14 | whitelist ~/.gnupg | ||
| 15 | |||
| 16 | noblacklist ~/.icedove | 13 | noblacklist ~/.icedove |
| 17 | mkdir ~/.icedove | ||
| 18 | whitelist ~/.icedove | ||
| 19 | 14 | ||
| 20 | noblacklist ~/.cache/icedove | ||
| 21 | mkdir ~/.cache/icedove | 15 | mkdir ~/.cache/icedove |
| 16 | mkdir ~/.gnupg | ||
| 17 | mkdir ~/.icedove | ||
| 22 | whitelist ~/.cache/icedove | 18 | whitelist ~/.cache/icedove |
| 19 | whitelist ~/.gnupg | ||
| 20 | whitelist ~/.icedove | ||
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 23 | 22 | ||
| 24 | # allow browsers | ||
| 25 | ignore private-tmp | 23 | ignore private-tmp |
| 24 | |||
| 25 | # allow browsers | ||
| 26 | include /etc/firejail/firefox.profile | 26 | include /etc/firejail/firefox.profile |
| 27 | #include /etc/firejail/chromium.profile - chromium runs as suid! | ||
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index 5558e317d..62671cb67 100644 --- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for iceweasel |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/iceweasel.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/iceweasel.local | ||
| 7 | 8 | ||
| 8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
| 9 | include /etc/firejail/firefox.profile | 9 | include /etc/firejail/firefox.profile |
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 771131262..f0f0637d9 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
| @@ -1,16 +1,14 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for idea.sh |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/idea.sh.local | 4 | include /etc/firejail/idea.sh.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for IntelliJ IDEA Community Edition | 8 | noblacklist ${HOME}/.IdeaIC* |
| 9 | |||
| 10 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
| 11 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
| 12 | noblacklist ${HOME}/.gradle | 11 | noblacklist ${HOME}/.gradle |
| 13 | noblacklist ${HOME}/.IdeaIC* | ||
| 14 | noblacklist ${HOME}/.java | 12 | noblacklist ${HOME}/.java |
| 15 | noblacklist ${HOME}/.local/share/JetBrains | 13 | noblacklist ${HOME}/.local/share/JetBrains |
| 16 | noblacklist ${HOME}/.ssh | 14 | noblacklist ${HOME}/.ssh |
| @@ -25,13 +23,12 @@ netfilter | |||
| 25 | nogroups | 23 | nogroups |
| 26 | nonewprivs | 24 | nonewprivs |
| 27 | noroot | 25 | noroot |
| 28 | #nosound | ||
| 29 | novideo | 26 | novideo |
| 30 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
| 31 | seccomp | 28 | seccomp |
| 32 | shell none | 29 | shell none |
| 33 | 30 | ||
| 34 | private-dev | 31 | private-dev |
| 35 | #private-tmp | 32 | # private-tmp |
| 36 | 33 | ||
| 37 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 2ea359e72..5117e887b 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for img2txt |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/img2txt.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/img2txt.local | ||
| 7 | 8 | ||
| 8 | # img2txt profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
| @@ -22,7 +22,7 @@ seccomp | |||
| 22 | shell none | 22 | shell none |
| 23 | tracelog | 23 | tracelog |
| 24 | 24 | ||
| 25 | #private-bin img2txt | 25 | # private-bin img2txt |
| 26 | private-tmp | ||
| 27 | private-dev | 26 | private-dev |
| 28 | #private-etc none | 27 | # private-etc none |
| 28 | private-tmp | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index af1be565b..6bba90d14 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
| @@ -1,16 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for inkscape |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/inkscape.local | 4 | include /etc/firejail/inkscape.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # inkscape | ||
| 9 | noblacklist ${HOME}/.inkscape | 8 | noblacklist ${HOME}/.inkscape |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | 16 | netfilter |
diff --git a/etc/inox.profile b/etc/inox.profile index 49adf141b..98a1ea6a9 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
| @@ -1,25 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for inox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/inox.local | 4 | include /etc/firejail/inox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Inox browser profile | ||
| 9 | noblacklist ~/.config/inox | ||
| 10 | noblacklist ~/.cache/inox | 8 | noblacklist ~/.cache/inox |
| 9 | noblacklist ~/.config/inox | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | netfilter | ||
| 16 | |||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | mkdir ~/.config/inox | ||
| 19 | whitelist ~/.config/inox | ||
| 20 | mkdir ~/.cache/inox | 15 | mkdir ~/.cache/inox |
| 21 | whitelist ~/.cache/inox | 16 | mkdir ~/.config/inox |
| 22 | mkdir ~/.pki | 17 | mkdir ~/.pki |
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/inox | ||
| 20 | whitelist ~/.config/inox | ||
| 23 | whitelist ~/.pki | 21 | whitelist ~/.pki |
| 24 | |||
| 25 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
| 23 | |||
| 24 | netfilter | ||
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile index 5b035dd79..9e1a4fcc2 100644 --- a/etc/iridium-browser.profile +++ b/etc/iridium-browser.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for iridium |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/iridium-browser.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/iridium.profile | 5 | include /etc/firejail/iridium.profile |
| 9 | |||
diff --git a/etc/iridium.profile b/etc/iridium.profile index 0dd6695bf..95e94cbf9 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile | |||
| @@ -1,28 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for iridium |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/iridium.local | 4 | include /etc/firejail/iridium.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Iridium browser profile | ||
| 9 | noblacklist ~/.config/iridium | ||
| 10 | noblacklist ~/.cache/iridium | 8 | noblacklist ~/.cache/iridium |
| 11 | include /etc/firejail/disable-common.inc | 9 | noblacklist ~/.config/iridium |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | ||
| 14 | # chromium/iridium is distributed with a perl script on Arch | 12 | # chromium/iridium is distributed with a perl script on Arch |
| 15 | # include /etc/firejail/disable-devel.inc | 13 | # include /etc/firejail/disable-devel.inc |
| 16 | # | 14 | include /etc/firejail/disable-programs.inc |
| 17 | |||
| 18 | netfilter | ||
| 19 | 15 | ||
| 20 | whitelist ${DOWNLOADS} | ||
| 21 | mkdir ~/.config/iridium | ||
| 22 | whitelist ~/.config/iridium | ||
| 23 | mkdir ~/.cache/iridium | 16 | mkdir ~/.cache/iridium |
| 24 | whitelist ~/.cache/iridium | 17 | mkdir ~/.config/iridium |
| 25 | mkdir ~/.pki | 18 | mkdir ~/.pki |
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ~/.cache/iridium | ||
| 21 | whitelist ~/.config/iridium | ||
| 26 | whitelist ~/.pki | 22 | whitelist ~/.pki |
| 27 | |||
| 28 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 24 | |||
| 25 | netfilter | ||
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 9cb845b50..96d4a57ce 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
| @@ -1,26 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for jd-gui |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/jd-gui.local | 4 | include /etc/firejail/jd-gui.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # | 6 | include /etc/firejail/globals.local |
| 9 | #Profile for jd-gui | ||
| 10 | # | ||
| 11 | 7 | ||
| 12 | noblacklist ${HOME}/.config/jd-gui.cfg | 8 | noblacklist ${HOME}/.config/jd-gui.cfg |
| 13 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
| 14 | 10 | ||
| 15 | #Blacklist Paths | ||
| 16 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 20 | 15 | ||
| 21 | #Options | ||
| 22 | caps.drop all | 16 | caps.drop all |
| 23 | #ipc-namespace | ||
| 24 | net none | 17 | net none |
| 25 | no3d | 18 | no3d |
| 26 | nogroups | 19 | nogroups |
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 59459b5e9..72f9b5f5b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for jitsi |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/jitsi.local | 4 | include /etc/firejail/jitsi.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for jitsi | ||
| 9 | noblacklist ~/.jitsi | 8 | noblacklist ~/.jitsi |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| @@ -21,5 +21,5 @@ seccomp | |||
| 21 | shell none | 21 | shell none |
| 22 | tracelog | 22 | tracelog |
| 23 | 23 | ||
| 24 | private-tmp | ||
| 25 | disable-mnt | 24 | disable-mnt |
| 25 | private-tmp | ||
diff --git a/etc/k3b.profile b/etc/k3b.profile index 8c2d60107..c2aed68c9 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
| @@ -1,29 +1,29 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for k3b |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/k3b.local | 4 | include /etc/firejail/k3b.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # k3b profile | ||
| 9 | noblacklist ~/.kde4/share/config/k3brc | ||
| 10 | noblacklist ~/.kde/share/config/k3brc | ||
| 11 | noblacklist ~/.config/k3brc | 8 | noblacklist ~/.config/k3brc |
| 9 | noblacklist ~/.kde/share/config/k3brc | ||
| 10 | noblacklist ~/.kde4/share/config/k3brc | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | no3d | 18 | no3d |
| 19 | nonewprivs | 19 | nonewprivs |
| 20 | noroot | 20 | noroot |
| 21 | nosound | 21 | nosound |
| 22 | shell none | ||
| 23 | seccomp | ||
| 24 | protocol unix | 22 | protocol unix |
| 23 | seccomp | ||
| 24 | shell none | ||
| 25 | tracelog | 25 | tracelog |
| 26 | 26 | ||
| 27 | # private-bin | 27 | # private-bin |
| 28 | # private-tmp | ||
| 29 | # private-etc | 28 | # private-etc |
| 29 | # private-tmp | ||
diff --git a/etc/kate.profile b/etc/kate.profile index 97372f752..12d9127b4 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
| @@ -1,22 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kate |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kate.local | 4 | include /etc/firejail/kate.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # kate profile | ||
| 9 | noblacklist ~/.local/share/kate | ||
| 10 | noblacklist ~/.config/katerc | ||
| 11 | noblacklist ~/.config/katepartrc | 8 | noblacklist ~/.config/katepartrc |
| 9 | noblacklist ~/.config/katerc | ||
| 12 | noblacklist ~/.config/kateschemarc | 10 | noblacklist ~/.config/kateschemarc |
| 13 | noblacklist ~/.config/katesyntaxhighlightingrc | 11 | noblacklist ~/.config/katesyntaxhighlightingrc |
| 14 | noblacklist ~/.config/katevirc | 12 | noblacklist ~/.config/katevirc |
| 13 | noblacklist ~/.local/share/kate | ||
| 15 | 14 | ||
| 16 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | 16 | # include /etc/firejail/disable-devel.inc |
| 18 | #include /etc/firejail/disable-devel.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 20 | 19 | ||
| 21 | caps.drop all | 20 | caps.drop all |
| 22 | netfilter | 21 | netfilter |
| @@ -30,6 +29,6 @@ shell none | |||
| 30 | tracelog | 29 | tracelog |
| 31 | 30 | ||
| 32 | # private-bin kate | 31 | # private-bin kate |
| 33 | private-tmp | ||
| 34 | private-dev | 32 | private-dev |
| 35 | # private-etc fonts | 33 | # private-etc fonts |
| 34 | private-tmp | ||
diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 1d425cf47..ac4e11195 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile | |||
| @@ -1,9 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kcalc |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/kcalc.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kcalc.local | ||
| 7 | 8 | ||
| 8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| @@ -22,10 +23,10 @@ protocol unix | |||
| 22 | seccomp | 23 | seccomp |
| 23 | shell none | 24 | shell none |
| 24 | 25 | ||
| 26 | disable-mnt | ||
| 25 | private | 27 | private |
| 26 | private-dev | 28 | private-dev |
| 27 | private-tmp | 29 | private-tmp |
| 28 | disable-mnt | ||
| 29 | 30 | ||
| 30 | noexec ${HOME} | 31 | noexec ${HOME} |
| 31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/keepass.profile b/etc/keepass.profile index 48574f3dc..543bc01eb 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
| @@ -1,26 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for keepass |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/keepass.local | 4 | include /etc/firejail/keepass.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # keepass password manager profile | 8 | noblacklist ${HOME}/*.kdb |
| 9 | noblacklist ${HOME}/.keepass | 9 | noblacklist ${HOME}/*.kdbx |
| 10 | noblacklist ${HOME}/.config/keepass | ||
| 11 | noblacklist ${HOME}/.config/KeePass | 10 | noblacklist ${HOME}/.config/KeePass |
| 12 | noblacklist ${HOME}/.local/share/keepass | 11 | noblacklist ${HOME}/.config/keepass |
| 12 | noblacklist ${HOME}/.keepass | ||
| 13 | noblacklist ${HOME}/.local/share/KeePass | 13 | noblacklist ${HOME}/.local/share/KeePass |
| 14 | noblacklist ${HOME}/*.kdbx | 14 | noblacklist ${HOME}/.local/share/keepass |
| 15 | noblacklist ${HOME}/*.kdb | ||
| 16 | 15 | ||
| 17 | include /etc/firejail/disable-common.inc | 16 | include /etc/firejail/disable-common.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 17 | include /etc/firejail/disable-devel.inc |
| 20 | include /etc/firejail/disable-passwdmgr.inc | 18 | include /etc/firejail/disable-passwdmgr.inc |
| 19 | include /etc/firejail/disable-programs.inc | ||
| 21 | 20 | ||
| 22 | caps.drop all | 21 | caps.drop all |
| 23 | #ipc-namespace | ||
| 24 | netfilter | 22 | netfilter |
| 25 | no3d | 23 | no3d |
| 26 | nogroups | 24 | nogroups |
diff --git a/etc/keepass2.profile b/etc/keepass2.profile index 6ac601fc0..7d2881099 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for keepass |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/keepass2.local | ||
| 7 | 4 | ||
| 8 | # keepass password manager profile | ||
| 9 | include /etc/firejail/keepass.profile | 5 | include /etc/firejail/keepass.profile |
diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 34e260f8f..892dd7053 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassx |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/keepassx.local | 4 | include /etc/firejail/keepassx.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # keepassx password manager profile | 8 | noblacklist ${HOME}/*.kdb |
| 9 | noblacklist ${HOME}/*.kdbx | ||
| 9 | noblacklist ${HOME}/.config/keepassx | 10 | noblacklist ${HOME}/.config/keepassx |
| 10 | noblacklist ${HOME}/.keepassx | 11 | noblacklist ${HOME}/.keepassx |
| 11 | noblacklist ${HOME}/*.kdbx | ||
| 12 | noblacklist ${HOME}/*.kdb | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | machine-id | 19 | machine-id |
| @@ -30,8 +29,8 @@ shell none | |||
| 30 | tracelog | 29 | tracelog |
| 31 | 30 | ||
| 32 | private-bin keepassx,keepassx2 | 31 | private-bin keepassx,keepassx2 |
| 33 | private-etc fonts,machine-id | ||
| 34 | private-dev | 32 | private-dev |
| 33 | private-etc fonts,machine-id | ||
| 35 | private-tmp | 34 | private-tmp |
| 36 | 35 | ||
| 37 | noexec ${HOME} | 36 | noexec ${HOME} |
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index 0536866fb..ab56e0317 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassx2 |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/keepassx2.local | 4 | include /etc/firejail/keepassx2.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # keepassx password manager profile | 8 | noblacklist ${HOME}/*.kdb |
| 9 | noblacklist ${HOME}/*.kdbx | ||
| 9 | noblacklist ${HOME}/.config/keepassx | 10 | noblacklist ${HOME}/.config/keepassx |
| 10 | noblacklist ${HOME}/.keepassx | 11 | noblacklist ${HOME}/.keepassx |
| 11 | noblacklist ${HOME}/*.kdbx | ||
| 12 | noblacklist ${HOME}/*.kdb | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | net none | 19 | net none |
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 3ab4115e6..c8a494361 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
| @@ -1,23 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassxc |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/keepassxc.local | 4 | include /etc/firejail/keepassxc.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for KeepassXC | 8 | noblacklist ${HOME}/*.kdb |
| 9 | noblacklist ${HOME}/*.kdbx | ||
| 9 | noblacklist ${HOME}/.config/keepassxc | 10 | noblacklist ${HOME}/.config/keepassxc |
| 10 | noblacklist ${HOME}/.keepassxc | 11 | noblacklist ${HOME}/.keepassxc |
| 11 | noblacklist ${HOME}/*.kdbx | ||
| 12 | noblacklist ${HOME}/*.kdb | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | #ipc-namespace | ||
| 21 | net none | 19 | net none |
| 22 | no3d | 20 | no3d |
| 23 | nogroups | 21 | nogroups |
diff --git a/etc/kino.profile b/etc/kino.profile index bb37d56ab..c64f2d599 100644 --- a/etc/kino.profile +++ b/etc/kino.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kino |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kino.local | 4 | include /etc/firejail/kino.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.kinorc | ||
| 9 | noblacklist ~/.kino-history | 8 | noblacklist ~/.kino-history |
| 9 | noblacklist ~/.kinorc | ||
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 38fbf6bc3..876e80cbb 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kmail |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kmail.local | 4 | include /etc/firejail/kmail.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # kmail profile | ||
| 9 | noblacklist ${HOME}/.gnupg | 8 | noblacklist ${HOME}/.gnupg |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/knotes.profile b/etc/knotes.profile index b1883112c..26b607257 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for knotes |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/knotes.local | 4 | include /etc/firejail/knotes.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # kate profile | ||
| 9 | noblacklist ~/.config/knotesrc | 8 | noblacklist ~/.config/knotesrc |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | 11 | # include /etc/firejail/disable-devel.inc |
| 13 | #include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -25,6 +24,6 @@ shell none | |||
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | # private-bin kate | 26 | # private-bin kate |
| 28 | private-tmp | ||
| 29 | private-dev | 27 | private-dev |
| 30 | # private-etc fonts | 28 | # private-etc fonts |
| 29 | private-tmp | ||
diff --git a/etc/kodi.profile b/etc/kodi.profile index ea4020232..06db44132 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile | |||
| @@ -1,25 +1,22 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kodi |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kodi.local | 4 | include /etc/firejail/kodi.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for kodi | ||
| 9 | noblacklist ${HOME}/.kodi | 8 | noblacklist ${HOME}/.kodi |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | include /etc/firejail/disable-devel.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | nogroups | 17 | nogroups |
| 20 | nonewprivs | 18 | nonewprivs |
| 21 | noroot | 19 | noroot |
| 22 | #novideo | ||
| 23 | protocol unix,inet,inet6,netlink | 20 | protocol unix,inet,inet6,netlink |
| 24 | seccomp | 21 | seccomp |
| 25 | shell none | 22 | shell none |
diff --git a/etc/konversation.profile b/etc/konversation.profile index 51382df28..d1c78afbe 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
| @@ -1,21 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for konversation |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/konversation.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/konversation.local | ||
| 7 | 8 | ||
| 8 | # Firejail konversation profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| 16 | nogroups | 16 | nogroups |
| 17 | noroot | 17 | noroot |
| 18 | seccomp | ||
| 19 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
| 19 | seccomp | ||
| 20 | 20 | ||
| 21 | private-tmp | 21 | private-tmp |
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index c19f1c5ef..8e396a464 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
| @@ -1,38 +1,37 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for ktorrent |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/ktorrent.local | 4 | include /etc/firejail/ktorrent.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/ktorrentrc | 8 | noblacklist ~/.config/ktorrentrc |
| 9 | noblacklist ~/.local/share/ktorrent | ||
| 10 | noblacklist ~/.kde/share/config/ktorrentrc | ||
| 11 | noblacklist ~/.kde4/share/config/ktorrentrc | ||
| 12 | noblacklist ~/.kde/share/apps/ktorrent | 9 | noblacklist ~/.kde/share/apps/ktorrent |
| 10 | noblacklist ~/.kde/share/config/ktorrentrc | ||
| 13 | noblacklist ~/.kde4/share/apps/ktorrent | 11 | noblacklist ~/.kde4/share/apps/ktorrent |
| 12 | noblacklist ~/.kde4/share/config/ktorrentrc | ||
| 13 | noblacklist ~/.local/share/ktorrent | ||
| 14 | 14 | ||
| 15 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 16 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | 19 | ||
| 20 | mkfile ~/.config/ktorrentrc | 20 | mkdir ~/.kde/share/apps/ktorrent |
| 21 | whitelist ~/.config/ktorrentrc | ||
| 22 | mkdir ~/.local/share/ktorrent | ||
| 23 | whitelist ~/.local/share/ktorrent | ||
| 24 | mkdir ~/.kde/share/config/ktorrentrc | 21 | mkdir ~/.kde/share/config/ktorrentrc |
| 25 | whitelist ~/.kde/share/config/ktorrentrc | 22 | mkdir ~/.kde4/share/apps/ktorrent |
| 26 | mkdir ~/.kde4/share/config/ktorrentrc | 23 | mkdir ~/.kde4/share/config/ktorrentrc |
| 27 | whitelist ~/.kde4/share/config/ktorrentrc | 24 | mkdir ~/.local/share/ktorrent |
| 28 | mkdir ~/.kde/share/apps/ktorrent | 25 | mkfile ~/.config/ktorrentrc |
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ~/.config/ktorrentrc | ||
| 29 | whitelist ~/.kde/share/apps/ktorrent | 28 | whitelist ~/.kde/share/apps/ktorrent |
| 30 | mkdir ~/.kde4/share/apps/ktorrent | 29 | whitelist ~/.kde/share/config/ktorrentrc |
| 31 | whitelist ~/.kde4/share/apps/ktorrent | 30 | whitelist ~/.kde4/share/apps/ktorrent |
| 32 | whitelist ${DOWNLOADS} | 31 | whitelist ~/.kde4/share/config/ktorrentrc |
| 32 | whitelist ~/.local/share/ktorrent | ||
| 33 | include /etc/firejail/whitelist-common.inc | 33 | include /etc/firejail/whitelist-common.inc |
| 34 | 34 | ||
| 35 | |||
| 36 | caps.drop all | 35 | caps.drop all |
| 37 | netfilter | 36 | netfilter |
| 38 | no3d | 37 | no3d |
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 7ac881f6a..b6406cc0d 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
| @@ -1,35 +1,34 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for kwrite |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/kwrite.local | 4 | include /etc/firejail/kwrite.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # kate profile | ||
| 9 | noblacklist ~/.local/share/kwrite | ||
| 10 | noblacklist ~/.config/katerc | ||
| 11 | noblacklist ~/.config/katepartrc | 8 | noblacklist ~/.config/katepartrc |
| 9 | noblacklist ~/.config/katerc | ||
| 12 | noblacklist ~/.config/kateschemarc | 10 | noblacklist ~/.config/kateschemarc |
| 13 | noblacklist ~/.config/katesyntaxhighlightingrc | 11 | noblacklist ~/.config/katesyntaxhighlightingrc |
| 14 | noblacklist ~/.config/katevirc | 12 | noblacklist ~/.config/katevirc |
| 13 | noblacklist ~/.local/share/kwrite | ||
| 15 | 14 | ||
| 16 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | 16 | # include /etc/firejail/disable-devel.inc |
| 18 | #include /etc/firejail/disable-devel.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 18 | include /etc/firejail/disable-programs.inc | ||
| 20 | 19 | ||
| 21 | caps.drop all | 20 | caps.drop all |
| 22 | netfilter | 21 | netfilter |
| 23 | nogroups | 22 | nogroups |
| 24 | nonewprivs | 23 | nonewprivs |
| 25 | noroot | 24 | noroot |
| 26 | #nosound - KWrite is using ALSA! | 25 | # nosound - KWrite is using ALSA! |
| 27 | protocol unix | 26 | protocol unix |
| 28 | seccomp | 27 | seccomp |
| 29 | shell none | 28 | shell none |
| 30 | tracelog | 29 | tracelog |
| 31 | 30 | ||
| 32 | # private-bin kwrite | 31 | # private-bin kwrite |
| 33 | private-tmp | ||
| 34 | private-dev | 32 | private-dev |
| 35 | # private-etc fonts | 33 | # private-etc fonts |
| 34 | private-tmp | ||
diff --git a/etc/leafpad.profile b/etc/leafpad.profile index fc2cc7e09..de44a6771 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for leafpad |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/leafpad.local | 4 | include /etc/firejail/leafpad.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/leafpad | 8 | noblacklist ${HOME}/.config/leafpad |
| 9 | 9 | ||
diff --git a/etc/less.profile b/etc/less.profile index f8c26879e..fe8a8fa24 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
| @@ -1,15 +1,14 @@ | |||
| 1 | # Firejail profile for less | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/less.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/less.local | ||
| 8 | 10 | ||
| 9 | # less profile | ||
| 10 | ignore noroot | 11 | ignore noroot |
| 11 | include /etc/firejail/default.profile | ||
| 12 | |||
| 13 | net none | 12 | net none |
| 14 | no3d | 13 | no3d |
| 15 | nosound | 14 | nosound |
| @@ -17,10 +16,10 @@ novideo | |||
| 17 | shell none | 16 | shell none |
| 18 | tracelog | 17 | tracelog |
| 19 | 18 | ||
| 20 | blacklist /tmp/.X11-unix | ||
| 21 | |||
| 22 | private-dev | 19 | private-dev |
| 23 | 20 | ||
| 24 | memory-deny-write-execute | 21 | memory-deny-write-execute |
| 25 | noexec ${HOME} | 22 | noexec ${HOME} |
| 26 | noexec /tmp | 23 | noexec /tmp |
| 24 | |||
| 25 | include /etc/firejail/default.profile | ||
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index fe5861e4a..8387fef98 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
| @@ -1,18 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/libreoffice.local | 4 | include /etc/firejail/libreoffice.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for LibreOffice | ||
| 9 | noblacklist ~/.config/libreoffice | ||
| 10 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
| 11 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
| 10 | noblacklist ~/.config/libreoffice | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | 18 | netfilter |
| @@ -25,7 +25,6 @@ shell none | |||
| 25 | tracelog | 25 | tracelog |
| 26 | 26 | ||
| 27 | private-dev | 27 | private-dev |
| 28 | # whitelist /tmp/.X11-unix/ | ||
| 29 | 28 | ||
| 30 | noexec ${HOME} | 29 | noexec ${HOME} |
| 31 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/liferea.profile b/etc/liferea.profile index f11137cdd..f9c050acb 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
| @@ -1,47 +1,42 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for liferea |
| 2 | include /etc/firejail/global.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/liferea.local | 4 | include /etc/firejail/liferea.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | ####################### | 8 | noblacklist ~/.cache/liferea |
| 9 | # profile for Liferea # | ||
| 10 | ####################### | ||
| 11 | noblacklist ~/.config/liferea | 9 | noblacklist ~/.config/liferea |
| 12 | mkdir ~/.config/liferea | ||
| 13 | whitelist ~/.config/liferea | ||
| 14 | |||
| 15 | noblacklist ~/.local/share/liferea | 10 | noblacklist ~/.local/share/liferea |
| 16 | mkdir ~/.local/share/liferea | ||
| 17 | whitelist ~/.local/share/liferea | ||
| 18 | |||
| 19 | noblacklist ~/.cache/liferea | ||
| 20 | mkdir ~/.cache/liferea | ||
| 21 | whitelist ~/.cache/liferea | ||
| 22 | 11 | ||
| 23 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 24 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 25 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 26 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
| 16 | |||
| 17 | mkdir ~/.cache/liferea | ||
| 18 | mkdir ~/.config/liferea | ||
| 19 | mkdir ~/.local/share/liferea | ||
| 20 | whitelist ~/.cache/liferea | ||
| 21 | whitelist ~/.config/liferea | ||
| 22 | whitelist ~/.local/share/liferea | ||
| 27 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 28 | 24 | ||
| 29 | caps.drop all | 25 | caps.drop all |
| 30 | #ipc-namespace | ||
| 31 | netfilter | 26 | netfilter |
| 32 | #no3d | 27 | # no3d |
| 33 | nogroups | 28 | nogroups |
| 34 | nonewprivs | 29 | nonewprivs |
| 35 | noroot | 30 | noroot |
| 36 | #nosound | 31 | # nosound |
| 37 | novideo | 32 | novideo |
| 38 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
| 39 | seccomp | 34 | seccomp |
| 40 | shell none | 35 | shell none |
| 41 | 36 | ||
| 37 | disable-mnt | ||
| 42 | private-dev | 38 | private-dev |
| 43 | private-tmp | 39 | private-tmp |
| 44 | disable-mnt | ||
| 45 | 40 | ||
| 46 | noexec ${HOME} | 41 | noexec ${HOME} |
| 47 | noexec /tmp | 42 | noexec /tmp |
diff --git a/etc/localc.profile b/etc/localc.profile index 35ff153cd..c30bb5550 100644 --- a/etc/localc.profile +++ b/etc/localc.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/localc.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lodraw.profile b/etc/lodraw.profile index af8234b9b..c30bb5550 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lodraw.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loffice.profile b/etc/loffice.profile index ad6b28fb6..c30bb5550 100644 --- a/etc/loffice.profile +++ b/etc/loffice.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/loffice.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile index 4a729bd71..c30bb5550 100644 --- a/etc/lofromtemplate.profile +++ b/etc/lofromtemplate.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lofromtemplate.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loimpress.profile b/etc/loimpress.profile index f8da5da18..c30bb5550 100644 --- a/etc/loimpress.profile +++ b/etc/loimpress.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/loimpress.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 4be7721e3..22004d95e 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
| @@ -1,26 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for lollypop |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lollypop.local | 4 | include /etc/firejail/lollypop.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for lollypop | ||
| 10 | # | ||
| 11 | |||
| 12 | #No Blacklist Paths | ||
| 13 | noblacklist ${HOME}/.local/share/lollypop | 8 | noblacklist ${HOME}/.local/share/lollypop |
| 14 | 9 | ||
| 15 | #Blacklist Paths | ||
| 16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 20 | 14 | ||
| 21 | #Options | ||
| 22 | caps.drop all | 15 | caps.drop all |
| 23 | #ipc-namespace | ||
| 24 | netfilter | 16 | netfilter |
| 25 | no3d | 17 | no3d |
| 26 | nogroups | 18 | nogroups |
diff --git a/etc/lomath.profile b/etc/lomath.profile index 7ebdf9fe9..c30bb5550 100644 --- a/etc/lomath.profile +++ b/etc/lomath.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lomath.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loweb.profile b/etc/loweb.profile index b504d0a86..c30bb5550 100644 --- a/etc/loweb.profile +++ b/etc/loweb.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/loweb.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lowriter.profile b/etc/lowriter.profile index 567cf91ec..c30bb5550 100644 --- a/etc/lowriter.profile +++ b/etc/lowriter.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lowriter.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index f73c83cbd..bbceee7c7 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for luminance-hdr |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/luminance-hdr.local | 4 | include /etc/firejail/luminance-hdr.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # luminance-hdr | ||
| 9 | noblacklist ${HOME}/.config/Luminance | 8 | noblacklist ${HOME}/.config/Luminance |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | nogroups | 17 | nogroups |
| 20 | nonewprivs | 18 | nonewprivs |
| @@ -26,8 +24,8 @@ seccomp | |||
| 26 | shell none | 24 | shell none |
| 27 | tracelog | 25 | tracelog |
| 28 | 26 | ||
| 29 | private-tmp | ||
| 30 | private-dev | 27 | private-dev |
| 28 | private-tmp | ||
| 31 | 29 | ||
| 32 | noexec ${HOME} | 30 | noexec ${HOME} |
| 33 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 42996af04..f0eda6fbe 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for lximage-qt |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lximage-qt.local | 4 | include /etc/firejail/lximage-qt.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist .config/lximage-qt | 8 | noblacklist .config/lximage-qt |
| 9 | 9 | ||
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index eac72c6db..230ceaafb 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for lxmusic |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lxmusic.local | 4 | include /etc/firejail/lxmusic.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.cache/xmms2 | 8 | noblacklist ~/.cache/xmms2 |
| 9 | noblacklist ~/.config/xmms2 | 9 | noblacklist ~/.config/xmms2 |
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 08293647e..771211b31 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for lxterminal |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/lxterminal.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lxterminal.local | ||
| 7 | 8 | ||
| 8 | # lxterminal (LXDE) profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | 12 | ||
| 13 | caps.drop all | 13 | caps.drop all |
| 14 | netfilter | 14 | netfilter |
| 15 | # noroot - somehow this breaks on Debian Jessie! | ||
| 15 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 16 | seccomp | 17 | seccomp |
| 17 | #noroot - somehow this breaks on Debian Jessie! | ||
diff --git a/etc/lynx.profile b/etc/lynx.profile index f7e83649a..8ff1f88b3 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for lynx |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/lynx.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/lynx.local | ||
| 7 | 9 | ||
| 8 | # lynx profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | ||
| 17 | no3d | ||
| 15 | nogroups | 18 | nogroups |
| 16 | nonewprivs | 19 | nonewprivs |
| 17 | noroot | 20 | noroot |
| 18 | nosound | 21 | nosound |
| 19 | no3d | ||
| 20 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
| 21 | seccomp | 23 | seccomp |
| 22 | netfilter | ||
| 23 | shell none | 24 | shell none |
| 24 | tracelog | 25 | tracelog |
| 25 | 26 | ||
| 26 | blacklist /tmp/.X11-unix | ||
| 27 | |||
| 28 | # private-bin lynx | 27 | # private-bin lynx |
| 29 | private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | # private-etc none | 29 | # private-etc none |
| 30 | private-tmp | ||
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index e083e8b88..220807447 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-calc |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mate-calc.local | 4 | include /etc/firejail/mate-calc.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/mate-calc | 8 | noblacklist ${HOME}/.config/mate-calc |
| 9 | 9 | ||
| @@ -24,9 +24,9 @@ protocol unix | |||
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | 26 | ||
| 27 | disable-mnt | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 30 | ||
| 31 | noexec ${HOME} | 31 | noexec ${HOME} |
| 32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile index acc687b81..155ccfe7e 100644 --- a/etc/mate-calculator.profile +++ b/etc/mate-calculator.profile | |||
| @@ -1,8 +1,7 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-calculator |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mate-calculator.local | 4 | include /etc/firejail/mate-calculator.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | #include /etc/firejail/mate-calc.profile | ||
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 74fe4bd69..42456d1f6 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
| @@ -1,9 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-color-select |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/mate-color-select.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mate-color-select.local | ||
| 7 | 8 | ||
| 8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| @@ -22,10 +23,10 @@ protocol unix | |||
| 22 | seccomp | 23 | seccomp |
| 23 | shell none | 24 | shell none |
| 24 | 25 | ||
| 26 | disable-mnt | ||
| 25 | private | 27 | private |
| 26 | private-dev | 28 | private-dev |
| 27 | private-tmp | 29 | private-tmp |
| 28 | disable-mnt | ||
| 29 | 30 | ||
| 30 | noexec ${HOME} | 31 | noexec ${HOME} |
| 31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 4fe0795d2..bc148fba3 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-dictionary |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mate-dictionary.local | 4 | include /etc/firejail/mate-dictionary.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/mate/mate-dictionary | 8 | noblacklist ${HOME}/.config/mate/mate-dictionary |
| 9 | 9 | ||
| @@ -24,9 +24,9 @@ protocol unix,inet,inet6 | |||
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | 26 | ||
| 27 | disable-mnt | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 30 | ||
| 31 | noexec ${HOME} | 31 | noexec ${HOME} |
| 32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mathematica.profile b/etc/mathematica.profile index b44d0407d..64cae12dd 100644 --- a/etc/mathematica.profile +++ b/etc/mathematica.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Mathematica |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mathematica.local | ||
| 7 | 4 | ||
| 8 | # Mathematica profile | ||
| 9 | include /etc/firejail/Mathematica.profile | 5 | include /etc/firejail/Mathematica.profile |
diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 603b5f5a0..8563201ac 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile | |||
| @@ -1,28 +1,27 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mcabber |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mcabber.local | 4 | include /etc/firejail/mcabber.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # mcabber profile | ||
| 9 | noblacklist ${HOME}/.mcabber | 8 | noblacklist ${HOME}/.mcabber |
| 10 | noblacklist ${HOME}/.mcabberrc | 9 | noblacklist ${HOME}/.mcabberrc |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
| 19 | nonewprivs | 18 | nonewprivs |
| 20 | noroot | 19 | noroot |
| 20 | nosound | ||
| 21 | protocol inet,inet6 | 21 | protocol inet,inet6 |
| 22 | seccomp | 22 | seccomp |
| 23 | shell none | ||
| 23 | 24 | ||
| 24 | private-bin mcabber | 25 | private-bin mcabber |
| 25 | private-etc null | ||
| 26 | private-dev | 26 | private-dev |
| 27 | shell none | 27 | private-etc null |
| 28 | nosound | ||
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 8758d66b9..4a2e9246e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mediainfo |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/mediainfo.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mediainfo.local | ||
| 7 | 9 | ||
| 8 | # mediainfo profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | net none | 16 | net none |
| 16 | nonewprivs | 17 | no3d |
| 17 | nogroups | 18 | nogroups |
| 19 | nonewprivs | ||
| 18 | noroot | 20 | noroot |
| 19 | nosound | 21 | nosound |
| 20 | no3d | ||
| 21 | protocol unix | 22 | protocol unix |
| 22 | seccomp | 23 | seccomp |
| 23 | shell none | 24 | shell none |
| 24 | tracelog | 25 | tracelog |
| 25 | 26 | ||
| 26 | blacklist /tmp/.X11-unix | ||
| 27 | |||
| 28 | private-bin mediainfo | 27 | private-bin mediainfo |
| 29 | private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | private-etc none | 29 | private-etc none |
| 30 | private-tmp | ||
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 8bf4eda13..5e980909b 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mediathekview |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mediathekview.local | 4 | include /etc/firejail/mediathekview.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # MediathekView profile | ||
| 9 | noblacklist ~/.mediathek3 | ||
| 10 | noblacklist ~/.config/vlc | 8 | noblacklist ~/.config/vlc |
| 9 | noblacklist ~/.mediathek3 | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | netfilter | 17 | netfilter |
| @@ -21,8 +21,8 @@ protocol unix,inet,inet6 | |||
| 21 | seccomp | 21 | seccomp |
| 22 | tracelog | 22 | tracelog |
| 23 | 23 | ||
| 24 | noexec ${HOME} | ||
| 25 | noexec /tmp | ||
| 26 | |||
| 27 | private-dev | 24 | private-dev |
| 28 | private-tmp | 25 | private-tmp |
| 26 | |||
| 27 | noexec ${HOME} | ||
| 28 | noexec /tmp | ||
diff --git a/etc/meld.profile b/etc/meld.profile index 503f6d07c..4aeca3771 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for meld |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/meld.local | 4 | include /etc/firejail/meld.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for meld | ||
| 9 | noblacklist ${HOME}/.local/share/meld | 8 | noblacklist ${HOME}/.local/share/meld |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| @@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | net none | 16 | net none |
| 19 | no3d | 17 | no3d |
| 20 | nogroups | 18 | nogroups |
diff --git a/etc/midori.profile b/etc/midori.profile index 8a02fb738..5b390a170 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
| @@ -1,49 +1,42 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for midori |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/midori.local | 4 | include /etc/firejail/midori.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Midori profile | ||
| 9 | noblacklist ~/.config/midori | 8 | noblacklist ~/.config/midori |
| 10 | noblacklist ~/.local/share/midori | 9 | noblacklist ~/.local/share/midori |
| 11 | noblacklist ~/.local/share/webkit | 10 | noblacklist ~/.local/share/webkit |
| 12 | noblacklist ~/.local/share/webkitgtk | 11 | noblacklist ~/.local/share/webkitgtk |
| 13 | noblacklist ~/.pki | 12 | noblacklist ~/.pki |
| 13 | |||
| 14 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
| 17 | 16 | include /etc/firejail/disable-programs.inc | |
| 18 | mkdir ~/.config/midori | ||
| 19 | whitelist ~/.config/midori | ||
| 20 | 17 | ||
| 21 | mkdir ~/.cache/midori | 18 | mkdir ~/.cache/midori |
| 22 | whitelist ~/.cache/midori | 19 | mkdir ~/.config/midori |
| 23 | |||
| 24 | mkdir ~/.local/share/midori | 20 | mkdir ~/.local/share/midori |
| 25 | whitelist ~/.local/share/midori | ||
| 26 | |||
| 27 | mkdir ~/.local/share/webkit | 21 | mkdir ~/.local/share/webkit |
| 28 | whitelist ~/.local/share/webkit | ||
| 29 | |||
| 30 | mkdir ~/.local/share/webkitgtk | 22 | mkdir ~/.local/share/webkitgtk |
| 31 | whitelist ~/.local/share/webkitgtk | 23 | mkdir ~/.pki |
| 32 | |||
| 33 | whitelist ${DOWNLOADS} | 24 | whitelist ${DOWNLOADS} |
| 34 | whitelist ~/.config/gnome-mplayer | ||
| 35 | whitelist ~/.cache/gnome-mplayer/plugin | 25 | whitelist ~/.cache/gnome-mplayer/plugin |
| 36 | mkdir ~/.pki | 26 | whitelist ~/.cache/midori |
| 37 | whitelist ~/.pki | 27 | whitelist ~/.config/gnome-mplayer |
| 28 | whitelist ~/.config/midori | ||
| 38 | whitelist ~/.lastpass | 29 | whitelist ~/.lastpass |
| 39 | 30 | whitelist ~/.local/share/midori | |
| 31 | whitelist ~/.local/share/webkit | ||
| 32 | whitelist ~/.local/share/webkitgtk | ||
| 33 | whitelist ~/.pki | ||
| 34 | include /etc/firejail/whitelist-common.inc | ||
| 40 | 35 | ||
| 41 | caps.drop all | 36 | caps.drop all |
| 42 | netfilter | 37 | netfilter |
| 43 | nonewprivs | 38 | nonewprivs |
| 44 | # noroot - porblems on Ubuntu 14.04 | 39 | # noroot - problems on Ubuntu 14.04 |
| 45 | protocol unix,inet,inet6,netlink | 40 | protocol unix,inet,inet6,netlink |
| 46 | seccomp | 41 | seccomp |
| 47 | tracelog | 42 | tracelog |
| 48 | |||
| 49 | |||
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index c3e85d55f..5a54afb5b 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mousepad |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mousepad.local | 4 | include /etc/firejail/mousepad.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for mousepad | ||
| 9 | noblacklist ~/.config/Mousepad | 8 | noblacklist ~/.config/Mousepad |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 879223e1a..b431e4695 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mplayer |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mplayer.local | 4 | include /etc/firejail/mplayer.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # mplayer profile | ||
| 9 | noblacklist ${HOME}/.mplayer | 8 | noblacklist ${HOME}/.mplayer |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | # nogroups | 17 | # nogroups |
| 20 | nonewprivs | 18 | nonewprivs |
| @@ -23,9 +21,9 @@ protocol unix,inet,inet6,netlink | |||
| 23 | seccomp | 21 | seccomp |
| 24 | shell none | 22 | shell none |
| 25 | 23 | ||
| 24 | private-bin mplayer | ||
| 26 | private-dev | 25 | private-dev |
| 27 | private-tmp | 26 | private-tmp |
| 28 | private-bin mplayer | ||
| 29 | 27 | ||
| 30 | noexec ${HOME} | 28 | noexec ${HOME} |
| 31 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/mpv.profile b/etc/mpv.profile index 0cda3e4e1..56192ac17 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mpv |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mpv.local | 4 | include /etc/firejail/mpv.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # mpv media player profile | ||
| 9 | noblacklist ${HOME}/.config/mpv | 8 | noblacklist ${HOME}/.config/mpv |
| 10 | noblacklist ${HOME}/.netrc | 9 | noblacklist ${HOME}/.netrc |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
| @@ -21,10 +20,8 @@ nonewprivs | |||
| 21 | noroot | 20 | noroot |
| 22 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 23 | seccomp | 22 | seccomp |
| 23 | shell none | ||
| 24 | tracelog | 24 | tracelog |
| 25 | 25 | ||
| 26 | # to test | ||
| 27 | # ipc-namespace | ||
| 28 | shell none | ||
| 29 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env | 26 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env |
| 30 | private-dev | 27 | private-dev |
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 6b0696064..a2f5d46b4 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
| @@ -1,47 +1,38 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for multimc5 |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/multimc5.local | 4 | include /etc/firejail/multimc5.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for multimc5 | ||
| 10 | # | ||
| 11 | |||
| 12 | #No Blacklist Paths | ||
| 13 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
| 14 | noblacklist ${HOME}/.local/share/multimc5 | 9 | noblacklist ${HOME}/.local/share/multimc5 |
| 15 | noblacklist ${HOME}/.multimc5 | 10 | noblacklist ${HOME}/.multimc5 |
| 16 | 11 | ||
| 17 | #Blacklist Paths | ||
| 18 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 19 | include /etc/firejail/disable-programs.inc | ||
| 20 | include /etc/firejail/disable-passwdmgr.inc | ||
| 21 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 22 | 16 | ||
| 23 | #Whitelist Paths | ||
| 24 | mkdir ${HOME}/.local/share/multimc5 | 17 | mkdir ${HOME}/.local/share/multimc5 |
| 25 | whitelist ${HOME}/.local/share/multimc5 | ||
| 26 | mkdir ${HOME}/.multimc5 | 18 | mkdir ${HOME}/.multimc5 |
| 19 | whitelist ${HOME}/.local/share/multimc5 | ||
| 27 | whitelist ${HOME}/.multimc5 | 20 | whitelist ${HOME}/.multimc5 |
| 28 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
| 29 | 22 | ||
| 30 | #Options | ||
| 31 | caps.drop all | 23 | caps.drop all |
| 32 | #ipc-namespace | ||
| 33 | netfilter | 24 | netfilter |
| 34 | nogroups | 25 | nogroups |
| 35 | nonewprivs | 26 | nonewprivs |
| 36 | noroot | 27 | noroot |
| 37 | novideo | 28 | novideo |
| 38 | protocol unix,inet,inet6 | 29 | protocol unix,inet,inet6 |
| 39 | #seccomp | 30 | # seccomp |
| 40 | shell none | 31 | shell none |
| 41 | 32 | ||
| 33 | disable-mnt | ||
| 42 | private-dev | 34 | private-dev |
| 43 | private-tmp | 35 | private-tmp |
| 44 | disable-mnt | ||
| 45 | 36 | ||
| 46 | noexec ${HOME} | 37 | noexec ${HOME} |
| 47 | noexec /tmp | 38 | noexec /tmp |
diff --git a/etc/mumble.profile b/etc/mumble.profile index a2104957d..048b31b81 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mumble |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mumble.local | 4 | include /etc/firejail/mumble.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # mumble profile | ||
| 9 | noblacklist ${HOME}/.config/Mumble | 8 | noblacklist ${HOME}/.config/Mumble |
| 10 | noblacklist ${HOME}/.local/share/data/Mumble | 9 | noblacklist ${HOME}/.local/share/data/Mumble |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | mkdir ${HOME}/.config/Mumble | 16 | mkdir ${HOME}/.config/Mumble |
| 17 | mkdir ${HOME}/.local/share/data/Mumble | 17 | mkdir ${HOME}/.local/share/data/Mumble |
| @@ -20,20 +20,19 @@ whitelist ${HOME}/.local/share/data/Mumble | |||
| 20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
| 21 | 21 | ||
| 22 | caps.drop all | 22 | caps.drop all |
| 23 | #ipc-namespace | ||
| 24 | netfilter | 23 | netfilter |
| 25 | no3d | 24 | no3d |
| 26 | nonewprivs | ||
| 27 | nogroups | 25 | nogroups |
| 26 | nonewprivs | ||
| 28 | noroot | 27 | noroot |
| 29 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
| 30 | seccomp | 29 | seccomp |
| 31 | shell none | 30 | shell none |
| 32 | tracelog | 31 | tracelog |
| 33 | 32 | ||
| 33 | disable-mnt | ||
| 34 | private-bin mumble | 34 | private-bin mumble |
| 35 | private-tmp | 35 | private-tmp |
| 36 | disable-mnt | ||
| 37 | 36 | ||
| 38 | memory-deny-write-execute | 37 | memory-deny-write-execute |
| 39 | noexec ${HOME} | 38 | noexec ${HOME} |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index ca61edfdd..4b98552c4 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mupdf |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/mupdf.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mupdf.local | ||
| 7 | 8 | ||
| 8 | # mupdf reader profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | net none | 15 | net none |
| @@ -19,18 +19,13 @@ noroot | |||
| 19 | nosound | 19 | nosound |
| 20 | protocol unix | 20 | protocol unix |
| 21 | seccomp | 21 | seccomp |
| 22 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | ||
| 22 | shell none | 23 | shell none |
| 23 | tracelog | 24 | tracelog |
| 24 | 25 | ||
| 25 | private-tmp | 26 | # private-bin mupdf,sh,tempfile,rm |
| 26 | private-dev | 27 | private-dev |
| 27 | private-etc fonts | 28 | private-etc fonts |
| 28 | 29 | private-tmp | |
| 29 | # mupdf will never write anything | 30 | # mupdf will never write anything |
| 30 | read-only ${HOME} | 31 | read-only ${HOME} |
| 31 | |||
| 32 | # | ||
| 33 | # Experimental: | ||
| 34 | # | ||
| 35 | #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | ||
| 36 | # private-bin mupdf,sh,tempfile,rm | ||
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 5705eb645..f0680c4ce 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
| @@ -1,24 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mupen64plus |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mupen64plus.local | 4 | include /etc/firejail/mupen64plus.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # mupen64plus profile | ||
| 9 | # manually whitelist ROM files | ||
| 10 | noblacklist ${HOME}/.config/mupen64plus | 8 | noblacklist ${HOME}/.config/mupen64plus |
| 11 | noblacklist ${HOME}/.local/share/mupen64plus | 9 | noblacklist ${HOME}/.local/share/mupen64plus |
| 12 | 10 | ||
| 13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 17 | 15 | ||
| 18 | mkdir ${HOME}/.local/share/mupen64plus | 16 | # you'll need to manually whitelist ROM files |
| 19 | whitelist ${HOME}/.local/share/mupen64plus/ | ||
| 20 | mkdir ${HOME}/.config/mupen64plus | 17 | mkdir ${HOME}/.config/mupen64plus |
| 18 | mkdir ${HOME}/.local/share/mupen64plus | ||
| 21 | whitelist ${HOME}/.config/mupen64plus/ | 19 | whitelist ${HOME}/.config/mupen64plus/ |
| 20 | whitelist ${HOME}/.local/share/mupen64plus/ | ||
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 22 | 22 | ||
| 23 | caps.drop all | 23 | caps.drop all |
| 24 | net none | 24 | net none |
diff --git a/etc/mutt.profile b/etc/mutt.profile index bf8323070..e2b9b38ec 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
| @@ -1,50 +1,49 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for mutt |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/mutt.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/mutt.local | ||
| 7 | 9 | ||
| 8 | # mutt email client profile | ||
| 9 | noblacklist ~/.muttrc | ||
| 10 | noblacklist ~/.mutt | ||
| 11 | noblacklist ~/.mutt/muttrc | ||
| 12 | noblacklist ~/.mailcap | ||
| 13 | noblacklist ~/.gnupg | ||
| 14 | noblacklist ~/.mail | ||
| 15 | noblacklist ~/.Mail | 10 | noblacklist ~/.Mail |
| 16 | noblacklist ~/mail | 11 | noblacklist ~/.bogofilter |
| 17 | noblacklist ~/Mail | ||
| 18 | noblacklist ~/sent | ||
| 19 | noblacklist ~/postponed | ||
| 20 | noblacklist ~/.cache/mutt | 12 | noblacklist ~/.cache/mutt |
| 21 | noblacklist ~/.w3m | ||
| 22 | noblacklist ~/.elinks | 13 | noblacklist ~/.elinks |
| 23 | noblacklist ~/.vim | ||
| 24 | noblacklist ~/.vimrc | ||
| 25 | noblacklist ~/.viminfo | ||
| 26 | noblacklist ~/.emacs | 14 | noblacklist ~/.emacs |
| 27 | noblacklist ~/.emacs.d | 15 | noblacklist ~/.emacs.d |
| 28 | noblacklist ~/.signature | 16 | noblacklist ~/.gnupg |
| 29 | noblacklist ~/.bogofilter | 17 | noblacklist ~/.mail |
| 18 | noblacklist ~/.mailcap | ||
| 30 | noblacklist ~/.msmtprc | 19 | noblacklist ~/.msmtprc |
| 20 | noblacklist ~/.mutt | ||
| 21 | noblacklist ~/.mutt/muttrc | ||
| 22 | noblacklist ~/.muttrc | ||
| 23 | noblacklist ~/.signature | ||
| 24 | noblacklist ~/.vim | ||
| 25 | noblacklist ~/.viminfo | ||
| 26 | noblacklist ~/.vimrc | ||
| 27 | noblacklist ~/.w3m | ||
| 28 | noblacklist ~/Mail | ||
| 29 | noblacklist ~/mail | ||
| 30 | noblacklist ~/postponed | ||
| 31 | noblacklist ~/sent | ||
| 31 | 32 | ||
| 32 | include /etc/firejail/disable-common.inc | 33 | include /etc/firejail/disable-common.inc |
| 33 | include /etc/firejail/disable-programs.inc | ||
| 34 | include /etc/firejail/disable-passwdmgr.inc | ||
| 35 | include /etc/firejail/disable-devel.inc | 34 | include /etc/firejail/disable-devel.inc |
| 35 | include /etc/firejail/disable-passwdmgr.inc | ||
| 36 | include /etc/firejail/disable-programs.inc | ||
| 36 | 37 | ||
| 37 | caps.drop all | 38 | caps.drop all |
| 38 | netfilter | 39 | netfilter |
| 40 | no3d | ||
| 39 | nogroups | 41 | nogroups |
| 40 | nonewprivs | 42 | nonewprivs |
| 41 | noroot | 43 | noroot |
| 42 | nosound | 44 | nosound |
| 43 | no3d | ||
| 44 | protocol unix,inet,inet6 | 45 | protocol unix,inet,inet6 |
| 45 | seccomp | 46 | seccomp |
| 46 | shell none | 47 | shell none |
| 47 | 48 | ||
| 48 | blacklist /tmp/.X11-unix | ||
| 49 | |||
| 50 | private-dev | 49 | private-dev |
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 4f2f50d9f..2da8f32d7 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
| @@ -1,25 +1,22 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for nautilus |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/nautilus.local | 4 | include /etc/firejail/nautilus.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # nautilus profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there | 8 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there |
| 11 | # is already a nautilus process running on gnome desktops firejail will have no effect. | 9 | # is already a nautilus process running on gnome desktops firejail will have no effect. |
| 12 | 10 | ||
| 13 | noblacklist ~/.config/nautilus | 11 | noblacklist ~/.config/nautilus |
| 12 | noblacklist ~/.local/share/Trash | ||
| 14 | noblacklist ~/.local/share/nautilus | 13 | noblacklist ~/.local/share/nautilus |
| 15 | noblacklist ~/.local/share/nautilus-python | 14 | noblacklist ~/.local/share/nautilus-python |
| 16 | noblacklist ~/.local/share/Trash | ||
| 17 | 15 | ||
| 18 | include /etc/firejail/disable-common.inc | 16 | include /etc/firejail/disable-common.inc |
| 19 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 20 | #include /etc/firejail/disable-programs.inc | ||
| 21 | include /etc/firejail/disable-devel.inc | 17 | include /etc/firejail/disable-devel.inc |
| 22 | include /etc/firejail/disable-passwdmgr.inc | 18 | include /etc/firejail/disable-passwdmgr.inc |
| 19 | # include /etc/firejail/disable-programs.inc | ||
| 23 | 20 | ||
| 24 | caps.drop all | 21 | caps.drop all |
| 25 | netfilter | 22 | netfilter |
| @@ -31,7 +28,8 @@ seccomp | |||
| 31 | shell none | 28 | shell none |
| 32 | tracelog | 29 | tracelog |
| 33 | 30 | ||
| 31 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 34 | # private-bin nautilus | 32 | # private-bin nautilus |
| 35 | # private-tmp | ||
| 36 | # private-dev | 33 | # private-dev |
| 37 | # private-etc fonts | 34 | # private-etc fonts |
| 35 | # private-tmp | ||
diff --git a/etc/nemo.profile b/etc/nemo.profile index 5e6f4936f..e2219825a 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile | |||
| @@ -1,18 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for nemo |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/nemo.local | 4 | include /etc/firejail/nemo.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/nemo | 8 | noblacklist ${HOME}/.config/nemo |
| 9 | noblacklist ${HOME}/.local/share/Trash | ||
| 9 | noblacklist ${HOME}/.local/share/nemo | 10 | noblacklist ${HOME}/.local/share/nemo |
| 10 | noblacklist ${HOME}/.local/share/nemo-python | 11 | noblacklist ${HOME}/.local/share/nemo-python |
| 11 | noblacklist ${HOME}/.local/share/Trash | ||
| 12 | 12 | ||
| 13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | 18 | netfilter |
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 82cd4d59b..68df57539 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
| @@ -1,16 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for netsurf |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/netsurf.local | 4 | include /etc/firejail/netsurf.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
| 9 | noblacklist ~/.config/netsurf | ||
| 10 | noblacklist ~/.cache/netsurf | 8 | noblacklist ~/.cache/netsurf |
| 9 | noblacklist ~/.config/netsurf | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.cache/netsurf | ||
| 16 | mkdir ~/.config/netsurf | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | whitelist ~/.cache/netsurf | ||
| 19 | whitelist ~/.config/netsurf | ||
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 14 | 21 | ||
| 15 | caps.drop all | 22 | caps.drop all |
| 16 | netfilter | 23 | netfilter |
| @@ -19,11 +26,3 @@ noroot | |||
| 19 | protocol unix,inet,inet6,netlink | 26 | protocol unix,inet,inet6,netlink |
| 20 | seccomp | 27 | seccomp |
| 21 | tracelog | 28 | tracelog |
| 22 | |||
| 23 | whitelist ${DOWNLOADS} | ||
| 24 | mkdir ~/.config/netsurf | ||
| 25 | whitelist ~/.config/netsurf | ||
| 26 | mkdir ~/.cache/netsurf | ||
| 27 | whitelist ~/.cache/netsurf | ||
| 28 | |||
| 29 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/nylas.profile b/etc/nylas.profile index ac2f1120a..6b6697522 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile | |||
| @@ -1,22 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for nylas |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/nylas.local | 4 | include /etc/firejail/nylas.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Nylas Mail | ||
| 9 | noblacklist ~/.config/Nylas Mail | 8 | noblacklist ~/.config/Nylas Mail |
| 10 | noblacklist ~/.nylas-mail | 9 | noblacklist ~/.nylas-mail |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 16 | whitelist ${DOWNLOADS} | ||
| 17 | whitelist ~/.config/Nylas Mail | 17 | whitelist ~/.config/Nylas Mail |
| 18 | whitelist ~/.nylas-mail | 18 | whitelist ~/.nylas-mail |
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
| 21 | 20 | ||
| 22 | caps.drop all | 21 | caps.drop all |
diff --git a/etc/obs.profile b/etc/obs.profile index 8316551f9..3dbacbf57 100644 --- a/etc/obs.profile +++ b/etc/obs.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for obs |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/obs.local | 4 | include /etc/firejail/obs.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for OBS Studio | ||
| 9 | noblacklist ${HOME}/.config/obs-studio | 8 | noblacklist ${HOME}/.config/obs-studio |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 8cfadd9ac..06b4c16e0 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
| @@ -1,33 +1,31 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for odt2txt |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/odt2txt.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/odt2txt.local | ||
| 7 | 9 | ||
| 8 | # odt2txt profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | net none | 16 | net none |
| 17 | no3d | ||
| 16 | nogroups | 18 | nogroups |
| 17 | nonewprivs | 19 | nonewprivs |
| 18 | noroot | 20 | noroot |
| 19 | nosound | 21 | nosound |
| 20 | protocol unix | 22 | protocol unix |
| 21 | seccomp | 23 | seccomp |
| 22 | no3d | ||
| 23 | shell none | 24 | shell none |
| 24 | tracelog | 25 | tracelog |
| 25 | 26 | ||
| 26 | blacklist /tmp/.X11-unix | ||
| 27 | |||
| 28 | private-bin odt2txt | 27 | private-bin odt2txt |
| 29 | private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | private-etc none | 29 | private-etc none |
| 32 | 30 | private-tmp | |
| 33 | read-only ${HOME} | 31 | read-only ${HOME} |
diff --git a/etc/okular.profile b/etc/okular.profile index 578f01915..331b625b8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
| @@ -1,29 +1,29 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for okular |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/okular.local | 4 | include /etc/firejail/okular.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # KDE okular profile | 8 | noblacklist ~/.config/okularpartrc |
| 9 | noblacklist ~/.kde4/share/apps/okular | 9 | noblacklist ~/.config/okularrc |
| 10 | noblacklist ~/.kde4/share/config/okularrc | ||
| 11 | noblacklist ~/.kde4/share/config/okularpartrc | ||
| 12 | noblacklist ~/.kde/share/apps/okular | 10 | noblacklist ~/.kde/share/apps/okular |
| 13 | noblacklist ~/.kde/share/config/okularrc | ||
| 14 | noblacklist ~/.kde/share/config/okularpartrc | 11 | noblacklist ~/.kde/share/config/okularpartrc |
| 12 | noblacklist ~/.kde/share/config/okularrc | ||
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 14 | noblacklist ~/.kde4/share/config/okularpartrc | ||
| 15 | noblacklist ~/.kde4/share/config/okularrc | ||
| 15 | noblacklist ~/.local/share/okular | 16 | noblacklist ~/.local/share/okular |
| 16 | noblacklist ~/.config/okularrc | 17 | |
| 17 | noblacklist ~/.config/okularpartrc | ||
| 18 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
| 19 | include /etc/firejail/disable-programs.inc | ||
| 20 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
| 21 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | 22 | ||
| 23 | caps.drop all | 23 | caps.drop all |
| 24 | netfilter | 24 | netfilter |
| 25 | nonewprivs | ||
| 26 | nogroups | 25 | nogroups |
| 26 | nonewprivs | ||
| 27 | noroot | 27 | noroot |
| 28 | nosound | 28 | nosound |
| 29 | protocol unix | 29 | protocol unix |
| @@ -32,8 +32,8 @@ shell none | |||
| 32 | tracelog | 32 | tracelog |
| 33 | 33 | ||
| 34 | # private-bin okular,kbuildsycoca4,lpr | 34 | # private-bin okular,kbuildsycoca4,lpr |
| 35 | # private-etc fonts,X11 | ||
| 36 | private-dev | 35 | private-dev |
| 36 | # private-etc fonts,X11 | ||
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | noexec ${HOME} | 39 | noexec ${HOME} |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index f95b0f5a2..2587027ab 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
| @@ -1,41 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for open-invaders |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/open-invaders.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.openinvaders |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/open-invaders.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # open-invaders profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.openinvaders | ||
| 13 | mkdir ~/.openinvaders | 14 | mkdir ~/.openinvaders |
| 14 | whitelist ~/.openinvaders | 15 | whitelist ~/.openinvaders |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix,netlink | 23 | protocol unix,netlink |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin open-invaders | 26 | |
| 34 | # private-etc none | 27 | # private-bin open-invaders |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
diff --git a/etc/openbox.profile b/etc/openbox.profile index 4104e1e08..99c579c37 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
| @@ -1,14 +1,12 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for openbox |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/openbox.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | # all applications started in OpenBox will run in this profile |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/openbox.local | ||
| 7 | 9 | ||
| 8 | ####################################### | ||
| 9 | # OpenBox window manager profile | ||
| 10 | # - all applications started in OpenBox will run in this profile | ||
| 11 | ####################################### | ||
| 12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 13 | 11 | ||
| 14 | caps.drop all | 12 | caps.drop all |
diff --git a/etc/openshot.profile b/etc/openshot.profile index 25c803512..b5ace455e 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for openshot |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/openshot.local | 4 | include /etc/firejail/openshot.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # OpenShot profile | ||
| 9 | noblacklist ${HOME}/.openshot | 8 | noblacklist ${HOME}/.openshot |
| 10 | noblacklist ${HOME}/.openshot_qt | 9 | noblacklist ${HOME}/.openshot_qt |
| 11 | 10 | ||
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 4fc2235c1..078f5a0dd 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
| @@ -1,24 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for opera-beta |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/opera-beta.local | 4 | include /etc/firejail/opera-beta.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Opera-beta browser profile | ||
| 9 | noblacklist ~/.config/opera-beta | 8 | noblacklist ~/.config/opera-beta |
| 10 | noblacklist ~/.pki | 9 | noblacklist ~/.pki |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 14 | ||
| 15 | netfilter | ||
| 16 | |||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | mkdir ~/.config/opera-beta | ||
| 19 | whitelist ~/.config/opera-beta | ||
| 20 | mkdir ~/.cache/opera | 15 | mkdir ~/.cache/opera |
| 21 | whitelist ~/.cache/opera | 16 | mkdir ~/.config/opera-beta |
| 22 | mkdir ~/.pki | 17 | mkdir ~/.pki |
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/opera | ||
| 20 | whitelist ~/.config/opera-beta | ||
| 23 | whitelist ~/.pki | 21 | whitelist ~/.pki |
| 24 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
| 23 | |||
| 24 | netfilter | ||
diff --git a/etc/opera.profile b/etc/opera.profile index b6c4ab7bd..7802a124a 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
| @@ -1,28 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for opera |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/opera.local | 4 | include /etc/firejail/opera.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Opera browser profile | 8 | noblacklist ~/.cache/opera |
| 9 | noblacklist ~/.config/opera | 9 | noblacklist ~/.config/opera |
| 10 | noblacklist ~/.opera | 10 | noblacklist ~/.opera |
| 11 | noblacklist ~/.cache/opera | ||
| 12 | noblacklist ~/.pki | 11 | noblacklist ~/.pki |
| 12 | |||
| 13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | netfilter | 17 | mkdir ~/.cache/opera |
| 18 | |||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | mkdir ~/.config/opera | 18 | mkdir ~/.config/opera |
| 21 | whitelist ~/.config/opera | ||
| 22 | mkdir ~/.opera | 19 | mkdir ~/.opera |
| 23 | mkdir ~/.cache/opera | 20 | mkdir ~/.pki |
| 21 | whitelist ${DOWNLOADS} | ||
| 24 | whitelist ~/.cache/opera | 22 | whitelist ~/.cache/opera |
| 23 | whitelist ~/.config/opera | ||
| 25 | whitelist ~/.opera | 24 | whitelist ~/.opera |
| 26 | mkdir ~/.pki | ||
| 27 | whitelist ~/.pki | 25 | whitelist ~/.pki |
| 28 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
| 27 | |||
| 28 | netfilter | ||
diff --git a/etc/orage.profile b/etc/orage.profile index c9977d002..132b526b4 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for orage |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/orage.local | 4 | include /etc/firejail/orage.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/orage | 8 | noblacklist ${HOME}/.config/orage |
| 9 | noblacklist ${HOME}/.local/share/orage | 9 | noblacklist ${HOME}/.local/share/orage |
| @@ -25,9 +25,9 @@ protocol unix | |||
| 25 | seccomp | 25 | seccomp |
| 26 | shell none | 26 | shell none |
| 27 | 27 | ||
| 28 | disable-mnt | ||
| 28 | private-dev | 29 | private-dev |
| 29 | private-tmp | 30 | private-tmp |
| 30 | disable-mnt | ||
| 31 | 31 | ||
| 32 | noexec ${HOME} | 32 | noexec ${HOME} |
| 33 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index b3b57f931..e3e498195 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
| @@ -1,37 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for palemoon |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/palemoon.local | 4 | include /etc/firejail/palemoon.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Pale Moon | ||
| 9 | noblacklist ~/.moonchild productions/pale moon | ||
| 10 | noblacklist ~/.cache/moonchild productions/pale moon | 8 | noblacklist ~/.cache/moonchild productions/pale moon |
| 9 | noblacklist ~/.moonchild productions/pale moon | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/disable-programs.inc |
| 15 | |||
| 16 | whitelist ${DOWNLOADS} | ||
| 17 | mkdir ~/.moonchild productions | ||
| 18 | whitelist ~/.moonchild productions | ||
| 19 | mkdir ~/.cache/moonchild productions/pale moon | ||
| 20 | whitelist ~/.cache/moonchild productions/pale moon | ||
| 21 | |||
| 22 | caps.drop all | ||
| 23 | netfilter | ||
| 24 | nogroups | ||
| 25 | nonewprivs | ||
| 26 | noroot | ||
| 27 | protocol unix,inet,inet6,netlink | ||
| 28 | seccomp | ||
| 29 | shell none | ||
| 30 | tracelog | ||
| 31 | |||
| 32 | #private-bin palemoon | ||
| 33 | #private-opt palemoon | ||
| 34 | private-tmp | ||
| 35 | 14 | ||
| 36 | # These are uncommented in the Firefox profile. If you run into trouble you may | 15 | # These are uncommented in the Firefox profile. If you run into trouble you may |
| 37 | # want to uncomment (some of) them. | 16 | # want to uncomment (some of) them. |
| @@ -53,6 +32,25 @@ private-tmp | |||
| 53 | #whitelist ~/.config/pipelight-widevine | 32 | #whitelist ~/.config/pipelight-widevine |
| 54 | #whitelist ~/.config/pipelight-silverlight5.1 | 33 | #whitelist ~/.config/pipelight-silverlight5.1 |
| 55 | 34 | ||
| 56 | # experimental features | 35 | mkdir ~/.cache/moonchild productions/pale moon |
| 57 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 36 | mkdir ~/.moonchild productions |
| 58 | #private-dev (disabled for now as it will interfere with webcam use in palemoon) | 37 | whitelist ${DOWNLOADS} |
| 38 | whitelist ~/.cache/moonchild productions/pale moon | ||
| 39 | whitelist ~/.moonchild productions | ||
| 40 | include /etc/firejail/whitelist-common.inc | ||
| 41 | |||
| 42 | caps.drop all | ||
| 43 | netfilter | ||
| 44 | nogroups | ||
| 45 | nonewprivs | ||
| 46 | noroot | ||
| 47 | protocol unix,inet,inet6,netlink | ||
| 48 | seccomp | ||
| 49 | shell none | ||
| 50 | tracelog | ||
| 51 | |||
| 52 | # private-bin palemoon | ||
| 53 | # private-dev (disabled for now as it will interfere with webcam use in palemoon) | ||
| 54 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
| 55 | # private-opt palemoon | ||
| 56 | private-tmp | ||
diff --git a/etc/parole.profile b/etc/parole.profile index e6a9d4ef5..00a12afd9 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
| @@ -1,18 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for parole |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/parole.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/parole.local | ||
| 7 | 8 | ||
| 8 | # Profile for Parole, the default XFCE4 media player | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | 12 | include /etc/firejail/disable-programs.inc | |
| 14 | private-etc passwd,group,fonts | ||
| 15 | private-bin parole,dbus-launch | ||
| 16 | 13 | ||
| 17 | caps.drop all | 14 | caps.drop all |
| 18 | netfilter | 15 | netfilter |
| @@ -21,3 +18,6 @@ noroot | |||
| 21 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
| 22 | seccomp | 19 | seccomp |
| 23 | shell none | 20 | shell none |
| 21 | |||
| 22 | private-bin parole,dbus-launch | ||
| 23 | private-etc passwd,group,fonts | ||
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 654904f17..f2bc908df 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile | |||
| @@ -1,18 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pcmanfm |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pcmanfm.local | 4 | include /etc/firejail/pcmanfm.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ~/.config/pcmanfm | ||
| 9 | noblacklist ~/.config/libfm | ||
| 10 | noblacklist ${HOME}/.local/share/Trash | 8 | noblacklist ${HOME}/.local/share/Trash |
| 9 | noblacklist ~/.config/libfm | ||
| 10 | noblacklist ~/.config/pcmanfm | ||
| 11 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | #include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | # include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | net none | 18 | net none |
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 2465be252..0f25f1fa5 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
| @@ -1,24 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pdfsam |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pdfsam.local | 4 | include /etc/firejail/pdfsam.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for pdfsam | ||
| 10 | # | ||
| 11 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
| 12 | 9 | ||
| 13 | #Blacklist Paths | ||
| 14 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-passwdmgr.inc | ||
| 17 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 18 | 14 | ||
| 19 | #Options | ||
| 20 | caps.drop all | 15 | caps.drop all |
| 21 | #ipc-namespace | ||
| 22 | net none | 16 | net none |
| 23 | no3d | 17 | no3d |
| 24 | nogroups | 18 | nogroups |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index e5dab840f..89fb295dd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pdftotext |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/pdftotext.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pdftotext.local | ||
| 7 | 9 | ||
| 8 | # pdftotext profile | ||
| 9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 13 | 14 | ||
| 14 | caps.drop all | 15 | caps.drop all |
| 15 | net none | 16 | net none |
| 17 | no3d | ||
| 16 | nogroups | 18 | nogroups |
| 17 | nonewprivs | 19 | nonewprivs |
| 18 | noroot | 20 | noroot |
| 19 | nosound | 21 | nosound |
| 20 | protocol unix | 22 | protocol unix |
| 21 | seccomp | 23 | seccomp |
| 22 | no3d | ||
| 23 | shell none | 24 | shell none |
| 24 | tracelog | 25 | tracelog |
| 25 | 26 | ||
| 26 | blacklist /tmp/.X11-unix | ||
| 27 | |||
| 28 | private-bin pdftotext | 27 | private-bin pdftotext |
| 29 | private-tmp | ||
| 30 | private-dev | 28 | private-dev |
| 31 | private-etc none | 29 | private-etc none |
| 30 | private-tmp | ||
diff --git a/etc/peek.profile b/etc/peek.profile index 811eb701b..2860d3663 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for peek |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/peek.local | 4 | include /etc/firejail/peek.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Peek | ||
| 9 | noblacklist ${HOME}/.cache/peek | 8 | noblacklist ${HOME}/.cache/peek |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| @@ -25,7 +24,7 @@ protocol unix | |||
| 25 | seccomp | 24 | seccomp |
| 26 | shell none | 25 | shell none |
| 27 | 26 | ||
| 28 | #private-bin peek,convert,ffmpeg | 27 | # private-bin peek,convert,ffmpeg |
| 29 | private-dev | 28 | private-dev |
| 30 | private-tmp | 29 | private-tmp |
| 31 | 30 | ||
diff --git a/etc/picard.profile b/etc/picard.profile index 0c99e6b3e..ccdbc5116 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for picard |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/picard.local | 4 | include /etc/firejail/picard.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for MusicBrainz Picard | ||
| 9 | noblacklist ${HOME}/.cache/MusicBrainz | 8 | noblacklist ${HOME}/.cache/MusicBrainz |
| 10 | noblacklist ${HOME}/.config/MusicBrainz | 9 | noblacklist ${HOME}/.config/MusicBrainz |
| 11 | 10 | ||
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 5c0b5de04..7bc88a814 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pidgin |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pidgin.local | 4 | include /etc/firejail/pidgin.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Pidgin profile | ||
| 9 | noblacklist ${HOME}/.purple | 8 | noblacklist ${HOME}/.purple |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/pingus.profile b/etc/pingus.profile index b3b479046..848bf88ad 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
| @@ -1,41 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pingus |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/pingus.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.pingus |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pingus.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # Pinugs profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.pingus | ||
| 13 | mkdir ~/.pingus | 14 | mkdir ~/.pingus |
| 14 | whitelist ~/.pingus | 15 | whitelist ~/.pingus |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix,netlink | 23 | protocol unix,netlink |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin pingus | 26 | |
| 34 | # private-etc none | 27 | # private-bin pingus |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
diff --git a/etc/pithos.profile b/etc/pithos.profile index c08f27f17..7eea5d8c2 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
| @@ -1,25 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pithos |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pithos.local | 4 | include /etc/firejail/pithos.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for pithos | ||
| 10 | # | ||
| 11 | 8 | ||
| 12 | #Blacklist Paths | ||
| 13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
| 19 | 14 | ||
| 20 | #Options | ||
| 21 | caps.drop all | 15 | caps.drop all |
| 22 | #ipc-namespace | ||
| 23 | netfilter | 16 | netfilter |
| 24 | no3d | 17 | no3d |
| 25 | nogroups | 18 | nogroups |
| @@ -30,9 +23,9 @@ protocol unix,inet,inet6 | |||
| 30 | seccomp | 23 | seccomp |
| 31 | shell none | 24 | shell none |
| 32 | 25 | ||
| 26 | disable-mnt | ||
| 33 | private-dev | 27 | private-dev |
| 34 | private-tmp | 28 | private-tmp |
| 35 | disable-mnt | ||
| 36 | 29 | ||
| 37 | noexec ${HOME} | 30 | noexec ${HOME} |
| 38 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/pix.profile b/etc/pix.profile index f6e3d4ae3..0d1d46fd6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pix |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pix.local | 4 | include /etc/firejail/pix.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for pix | ||
| 9 | noblacklist ${HOME}/.config/pix | 8 | noblacklist ${HOME}/.config/pix |
| 10 | noblacklist ${HOME}/.local/share/pix | 9 | noblacklist ${HOME}/.local/share/pix |
| 11 | noblacklist ~/.Steam | 10 | noblacklist ~/.Steam |
| 12 | noblacklist ~/.steam | 11 | noblacklist ~/.steam |
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | nogroups | 19 | nogroups |
diff --git a/etc/pluma.profile b/etc/pluma.profile index c2a30b2c3..75bdeadc4 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for pluma |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/pluma.local | 4 | include /etc/firejail/pluma.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Xed | ||
| 9 | noblacklist ${HOME}/.config/pluma | 8 | noblacklist ${HOME}/.config/pluma |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | net none | 16 | net none |
diff --git a/etc/polari.profile b/etc/polari.profile index 657139b6b..e2788b7d0 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
| @@ -1,26 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for polari |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/polari.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/polari.local | ||
| 7 | 8 | ||
| 8 | # Polari IRC profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | 12 | ||
| 13 | mkdir ${HOME}/.cache/telepathy | ||
| 14 | mkdir ${HOME}/.config/telepathy-account-widgets | ||
| 13 | mkdir ${HOME}/.local/share/Empathy | 15 | mkdir ${HOME}/.local/share/Empathy |
| 14 | whitelist ${HOME}/.local/share/Empathy | ||
| 15 | mkdir ${HOME}/.local/share/telepathy | ||
| 16 | whitelist ${HOME}/.local/share/telepathy | ||
| 17 | mkdir ${HOME}/.local/share/TpLogger | 16 | mkdir ${HOME}/.local/share/TpLogger |
| 18 | whitelist ${HOME}/.local/share/TpLogger | 17 | mkdir ${HOME}/.local/share/telepathy |
| 19 | mkdir ${HOME}/.config/telepathy-account-widgets | ||
| 20 | whitelist ${HOME}/.config/telepathy-account-widgets | ||
| 21 | mkdir ${HOME}/.cache/telepathy | ||
| 22 | whitelist ${HOME}/.cache/telepathy | ||
| 23 | mkdir ${HOME}/.purple | 18 | mkdir ${HOME}/.purple |
| 19 | whitelist ${HOME}/.cache/telepathy | ||
| 20 | whitelist ${HOME}/.config/telepathy-account-widgets | ||
| 21 | whitelist ${HOME}/.local/share/Empathy | ||
| 22 | whitelist ${HOME}/.local/share/TpLogger | ||
| 23 | whitelist ${HOME}/.local/share/telepathy | ||
| 24 | whitelist ${HOME}/.purple | 24 | whitelist ${HOME}/.purple |
| 25 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
| 26 | 26 | ||
| @@ -36,9 +36,9 @@ seccomp | |||
| 36 | shell none | 36 | shell none |
| 37 | tracelog | 37 | tracelog |
| 38 | 38 | ||
| 39 | disable-mnt | ||
| 39 | private-dev | 40 | private-dev |
| 40 | private-tmp | 41 | private-tmp |
| 41 | disable-mnt | ||
| 42 | 42 | ||
| 43 | noexec ${HOME} | 43 | noexec ${HOME} |
| 44 | noexec /tmp | 44 | noexec /tmp |
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9500731fe..27ee2500c 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
| @@ -1,27 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for psi-plus |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/psi-plus.local | 4 | include /etc/firejail/psi-plus.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Psi+ | ||
| 9 | noblacklist ${HOME}/.config/psi+ | 8 | noblacklist ${HOME}/.config/psi+ |
| 10 | noblacklist ${HOME}/.local/share/psi+ | 9 | noblacklist ${HOME}/.local/share/psi+ |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | whitelist ${DOWNLOADS} | 16 | mkdir ~/.cache/psi+ |
| 18 | mkdir ~/.config/psi+ | 17 | mkdir ~/.config/psi+ |
| 19 | whitelist ~/.config/psi+ | ||
| 20 | mkdir ~/.local/share/psi+ | 18 | mkdir ~/.local/share/psi+ |
| 21 | whitelist ~/.local/share/psi+ | 19 | whitelist ${DOWNLOADS} |
| 22 | mkdir ~/.cache/psi+ | ||
| 23 | whitelist ~/.cache/psi+ | 20 | whitelist ~/.cache/psi+ |
| 24 | 21 | whitelist ~/.config/psi+ | |
| 22 | whitelist ~/.local/share/psi+ | ||
| 25 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 26 | 24 | ||
| 27 | caps.drop all | 25 | caps.drop all |
| @@ -35,9 +33,9 @@ protocol unix,inet,inet6 | |||
| 35 | seccomp | 33 | seccomp |
| 36 | shell none | 34 | shell none |
| 37 | 35 | ||
| 36 | disable-mnt | ||
| 38 | private-dev | 37 | private-dev |
| 39 | private-tmp | 38 | private-tmp |
| 40 | disable-mnt | ||
| 41 | 39 | ||
| 42 | noexec ${HOME} | 40 | noexec ${HOME} |
| 43 | noexec /tmp | 41 | noexec /tmp |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 7ae8a22d4..025a6fa61 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
| @@ -1,30 +1,29 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qbittorrent |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qbittorrent.local | 4 | include /etc/firejail/qbittorrent.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # qbittorrent bittorrent profile | 8 | noblacklist ~/.cache/qBittorrent |
| 9 | noblacklist ~/.config/qt5ct | ||
| 10 | noblacklist ~/.config/qBittorrent | 9 | noblacklist ~/.config/qBittorrent |
| 11 | noblacklist ~/.config/qBittorrentrc | 10 | noblacklist ~/.config/qBittorrentrc |
| 12 | noblacklist ~/.cache/qBittorrent | 11 | noblacklist ~/.config/qt5ct |
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | mkdir ~/.local/share/data/qBittorrent | 18 | mkdir ~/.cache/qBittorrent |
| 20 | whitelist ~/.local/share/data/qBittorrent | ||
| 21 | whitelist ~/.config/qt5ct | ||
| 22 | mkdir ~/.config/qBittorrent | 19 | mkdir ~/.config/qBittorrent |
| 20 | mkdir ~/.local/share/data/qBittorrent | ||
| 21 | whitelist ${DOWNLOADS} | ||
| 22 | whitelist ~/.cache/qBittorrent | ||
| 23 | whitelist ~/.config/qBittorrent | 23 | whitelist ~/.config/qBittorrent |
| 24 | whitelist ~/.config/qBittorrentrc | 24 | whitelist ~/.config/qBittorrentrc |
| 25 | mkdir ~/.cache/qBittorrent | 25 | whitelist ~/.config/qt5ct |
| 26 | whitelist ~/.cache/qBittorrent | 26 | whitelist ~/.local/share/data/qBittorrent |
| 27 | whitelist ${DOWNLOADS} | ||
| 28 | include /etc/firejail/whitelist-common.inc | 27 | include /etc/firejail/whitelist-common.inc |
| 29 | 28 | ||
| 30 | caps.drop all | 29 | caps.drop all |
| @@ -36,10 +35,9 @@ noroot | |||
| 36 | nosound | 35 | nosound |
| 37 | protocol unix,inet,inet6,netlink | 36 | protocol unix,inet,inet6,netlink |
| 38 | seccomp | 37 | seccomp |
| 38 | # shell none | ||
| 39 | 39 | ||
| 40 | # there are some problems with "Open destination folder", see bug #536 | 40 | # private-bin qbittorrent |
| 41 | #shell none | ||
| 42 | #private-bin qbittorrent | ||
| 43 | private-dev | 41 | private-dev |
| 44 | # private-etc X11,fonts,xdg,resolv.conf | 42 | # private-etc X11,fonts,xdg,resolv.conf |
| 45 | private-tmp | 43 | private-tmp |
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index f6458de86..0f3235266 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
| @@ -1,16 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qemu-launcher |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qemu-launcher.local | 4 | include /etc/firejail/qemu-launcher.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # qemu-launcher profile | ||
| 9 | noblacklist ~/.qemu-launcher | 8 | noblacklist ~/.qemu-launcher |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 14 | 13 | ||
| 15 | caps.drop all | 14 | caps.drop all |
| 16 | netfilter | 15 | netfilter |
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index fdfd7ab72..b1b8e9319 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
| @@ -1,14 +1,14 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qemu-system-x86_64 |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/qemu-system-x86_64.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qemu-system-x86_64.local | ||
| 7 | 8 | ||
| 8 | # qemu profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | 12 | ||
| 13 | caps.drop all | 13 | caps.drop all |
| 14 | netfilter | 14 | netfilter |
diff --git a/etc/qlipper.profile b/etc/qlipper.profile index d57856c1a..98c794624 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qlipper |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qlipper.local | 4 | include /etc/firejail/qlipper.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/Qlipper | 8 | noblacklist ${HOME}/.config/Qlipper |
| 9 | 9 | ||
| @@ -24,9 +24,9 @@ protocol unix | |||
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | 26 | ||
| 27 | disable-mnt | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 30 | ||
| 31 | noexec ${HOME} | 31 | noexec ${HOME} |
| 32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 97bd2b0b1..596171420 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qpdfview |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qpdfview.local | 4 | include /etc/firejail/qpdfview.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # qpdfview profile | ||
| 9 | noblacklist ${HOME}/.config/qt5ct | ||
| 10 | noblacklist ${HOME}/.config/qpdfview | 8 | noblacklist ${HOME}/.config/qpdfview |
| 9 | noblacklist ${HOME}/.config/qt5ct | ||
| 11 | noblacklist ${HOME}/.local/share/qpdfview | 10 | noblacklist ${HOME}/.local/share/qpdfview |
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | nogroups | 18 | nogroups |
diff --git a/etc/qtox.profile b/etc/qtox.profile index cc2a45bb2..08cbcd332 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
| @@ -1,23 +1,24 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qtox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qtox.local | 4 | include /etc/firejail/qtox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # qTox instant messaging profile | ||
| 9 | noblacklist ~/.config/tox | ||
| 10 | noblacklist ~/.config/qt5ct | 8 | noblacklist ~/.config/qt5ct |
| 9 | noblacklist ~/.config/tox | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | mkdir ${HOME}/.config/tox | ||
| 17 | whitelist ${HOME}/.config/tox | ||
| 18 | mkdir ${HOME}/.config/qt5ct | 16 | mkdir ${HOME}/.config/qt5ct |
| 19 | whitelist ${HOME}/.config/qt5ct | 17 | mkdir ${HOME}/.config/tox |
| 20 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
| 19 | whitelist ${HOME}/.config/qt5ct | ||
| 20 | whitelist ${HOME}/.config/tox | ||
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 22 | ||
| 22 | caps.drop all | 23 | caps.drop all |
| 23 | netfilter | 24 | netfilter |
| @@ -29,9 +30,9 @@ seccomp | |||
| 29 | shell none | 30 | shell none |
| 30 | tracelog | 31 | tracelog |
| 31 | 32 | ||
| 32 | noexec ${HOME} | 33 | disable-mnt |
| 33 | noexec /tmp | ||
| 34 | |||
| 35 | private-bin qtox | 34 | private-bin qtox |
| 36 | private-tmp | 35 | private-tmp |
| 37 | disable-mnt | 36 | |
| 37 | noexec ${HOME} | ||
| 38 | noexec /tmp | ||
diff --git a/etc/quassel.profile b/etc/quassel.profile index 6a8988941..9e9ecfce9 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
| @@ -1,18 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for quassel |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/quassel.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/quassel.local | ||
| 7 | 8 | ||
| 8 | # Quassel IRC profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | 12 | ||
| 13 | caps.drop all | 13 | caps.drop all |
| 14 | netfilter | ||
| 14 | nonewprivs | 15 | nonewprivs |
| 15 | noroot | 16 | noroot |
| 16 | netfilter | ||
| 17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
| 18 | seccomp | 18 | seccomp |
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index aa17693cd..934763a25 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for quiterss |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/quiterss.local | 4 | include /etc/firejail/quiterss.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/QuiteRss | 8 | noblacklist ${HOME}/.cache/QuiteRss |
| 9 | noblacklist ${HOME}/.config/QuiteRss | 9 | noblacklist ${HOME}/.config/QuiteRss |
| @@ -11,19 +11,20 @@ noblacklist ${HOME}/.config/QuiteRssrc | |||
| 11 | noblacklist ${HOME}/.local/share/QuiteRss | 11 | noblacklist ${HOME}/.local/share/QuiteRss |
| 12 | 12 | ||
| 13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | 17 | ||
| 18 | whitelist ${HOME}/quiterssfeeds.opml | 18 | mkdir ~/.cache/QuiteRss |
| 19 | mkdir ~/.config/QuiteRss | 19 | mkdir ~/.config/QuiteRss |
| 20 | whitelist ${HOME}/.config/QuiteRss/ | ||
| 21 | whitelist ${HOME}/.config/QuiteRssrc | ||
| 22 | mkdir ~/.local/share/data | 20 | mkdir ~/.local/share/data |
| 23 | mkdir ~/.local/share/data/QuiteRss | 21 | mkdir ~/.local/share/data/QuiteRss |
| 24 | whitelist ${HOME}/.local/share/data/QuiteRss | ||
| 25 | mkdir ~/.cache/QuiteRss | ||
| 26 | whitelist ${HOME}/.cache/QuiteRss | 22 | whitelist ${HOME}/.cache/QuiteRss |
| 23 | whitelist ${HOME}/.config/QuiteRss/ | ||
| 24 | whitelist ${HOME}/.config/QuiteRssrc | ||
| 25 | whitelist ${HOME}/.local/share/data/QuiteRss | ||
| 26 | whitelist ${HOME}/quiterssfeeds.opml | ||
| 27 | include /etc/firejail/whitelist-common.inc | ||
| 27 | 28 | ||
| 28 | caps.drop all | 29 | caps.drop all |
| 29 | netfilter | 30 | netfilter |
| @@ -36,12 +37,10 @@ seccomp | |||
| 36 | shell none | 37 | shell none |
| 37 | tracelog | 38 | tracelog |
| 38 | 39 | ||
| 40 | disable-mnt | ||
| 39 | private-bin quiterss | 41 | private-bin quiterss |
| 40 | private-dev | 42 | private-dev |
| 41 | #private-etc X11,ssl | 43 | # private-etc X11,ssl |
| 42 | disable-mnt | ||
| 43 | |||
| 44 | include /etc/firejail/whitelist-common.inc | ||
| 45 | 44 | ||
| 46 | noexec ${HOME} | 45 | noexec ${HOME} |
| 47 | noexec /tmp | 46 | noexec /tmp |
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 5dfeeb281..6d0c16785 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
| @@ -1,27 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qupzilla |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qupzilla.local | 4 | include /etc/firejail/qupzilla.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Qupzilla web browser | ||
| 9 | noblacklist ${HOME}/.config/qupzilla | ||
| 10 | noblacklist ${HOME}/.cache/qupzilla | 8 | noblacklist ${HOME}/.cache/qupzilla |
| 9 | noblacklist ${HOME}/.config/qupzilla | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 15 | caps.drop all | 15 | |
| 16 | seccomp | ||
| 17 | protocol unix,inet,inet6,netlink | ||
| 18 | netfilter | ||
| 19 | tracelog | ||
| 20 | noroot | ||
| 21 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
| 22 | whitelist ~/.config/qupzilla | ||
| 23 | whitelist ~/.cache/qupzilla | 17 | whitelist ~/.cache/qupzilla |
| 18 | whitelist ~/.config/qupzilla | ||
| 24 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
| 25 | 20 | ||
| 26 | # experimental features | 21 | caps.drop all |
| 27 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 22 | netfilter |
| 23 | noroot | ||
| 24 | protocol unix,inet,inet6,netlink | ||
| 25 | seccomp | ||
| 26 | tracelog | ||
| 27 | |||
| 28 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index aec5e4ad4..9eb0c9075 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
| @@ -1,16 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for qutebrowser |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/qutebrowser.local | 4 | include /etc/firejail/qutebrowser.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser | ||
| 9 | noblacklist ~/.config/qutebrowser | ||
| 10 | noblacklist ~/.cache/qutebrowser | 8 | noblacklist ~/.cache/qutebrowser |
| 9 | noblacklist ~/.config/qutebrowser | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.cache/qutebrowser | ||
| 16 | mkdir ~/.config/qutebrowser | ||
| 17 | mkdir ~/.local/share/qutebrowser | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/qutebrowser | ||
| 20 | whitelist ~/.config/qutebrowser | ||
| 21 | whitelist ~/.local/share/qutebrowser | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 14 | 23 | ||
| 15 | caps.drop all | 24 | caps.drop all |
| 16 | netfilter | 25 | netfilter |
| @@ -19,12 +28,3 @@ noroot | |||
| 19 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
| 20 | seccomp | 29 | seccomp |
| 21 | tracelog | 30 | tracelog |
| 22 | |||
| 23 | whitelist ${DOWNLOADS} | ||
| 24 | mkdir ~/.config/qutebrowser | ||
| 25 | whitelist ~/.config/qutebrowser | ||
| 26 | mkdir ~/.cache/qutebrowser | ||
| 27 | whitelist ~/.cache/qutebrowser | ||
| 28 | mkdir ~/.local/share/qutebrowser | ||
| 29 | whitelist ~/.local/share/qutebrowser | ||
| 30 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/rambox.profile b/etc/rambox.profile index 2c70fbd13..a5b87e901 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile | |||
| @@ -1,16 +1,23 @@ | |||
| 1 | #Persistent global definitions go here | 1 | # Firejail profile for rambox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | #This file is overwritten during software install. | ||
| 5 | #Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/rambox.local | 4 | include /etc/firejail/rambox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Rambox profile for firejail | ||
| 9 | noblacklist ~/.config/Rambox | 8 | noblacklist ~/.config/Rambox |
| 10 | noblacklist ~/.pki | 9 | noblacklist ~/.pki |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.config/Rambox | ||
| 16 | mkdir ~/.pki | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | whitelist ~/.config/Rambox | ||
| 19 | whitelist ~/.pki | ||
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 14 | 21 | ||
| 15 | caps.drop all | 22 | caps.drop all |
| 16 | netfilter | 23 | netfilter |
| @@ -19,13 +26,4 @@ nonewprivs | |||
| 19 | noroot | 26 | noroot |
| 20 | protocol unix,inet,inet6,netlink | 27 | protocol unix,inet,inet6,netlink |
| 21 | seccomp | 28 | seccomp |
| 22 | #tracelog | 29 | # tracelog |
| 23 | |||
| 24 | whitelist ${DOWNLOADS} | ||
| 25 | mkdir ~/.config/Rambox | ||
| 26 | whitelist ~/.config/Rambox | ||
| 27 | mkdir ~/.pki | ||
| 28 | whitelist ~/.pki | ||
| 29 | |||
| 30 | include /etc/firejail/whitelist-common.inc | ||
| 31 | |||
diff --git a/etc/ranger.profile b/etc/ranger.profile index ab0545aaf..3767c7ba8 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
| @@ -1,29 +1,28 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for ranger |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/ranger.local | 4 | include /etc/firejail/ranger.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # ranger file manager profile | 8 | # noblacklist /usr/bin/cpan* |
| 9 | noblacklist /usr/bin/perl | 9 | noblacklist /usr/bin/perl |
| 10 | #noblacklist /usr/bin/cpan* | ||
| 11 | noblacklist /usr/share/perl* | ||
| 12 | noblacklist /usr/lib/perl* | 10 | noblacklist /usr/lib/perl* |
| 11 | noblacklist /usr/share/perl* | ||
| 13 | noblacklist ~/.config/ranger | 12 | noblacklist ~/.config/ranger |
| 14 | 13 | ||
| 15 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
| 18 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 19 | 18 | ||
| 20 | caps.drop all | 19 | caps.drop all |
| 21 | net none | 20 | net none |
| 22 | nogroups | 21 | nogroups |
| 23 | nonewprivs | 22 | nonewprivs |
| 24 | noroot | 23 | noroot |
| 24 | nosound | ||
| 25 | protocol unix | 25 | protocol unix |
| 26 | seccomp | 26 | seccomp |
| 27 | nosound | ||
| 28 | 27 | ||
| 29 | private-dev | 28 | private-dev |
diff --git a/etc/remmina.profile b/etc/remmina.profile index 5aff10fe3..39b5b2acd 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
| @@ -1,14 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for remmina |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/remmina.local | 4 | include /etc/firejail/remmina.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Remmina | ||
| 9 | noblacklist ${HOME}/.ssh | ||
| 10 | noblacklist ${HOME}/.config/remmina | 8 | noblacklist ${HOME}/.config/remmina |
| 11 | noblacklist ${HOME}/.local/share/remmina | 9 | noblacklist ${HOME}/.local/share/remmina |
| 10 | noblacklist ${HOME}/.ssh | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 930a8fed5..ac8882165 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
| @@ -1,19 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for rhythmbox |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/rhythmbox.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/rhythmbox.local | ||
| 7 | 8 | ||
| 8 | # Rhythmbox media player profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| 16 | #no3d | 16 | # no3d |
| 17 | nogroups | 17 | nogroups |
| 18 | nonewprivs | 18 | nonewprivs |
| 19 | noroot | 19 | noroot |
diff --git a/etc/riot-web.profile b/etc/riot-web.profile index 4814dadf7..93f389bbc 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile | |||
| @@ -1,5 +1,13 @@ | |||
| 1 | # Firejail profile for Riot. | 1 | # Firejail profile for riot-web |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/riot-web.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 2 | noblacklist ~/.config/Riot | 8 | noblacklist ~/.config/Riot |
| 9 | |||
| 3 | whitelist ~/.config/Riot | 10 | whitelist ~/.config/Riot |
| 11 | include /etc/firejail/whitelist-common.inc | ||
| 4 | 12 | ||
| 5 | include /etc/firejail/electron.profile | 13 | include /etc/firejail/electron.profile |
diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 3d3491658..8070254ac 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile | |||
| @@ -1,10 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for ristretto |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/ristretto.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/risretto.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.config/ristretto | 8 | noblacklist ${HOME}/.config/ristretto |
| 9 | noblacklist ~/.Steam | 9 | noblacklist ~/.Steam |
| 10 | noblacklist ~/.steam | 10 | noblacklist ~/.steam |
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 93416c248..b9f9960f4 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for rtorrent |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/rtorrent.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/rtorrent.local | ||
| 7 | 8 | ||
| 8 | # rtorrent bittorrent profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| @@ -18,8 +18,8 @@ noroot | |||
| 18 | nosound | 18 | nosound |
| 19 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
| 20 | seccomp | 20 | seccomp |
| 21 | |||
| 22 | shell none | 21 | shell none |
| 22 | |||
| 23 | private-bin rtorrent | 23 | private-bin rtorrent |
| 24 | private-dev | 24 | private-dev |
| 25 | private-tmp | 25 | private-tmp |
diff --git a/etc/scribus.profile b/etc/scribus.profile index 5cd1768a0..7e117dcd1 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
| @@ -1,32 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for scribus |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/scribus.local | 4 | include /etc/firejail/scribus.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Scribus | 8 | # Support for PDF readers (Scribus 1.5 and higher) |
| 9 | noblacklist ~/.scribus | 9 | noblacklist ~/.config/okularpartrc |
| 10 | noblacklist ~/.config/okularrc | ||
| 10 | noblacklist ~/.config/scribus | 11 | noblacklist ~/.config/scribus |
| 11 | noblacklist ~/.config/scribusrc | 12 | noblacklist ~/.config/scribusrc |
| 12 | noblacklist ~/.local/share/scribus | ||
| 13 | noblacklist ~/.gimp* | 13 | noblacklist ~/.gimp* |
| 14 | |||
| 15 | # Support for PDF readers (Scribus 1.5 and higher) | ||
| 16 | noblacklist ~/.kde4/share/apps/okular | ||
| 17 | noblacklist ~/.kde4/share/config/okularrc | ||
| 18 | noblacklist ~/.kde4/share/config/okularpartrc | ||
| 19 | noblacklist ~/.kde/share/apps/okular | 14 | noblacklist ~/.kde/share/apps/okular |
| 20 | noblacklist ~/.kde/share/config/okularrc | ||
| 21 | noblacklist ~/.kde/share/config/okularpartrc | 15 | noblacklist ~/.kde/share/config/okularpartrc |
| 16 | noblacklist ~/.kde/share/config/okularrc | ||
| 17 | noblacklist ~/.kde4/share/apps/okular | ||
| 18 | noblacklist ~/.kde4/share/config/okularpartrc | ||
| 19 | noblacklist ~/.kde4/share/config/okularrc | ||
| 22 | noblacklist ~/.local/share/okular | 20 | noblacklist ~/.local/share/okular |
| 23 | noblacklist ~/.config/okularrc | 21 | noblacklist ~/.local/share/scribus |
| 24 | noblacklist ~/.config/okularpartrc | 22 | noblacklist ~/.scribus |
| 25 | 23 | ||
| 26 | include /etc/firejail/disable-common.inc | 24 | include /etc/firejail/disable-common.inc |
| 27 | include /etc/firejail/disable-programs.inc | ||
| 28 | include /etc/firejail/disable-devel.inc | 25 | include /etc/firejail/disable-devel.inc |
| 29 | include /etc/firejail/disable-passwdmgr.inc | 26 | include /etc/firejail/disable-passwdmgr.inc |
| 27 | include /etc/firejail/disable-programs.inc | ||
| 30 | 28 | ||
| 31 | caps.drop all | 29 | caps.drop all |
| 32 | nonewprivs | 30 | nonewprivs |
| @@ -37,4 +35,4 @@ seccomp | |||
| 37 | tracelog | 35 | tracelog |
| 38 | 36 | ||
| 39 | private-dev | 37 | private-dev |
| 40 | #private-tmp | 38 | # private-tmp |
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 855eae5b1..7311594c0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
| @@ -1,20 +1,20 @@ | |||
| 1 | # Firejail profile for sdat2img | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/sdat2img.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/sdat2img.local | ||
| 8 | 9 | ||
| 9 | # Firejail profile for sdat2img | ||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | caps.drop all | 15 | caps.drop all |
| 16 | no3d | ||
| 17 | net none | 16 | net none |
| 17 | no3d | ||
| 18 | nogroups | 18 | nogroups |
| 19 | nonewprivs | 19 | nonewprivs |
| 20 | noroot | 20 | noroot |
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile index f01810671..25e882b32 100644 --- a/etc/seamonkey-bin.profile +++ b/etc/seamonkey-bin.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for seamonkey |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/seamonkey-bin.local | ||
| 7 | 4 | ||
| 8 | # Firejail profile for Seamonkey based off Mozilla Firefox | ||
| 9 | include /etc/firejail/seamonkey.profile | 5 | include /etc/firejail/seamonkey.profile |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b674897a8..072a9fef5 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
| @@ -1,17 +1,39 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for seamonkey |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/seamonkey.local | 4 | include /etc/firejail/seamonkey.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Seamoneky based off Mozilla Firefox | ||
| 9 | noblacklist ~/.mozilla | ||
| 10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
| 9 | noblacklist ~/.mozilla | ||
| 11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | |||
| 16 | mkdir ~/.cache/mozilla | ||
| 17 | mkdir ~/.mozilla | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 20 | whitelist ~/.cache/mozilla | ||
| 21 | whitelist ~/.config/gnome-mplayer | ||
| 22 | whitelist ~/.config/pipelight-silverlight5.1 | ||
| 23 | whitelist ~/.config/pipelight-widevine | ||
| 24 | whitelist ~/.keysnail.js | ||
| 25 | whitelist ~/.lastpass | ||
| 26 | whitelist ~/.mozilla | ||
| 27 | whitelist ~/.pentadactyl | ||
| 28 | whitelist ~/.pentadactylrc | ||
| 29 | whitelist ~/.pki | ||
| 30 | whitelist ~/.vimperator | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 32 | whitelist ~/.wine-pipelight | ||
| 33 | whitelist ~/.wine-pipelight64 | ||
| 34 | whitelist ~/.zotero | ||
| 35 | whitelist ~/dwhelper | ||
| 36 | include /etc/firejail/whitelist-common.inc | ||
| 15 | 37 | ||
| 16 | caps.drop all | 38 | caps.drop all |
| 17 | netfilter | 39 | netfilter |
| @@ -21,29 +43,4 @@ protocol unix,inet,inet6,netlink | |||
| 21 | seccomp | 43 | seccomp |
| 22 | tracelog | 44 | tracelog |
| 23 | 45 | ||
| 24 | whitelist ${DOWNLOADS} | 46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
| 25 | mkdir ~/.mozilla | ||
| 26 | whitelist ~/.mozilla | ||
| 27 | mkdir ~/.cache/mozilla | ||
| 28 | whitelist ~/.cache/mozilla | ||
| 29 | whitelist ~/dwhelper | ||
| 30 | whitelist ~/.zotero | ||
| 31 | whitelist ~/.vimperatorrc | ||
| 32 | whitelist ~/.vimperator | ||
| 33 | whitelist ~/.pentadactylrc | ||
| 34 | whitelist ~/.pentadactyl | ||
| 35 | whitelist ~/.keysnail.js | ||
| 36 | whitelist ~/.config/gnome-mplayer | ||
| 37 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 38 | whitelist ~/.pki | ||
| 39 | whitelist ~/.lastpass | ||
| 40 | include /etc/firejail/whitelist-common.inc | ||
| 41 | |||
| 42 | # silverlight | ||
| 43 | whitelist ~/.wine-pipelight | ||
| 44 | whitelist ~/.wine-pipelight64 | ||
| 45 | whitelist ~/.config/pipelight-widevine | ||
| 46 | whitelist ~/.config/pipelight-silverlight5.1 | ||
| 47 | |||
| 48 | # experimental features | ||
| 49 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
diff --git a/etc/server.profile b/etc/server.profile index 2d79fa1c8..b0dd13f80 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
| @@ -1,25 +1,37 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for server |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/server.local | 4 | include /etc/firejail/server.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # generic server profile | 8 | # generic server profile |
| 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
| 10 | # depending on your usage, you can enable some of the commands below: | ||
| 11 | |||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | |||
| 10 | noblacklist /sbin | 14 | noblacklist /sbin |
| 11 | noblacklist /usr/sbin | 15 | noblacklist /usr/sbin |
| 16 | |||
| 12 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | 18 | # include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
| 20 | include /etc/firejail/disable-programs.inc | ||
| 15 | 21 | ||
| 16 | blacklist /tmp/.X11-unix | 22 | caps |
| 17 | |||
| 18 | no3d | 23 | no3d |
| 19 | nosound | 24 | nosound |
| 20 | seccomp | 25 | seccomp |
| 21 | caps | ||
| 22 | 26 | ||
| 27 | # disable-mnt | ||
| 23 | private | 28 | private |
| 29 | # private-bin program | ||
| 24 | private-dev | 30 | private-dev |
| 31 | # private-etc none | ||
| 32 | # private-lib | ||
| 25 | private-tmp | 33 | private-tmp |
| 34 | |||
| 35 | # memory-deny-write-execute | ||
| 36 | # noexec ${HOME} | ||
| 37 | # noexec /tmp | ||
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index bcad82b5d..d5d92670b 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile | |||
| @@ -1,14 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for silentarmy |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/silentarmy.local | 4 | include /etc/firejail/silentarmy.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for SILENTARMY | ||
| 9 | 8 | ||
| 10 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 11 | #include /etc/firejail/disable-devel.inc | 10 | # include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
| 14 | 13 | ||
| @@ -25,7 +24,7 @@ shell none | |||
| 25 | 24 | ||
| 26 | disable-mnt | 25 | disable-mnt |
| 27 | private | 26 | private |
| 28 | #private-bin silentarmy,sa-solver,python3 | 27 | # private-bin silentarmy,sa-solver,python3 |
| 29 | private-dev | 28 | private-dev |
| 30 | private-tmp | 29 | private-tmp |
| 31 | 30 | ||
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 19e400d4f..a55388fee 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
| @@ -1,30 +1,29 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for simple-scan |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/simple-scan.local | 4 | include /etc/firejail/simple-scan.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # simple-scan profile | ||
| 9 | noblacklist ~/.cache/simple-scan | 8 | noblacklist ~/.cache/simple-scan |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 16 | netfilter | ||
| 17 | nogroups | 17 | nogroups |
| 18 | nonewprivs | 18 | nonewprivs |
| 19 | noroot | 19 | noroot |
| 20 | nosound | 20 | nosound |
| 21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
| 22 | #seccomp | ||
| 23 | netfilter | ||
| 24 | shell none | 22 | shell none |
| 23 | # seccomp | ||
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | # private-bin simple-scan | 26 | # private-bin simple-scan |
| 28 | # private-tmp | ||
| 29 | # private-dev | 27 | # private-dev |
| 30 | # private-etc fonts | 28 | # private-etc fonts |
| 29 | # private-tmp | ||
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index b1df0ba28..d67d2a575 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
| @@ -1,41 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for simutrans |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/simutrans.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.simutrans |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/simutrans.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # simutrans profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.simutrans | ||
| 13 | mkdir ~/.simutrans | 14 | mkdir ~/.simutrans |
| 14 | whitelist ~/.simutrans | 15 | whitelist ~/.simutrans |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix | 23 | protocol unix |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin simutrans | 26 | |
| 34 | # private-etc none | 27 | # private-bin simutrans |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 87698f575..25f0107f8 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for skanlite |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/skanlite.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/skanlite.local | ||
| 7 | 8 | ||
| 8 | # skanlite profile | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| @@ -17,11 +17,11 @@ nogroups | |||
| 17 | nonewprivs | 17 | nonewprivs |
| 18 | noroot | 18 | noroot |
| 19 | nosound | 19 | nosound |
| 20 | shell none | ||
| 21 | seccomp | ||
| 22 | # protocol unix,inet,inet6 | 20 | # protocol unix,inet,inet6 |
| 21 | seccomp | ||
| 22 | shell none | ||
| 23 | 23 | ||
| 24 | # private-bin skanlite | 24 | # private-bin skanlite |
| 25 | # private-dev | 25 | # private-dev |
| 26 | # private-tmp | ||
| 27 | # private-etc | 26 | # private-etc |
| 27 | # private-tmp | ||
diff --git a/etc/skype.profile b/etc/skype.profile index 7c7a4eb17..396563f0c 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for skype |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/skype.local | 4 | include /etc/firejail/skype.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Skype profile | ||
| 9 | noblacklist ${HOME}/.Skype | 8 | noblacklist ${HOME}/.Skype |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -22,9 +21,9 @@ protocol unix,inet,inet6 | |||
| 22 | seccomp | 21 | seccomp |
| 23 | shell none | 22 | shell none |
| 24 | 23 | ||
| 24 | disable-mnt | ||
| 25 | private-dev | 25 | private-dev |
| 26 | private-tmp | 26 | private-tmp |
| 27 | disable-mnt | ||
| 28 | 27 | ||
| 29 | noexec ${HOME} | 28 | noexec ${HOME} |
| 30 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index a2f693945..7037961f8 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for skypeforlinux |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/skypeforlinux.local | 4 | include /etc/firejail/skypeforlinux.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # skypeforlinux profile | ||
| 9 | noblacklist ${HOME}/.config/skypeforlinux | 8 | noblacklist ${HOME}/.config/skypeforlinux |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -22,9 +21,9 @@ protocol unix,inet,inet6,netlink | |||
| 22 | seccomp | 21 | seccomp |
| 23 | shell none | 22 | shell none |
| 24 | 23 | ||
| 24 | disable-mnt | ||
| 25 | private-dev | 25 | private-dev |
| 26 | private-tmp | 26 | private-tmp |
| 27 | disable-mnt | ||
| 28 | 27 | ||
| 29 | noexec ${HOME} | 28 | noexec ${HOME} |
| 30 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/slack.profile b/etc/slack.profile index a68717ea3..d2fb74af8 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
| @@ -1,20 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for slack |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/slack.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /var |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/slack.local | ||
| 7 | 9 | ||
| 8 | # Firejail profile for Slack | ||
| 9 | noblacklist ${HOME}/.config/Slack | 10 | noblacklist ${HOME}/.config/Slack |
| 10 | noblacklist ${HOME}/Downloads | 11 | noblacklist ${HOME}/Downloads |
| 11 | 12 | ||
| 12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 16 | 17 | ||
| 17 | blacklist /var | 18 | mkdir ${HOME}/.config |
| 19 | mkdir ${HOME}/.config/Slack | ||
| 20 | whitelist ${HOME}/.config/Slack | ||
| 21 | whitelist ${HOME}/Downloads | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 18 | 23 | ||
| 19 | caps.drop all | 24 | caps.drop all |
| 20 | name slack | 25 | name slack |
| @@ -26,14 +31,8 @@ protocol unix,inet,inet6,netlink | |||
| 26 | seccomp | 31 | seccomp |
| 27 | shell none | 32 | shell none |
| 28 | 33 | ||
| 34 | disable-mnt | ||
| 29 | private-bin slack | 35 | private-bin slack |
| 30 | private-dev | 36 | private-dev |
| 31 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | 37 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime |
| 32 | private-tmp | 38 | private-tmp |
| 33 | disable-mnt | ||
| 34 | |||
| 35 | mkdir ${HOME}/.config | ||
| 36 | mkdir ${HOME}/.config/Slack | ||
| 37 | whitelist ${HOME}/.config/Slack | ||
| 38 | whitelist ${HOME}/Downloads | ||
| 39 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 6a5c115b7..d8861f937 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
| @@ -1,21 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for smplayer |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/smplayer.local | 4 | include /etc/firejail/smplayer.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # smplayer profile | ||
| 9 | noblacklist ${HOME}/.config/smplayer | 8 | noblacklist ${HOME}/.config/smplayer |
| 10 | noblacklist ${HOME}/.mplayer | 9 | noblacklist ${HOME}/.mplayer |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | #ipc-namespace | ||
| 19 | netfilter | 17 | netfilter |
| 20 | # nogroups | 18 | # nogroups |
| 21 | nonewprivs | 19 | nonewprivs |
| @@ -24,9 +22,9 @@ protocol unix,inet,inet6,netlink | |||
| 24 | seccomp | 22 | seccomp |
| 25 | shell none | 23 | shell none |
| 26 | 24 | ||
| 25 | private-bin smplayer,mplayer | ||
| 27 | private-dev | 26 | private-dev |
| 28 | private-tmp | 27 | private-tmp |
| 29 | private-bin smplayer,mplayer | ||
| 30 | 28 | ||
| 31 | noexec ${HOME} | 29 | noexec ${HOME} |
| 32 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/snap.profile b/etc/snap.profile index 8493fcbd3..38aef7c23 100644 --- a/etc/snap.profile +++ b/etc/snap.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for snap |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/snap.local | 4 | include /etc/firejail/snap.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | ################################ | ||
| 9 | # Generic Ubuntu snap application profile | 8 | # Generic Ubuntu snap application profile |
| 10 | ################################ | 9 | |
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 14 | 13 | ||
| 15 | whitelist ~/snap | ||
| 16 | whitelist ${DOWNLOADS} | 14 | whitelist ${DOWNLOADS} |
| 15 | whitelist ~/snap | ||
| 17 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/soffice.profile b/etc/soffice.profile index 9fca8e4c9..c30bb5550 100644 --- a/etc/soffice.profile +++ b/etc/soffice.profile | |||
| @@ -1,11 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/soffice.local | ||
| 7 | 4 | ||
| 8 | ################################ | ||
| 9 | # LibreOffice profile | ||
| 10 | ################################ | ||
| 11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 642612a52..12ae63cf9 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
| @@ -1,11 +1,11 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for soundconverter |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/soundconverter.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/soundconverter.local | ||
| 7 | 8 | ||
| 8 | # Firejail profile for Sound Converter | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 07103b112..64805153c 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
| @@ -1,26 +1,35 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for spotify |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/spotify.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist ${HOME}/.bashrc |
| 5 | # Persistent customizations should go in a .local file. | 9 | blacklist /boot |
| 6 | include /etc/firejail/spotify.local | 10 | blacklist /lost+found |
| 11 | blacklist /opt | ||
| 12 | blacklist /root | ||
| 13 | blacklist /sbin | ||
| 14 | blacklist /srv | ||
| 15 | blacklist /sys | ||
| 7 | 16 | ||
| 8 | # Spotify media player profile | ||
| 9 | noblacklist ${HOME}/.config/spotify | ||
| 10 | noblacklist ${HOME}/.cache/spotify | 17 | noblacklist ${HOME}/.cache/spotify |
| 18 | noblacklist ${HOME}/.config/spotify | ||
| 11 | noblacklist ${HOME}/.local/share/spotify | 19 | noblacklist ${HOME}/.local/share/spotify |
| 20 | |||
| 12 | include /etc/firejail/disable-common.inc | 21 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 22 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 23 | include /etc/firejail/disable-passwdmgr.inc |
| 24 | include /etc/firejail/disable-programs.inc | ||
| 16 | 25 | ||
| 17 | # Whitelist the folders needed by Spotify | 26 | mkdir ${HOME}/.cache/spotify |
| 18 | mkdir ${HOME}/.config/spotify | 27 | mkdir ${HOME}/.config/spotify |
| 19 | whitelist ${HOME}/.config/spotify | ||
| 20 | mkdir ${HOME}/.local/share/spotify | 28 | mkdir ${HOME}/.local/share/spotify |
| 21 | whitelist ${HOME}/.local/share/spotify | ||
| 22 | mkdir ${HOME}/.cache/spotify | ||
| 23 | whitelist ${HOME}/.cache/spotify | 29 | whitelist ${HOME}/.cache/spotify |
| 30 | whitelist ${HOME}/.config/spotify | ||
| 31 | whitelist ${HOME}/.local/share/spotify | ||
| 32 | include /etc/firejail/whitelist-common.inc | ||
| 24 | 33 | ||
| 25 | caps.drop all | 34 | caps.drop all |
| 26 | netfilter | 35 | netfilter |
| @@ -31,20 +40,11 @@ protocol unix,inet,inet6,netlink | |||
| 31 | seccomp | 40 | seccomp |
| 32 | shell none | 41 | shell none |
| 33 | 42 | ||
| 34 | noexec ${HOME} | 43 | disable-mnt |
| 35 | noexec /tmp | ||
| 36 | |||
| 37 | private-bin spotify,bash,sh,dash | 44 | private-bin spotify,bash,sh,dash |
| 38 | private-etc fonts,machine-id,pulse,resolv.conf | ||
| 39 | private-dev | 45 | private-dev |
| 46 | private-etc fonts,machine-id,pulse,resolv.conf | ||
| 40 | private-tmp | 47 | private-tmp |
| 41 | disable-mnt | ||
| 42 | 48 | ||
| 43 | blacklist ${HOME}/.bashrc | 49 | noexec ${HOME} |
| 44 | blacklist /boot | 50 | noexec /tmp |
| 45 | blacklist /lost+found | ||
| 46 | blacklist /opt | ||
| 47 | blacklist /root | ||
| 48 | blacklist /sbin | ||
| 49 | blacklist /srv | ||
| 50 | blacklist /sys | ||
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index a08064d8c..ac7daa873 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for sqlitebrowser |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/sqlitebrowser.local | 4 | include /etc/firejail/sqlitebrowser.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for SQLiteBrowser | ||
| 9 | noblacklist ${HOME}/.config/sqlitebrowser | 8 | noblacklist ${HOME}/.config/sqlitebrowser |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index ab47067f1..f2c88c943 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Firejail profile for ssh-agent | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/ssh-agent.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/ssh-agent.local | ||
| 8 | 10 | ||
| 9 | # ssh-agent | ||
| 10 | noblacklist ~/.ssh | ||
| 11 | noblacklist /tmp/ssh-* | ||
| 12 | noblacklist /etc/ssh | 11 | noblacklist /etc/ssh |
| 12 | noblacklist /tmp/ssh-* | ||
| 13 | noblacklist ~/.ssh | ||
| 13 | 14 | ||
| 14 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 17 | 18 | ||
| 18 | caps.drop all | 19 | caps.drop all |
| 19 | netfilter | 20 | netfilter |
| 21 | no3d | ||
| 20 | nonewprivs | 22 | nonewprivs |
| 21 | noroot | 23 | noroot |
| 22 | no3d | ||
| 23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 24 | seccomp | 25 | seccomp |
| 25 | |||
| 26 | blacklist /tmp/.X11-unix | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index 466abdc88..ac3b7a0ba 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Firejail profile for ssh | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/ssh.local | 5 | include /etc/firejail/ssh.local |
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | 8 | ||
| 9 | # ssh client | ||
| 10 | noblacklist ~/.ssh | ||
| 11 | noblacklist /tmp/ssh-* | ||
| 12 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
| 10 | noblacklist /tmp/ssh-* | ||
| 11 | noblacklist ~/.ssh | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | ipc-namespace | 18 | ipc-namespace |
| @@ -29,7 +28,7 @@ shell none | |||
| 29 | tracelog | 28 | tracelog |
| 30 | 29 | ||
| 31 | private-dev | 30 | private-dev |
| 32 | #private-tmp #Breaks when exiting | 31 | # private-tmp # Breaks when exiting |
| 33 | 32 | ||
| 34 | memory-deny-write-execute | 33 | memory-deny-write-execute |
| 35 | noexec ${HOME} | 34 | noexec ${HOME} |
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index f15e5d8ac..26154508a 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile | |||
| @@ -1,11 +1,11 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for start-tor-browser |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/start-tor-browser.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/start-tor-browser.local | ||
| 7 | 8 | ||
| 8 | # Firejail profile for the Tor Brower Bundle | ||
| 9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
| @@ -22,6 +22,6 @@ shell none | |||
| 22 | tracelog | 22 | tracelog |
| 23 | 23 | ||
| 24 | private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 24 | private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf |
| 25 | private-etc fonts | ||
| 26 | private-dev | 25 | private-dev |
| 26 | private-etc fonts | ||
| 27 | private-tmp | 27 | private-tmp |
diff --git a/etc/steam.profile b/etc/steam.profile index 856824b5d..d928e660d 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
| @@ -1,41 +1,38 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for steam |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/steam.local | 4 | include /etc/firejail/steam.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # with >=llvm-4 mesa drivers need llvm stuff | ||
| 9 | noblacklist /usr/lib/llvm* | ||
| 10 | |||
| 11 | # Steam profile (applies to games/apps launched from Steam as well) | ||
| 12 | noblacklist ${HOME}/.java | ||
| 13 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
| 14 | noblacklist ${HOME}/.steam | ||
| 15 | noblacklist ${HOME}/.Steampath | 9 | noblacklist ${HOME}/.Steampath |
| 16 | noblacklist ${HOME}/.steampath | ||
| 17 | noblacklist ${HOME}/.Steampid | 10 | noblacklist ${HOME}/.Steampid |
| 18 | noblacklist ${HOME}/.steampid | 11 | noblacklist ${HOME}/.java |
| 19 | noblacklist ${HOME}/.local/share/Steam | 12 | noblacklist ${HOME}/.local/share/Steam |
| 20 | noblacklist ${HOME}/.local/share/steam | 13 | noblacklist ${HOME}/.local/share/steam |
| 14 | noblacklist ${HOME}/.steam | ||
| 15 | noblacklist ${HOME}/.steampath | ||
| 16 | noblacklist ${HOME}/.steampid | ||
| 17 | # with >=llvm-4 mesa drivers need llvm stuff | ||
| 18 | noblacklist /usr/lib/llvm* | ||
| 19 | |||
| 21 | include /etc/firejail/disable-common.inc | 20 | include /etc/firejail/disable-common.inc |
| 22 | include /etc/firejail/disable-programs.inc | ||
| 23 | include /etc/firejail/disable-devel.inc | 21 | include /etc/firejail/disable-devel.inc |
| 24 | include /etc/firejail/disable-passwdmgr.inc | 22 | include /etc/firejail/disable-passwdmgr.inc |
| 23 | include /etc/firejail/disable-programs.inc | ||
| 25 | 24 | ||
| 26 | caps.drop all | 25 | caps.drop all |
| 27 | #ipc-namespace | ||
| 28 | netfilter | 26 | netfilter |
| 29 | nogroups | 27 | nogroups |
| 30 | nonewprivs | 28 | nonewprivs |
| 31 | noroot | 29 | noroot |
| 32 | #novideo | 30 | # novideo |
| 33 | protocol unix,inet,inet6,netlink | 31 | protocol unix,inet,inet6,netlink |
| 34 | seccomp | 32 | seccomp |
| 35 | shell none | 33 | shell none |
| 36 | |||
| 37 | # tracelog disabled as it breaks integrated browser | 34 | # tracelog disabled as it breaks integrated browser |
| 38 | #tracelog | 35 | # tracelog |
| 39 | 36 | ||
| 40 | private-dev | 37 | private-dev |
| 41 | private-tmp | 38 | private-tmp |
diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 00579f8fd..768fbd082 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile | |||
| @@ -1,23 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for stellarium |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/stellarium.local | 4 | include /etc/firejail/stellarium.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Stellarium. | ||
| 9 | noblacklist ~/.stellarium | ||
| 10 | noblacklist ~/.config/stellarium | 8 | noblacklist ~/.config/stellarium |
| 9 | noblacklist ~/.stellarium | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 15 | 15 | ||
| 16 | # Whitelist | ||
| 17 | mkdir ~/.stellarium | ||
| 18 | whitelist ~/.stellarium | ||
| 19 | mkdir ~/.config/stellarium | 16 | mkdir ~/.config/stellarium |
| 17 | mkdir ~/.stellarium | ||
| 20 | whitelist ~/.config/stellarium | 18 | whitelist ~/.config/stellarium |
| 19 | whitelist ~/.stellarium | ||
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 21 | ||
| 22 | caps.drop all | 22 | caps.drop all |
| 23 | netfilter | 23 | netfilter |
| @@ -30,7 +30,7 @@ seccomp | |||
| 30 | shell none | 30 | shell none |
| 31 | tracelog | 31 | tracelog |
| 32 | 32 | ||
| 33 | disable-mnt | ||
| 33 | private-bin stellarium | 34 | private-bin stellarium |
| 34 | private-dev | 35 | private-dev |
| 35 | private-tmp | 36 | private-tmp |
| 36 | disable-mnt | ||
diff --git a/etc/strings.profile b/etc/strings.profile index a83e3a801..09957ae09 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
| @@ -1,22 +1,23 @@ | |||
| 1 | # Firejail profile for strings | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/strings.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/strings.local | ||
| 8 | 10 | ||
| 9 | # strings profile | ||
| 10 | ignore noroot | 11 | ignore noroot |
| 11 | include /etc/firejail/default.profile | ||
| 12 | |||
| 13 | net none | 12 | net none |
| 14 | no3d | 13 | no3d |
| 15 | nosound | 14 | nosound |
| 16 | novideo | 15 | novideo |
| 17 | shell none | 16 | shell none |
| 18 | tracelog | 17 | tracelog |
| 18 | |||
| 19 | private-dev | 19 | private-dev |
| 20 | blacklist /tmp/.X11-unix | ||
| 21 | 20 | ||
| 22 | memory-deny-write-execute | 21 | memory-deny-write-execute |
| 22 | |||
| 23 | include /etc/firejail/default.profile | ||
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 276e91b05..4e70f9e8c 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
| @@ -1,41 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for supertux2 |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/supertux2.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.local/share/supertux2 |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/supertux2.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # SuperTux profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.local/share/supertux2 | ||
| 13 | mkdir ~/.local/share/supertux2 | 14 | mkdir ~/.local/share/supertux2 |
| 14 | whitelist ~/.local/share/supertux2 | 15 | whitelist ~/.local/share/supertux2 |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | net none | ||
| 20 | nogroups | ||
| 22 | nonewprivs | 21 | nonewprivs |
| 23 | noroot | 22 | noroot |
| 24 | protocol unix,netlink | 23 | protocol unix,netlink |
| 25 | seccomp | 24 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | net none | ||
| 31 | nogroups | ||
| 32 | shell none | 25 | shell none |
| 33 | #private-bin supertux2 | 26 | |
| 34 | # private-etc none | 27 | # private-bin supertux2 |
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc none | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | # nosound | ||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index bcb42f624..6861e6efb 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for synfigstudio |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/synfigstudio.local | 4 | include /etc/firejail/synfigstudio.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # synfigstudio | ||
| 9 | noblacklist ${HOME}/.config/synfig | 8 | noblacklist ${HOME}/.config/synfig |
| 10 | noblacklist ${HOME}/.synfig | 9 | noblacklist ${HOME}/.synfig |
| 11 | 10 | ||
diff --git a/etc/tar.profile b/etc/tar.profile index c2d089e71..817e51542 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
| @@ -1,18 +1,15 @@ | |||
| 1 | # Firejail profile for tar | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/tar.local | 5 | include /etc/firejail/tar.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # tar profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | 8 | ||
| 13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 14 | 10 | ||
| 15 | hostname tar | 11 | hostname tar |
| 12 | ignore noroot | ||
| 16 | net none | 13 | net none |
| 17 | no3d | 14 | no3d |
| 18 | nosound | 15 | nosound |
| @@ -23,3 +20,5 @@ tracelog | |||
| 23 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 20 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
| 24 | private-dev | 21 | private-dev |
| 25 | private-etc passwd,group,localtime | 22 | private-etc passwd,group,localtime |
| 23 | |||
| 24 | include /etc/firejail/default.profile | ||
diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile index db5c2bdbb..844595b3f 100644 --- a/etc/telegram-desktop.profile +++ b/etc/telegram-desktop.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for telegram |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/telegram-desktop.local | ||
| 7 | 4 | ||
| 8 | # Telegram profile | ||
| 9 | include /etc/firejail/telegram.profile | 5 | include /etc/firejail/telegram.profile |
diff --git a/etc/telegram.profile b/etc/telegram.profile index db00e8082..e40233c35 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for telegram |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/telegram.local | 4 | include /etc/firejail/telegram.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Telegram profile | ||
| 9 | noblacklist ${HOME}/.TelegramDesktop | 8 | noblacklist ${HOME}/.TelegramDesktop |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 13 | ||
| 14 | caps.drop all | 14 | caps.drop all |
| 15 | netfilter | 15 | netfilter |
| @@ -18,8 +18,8 @@ noroot | |||
| 18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
| 19 | seccomp | 19 | seccomp |
| 20 | 20 | ||
| 21 | private-tmp | ||
| 22 | disable-mnt | 21 | disable-mnt |
| 22 | private-tmp | ||
| 23 | 23 | ||
| 24 | noexec ${HOME} | 24 | noexec ${HOME} |
| 25 | noexec /tmp | 25 | noexec /tmp |
diff --git a/etc/thunar.profile b/etc/thunar.profile index d8389ebc8..044f22d29 100644 --- a/etc/thunar.profile +++ b/etc/thunar.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Thunar |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/thunar.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/Thunar.profile | 5 | include /etc/firejail/Thunar.profile |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index c693a53b3..d3b7ee871 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
| @@ -1,36 +1,34 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for thunderbird |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/thunderbird.local | 4 | include /etc/firejail/thunderbird.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Mozilla Thunderbird | ||
| 9 | # Users have thunderbird set to open a browser by clicking a link in an email | 8 | # Users have thunderbird set to open a browser by clicking a link in an email |
| 10 | # We are not allowed to blacklist browser-specific directories | 9 | # We are not allowed to blacklist browser-specific directories |
| 11 | 10 | ||
| 11 | noblacklist ~/.cache/thunderbird | ||
| 12 | noblacklist ~/.gnupg | 12 | noblacklist ~/.gnupg |
| 13 | mkdir ~/.gnupg | 13 | noblacklist ~/.icedove |
| 14 | whitelist ~/.gnupg | ||
| 15 | |||
| 16 | noblacklist ~/.thunderbird | 14 | noblacklist ~/.thunderbird |
| 17 | mkdir ~/.thunderbird | ||
| 18 | whitelist ~/.thunderbird | ||
| 19 | 15 | ||
| 20 | noblacklist ~/.icedove | 16 | mkdir ~/.cache/thunderbird |
| 17 | mkdir ~/.gnupg | ||
| 21 | mkdir ~/.icedove | 18 | mkdir ~/.icedove |
| 19 | mkdir ~/.thunderbird | ||
| 20 | whitelist ~/.cache/thunderbird | ||
| 21 | whitelist ~/.config/mimeapps.list | ||
| 22 | whitelist ~/.gnupg | ||
| 22 | whitelist ~/.icedove | 23 | whitelist ~/.icedove |
| 24 | whitelist ~/.local/share/applications | ||
| 25 | whitelist ~/.thunderbird | ||
| 26 | include /etc/firejail/whitelist-common.inc | ||
| 23 | 27 | ||
| 24 | noblacklist ~/.cache/thunderbird | 28 | ignore private-tmp |
| 25 | mkdir ~/.cache/thunderbird | ||
| 26 | whitelist ~/.cache/thunderbird | ||
| 27 | 29 | ||
| 28 | whitelist ~/.config/mimeapps.list | ||
| 29 | read-only ~/.config/mimeapps.list | 30 | read-only ~/.config/mimeapps.list |
| 30 | whitelist ~/.local/share/applications | ||
| 31 | read-only ~/.local/share/applications | 31 | read-only ~/.local/share/applications |
| 32 | 32 | ||
| 33 | # allow browsers | 33 | # allow browsers |
| 34 | ignore private-tmp | ||
| 35 | include /etc/firejail/firefox.profile | 34 | include /etc/firejail/firefox.profile |
| 36 | #include /etc/firejail/chromium.profile - chromium runs as suid! | ||
diff --git a/etc/totem.profile b/etc/totem.profile index 7ae082760..a364e4c02 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
| @@ -1,21 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for totem |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/totem.local | 4 | include /etc/firejail/totem.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Totem media player profile | ||
| 9 | noblacklist ~/.config/totem | 8 | noblacklist ~/.config/totem |
| 10 | noblacklist ~/.local/share/totem | 9 | noblacklist ~/.local/share/totem |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | #ipc-namespace | ||
| 19 | netfilter | 17 | netfilter |
| 20 | nogroups | 18 | nogroups |
| 21 | nonewprivs | 19 | nonewprivs |
| @@ -26,7 +24,7 @@ shell none | |||
| 26 | 24 | ||
| 27 | private-bin totem | 25 | private-bin totem |
| 28 | private-dev | 26 | private-dev |
| 29 | #private-etc fonts | 27 | # private-etc fonts |
| 30 | private-tmp | 28 | private-tmp |
| 31 | 29 | ||
| 32 | noexec ${HOME} | 30 | noexec ${HOME} |
diff --git a/etc/tracker.profile b/etc/tracker.profile index b87bebf43..feb8b4fd3 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
| @@ -1,34 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for tracker |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/tracker.local | 4 | include /etc/firejail/tracker.local |
| 7 | 5 | # Persistent global definitions | |
| 8 | # tracker profile | 6 | include /etc/firejail/globals.local |
| 9 | 7 | ||
| 10 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | 8 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default |
| 11 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | 18 | netfilter |
| 19 | no3d | ||
| 19 | nogroups | 20 | nogroups |
| 20 | nonewprivs | 21 | nonewprivs |
| 21 | noroot | 22 | noroot |
| 22 | nosound | 23 | nosound |
| 23 | no3d | ||
| 24 | protocol unix | 24 | protocol unix |
| 25 | seccomp | 25 | seccomp |
| 26 | shell none | 26 | shell none |
| 27 | tracelog | 27 | tracelog |
| 28 | 28 | ||
| 29 | blacklist /tmp/.X11-unix | ||
| 30 | |||
| 31 | # private-bin tracker | 29 | # private-bin tracker |
| 32 | # private-tmp | ||
| 33 | # private-dev | 30 | # private-dev |
| 34 | # private-etc fonts | 31 | # private-etc fonts |
| 32 | # private-tmp | ||
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 5b7e6e7c8..e8fdd81d7 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-cli |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/transmission-cli.local | 4 | include /etc/firejail/transmission-cli.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # transmission-cli bittorrent profile | ||
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
| @@ -24,9 +23,9 @@ seccomp | |||
| 24 | shell none | 23 | shell none |
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | #private-bin transmission-cli | 26 | # private-bin transmission-cli |
| 28 | private-tmp | ||
| 29 | private-dev | 27 | private-dev |
| 30 | private-etc none | 28 | private-etc none |
| 29 | private-tmp | ||
| 31 | 30 | ||
| 32 | memory-deny-write-execute | 31 | memory-deny-write-execute |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 7f85aa69c..b3cf5213a 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
| @@ -1,24 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-gtk |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/transmission-gtk.local | 4 | include /etc/firejail/transmission-gtk.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # transmission-gtk bittorrent profile | ||
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | mkdir ~/.config/transmission | ||
| 18 | whitelist ~/.config/transmission | ||
| 19 | mkdir ~/.cache/transmission | 16 | mkdir ~/.cache/transmission |
| 20 | whitelist ~/.cache/transmission | 17 | mkdir ~/.config/transmission |
| 21 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
| 19 | whitelist ~/.cache/transmission | ||
| 20 | whitelist ~/.config/transmission | ||
| 22 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
| 23 | 22 | ||
| 24 | caps.drop all | 23 | caps.drop all |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 70a5af575..433fb716e 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
| @@ -1,24 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-qt |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/transmission-qt.local | 4 | include /etc/firejail/transmission-qt.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # transmission-qt bittorrent profile | ||
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | mkdir ~/.config/transmission | ||
| 18 | whitelist ~/.config/transmission | ||
| 19 | mkdir ~/.cache/transmission | 16 | mkdir ~/.cache/transmission |
| 20 | whitelist ~/.cache/transmission | 17 | mkdir ~/.config/transmission |
| 21 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
| 19 | whitelist ~/.cache/transmission | ||
| 20 | whitelist ~/.config/transmission | ||
| 22 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
| 23 | 22 | ||
| 24 | caps.drop all | 23 | caps.drop all |
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 743f9ff4f..e87ab51df 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-show |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/transmission-show.local | 4 | include /etc/firejail/transmission-show.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # transmission-show profile | ||
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
| 9 | noblacklist ${HOME}/.config/transmission | ||
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | net none | 17 | net none |
| @@ -25,6 +24,6 @@ shell none | |||
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | # private-bin | 26 | # private-bin |
| 28 | private-tmp | ||
| 29 | private-dev | 27 | private-dev |
| 30 | private-etc none | 28 | private-etc none |
| 29 | private-tmp | ||
diff --git a/etc/truecraft.profile b/etc/truecraft.profile index 20435c30f..850845c95 100644 --- a/etc/truecraft.profile +++ b/etc/truecraft.profile | |||
| @@ -1,11 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for truecraft |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/truecraft.local | 4 | include /etc/firejail/truecraft.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for TrueCraft | ||
| 9 | noblacklist ${HOME}/.config/mono | 8 | noblacklist ${HOME}/.config/mono |
| 10 | noblacklist ${HOME}/.config/truecraft | 9 | noblacklist ${HOME}/.config/truecraft |
| 11 | 10 | ||
| @@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 15 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 16 | 15 | ||
| 17 | mkdir ${HOME}/.config/mono | 16 | mkdir ${HOME}/.config/mono |
| 18 | whitelist ${HOME}/.config/mono | ||
| 19 | mkdir ${HOME}/.config/truecraft | 17 | mkdir ${HOME}/.config/truecraft |
| 18 | whitelist ${HOME}/.config/mono | ||
| 20 | whitelist ${HOME}/.config/truecraft | 19 | whitelist ${HOME}/.config/truecraft |
| 21 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
| 22 | 21 | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 5b65b8c41..775ac8a96 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
| @@ -1,16 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for uget-gtk |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/uget-gtk.local | 4 | include /etc/firejail/uget-gtk.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # uGet profile | ||
| 9 | noblacklist ${HOME}/.config/uGet | 8 | noblacklist ${HOME}/.config/uGet |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | |||
| 14 | mkdir ~/.config/uGet | ||
| 15 | whitelist ${DOWNLOADS} | ||
| 16 | whitelist ~/.config/uGet | ||
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 14 | 18 | ||
| 15 | caps.drop all | 19 | caps.drop all |
| 16 | netfilter | 20 | netfilter |
| @@ -24,8 +28,3 @@ shell none | |||
| 24 | private-bin uget-gtk | 28 | private-bin uget-gtk |
| 25 | private-dev | 29 | private-dev |
| 26 | private-tmp | 30 | private-tmp |
| 27 | |||
| 28 | whitelist ${DOWNLOADS} | ||
| 29 | mkdir ~/.config/uGet | ||
| 30 | whitelist ~/.config/uGet | ||
| 31 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/unbound.profile b/etc/unbound.profile index 7431ee27a..091d59c1a 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
| @@ -1,20 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for unbound |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/unbound.local | 4 | include /etc/firejail/unbound.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # security profile for unbound (https://unbound.net) | ||
| 9 | noblacklist /sbin | 8 | noblacklist /sbin |
| 10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | private | ||
| 17 | private-dev | ||
| 18 | nosound | ||
| 19 | no3d | 16 | no3d |
| 17 | nosound | ||
| 20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 18 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
| 19 | |||
| 20 | private | ||
| 21 | private-dev | ||
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index c4e535070..e09b65632 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
| @@ -1,40 +1,29 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for unknown-horizons |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/unknown-horizons.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | noblacklist ~/.unknown-horizons |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/unknown-horizons.local | ||
| 7 | 9 | ||
| 8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
| 9 | # Extreme Tux Racer profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
| 11 | 13 | ||
| 12 | noblacklist ~/.unknown-horizons | ||
| 13 | mkdir ~/.unknown-horizons | 14 | mkdir ~/.unknown-horizons |
| 14 | whitelist ~/.unknown-horizons | 15 | whitelist ~/.unknown-horizons |
| 15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
| 16 | 17 | ||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | include /etc/firejail/disable-passwdmgr.inc | ||
| 20 | |||
| 21 | caps.drop all | 18 | caps.drop all |
| 19 | nogroups | ||
| 22 | nonewprivs | 20 | nonewprivs |
| 23 | noroot | 21 | noroot |
| 24 | protocol unix,netlink,inet,inet6 | 22 | protocol unix,netlink,inet,inet6 |
| 25 | seccomp | 23 | seccomp |
| 26 | |||
| 27 | # | ||
| 28 | # depending on your usage, you can enable some of the commands below: | ||
| 29 | # | ||
| 30 | nogroups | ||
| 31 | shell none | 24 | shell none |
| 32 | #private-bin unknown-horizons | 25 | |
| 33 | # private-etc none | 26 | # private-bin unknown-horizons |
| 34 | private-dev | 27 | private-dev |
| 28 | # private-etc none | ||
| 35 | private-tmp | 29 | private-tmp |
| 36 | # nosound | ||
| 37 | |||
| 38 | |||
| 39 | |||
| 40 | |||
diff --git a/etc/unrar.profile b/etc/unrar.profile index 62d6665ec..8d8fda952 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
| @@ -1,18 +1,15 @@ | |||
| 1 | # Firejail profile for unrar | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/unrar.local | 5 | include /etc/firejail/unrar.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # unrar profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | 8 | ||
| 13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 14 | 10 | ||
| 15 | hostname unrar | 11 | hostname unrar |
| 12 | ignore noroot | ||
| 16 | net none | 13 | net none |
| 17 | no3d | 14 | no3d |
| 18 | nosound | 15 | nosound |
| @@ -23,3 +20,5 @@ private-bin unrar | |||
| 23 | private-dev | 20 | private-dev |
| 24 | private-etc passwd,group,localtime | 21 | private-etc passwd,group,localtime |
| 25 | private-tmp | 22 | private-tmp |
| 23 | |||
| 24 | include /etc/firejail/default.profile | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index 130e57ae9..6556b4f56 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
| @@ -1,17 +1,15 @@ | |||
| 1 | # Firejail profile for unzip | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/unzip.local | 5 | include /etc/firejail/unzip.local |
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | 8 | ||
| 9 | # unzip profile | ||
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 13 | 10 | ||
| 14 | hostname unzip | 11 | hostname unzip |
| 12 | ignore noroot | ||
| 15 | net none | 13 | net none |
| 16 | no3d | 14 | no3d |
| 17 | nosound | 15 | nosound |
| @@ -21,3 +19,5 @@ tracelog | |||
| 21 | private-bin unzip | 19 | private-bin unzip |
| 22 | private-dev | 20 | private-dev |
| 23 | private-etc passwd,group,localtime | 21 | private-etc passwd,group,localtime |
| 22 | |||
| 23 | include /etc/firejail/default.profile | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 46f28179b..22457bf2c 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
| @@ -1,17 +1,14 @@ | |||
| 1 | # Firejail profile for uudeview | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/uudeview.local | 5 | include /etc/firejail/uudeview.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # uudeview profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | 8 | ||
| 13 | 9 | ||
| 14 | hostname uudeview | 10 | hostname uudeview |
| 11 | ignore noroot | ||
| 15 | net none | 12 | net none |
| 16 | nosound | 13 | nosound |
| 17 | shell none | 14 | shell none |
| @@ -20,3 +17,5 @@ tracelog | |||
| 20 | private-bin uudeview | 17 | private-bin uudeview |
| 21 | private-dev | 18 | private-dev |
| 22 | private-etc ld.so.preload | 19 | private-etc ld.so.preload |
| 20 | |||
| 21 | include /etc/firejail/default.profile | ||
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 4ab4ce0f4..caae3659e 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile | |||
| @@ -1,17 +1,27 @@ | |||
| 1 | # Persistent global definitions go here | ||
| 2 | include /etc/firejail/globals.local | ||
| 3 | |||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/uzbl-browser.local | ||
| 7 | |||
| 8 | # Firejail profile for uzbl-browser | 1 | # Firejail profile for uzbl-browser |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/uzbl-browser.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 9 | 7 | ||
| 10 | noblacklist ~/.config/uzbl | 8 | noblacklist ~/.config/uzbl |
| 11 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
| 10 | |||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ~/.config/uzbl | ||
| 16 | mkdir ~/.gnupg | ||
| 17 | mkdir ~/.local/share/uzbl | ||
| 18 | mkdir ~/.password-store | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ~/.config/uzbl | ||
| 21 | whitelist ~/.gnupg | ||
| 22 | whitelist ~/.local/share/uzbl | ||
| 23 | whitelist ~/.password-store | ||
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 15 | 25 | ||
| 16 | caps.drop all | 26 | caps.drop all |
| 17 | netfilter | 27 | netfilter |
| @@ -20,17 +30,3 @@ noroot | |||
| 20 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
| 21 | seccomp | 31 | seccomp |
| 22 | tracelog | 32 | tracelog |
| 23 | |||
| 24 | mkdir ~/.config/uzbl | ||
| 25 | whitelist ~/.config/uzbl | ||
| 26 | mkdir ~/.local/share/uzbl | ||
| 27 | whitelist ~/.local/share/uzbl | ||
| 28 | |||
| 29 | whitelist ${DOWNLOADS} | ||
| 30 | |||
| 31 | mkdir ~/.gnupg | ||
| 32 | whitelist ~/.gnupg | ||
| 33 | mkdir ~/.password-store | ||
| 34 | whitelist ~/.password-store | ||
| 35 | |||
| 36 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 20f738d42..9235d149c 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
| @@ -1,22 +1,21 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for viewnior |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/viewnior.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
| 5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
| 6 | include /etc/firejail/viewnior.local | ||
| 7 | 10 | ||
| 8 | # Firejail profile for viewnior | ||
| 9 | noblacklist ~/.config/viewnior | ||
| 10 | noblacklist ~/.Steam | 11 | noblacklist ~/.Steam |
| 12 | noblacklist ~/.config/viewnior | ||
| 11 | noblacklist ~/.steam | 13 | noblacklist ~/.steam |
| 12 | 14 | ||
| 13 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | 18 | include /etc/firejail/disable-programs.inc | |
| 18 | blacklist ~/.bashrc | ||
| 19 | blacklist ~/.Xauthority | ||
| 20 | 19 | ||
| 21 | caps.drop all | 20 | caps.drop all |
| 22 | net none | 21 | net none |
diff --git a/etc/viking.profile b/etc/viking.profile index e34bdc3f7..aa26388f8 100644 --- a/etc/viking.profile +++ b/etc/viking.profile | |||
| @@ -1,22 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | ||
| 2 | include /etc/firejail/globals.local | ||
| 3 | |||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/viking.local | ||
| 7 | |||
| 8 | # Firejail profile for viking | 1 | # Firejail profile for viking |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/viking.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 9 | 7 | ||
| 10 | noblacklist ${HOME}/.viking | 8 | noblacklist ${HOME}/.viking |
| 11 | noblacklist ${HOME}/.viking-maps | 9 | noblacklist ${HOME}/.viking-maps |
| 12 | 10 | ||
| 13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 17 | 15 | ||
| 18 | caps.drop all | 16 | caps.drop all |
| 19 | #ipc-namespace | ||
| 20 | netfilter | 17 | netfilter |
| 21 | no3d | 18 | no3d |
| 22 | nogroups | 19 | nogroups |
diff --git a/etc/vim.profile b/etc/vim.profile index abe86e375..815676da8 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for vim |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vim.local | 4 | include /etc/firejail/vim.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # vim profile | ||
| 9 | noblacklist ~/.vim | 8 | noblacklist ~/.vim |
| 10 | noblacklist ~/.vimrc | ||
| 11 | noblacklist ~/.viminfo | 9 | noblacklist ~/.viminfo |
| 10 | noblacklist ~/.vimrc | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 374c73da2..e94dec35c 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for virtualbox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/virtualbox.local | 4 | include /etc/firejail/virtualbox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # virtualbox profile | ||
| 9 | noblacklist ${HOME}/.VirtualBox | 8 | noblacklist ${HOME}/.VirtualBox |
| 10 | noblacklist ${HOME}/VirtualBox VMs | ||
| 11 | noblacklist ${HOME}/.config/VirtualBox | 9 | noblacklist ${HOME}/.config/VirtualBox |
| 12 | 10 | noblacklist ${HOME}/VirtualBox VMs | |
| 13 | mkdir ~/VirtualBox VMs | ||
| 14 | whitelist ~/VirtualBox VMs | ||
| 15 | mkdir ~/.config/VirtualBox | ||
| 16 | whitelist ~/.config/VirtualBox | ||
| 17 | |||
| 18 | # noblacklist /usr/bin/virtualbox | 11 | # noblacklist /usr/bin/virtualbox |
| 19 | noblacklist /usr/lib/virtualbox | 12 | noblacklist /usr/lib/virtualbox |
| 20 | noblacklist /usr/lib64/virtualbox | 13 | noblacklist /usr/lib64/virtualbox |
| 14 | |||
| 21 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 22 | include /etc/firejail/disable-programs.inc | ||
| 23 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | |||
| 19 | mkdir ~/.config/VirtualBox | ||
| 20 | mkdir ~/VirtualBox VMs | ||
| 21 | whitelist ~/.config/VirtualBox | ||
| 22 | whitelist ~/VirtualBox VMs | ||
| 24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
| 25 | 24 | ||
| 26 | caps.drop all | 25 | caps.drop all |
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile index f2c2f4cc0..4fa8a877c 100644 --- a/etc/vivaldi-beta.profile +++ b/etc/vivaldi-beta.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for vivaldi |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vivaldi-beta.local | ||
| 7 | 4 | ||
| 8 | # Vivaldi Beta browser profile | ||
| 9 | include /etc/firejail/vivaldi.profile | 5 | include /etc/firejail/vivaldi.profile |
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile index 9b2ccd4f3..4fa8a877c 100644 --- a/etc/vivaldi-stable.profile +++ b/etc/vivaldi-stable.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for vivaldi |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vivaldi.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/vivaldi.profile | 5 | include /etc/firejail/vivaldi.profile |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index fab620499..ae9b49e8c 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
| @@ -1,36 +1,31 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for vivaldi |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vivaldi.local | 4 | include /etc/firejail/vivaldi.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Vivaldi browser profile | ||
| 9 | noblacklist ~/.cache/vivaldi | 8 | noblacklist ~/.cache/vivaldi |
| 10 | |||
| 11 | # Vivaldi browser profile | ||
| 12 | noblacklist ~/.config/vivaldi | 9 | noblacklist ~/.config/vivaldi |
| 10 | |||
| 13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 16 | 14 | ||
| 17 | |||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | mkdir ~/.config/vivaldi | ||
| 20 | whitelist ~/.config/vivaldi | ||
| 21 | mkdir ~/.cache/vivaldi | 15 | mkdir ~/.cache/vivaldi |
| 16 | mkdir ~/.config/vivaldi | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 22 | whitelist ~/.cache/vivaldi | 18 | whitelist ~/.cache/vivaldi |
| 19 | whitelist ~/.config/vivaldi | ||
| 23 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
| 24 | 21 | ||
| 25 | caps.keep sys_chroot,sys_admin | 22 | caps.keep sys_chroot,sys_admin |
| 26 | #ipc-namespace | ||
| 27 | netfilter | 23 | netfilter |
| 28 | nogroups | 24 | nogroups |
| 29 | shell none | 25 | shell none |
| 30 | 26 | ||
| 31 | private-dev | 27 | private-dev |
| 32 | #private-tmp - problems with multiple browser sessions | 28 | # private-tmp - problems with multiple browser sessions |
| 33 | #disable-mnt | ||
| 34 | 29 | ||
| 35 | noexec ${HOME} | 30 | noexec ${HOME} |
| 36 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/vlc.profile b/etc/vlc.profile index 6ae8b0d15..a41f367dd 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
| @@ -1,20 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for vlc |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vlc.local | 4 | include /etc/firejail/vlc.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # VLC media player profile | ||
| 9 | noblacklist ${HOME}/.config/vlc | 8 | noblacklist ${HOME}/.config/vlc |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | #ipc-namespace | ||
| 18 | netfilter | 16 | netfilter |
| 19 | # nogroups | 17 | # nogroups |
| 20 | nonewprivs | 18 | nonewprivs |
| @@ -27,6 +25,5 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | |||
| 27 | private-dev | 25 | private-dev |
| 28 | private-tmp | 26 | private-tmp |
| 29 | 27 | ||
| 30 | # memory-deny-write-execute - breaks playing videos | ||
| 31 | noexec ${HOME} | 28 | noexec ${HOME} |
| 32 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/vym.profile b/etc/vym.profile index d3058fa64..f769dda16 100644 --- a/etc/vym.profile +++ b/etc/vym.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for vym |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/vym.local | 4 | include /etc/firejail/vym.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ./.config/InSilmaril | 8 | noblacklist ./.config/InSilmaril |
| 9 | 9 | ||
| @@ -24,9 +24,9 @@ protocol unix | |||
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | 26 | ||
| 27 | disable-mnt | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 30 | ||
| 31 | noexec ${HOME} | 31 | noexec ${HOME} |
| 32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 6f7957992..fc5ee2bad 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
| @@ -1,33 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for w3m |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/w3m.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/w3m.local | ||
| 7 | 9 | ||
| 8 | # w3m profile | ||
| 9 | noblacklist ~/.w3m | 10 | noblacklist ~/.w3m |
| 10 | 11 | ||
| 11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 15 | 16 | ||
| 16 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | ||
| 19 | no3d | ||
| 17 | nogroups | 20 | nogroups |
| 18 | nonewprivs | 21 | nonewprivs |
| 19 | noroot | 22 | noroot |
| 20 | nosound | 23 | nosound |
| 21 | no3d | ||
| 22 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
| 23 | seccomp | 25 | seccomp |
| 24 | netfilter | ||
| 25 | shell none | 26 | shell none |
| 26 | tracelog | 27 | tracelog |
| 27 | 28 | ||
| 28 | blacklist /tmp/.X11-unix | ||
| 29 | |||
| 30 | # private-bin w3m | 29 | # private-bin w3m |
| 31 | private-tmp | ||
| 32 | private-dev | 30 | private-dev |
| 33 | private-etc none | 31 | private-etc none |
| 32 | private-tmp | ||
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 767824d8d..9569226aa 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile | |||
| @@ -1,24 +1,23 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for warzone2100 |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/warzone2100.local | 4 | include /etc/firejail/warzone2100.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for warzone2100 | ||
| 9 | noblacklist ~/.warzone2100-3.* | 8 | noblacklist ~/.warzone2100-3.* |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | # Whitelist | 15 | # mkdir ~/.warzone2100-3.1 |
| 16 | #mkdir ~/.warzone2100-3.1 | 16 | # mkdir ~/.warzone2100-3.2 |
| 17 | whitelist ~/.warzone2100-3.1 | 17 | whitelist ~/.warzone2100-3.1 |
| 18 | #mkdir ~/.warzone2100-3.2 | ||
| 19 | whitelist ~/.warzone2100-3.2 | 18 | whitelist ~/.warzone2100-3.2 |
| 19 | include /etc/firejail/whitelist-common.inc | ||
| 20 | 20 | ||
| 21 | # Call these options | ||
| 22 | caps.drop all | 21 | caps.drop all |
| 23 | netfilter | 22 | netfilter |
| 24 | nogroups | 23 | nogroups |
| @@ -29,7 +28,7 @@ seccomp | |||
| 29 | shell none | 28 | shell none |
| 30 | tracelog | 29 | tracelog |
| 31 | 30 | ||
| 31 | disable-mnt | ||
| 32 | private-bin warzone2100 | 32 | private-bin warzone2100 |
| 33 | private-dev | 33 | private-dev |
| 34 | private-tmp | 34 | private-tmp |
| 35 | disable-mnt | ||
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index ff2ede8f9..893d45719 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
| @@ -1,75 +1,69 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for waterfox |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/waterfox.local | 4 | include /etc/firejail/waterfox.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Waterfox (based on Mozilla Firefox) | ||
| 9 | noblacklist ~/.mozilla | ||
| 10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
| 9 | noblacklist ~/.config/okularpartrc | ||
| 10 | noblacklist ~/.config/okularrc | ||
| 11 | noblacklist ~/.config/qpdfview | 11 | noblacklist ~/.config/qpdfview |
| 12 | noblacklist ~/.local/share/qpdfview | ||
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 14 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
| 13 | noblacklist ~/.kde4/share/apps/okular | ||
| 15 | noblacklist ~/.local/share/okular | 14 | noblacklist ~/.local/share/okular |
| 16 | noblacklist ~/.config/okularpartrc | 15 | noblacklist ~/.local/share/qpdfview |
| 17 | noblacklist ~/.config/okularrc | 16 | noblacklist ~/.mozilla |
| 18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
| 19 | 18 | ||
| 20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 23 | 22 | ||
| 24 | caps.drop all | ||
| 25 | # ipc-namespace crashes waterfox on some setups | ||
| 26 | netfilter | ||
| 27 | nogroups | ||
| 28 | nonewprivs | ||
| 29 | noroot | ||
| 30 | protocol unix,inet,inet6,netlink | ||
| 31 | seccomp | ||
| 32 | shell none | ||
| 33 | tracelog | ||
| 34 | |||
| 35 | whitelist ${DOWNLOADS} | ||
| 36 | mkdir ~/.mozilla | ||
| 37 | whitelist ~/.mozilla | ||
| 38 | mkdir ~/.cache/mozilla/firefox | 23 | mkdir ~/.cache/mozilla/firefox |
| 24 | mkdir ~/.mozilla | ||
| 25 | mkdir ~/.pki | ||
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 39 | whitelist ~/.cache/mozilla/firefox | 28 | whitelist ~/.cache/mozilla/firefox |
| 40 | whitelist ~/dwhelper | ||
| 41 | whitelist ~/.zotero | ||
| 42 | whitelist ~/.vimperatorrc | ||
| 43 | whitelist ~/.vimperator | ||
| 44 | whitelist ~/.pentadactylrc | ||
| 45 | whitelist ~/.pentadactyl | ||
| 46 | whitelist ~/.keysnail.js | ||
| 47 | whitelist ~/.config/gnome-mplayer | 29 | whitelist ~/.config/gnome-mplayer |
| 48 | whitelist ~/.cache/gnome-mplayer/plugin | ||
| 49 | mkdir ~/.pki | ||
| 50 | whitelist ~/.pki | ||
| 51 | whitelist ~/.lastpass | ||
| 52 | whitelist ~/.config/qpdfview | ||
| 53 | whitelist ~/.local/share/qpdfview | ||
| 54 | whitelist ~/.config/okularrc | ||
| 55 | whitelist ~/.config/okularpartrc | 30 | whitelist ~/.config/okularpartrc |
| 56 | whitelist ~/.kde4/share/apps/okular | 31 | whitelist ~/.config/okularrc |
| 32 | whitelist ~/.config/pipelight-silverlight5.1 | ||
| 33 | whitelist ~/.config/pipelight-widevine | ||
| 34 | whitelist ~/.config/qpdfview | ||
| 57 | whitelist ~/.kde/share/apps/okular | 35 | whitelist ~/.kde/share/apps/okular |
| 36 | whitelist ~/.kde4/share/apps/okular | ||
| 37 | whitelist ~/.keysnail.js | ||
| 38 | whitelist ~/.lastpass | ||
| 58 | whitelist ~/.local/share/okular | 39 | whitelist ~/.local/share/okular |
| 59 | 40 | whitelist ~/.local/share/qpdfview | |
| 60 | # silverlight | 41 | whitelist ~/.mozilla |
| 42 | whitelist ~/.pentadactyl | ||
| 43 | whitelist ~/.pentadactylrc | ||
| 44 | whitelist ~/.pki | ||
| 45 | whitelist ~/.vimperator | ||
| 46 | whitelist ~/.vimperatorrc | ||
| 61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
| 62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
| 63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
| 64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
| 65 | |||
| 66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
| 67 | 52 | ||
| 68 | # experimental features | 53 | caps.drop all |
| 69 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
| 70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
| 71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
| 57 | noroot | ||
| 58 | protocol unix,inet,inet6,netlink | ||
| 59 | seccomp | ||
| 60 | shell none | ||
| 61 | tracelog | ||
| 62 | |||
| 63 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env | ||
| 72 | private-dev | 64 | private-dev |
| 65 | # private-dev might prevent video calls going out | ||
| 66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | ||
| 73 | private-tmp | 67 | private-tmp |
| 74 | 68 | ||
| 75 | noexec ${HOME} | 69 | noexec ${HOME} |
diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile index 32038f99f..2d3f6c963 100644 --- a/etc/weechat-curses.profile +++ b/etc/weechat-curses.profile | |||
| @@ -1,9 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for weechat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/weechat-curses.local | ||
| 7 | 4 | ||
| 8 | # Weechat IRC profile (Debian) | ||
| 9 | include /etc/firejail/weechat.profile | 5 | include /etc/firejail/weechat.profile |
diff --git a/etc/weechat.profile b/etc/weechat.profile index 452823681..833414f3e 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for weechat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/weechat.local | 4 | include /etc/firejail/weechat.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Weechat IRC profile | ||
| 9 | noblacklist ${HOME}/.weechat | 8 | noblacklist ${HOME}/.weechat |
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
| 12 | 12 | ||
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a13f80bb6..9798e0ace 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
| @@ -1,19 +1,26 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for wesnoth |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/wesnoth.local | 4 | include /etc/firejail/wesnoth.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Whitelist-based profile for "Battle for Wesnoth" (game). | ||
| 9 | noblacklist ${HOME}/.config/wesnoth | ||
| 10 | noblacklist ${HOME}/.cache/wesnoth | 8 | noblacklist ${HOME}/.cache/wesnoth |
| 9 | noblacklist ${HOME}/.config/wesnoth | ||
| 11 | noblacklist ${HOME}/.local/share/wesnoth | 10 | noblacklist ${HOME}/.local/share/wesnoth |
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | |||
| 17 | mkdir ${HOME}/.cache/wesnoth | ||
| 18 | mkdir ${HOME}/.config/wesnoth | ||
| 19 | mkdir ${HOME}/.local/share/wesnoth | ||
| 20 | whitelist ${HOME}/.cache/wesnoth | ||
| 21 | whitelist ${HOME}/.config/wesnoth | ||
| 22 | whitelist ${HOME}/.local/share/wesnoth | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 17 | 24 | ||
| 18 | caps.drop all | 25 | caps.drop all |
| 19 | nonewprivs | 26 | nonewprivs |
| @@ -23,11 +30,3 @@ seccomp | |||
| 23 | 30 | ||
| 24 | private-dev | 31 | private-dev |
| 25 | private-tmp | 32 | private-tmp |
| 26 | |||
| 27 | mkdir ${HOME}/.local/share/wesnoth | ||
| 28 | mkdir ${HOME}/.config/wesnoth | ||
| 29 | mkdir ${HOME}/.cache/wesnoth | ||
| 30 | whitelist ${HOME}/.local/share/wesnoth | ||
| 31 | whitelist ${HOME}/.config/wesnoth | ||
| 32 | whitelist ${HOME}/.cache/wesnoth | ||
| 33 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/wget.profile b/etc/wget.profile index 1b09eac26..7ab24aa8f 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
| @@ -1,19 +1,20 @@ | |||
| 1 | # Firejail profile for wget | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 5 | include /etc/firejail/wget.local | ||
| 6 | # Persistent global definitions | ||
| 3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
| 4 | 8 | ||
| 5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/wget.local | ||
| 8 | 10 | ||
| 9 | # wget profile | ||
| 10 | noblacklist ~/.wgetrc | 11 | noblacklist ~/.wgetrc |
| 12 | |||
| 11 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 14 | 16 | ||
| 15 | caps.drop all | 17 | caps.drop all |
| 16 | #ipc-namespace | ||
| 17 | netfilter | 18 | netfilter |
| 18 | no3d | 19 | no3d |
| 19 | nogroups | 20 | nogroups |
| @@ -25,8 +26,6 @@ protocol unix,inet,inet6 | |||
| 25 | seccomp | 26 | seccomp |
| 26 | shell none | 27 | shell none |
| 27 | 28 | ||
| 28 | blacklist /tmp/.X11-unix | ||
| 29 | |||
| 30 | # private-bin wget | 29 | # private-bin wget |
| 31 | private-dev | 30 | private-dev |
| 32 | # private-etc resolv.conf | 31 | # private-etc resolv.conf |
diff --git a/etc/wine.profile b/etc/wine.profile index 5ee8bae38..00eea2b7c 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for wine |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/wine.local | 4 | include /etc/firejail/wine.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # wine profile | ||
| 9 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
| 10 | noblacklist ${HOME}/.steam | ||
| 11 | noblacklist ${HOME}/.local/share/Steam | 9 | noblacklist ${HOME}/.local/share/Steam |
| 12 | noblacklist ${HOME}/.local/share/steam | 10 | noblacklist ${HOME}/.local/share/steam |
| 11 | noblacklist ${HOME}/.steam | ||
| 13 | noblacklist ${HOME}/.wine | 12 | noblacklist ${HOME}/.wine |
| 14 | 13 | ||
| 15 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | netfilter | 19 | netfilter |
diff --git a/etc/wire.profile b/etc/wire.profile index 71147ebc1..aacea9940 100644 --- a/etc/wire.profile +++ b/etc/wire.profile | |||
| @@ -1,31 +1,30 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for wire |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/wire.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. |
| 5 | # Persistent customizations should go in a .local file. | 9 | # To use wire with firejail run "firejail /opt/Wire/wire" |
| 6 | include /etc/firejail/wire.local | ||
| 7 | 10 | ||
| 8 | # wire messenger profile | ||
| 9 | noblacklist ~/.config/Wire | 11 | noblacklist ~/.config/Wire |
| 10 | noblacklist ~/.config/wire | 12 | noblacklist ~/.config/wire |
| 11 | 13 | ||
| 12 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 16 | 18 | ||
| 17 | caps.drop all | 19 | caps.drop all |
| 18 | netfilter | 20 | netfilter |
| 19 | nonewprivs | ||
| 20 | nogroups | 21 | nogroups |
| 22 | nonewprivs | ||
| 21 | noroot | 23 | noroot |
| 22 | protocol unix,inet,inet6,netlink | 24 | protocol unix,inet,inet6,netlink |
| 23 | seccomp | 25 | seccomp |
| 24 | shell none | 26 | shell none |
| 25 | 27 | ||
| 26 | private-tmp | ||
| 27 | private-dev | ||
| 28 | disable-mnt | 28 | disable-mnt |
| 29 | 29 | private-dev | |
| 30 | # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. | 30 | private-tmp |
| 31 | # To use wire with firejail run "firejail /opt/Wire/wire" | ||
diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile index 5cc2ae2a1..35a76a978 100644 --- a/etc/wireshark-gtk.profile +++ b/etc/wireshark-gtk.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wireshark |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/wireshark-gtk.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/wireshark.profile | 5 | include /etc/firejail/wireshark.profile |
diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile index f6f26a6b3..35a76a978 100644 --- a/etc/wireshark-qt.profile +++ b/etc/wireshark-qt.profile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wireshark |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/wireshark-qt.local | ||
| 7 | 4 | ||
| 8 | include /etc/firejail/wireshark.profile | 5 | include /etc/firejail/wireshark.profile |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index d5f3b8c4b..8a25ec011 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
| @@ -1,38 +1,32 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for wireshark |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/wireshark.local | 4 | include /etc/firejail/wireshark.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for | ||
| 9 | noblacklist ${HOME}/.config/wireshark | 8 | noblacklist ${HOME}/.config/wireshark |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | # | 15 | # caps.drop all |
| 17 | # The profile allows users to run wireshark as root | ||
| 18 | # | ||
| 19 | #caps.drop all | ||
| 20 | #noroot | ||
| 21 | #protocol unix,inet,inet6,netlink | ||
| 22 | |||
| 23 | #ipc-namespace | ||
| 24 | netfilter | 16 | netfilter |
| 25 | no3d | 17 | no3d |
| 26 | # nogroups - breaks unprivileged wireshark usage | 18 | # nogroups - breaks unprivileged wireshark usage |
| 27 | # nonewprivs - breaks unprivileged wireshark usage | 19 | # nonewprivs - breaks unprivileged wireshark usage |
| 20 | # noroot | ||
| 28 | nosound | 21 | nosound |
| 22 | # protocol unix,inet,inet6,netlink | ||
| 29 | # seccomp - breaks unprivileged wireshark usage | 23 | # seccomp - breaks unprivileged wireshark usage |
| 30 | shell none | 24 | shell none |
| 31 | tracelog | 25 | tracelog |
| 32 | 26 | ||
| 33 | #private-bin wireshark | 27 | # private-bin wireshark |
| 34 | # private-etc fonts,group,hosts,machine-id,passwd | ||
| 35 | private-dev | 28 | private-dev |
| 29 | # private-etc fonts,group,hosts,machine-id,passwd | ||
| 36 | private-tmp | 30 | private-tmp |
| 37 | 31 | ||
| 38 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/xchat.profile b/etc/xchat.profile index efed5c995..795e7ecd6 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
| @@ -1,16 +1,15 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xchat |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xchat.local | 4 | include /etc/firejail/xchat.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # XChat IRC profile | ||
| 9 | noblacklist ${HOME}/.config/xchat | 8 | noblacklist ${HOME}/.config/xchat |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 14 | 13 | ||
| 15 | caps.drop all | 14 | caps.drop all |
| 16 | nonewprivs | 15 | nonewprivs |
diff --git a/etc/xed.profile b/etc/xed.profile index 1b5fdd57a..17d0ad9d9 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xed |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xed.local | 4 | include /etc/firejail/xed.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for Xed | ||
| 9 | noblacklist ${HOME}/.config/xed | 8 | noblacklist ${HOME}/.config/xed |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | net none | 16 | net none |
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 7bfeba2b1..dbacf6462 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xfburn |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xfburn.local | 4 | include /etc/firejail/xfburn.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # xfburn profile | ||
| 9 | noblacklist ~/.config/xfburn | 8 | noblacklist ~/.config/xfburn |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| @@ -25,6 +24,6 @@ shell none | |||
| 25 | tracelog | 24 | tracelog |
| 26 | 25 | ||
| 27 | # private-bin xfburn | 26 | # private-bin xfburn |
| 28 | # private-tmp | ||
| 29 | # private-dev | 27 | # private-dev |
| 30 | # private-etc fonts | 28 | # private-etc fonts |
| 29 | # private-tmp | ||
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 08ae17a55..26f65ee1c 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xfce4-dict |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xfce4-dict.local | 4 | include /etc/firejail/xfce4-dict.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/xfce4-dict | 8 | noblacklist ${HOME}/.config/xfce4-dict |
| 9 | 9 | ||
| @@ -24,9 +24,9 @@ protocol unix,inet,inet6 | |||
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | 26 | ||
| 27 | disable-mnt | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
| 29 | disable-mnt | ||
| 30 | 30 | ||
| 31 | noexec ${HOME} | 31 | noexec ${HOME} |
| 32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index e3215d6ea..6f026c2e7 100644 --- a/etc/xfce4-notes.profile +++ b/etc/xfce4-notes.profile | |||
| @@ -1,12 +1,12 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xfce4-notes |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xfce4-notes.local | 4 | include /etc/firejail/xfce4-notes.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc | ||
| 9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc | 8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc |
| 9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc | ||
| 10 | noblacklist ${HOME}/.local/share/notes | 10 | noblacklist ${HOME}/.local/share/notes |
| 11 | 11 | ||
| 12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| @@ -26,9 +26,9 @@ protocol unix | |||
| 26 | seccomp | 26 | seccomp |
| 27 | shell none | 27 | shell none |
| 28 | 28 | ||
| 29 | disable-mnt | ||
| 29 | private-dev | 30 | private-dev |
| 30 | private-tmp | 31 | private-tmp |
| 31 | disable-mnt | ||
| 32 | 32 | ||
| 33 | noexec ${HOME} | 33 | noexec ${HOME} |
| 34 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index f3171cd8d..eb894d8b5 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
| @@ -1,11 +1,13 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xiphos |
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/xiphos.local | ||
| 5 | # Persistent global definitions | ||
| 2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 3 | 7 | ||
| 4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
| 5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
| 6 | include /etc/firejail/xiphos.local | ||
| 7 | 10 | ||
| 8 | # Firejail profile for xiphos | ||
| 9 | noblacklist ~/.sword | 11 | noblacklist ~/.sword |
| 10 | noblacklist ~/.xiphos | 12 | noblacklist ~/.xiphos |
| 11 | 13 | ||
| @@ -14,8 +16,9 @@ include /etc/firejail/disable-devel.inc | |||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
| 16 | 18 | ||
| 17 | blacklist ~/.bashrc | 19 | whitelist ${HOME}/.sword |
| 18 | blacklist ~/.Xauthority | 20 | whitelist ${HOME}/.xiphos |
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 19 | 22 | ||
| 20 | caps.drop all | 23 | caps.drop all |
| 21 | netfilter | 24 | netfilter |
| @@ -29,9 +32,6 @@ shell none | |||
| 29 | tracelog | 32 | tracelog |
| 30 | 33 | ||
| 31 | private-bin xiphos | 34 | private-bin xiphos |
| 32 | private-etc fonts,resolv.conf,sword | ||
| 33 | private-dev | 35 | private-dev |
| 36 | private-etc fonts,resolv.conf,sword | ||
| 34 | private-tmp | 37 | private-tmp |
| 35 | |||
| 36 | whitelist ${HOME}/.sword | ||
| 37 | whitelist ${HOME}/.xiphos | ||
diff --git a/etc/xmms.profile b/etc/xmms.profile index 5b99924bc..d2cf00a36 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile | |||
| @@ -1,26 +1,25 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xmms |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xmms.local | 4 | include /etc/firejail/xmms.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for XMMS | ||
| 9 | noblacklist ${HOME}/.xmms | 8 | noblacklist ${HOME}/.xmms |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 15 | 14 | ||
| 16 | caps.drop all | 15 | caps.drop all |
| 17 | netfilter | 16 | netfilter |
| 17 | no3d | ||
| 18 | nonewprivs | 18 | nonewprivs |
| 19 | noroot | 19 | noroot |
| 20 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
| 21 | seccomp | 21 | seccomp |
| 22 | shell none | 22 | shell none |
| 23 | no3d | ||
| 24 | 23 | ||
| 25 | private-bin xmms | 24 | private-bin xmms |
| 26 | private-dev | 25 | private-dev |
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile index f5f802158..8be8b2d7b 100644 --- a/etc/xonotic-glx.profile +++ b/etc/xonotic-glx.profile | |||
| @@ -1,12 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for xonotic |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xonotic-glx.local | ||
| 7 | |||
| 8 | # | ||
| 9 | #Profile for xonotic:xonotic-glx | ||
| 10 | # | ||
| 11 | 4 | ||
| 12 | include /etc/firejail/xonotic.profile | 5 | include /etc/firejail/xonotic.profile |
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile index 85c48151b..8be8b2d7b 100644 --- a/etc/xonotic-sdl.profile +++ b/etc/xonotic-sdl.profile | |||
| @@ -1,12 +1,5 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile alias for xonotic |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | ||
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xonotic-sdl.local | ||
| 7 | |||
| 8 | # | ||
| 9 | #Profile for xonotic:xonotic-sdl | ||
| 10 | # | ||
| 11 | 4 | ||
| 12 | include /etc/firejail/xonotic.profile | 5 | include /etc/firejail/xonotic.profile |
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 957636124..95a2a2dbd 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
| @@ -1,31 +1,22 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xonotic |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xonotic.local | 4 | include /etc/firejail/xonotic.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | ||
| 9 | #Profile for xonotic | ||
| 10 | # | ||
| 11 | |||
| 12 | #No Blacklist Paths | ||
| 13 | noblacklist ${HOME}/.xonotic | 8 | noblacklist ${HOME}/.xonotic |
| 14 | 9 | ||
| 15 | #Blacklist Paths | ||
| 16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 17 | include /etc/firejail/disable-programs.inc | ||
| 18 | include /etc/firejail/disable-passwdmgr.inc | ||
| 19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 20 | 14 | ||
| 21 | #Whitelist Paths | ||
| 22 | mkdir ${HOME}/.xonotic | 15 | mkdir ${HOME}/.xonotic |
| 23 | whitelist ${HOME}/.xonotic | 16 | whitelist ${HOME}/.xonotic |
| 24 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
| 25 | 18 | ||
| 26 | #Options | ||
| 27 | caps.drop all | 19 | caps.drop all |
| 28 | #ipc-namespace | ||
| 29 | netfilter | 20 | netfilter |
| 30 | nogroups | 21 | nogroups |
| 31 | nonewprivs | 22 | nonewprivs |
| @@ -35,10 +26,10 @@ protocol unix,inet,inet6 | |||
| 35 | seccomp | 26 | seccomp |
| 36 | shell none | 27 | shell none |
| 37 | 28 | ||
| 29 | disable-mnt | ||
| 38 | private-bin xonotic-sdl,xonotic-glx,blind-id | 30 | private-bin xonotic-sdl,xonotic-glx,blind-id |
| 39 | private-dev | 31 | private-dev |
| 40 | private-tmp | 32 | private-tmp |
| 41 | disable-mnt | ||
| 42 | 33 | ||
| 43 | noexec ${HOME} | 34 | noexec ${HOME} |
| 44 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index ce8cd2459..be69ebe1a 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
| @@ -1,13 +1,10 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xpdf |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xpdf.local | 4 | include /etc/firejail/xpdf.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | ################################ | ||
| 9 | # xpdf application profile | ||
| 10 | ################################ | ||
| 11 | noblacklist ${HOME}/.xpdfrc | 8 | noblacklist ${HOME}/.xpdfrc |
| 12 | 9 | ||
| 13 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 0b6acf9d2..afa3deac6 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xplayer |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xplayer.local | 4 | include /etc/firejail/xplayer.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Xplayer profile | ||
| 9 | noblacklist ~/.config/xplayer | 8 | noblacklist ~/.config/xplayer |
| 10 | noblacklist ~/.local/share/xplayer | 9 | noblacklist ~/.local/share/xplayer |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | netfilter | 17 | netfilter |
diff --git a/etc/xpra.profile b/etc/xpra.profile index c8bb3ef52..ed393d70b 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
| @@ -1,10 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xpra |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xpra.local | 4 | include /etc/firejail/xpra.local |
| 7 | 5 | # Persistent global definitions | |
| 6 | include /etc/firejail/globals.local | ||
| 8 | 7 | ||
| 9 | # | 8 | # |
| 10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 9 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
| @@ -14,12 +13,15 @@ include /etc/firejail/xpra.local | |||
| 14 | # | 13 | # |
| 15 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
| 16 | 15 | ||
| 17 | # private home directory doesn't work on some distros, so we go for a regular home | 16 | blacklist /media |
| 18 | #private | 17 | |
| 19 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
| 20 | include /etc/firejail/disable-programs.inc | ||
| 21 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
| 22 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | |||
| 23 | whitelist /var/lib/xkb | ||
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 23 | 25 | ||
| 24 | caps.drop all | 26 | caps.drop all |
| 25 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 27 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
| @@ -28,17 +30,14 @@ nonewprivs | |||
| 28 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 30 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
| 29 | #noroot | 31 | #noroot |
| 30 | nosound | 32 | nosound |
| 31 | shell none | ||
| 32 | seccomp | ||
| 33 | protocol unix | 33 | protocol unix |
| 34 | seccomp | ||
| 35 | shell none | ||
| 34 | 36 | ||
| 35 | 37 | # private home directory doesn't work on some distros, so we go for a regular home | |
| 38 | # private | ||
| 39 | # older Xpra versions also use Xvfb | ||
| 40 | # private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
| 36 | private-dev | 41 | private-dev |
| 42 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
| 37 | private-tmp | 43 | private-tmp |
| 38 | # older Xpra versions also use Xvfb | ||
| 39 | #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
| 40 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
| 41 | |||
| 42 | blacklist /media | ||
| 43 | whitelist /var/lib/xkb | ||
| 44 | |||
diff --git a/etc/xreader.profile b/etc/xreader.profile index ec7488ed8..2abe569c5 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
| @@ -1,19 +1,18 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xreader |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xreader.local | 4 | include /etc/firejail/xreader.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Xreader profile | 8 | noblacklist ~/.cache/xreader |
| 9 | noblacklist ~/.config/xreader | 9 | noblacklist ~/.config/xreader |
| 10 | noblacklist ~/.local/share | 10 | noblacklist ~/.local/share |
| 11 | noblacklist ~/.cache/xreader | ||
| 12 | 11 | ||
| 13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 17 | 16 | ||
| 18 | caps.drop all | 17 | caps.drop all |
| 19 | nogroups | 18 | nogroups |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 906bcb814..7c9886b29 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
| @@ -1,20 +1,19 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xviewer |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xviewer.local | 4 | include /etc/firejail/xviewer.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # xviewer profile | ||
| 9 | noblacklist ~/.config/xviewer | ||
| 10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
| 11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/xviewer |
| 12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
| 11 | noblacklist ~/.steam | ||
| 13 | 12 | ||
| 14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| 17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | ||
| 18 | 17 | ||
| 19 | caps.drop all | 18 | caps.drop all |
| 20 | nogroups | 19 | nogroups |
| @@ -26,8 +25,8 @@ seccomp | |||
| 26 | shell none | 25 | shell none |
| 27 | tracelog | 26 | tracelog |
| 28 | 27 | ||
| 29 | private-dev | ||
| 30 | private-bin xviewer | 28 | private-bin xviewer |
| 29 | private-dev | ||
| 31 | private-tmp | 30 | private-tmp |
| 32 | 31 | ||
| 33 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/xz.profile b/etc/xz.profile index a3c1ab3ca..b552f59c0 100644 --- a/etc/xz.profile +++ b/etc/xz.profile | |||
| @@ -1,10 +1,5 @@ | |||
| 1 | quiet | 1 | # Firejail profile alias for cpio |
| 2 | # Persistent global definitions go here | 2 | # This file is overwritten after every install/update |
| 3 | include /etc/firejail/globals.local | ||
| 4 | 3 | ||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/xz.local | ||
| 8 | 4 | ||
| 9 | # xz profile | ||
| 10 | include /etc/firejail/cpio.profile | 5 | include /etc/firejail/cpio.profile |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 2a84bf0ee..0d5b8dda6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
| @@ -1,17 +1,14 @@ | |||
| 1 | # Firejail profile for xzdec | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/xzdec.local | 5 | include /etc/firejail/xzdec.local |
| 8 | 6 | # Persistent global definitions | |
| 9 | # xzdec profile | 7 | include /etc/firejail/globals.local |
| 10 | ignore noroot | ||
| 11 | include /etc/firejail/default.profile | ||
| 12 | 8 | ||
| 13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
| 14 | 10 | ||
| 11 | ignore noroot | ||
| 15 | net none | 12 | net none |
| 16 | no3d | 13 | no3d |
| 17 | nosound | 14 | nosound |
| @@ -19,3 +16,5 @@ shell none | |||
| 19 | tracelog | 16 | tracelog |
| 20 | 17 | ||
| 21 | private-dev | 18 | private-dev |
| 19 | |||
| 20 | include /etc/firejail/default.profile | ||
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index a58617ddf..fea7284c8 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
| @@ -1,18 +1,17 @@ | |||
| 1 | # Firejail profile for youtube-dl | ||
| 2 | # This file is overwritten after every install/update | ||
| 1 | quiet | 3 | quiet |
| 2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
| 3 | include /etc/firejail/globals.local | ||
| 4 | |||
| 5 | # This file is overwritten during software install. | ||
| 6 | # Persistent customizations should go in a .local file. | ||
| 7 | include /etc/firejail/youtube-dl.local | 5 | include /etc/firejail/youtube-dl.local |
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | 8 | ||
| 9 | # Firejail profile for youtube-dl | ||
| 10 | noblacklist ${HOME}/.netrc | 9 | noblacklist ${HOME}/.netrc |
| 11 | 10 | ||
| 12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 16 | 15 | ||
| 17 | caps.drop all | 16 | caps.drop all |
| 18 | ipc-namespace | 17 | ipc-namespace |
diff --git a/etc/zathura.profile b/etc/zathura.profile index 502e066c8..0552f85a9 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
| @@ -1,17 +1,17 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for zathura |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/zathura.local | 4 | include /etc/firejail/zathura.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # zathura document viewer profile | ||
| 9 | noblacklist ~/.config/zathura | 8 | noblacklist ~/.config/zathura |
| 10 | noblacklist ~/.local/share/zathura | 9 | noblacklist ~/.local/share/zathura |
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
| 14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 15 | ||
| 16 | caps.drop all | 16 | caps.drop all |
| 17 | net none | 17 | net none |
| @@ -19,14 +19,13 @@ nogroups | |||
| 19 | nonewprivs | 19 | nonewprivs |
| 20 | noroot | 20 | noroot |
| 21 | nosound | 21 | nosound |
| 22 | shell none | ||
| 23 | seccomp | ||
| 24 | protocol unix | 22 | protocol unix |
| 23 | seccomp | ||
| 24 | shell none | ||
| 25 | 25 | ||
| 26 | private-bin zathura | 26 | private-bin zathura |
| 27 | private-dev | 27 | private-dev |
| 28 | private-etc fonts | 28 | private-etc fonts |
| 29 | private-tmp | 29 | private-tmp |
| 30 | |||
| 31 | read-only ~/ | 30 | read-only ~/ |
| 32 | read-write ~/.local/share/zathura/ | 31 | read-write ~/.local/share/zathura/ |
diff --git a/etc/zoom.profile b/etc/zoom.profile index bf71aa5ce..4ef756d9f 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
| @@ -1,23 +1,20 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for zoom |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/zoom.local | 4 | include /etc/firejail/zoom.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # Firejail profile for zoom.us | ||
| 9 | noblacklist ~/.config/zoomus.conf | 8 | noblacklist ~/.config/zoomus.conf |
| 10 | 9 | ||
| 11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 14 | 12 | include /etc/firejail/disable-programs.inc | |
| 15 | |||
| 16 | # Whitelists | ||
| 17 | 13 | ||
| 18 | mkdir ~/.zoom | 14 | mkdir ~/.zoom |
| 19 | whitelist ~/.zoom | ||
| 20 | whitelist ~/.cache/zoom | 15 | whitelist ~/.cache/zoom |
| 16 | whitelist ~/.zoom | ||
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 18 | ||
| 22 | caps.drop all | 19 | caps.drop all |
| 23 | netfilter | 20 | netfilter |