120 files changed, 678 insertions, 426 deletions
@@ -153,6 +153,8 @@ Felipe Barriga Richards (https://github.com/fbarriga) | |||
153 | - --private-etc fix | 153 | - --private-etc fix |
154 | Franco (nextime) Lanza (https://github.com/nextime) | 154 | Franco (nextime) Lanza (https://github.com/nextime) |
155 | - added --private-template/--private-home | 155 | - added --private-template/--private-home |
156 | fuelflo (https://github.com/fuelflo) | ||
157 | - added rambox profile | ||
156 | Fred-Barclay (https://github.com/Fred-Barclay) | 158 | Fred-Barclay (https://github.com/Fred-Barclay) |
157 | - lots of profile fixes | 159 | - lots of profile fixes |
158 | - added Vivaldi, Atril profiles | 160 | - added Vivaldi, Atril profiles |
@@ -403,6 +405,7 @@ SpotComms (https://github.com/SpotComms) | |||
403 | - added Peek and silent profiles | 405 | - added Peek and silent profiles |
404 | - added IntelliJ IDEA and Android Studio profiles | 406 | - added IntelliJ IDEA and Android Studio profiles |
405 | - added arm profile | 407 | - added arm profile |
408 | - lots of profile improvements/tightening | ||
406 | SYN-cook (https://github.com/SYN-cook) | 409 | SYN-cook (https://github.com/SYN-cook) |
407 | - keepass/keepassx browser fixes | 410 | - keepass/keepassx browser fixes |
408 | - disable-common.inc fixes | 411 | - disable-common.inc fixes |
@@ -150,5 +150,5 @@ playing youtube videos on Firefox Nightly. | |||
150 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, | 150 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, |
151 | IntelliJ IDEA, Android Studio, electron, riot-web, | 151 | IntelliJ IDEA, Android Studio, electron, riot-web, |
152 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, | 152 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, |
153 | telegram-desktop, arm | 153 | telegram-desktop, arm, rambox |
154 | 154 | ||
@@ -11,7 +11,7 @@ firejail (0.9.49) baseline; urgency=low | |||
11 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 11 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
12 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, | 12 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, |
13 | * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux | 13 | * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux |
14 | * new profiles: telegram-desktop, arm | 14 | * new profiles: telegram-desktop, arm, rambox |
15 | * bugfixes | 15 | * bugfixes |
16 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 16 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
17 | 17 | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index a564d0a09..9f33af806 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -38,3 +38,6 @@ tracelog | |||
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | disable-mnt | 40 | disable-mnt |
41 | |||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 0dc54e675..2f3efe743 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile | |||
@@ -7,24 +7,27 @@ include /etc/firejail/2048-qt.local | |||
7 | 7 | ||
8 | noblacklist ~/.config/xiaoyong | 8 | noblacklist ~/.config/xiaoyong |
9 | noblacklist ~/.config/2048-qt | 9 | noblacklist ~/.config/2048-qt |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
13 | 15 | ||
14 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | ||
15 | netfilter | 18 | netfilter |
19 | nogroups | ||
16 | nonewprivs | 20 | nonewprivs |
17 | noroot | 21 | noroot |
18 | protocol unix,inet,inet6 | 22 | nosound |
23 | novideo | ||
24 | protocol unix | ||
19 | seccomp | 25 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 26 | shell none |
26 | # private-bin program | 27 | |
27 | # private-etc none | 28 | private-dev |
28 | # private-dev | 29 | private-tmp |
29 | # private-tmp | 30 | disable-mnt |
30 | nosound | 31 | |
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
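Review bot: `netfilter` (new line 18) is kept while `protocol` is narrowed to `unix` (new line 24), so the sandbox can no longer open inet sockets yet still keeps network access instead of dropping it; for a game with no visible network need the consistent choice, matching how this commit treats audacity and bleachbit, is `net none` in place of `netfilter`. If network is intentionally left reachable, a one-line comment explaining why would stop the next tightening pass from flipping it. The same `protocol unix` plus `netfilter` combination is introduced in clipit.profile, dia.profile and fontforge.profile in this commit.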
diff --git a/etc/Thunar.profile b/etc/Thunar.profile index ed8a37add..30db6f023 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile | |||
@@ -17,19 +17,13 @@ include /etc/firejail/disable-passwdmgr.inc | |||
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | netfilter | 19 | netfilter |
20 | no3d | ||
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | nosound | 24 | nosound |
25 | novideo | ||
24 | protocol unix | 26 | protocol unix |
25 | seccomp | 27 | seccomp |
26 | shell none | 28 | shell none |
27 | tracelog | 29 | tracelog |
28 | |||
29 | # | ||
30 | # depending on your usage, you can enable some of the commands below: | ||
31 | # | ||
32 | # private-bin program | ||
33 | # private-etc none | ||
34 | # private-dev | ||
35 | # private-tmp | ||
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 4b14b8ad2..22c0202ee 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -21,7 +21,6 @@ private | |||
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. | 23 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. |
24 | #net none | ||
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
27 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. | 26 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. |
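Review bot: The comment `# Xephyr needs to be allowed access to the abstract Unix socket namespace.` (new line 23) now sits directly above `nogroups` and no longer refers to anything: it was the justification for the commented-out `#net none` that this hunk deletes. Either keep the `#net none` line under it or reword the comment so it stands on its own, e.g. `# No net none: Xephyr needs the host's abstract Unix socket namespace.` Xvfb.profile receives the identical change and needs the same fix.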
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 46f06871c..8eba82db1 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -22,7 +22,6 @@ private | |||
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. | 24 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. |
25 | #net none | ||
26 | nogroups | 25 | nogroups |
27 | nonewprivs | 26 | nonewprivs |
28 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. | 27 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. |
diff --git a/etc/akregator.profile b/etc/akregator.profile index 10279890e..ed79f0e94 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -5,28 +5,30 @@ include /etc/firejail/globals.local | |||
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/akregator.local | 6 | include /etc/firejail/akregator.local |
7 | 7 | ||
8 | ################################ | ||
9 | # Generic GUI application profile | ||
10 | ################################ | ||
11 | noblacklist ${HOME}/.config/akregatorrc | 8 | noblacklist ${HOME}/.config/akregatorrc |
12 | noblacklist ${HOME}/.local/share/akregator | 9 | noblacklist ${HOME}/.local/share/akregator |
10 | |||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 18 | netfilter |
19 | no3d | ||
20 | nogroups | ||
19 | nonewprivs | 21 | nonewprivs |
20 | noroot | 22 | noroot |
23 | #nosound | ||
24 | novideo | ||
21 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
22 | seccomp | 26 | seccomp |
27 | shell none | ||
28 | |||
29 | private-dev | ||
30 | private-tmp | ||
31 | disable-mnt | ||
23 | 32 | ||
24 | # | 33 | noexec ${HOME} |
25 | # depending on your usage, you can enable some of the commands below: | 34 | noexec /tmp |
26 | # | ||
27 | # nogroups | ||
28 | # shell none | ||
29 | # private-bin program | ||
30 | # private-etc none | ||
31 | # private-dev | ||
32 | # private-tmp | ||
diff --git a/etc/atool.profile b/etc/atool.profile index a66b4b1c5..49637aa21 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
@@ -19,8 +20,6 @@ nosound | |||
19 | novideo | 20 | novideo |
20 | protocol unix | 21 | protocol unix |
21 | seccomp | 22 | seccomp |
22 | netfilter | ||
23 | net none | ||
24 | no3d | 23 | no3d |
25 | shell none | 24 | shell none |
26 | tracelog | 25 | tracelog |
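Review bot: The two hunks together drop `net none` from this profile (old line 23 in the second hunk) while re-adding `netfilter` at new line 15, which widens atool's network reach; every other profile in this commit that had both keeps `net none` and removes `netfilter` (exiftool, feh, file), so this looks like the wrong line was carried over. Since `protocol unix` is retained, `net none` costs nothing functionally; I would change new line 15 to `net none`. If the loosening is intentional it deserves a comment, because a reader will otherwise assume a slip.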
diff --git a/etc/audacity.profile b/etc/audacity.profile index 5b38d84e8..7c2072960 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | 17 | #ipc-namespace |
18 | net none | 18 | net none |
19 | netfilter | ||
20 | no3d | 19 | no3d |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 055be09a1..2ecc0c425 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -9,13 +9,23 @@ include /etc/firejail/bitlbee.local | |||
9 | noblacklist /sbin | 9 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
13 | 15 | ||
14 | netfilter | 16 | netfilter |
17 | no3d | ||
15 | nonewprivs | 18 | nonewprivs |
16 | private | 19 | private |
17 | private-dev | 20 | private-dev |
18 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
19 | seccomp | 22 | seccomp |
20 | nosound | 23 | nosound |
24 | novideo | ||
21 | read-write /var/lib/bitlbee | 25 | read-write /var/lib/bitlbee |
26 | |||
27 | private-dev | ||
28 | private-tmp | ||
29 | disable-mnt | ||
30 | |||
31 | noexec /tmp | ||
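Review bot: `private-dev` now appears twice on the new side (new lines 20 and 27); drop the first occurrence so the device restriction sits with the other `private-*` lines. Separately, this profile still has none of `caps.drop all`, `noroot` or `nogroups`, which the rest of the commit adds elsewhere; if that is because bitlbee is started with privileges it drops itself, a comment saying so would keep a later tightening pass from adding them and breaking the daemon. The profile's first eight lines are outside the hunk, so I cannot rule out that they are set there.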
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 345dd119a..f2553cd9c 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | caps.drop all | 14 | caps.drop all |
15 | #ipc-namespace | 15 | #ipc-namespace |
16 | net none | 16 | net none |
17 | netfilter | ||
18 | no3d | 17 | no3d |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
@@ -30,5 +29,6 @@ shell none | |||
30 | # private-tmp | 29 | # private-tmp |
31 | # private-etc | 30 | # private-etc |
32 | 31 | ||
32 | memory-deny-write-execute | ||
33 | noexec ${HOME} | 33 | noexec ${HOME} |
34 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/blender.profile b/etc/blender.profile index 6ee874ad0..b9757913d 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -7,25 +7,21 @@ include /etc/firejail/blender.local | |||
7 | 7 | ||
8 | noblacklist ~/.config/blender | 8 | noblacklist ~/.config/blender |
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | 13 | ||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
16 | nogroups | ||
15 | nonewprivs | 17 | nonewprivs |
16 | noroot | 18 | noroot |
17 | protocol unix,inet,inet6,netlink | 19 | protocol unix,inet,inet6,netlink |
18 | seccomp | 20 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 21 | shell none |
25 | # private-bin program | ||
26 | # private-etc none | ||
27 | # private-dev | ||
28 | # private-tmp | ||
29 | 22 | ||
30 | # blender uses the sound system | 23 | private-dev |
31 | # nosound | 24 | private-tmp |
25 | |||
26 | noexec ${HOME} | ||
27 | noexec /tmp | ||
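Review bot: Removing the `# blender uses the sound system` / `# nosound` pair (old lines 30–31) deletes the only record of why `nosound` is absent from this profile, so a future pass has nothing to stop it from adding `nosound` and breaking audio. Keep the reason as a single comment near the new `private-dev` block, e.g. `# nosound not set: blender uses the sound system`. evince.profile loses the same kind of rationale in this commit, the `#net none - creates some problems on some distributions` line (old line 19), and should keep it as a comment for the same reason.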
diff --git a/etc/bless.profile b/etc/bless.profile index c9ccfc02e..25881fa3d 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc | |||
22 | caps.drop all | 22 | caps.drop all |
23 | #ipc-namespace | 23 | #ipc-namespace |
24 | net none | 24 | net none |
25 | netfilter | ||
26 | no3d | 25 | no3d |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/brasero.profile b/etc/brasero.profile index d013e0b8e..cafb9f39a 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -15,7 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | 17 | #ipc-namespace |
18 | net none | ||
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
21 | noroot | 20 | noroot |
@@ -31,5 +30,6 @@ tracelog | |||
31 | # private-etc fonts | 30 | # private-etc fonts |
32 | # private-tmp | 31 | # private-tmp |
33 | 32 | ||
33 | memory-deny-write-execute | ||
34 | noexec ${HOME} | 34 | noexec ${HOME} |
35 | noexec /tmp | 35 | noexec /tmp |
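Review bot: `net none` is removed (old line 18) with nothing replacing it, which re-enables network access for the sandbox, and nothing in the hunk says why; the profile's `protocol` line is outside the hunk, so I cannot tell whether inet sockets are even permitted. If brasero genuinely needs the network (online disc metadata, presumably), add a comment next to the remaining lines such as `# net none not set: brasero needs network for online metadata lookup`; if not, restoring `net none` is the safer default and matches how this commit handles the other burner/viewer profiles.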
diff --git a/etc/caja.profile b/etc/caja.profile index 3a098379b..a724e76b1 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -21,12 +21,12 @@ include /etc/firejail/disable-devel.inc | |||
21 | include /etc/firejail/disable-passwdmgr.inc | 21 | include /etc/firejail/disable-passwdmgr.inc |
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | netfilter | ||
24 | nogroups | 25 | nogroups |
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | protocol unix | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | netfilter | ||
30 | shell none | 30 | shell none |
31 | tracelog | 31 | tracelog |
32 | 32 | ||
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 0ac71ca3c..b1acd78f2 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -9,18 +9,28 @@ include /etc/firejail/cherrytree.local | |||
9 | noblacklist /usr/bin/python2* | 9 | noblacklist /usr/bin/python2* |
10 | noblacklist /usr/lib/python3* | 10 | noblacklist /usr/lib/python3* |
11 | noblacklist ${HOME}/.config/cherrytree | 11 | noblacklist ${HOME}/.config/cherrytree |
12 | |||
12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
14 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
16 | 17 | ||
17 | caps.drop all | 18 | caps.drop all |
19 | #ipc-namespace | ||
18 | netfilter | 20 | netfilter |
21 | no3d | ||
19 | nogroups | 22 | nogroups |
20 | nonewprivs | 23 | nonewprivs |
21 | noroot | 24 | noroot |
22 | nosound | 25 | nosound |
23 | novideo | 26 | novideo |
24 | seccomp | ||
25 | protocol unix,inet,inet6,netlink | 27 | protocol unix,inet,inet6,netlink |
28 | seccomp | ||
29 | shell none | ||
26 | tracelog | 30 | tracelog |
31 | |||
32 | private-dev | ||
33 | private-tmp | ||
34 | |||
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
diff --git a/etc/clipit.profile b/etc/clipit.profile index b671b253b..b44041cbf 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -8,26 +8,25 @@ include /etc/firejail/clipit.local | |||
8 | noblacklist ${HOME}/.local/share/clipit | 8 | noblacklist ${HOME}/.local/share/clipit |
9 | noblacklist ${HOME}/.config/clipit | 9 | noblacklist ${HOME}/.config/clipit |
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
16 | nonewprivs | 19 | nonewprivs |
17 | noroot | 20 | noroot |
21 | nosound | ||
18 | novideo | 22 | novideo |
19 | protocol unix,inet,inet6 | 23 | protocol unix |
20 | seccomp | 24 | seccomp |
25 | shell none | ||
21 | 26 | ||
27 | private-dev | ||
28 | private-tmp | ||
29 | disable-mnt | ||
22 | 30 | ||
23 | 31 | noexec ${HOME} | |
24 | # | 32 | noexec /tmp |
25 | # depending on your usage, you can enable some of the commands below: | ||
26 | # | ||
27 | nogroups | ||
28 | shell none | ||
29 | # private-bin program | ||
30 | # private-etc none | ||
31 | # private-dev | ||
32 | # private-tmp | ||
33 | nosound | ||
diff --git a/etc/cvlc.profile b/etc/cvlc.profile index a52d62f83..921d505a9 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile | |||
@@ -27,3 +27,5 @@ tracelog | |||
27 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 27 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
28 | private-dev | 28 | private-dev |
29 | private-tmp | 29 | private-tmp |
30 | |||
31 | memory-deny-write-execute | ||
diff --git a/etc/darktable.profile b/etc/darktable.profile index 29630a746..eca2ae6c5 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile | |||
@@ -8,23 +8,24 @@ include /etc/firejail/darktable.local | |||
8 | noblacklist ~/.cache/darktable | 8 | noblacklist ~/.cache/darktable |
9 | noblacklist ~/.config/darktable | 9 | noblacklist ~/.config/darktable |
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
16 | #ipc-namespace | ||
15 | netfilter | 17 | netfilter |
18 | nogroups | ||
16 | nonewprivs | 19 | nonewprivs |
17 | noroot | 20 | noroot |
21 | nosound | ||
22 | novideo | ||
18 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
19 | seccomp | 24 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | # nogroups | ||
25 | shell none | 25 | shell none |
26 | # private-bin program | 26 | |
27 | # private-etc none | 27 | private-dev |
28 | # private-dev | ||
29 | private-tmp | 28 | private-tmp |
30 | nosound | 29 | |
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/dia.profile b/etc/dia.profile index 4e009afd7..71d8a249b 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -7,23 +7,25 @@ include /etc/firejail/dia.local | |||
7 | 7 | ||
8 | noblacklist ~/.dia | 8 | noblacklist ~/.dia |
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | 13 | ||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
16 | no3d | ||
17 | nogroups | ||
15 | nonewprivs | 18 | nonewprivs |
16 | noroot | 19 | noroot |
20 | nosound | ||
17 | novideo | 21 | novideo |
18 | protocol unix,inet,inet6 | 22 | protocol unix |
19 | seccomp | 23 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 24 | shell none |
26 | # private-bin program | 25 | |
27 | # private-etc none | ||
28 | private-dev | 26 | private-dev |
29 | private-tmp | 27 | private-tmp |
28 | disable-mnt | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/digikam.profile b/etc/digikam.profile index fd19953a0..d81d00ed3 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -31,3 +31,6 @@ shell none | |||
31 | # private-etc none | 31 | # private-etc none |
32 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 32 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
33 | private-tmp | 33 | private-tmp |
34 | |||
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
diff --git a/etc/display.profile b/etc/display.profile index 7cde8bd54..c2c46cba3 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | seccomp | ||
16 | protocol unix | ||
17 | netfilter | ||
18 | net none | 15 | net none |
19 | nonewprivs | 16 | nonewprivs |
20 | noroot | ||
21 | nogroups | 17 | nogroups |
18 | noroot | ||
22 | nosound | 19 | nosound |
20 | protocol unix | ||
21 | seccomp | ||
23 | shell none | 22 | shell none |
24 | x11 xorg | 23 | x11 xorg |
25 | 24 | ||
diff --git a/etc/dragon.profile b/etc/dragon.profile index d099f1d9d..47d2c593a 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
@@ -27,3 +27,6 @@ private-bin dragon | |||
27 | private-dev | 27 | private-dev |
28 | private-tmp | 28 | private-tmp |
29 | # private-etc | 29 | # private-etc |
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index f1d7fad82..2319b337b 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local | |||
9 | noblacklist ~/.config/autostart | 9 | noblacklist ~/.config/autostart |
10 | noblacklist ~/.dropbox-dist | 10 | noblacklist ~/.dropbox-dist |
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
14 | 15 | ||
15 | caps | ||
16 | nonewprivs | ||
17 | noroot | ||
18 | novideo | ||
19 | protocol unix,inet,inet6 | ||
20 | seccomp | ||
21 | |||
22 | mkdir ~/Dropbox | 16 | mkdir ~/Dropbox |
23 | whitelist ~/Dropbox | 17 | whitelist ~/Dropbox |
24 | mkdir ~/.dropbox | 18 | mkdir ~/.dropbox |
@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist | |||
28 | 22 | ||
29 | mkfile ~/.config/autostart/dropbox.desktop | 23 | mkfile ~/.config/autostart/dropbox.desktop |
30 | whitelist ~/.config/autostart/dropbox.desktop | 24 | whitelist ~/.config/autostart/dropbox.desktop |
25 | |||
26 | caps.drop all | ||
27 | netfilter | ||
28 | no3d | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | nosound | ||
33 | novideo | ||
34 | protocol unix,inet,inet6 | ||
35 | seccomp | ||
36 | shell none | ||
37 | |||
38 | private-dev | ||
39 | private-tmp | ||
40 | |||
41 | noexec /tmp | ||
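Review bot: `noexec /tmp` (new line 41) is added without the `noexec ${HOME}` that the rest of this commit pairs it with (akregator, franz, dia), and the omission is not explained. It is presumably deliberate because the client binary lives in ~/.dropbox-dist, which this profile whitelists, so it cannot be made non-executable; add `# no noexec ${HOME}: the client executes from ~/.dropbox-dist` above the line so the gap is not "fixed" later. The second hunk's block is otherwise a clear tightening over the old bare `caps` line.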
diff --git a/etc/enchant.profile b/etc/enchant.profile index 9e2dee045..554ed5e28 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -14,13 +14,13 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | ||
17 | nogroups | 18 | nogroups |
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | netfilter | ||
24 | shell none | 24 | shell none |
25 | tracelog | 25 | tracelog |
26 | 26 | ||
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 081a5f6b0..605643472 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
@@ -19,7 +20,6 @@ nosound | |||
19 | novideo | 20 | novideo |
20 | protocol unix | 21 | protocol unix |
21 | seccomp | 22 | seccomp |
22 | netfilter | ||
23 | shell none | 23 | shell none |
24 | tracelog | 24 | tracelog |
25 | 25 | ||
diff --git a/etc/eog.profile b/etc/eog.profile index 3abaaacef..e272a1935 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -19,7 +19,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
19 | caps.drop all | 19 | caps.drop all |
20 | #ipc-namespace | 20 | #ipc-namespace |
21 | net none | 21 | net none |
22 | netfilter | ||
23 | no3d | 22 | no3d |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
@@ -35,5 +34,6 @@ private-dev | |||
35 | private-etc fonts | 34 | private-etc fonts |
36 | private-tmp | 35 | private-tmp |
37 | 36 | ||
37 | memory-deny-write-execute | ||
38 | noexec ${HOME} | 38 | noexec ${HOME} |
39 | noexec /tmp | 39 | noexec /tmp |
diff --git a/etc/evince.profile b/etc/evince.profile index 6719244da..9f1ebbf76 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -16,7 +16,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | 17 | #ipc-namespace |
18 | netfilter | 18 | netfilter |
19 | #net none - creates some problems on some distributions | ||
20 | no3d | 19 | no3d |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
@@ -34,5 +33,6 @@ private-etc fonts | |||
34 | # evince needs access to /tmp/mozilla* to work in firefox | 33 | # evince needs access to /tmp/mozilla* to work in firefox |
35 | # private-tmp | 34 | # private-tmp |
36 | 35 | ||
36 | memory-deny-write-execute | ||
37 | noexec ${HOME} | 37 | noexec ${HOME} |
38 | noexec /tmp | 38 | noexec /tmp |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index aba484718..e69a6206e 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -17,14 +17,13 @@ include /etc/firejail/disable-devel.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | net none | ||
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | nosound | 24 | nosound |
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | netfilter | ||
27 | net none | ||
28 | no3d | 27 | no3d |
29 | shell none | 28 | shell none |
30 | tracelog | 29 | tracelog |
diff --git a/etc/feh.profile b/etc/feh.profile index f71999155..8f40a0c3e 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -12,7 +12,6 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
16 | net none | 15 | net none |
17 | nogroups | 16 | nogroups |
18 | nonewprivs | 17 | nonewprivs |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 72d00b4ce..15d8d36c6 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | caps.drop all | 14 | caps.drop all |
15 | #ipc-namespace | 15 | #ipc-namespace |
16 | net none | 16 | net none |
17 | netfilter | ||
18 | no3d | 17 | no3d |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
@@ -31,5 +30,6 @@ tracelog | |||
31 | private-dev | 30 | private-dev |
32 | # private-etc fonts | 31 | # private-etc fonts |
33 | 32 | ||
33 | memory-deny-write-execute | ||
34 | noexec ${HOME} | 34 | noexec ${HOME} |
35 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/file.profile b/etc/file.profile index 915bf1088..51e35007f 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -13,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | hostname file | 15 | hostname file |
16 | netfilter | ||
17 | net none | 16 | net none |
18 | no3d | 17 | no3d |
19 | nogroups | 18 | nogroups |
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index 7f29a8719..f8d45424f 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -8,13 +8,23 @@ include /etc/firejail/flowblade.local | |||
8 | # FlowBlade profile | 8 | # FlowBlade profile |
9 | noblacklist ${HOME}/.flowblade | 9 | noblacklist ${HOME}/.flowblade |
10 | noblacklist ${HOME}/.config/flowblade | 10 | noblacklist ${HOME}/.config/flowblade |
11 | |||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
19 | nogroups | ||
17 | nonewprivs | 20 | nonewprivs |
18 | noroot | 21 | noroot |
19 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
20 | seccomp | 23 | seccomp |
24 | shell none | ||
25 | |||
26 | private-dev | ||
27 | private-tmp | ||
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index 967a617e2..e8e3df62b 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
@@ -6,23 +6,25 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/fontforge.local | 6 | include /etc/firejail/fontforge.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.FontForge | 8 | noblacklist ${HOME}/.FontForge |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | nogroups | ||
15 | nonewprivs | 18 | nonewprivs |
16 | noroot | 19 | noroot |
17 | protocol unix,inet,inet6 | 20 | nosound |
21 | novideo | ||
22 | protocol unix | ||
18 | seccomp | 23 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 24 | shell none |
25 | # private-bin program | 25 | |
26 | # private-etc none | ||
27 | private-dev | 26 | private-dev |
28 | private-tmp | 27 | private-tmp |
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
diff --git a/etc/franz.profile b/etc/franz.profile index c68b47d80..c5e019947 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc | |||
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
15 | 15 | ||
16 | caps.drop all | ||
17 | netfilter | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | protocol unix,inet,inet6,netlink | ||
21 | seccomp | ||
22 | #tracelog | ||
23 | |||
24 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
25 | mkdir ~/.config/Franz | 17 | mkdir ~/.config/Franz |
26 | whitelist ~/.config/Franz | 18 | whitelist ~/.config/Franz |
@@ -30,3 +22,21 @@ mkdir ~/.pki | |||
30 | whitelist ~/.pki | 22 | whitelist ~/.pki |
31 | 23 | ||
32 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
25 | |||
26 | caps.drop all | ||
27 | #ipc-namespace | ||
28 | netfilter | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp | ||
34 | shell none | ||
35 | #tracelog | ||
36 | |||
37 | private-dev | ||
38 | private-tmp | ||
39 | disable-mnt | ||
40 | |||
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
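Review bot: `noexec ${HOME}` (new line 41) will stop Franz from launching if it is installed under the home directory, as an unpacked Electron tarball often is, and the commit gives no hint that this deployment is now unsupported. If that is intended, a one-line pointer such as `# Franz installed in $HOME: override noexec ${HOME} in franz.local` would save users a confusing failure. The rest of the block is the old lines 16–22 moved below the whitelist section plus `nogroups`, `shell none`, `private-dev`, `private-tmp` and `disable-mnt`, which read fine. `#ipc-namespace` and `#tracelog` stay disabled without a reason; the kwrite profile in this commit annotates such lines (`#nosound - KWrite is using ALSA!`), and `#ipc-namespace - <reason>` would match that convention.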
diff --git a/etc/geany.profile b/etc/geany.profile index 7e0c6d2ad..083e9423f 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -12,17 +12,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | no3d | ||
16 | nogroups | ||
15 | nonewprivs | 17 | nonewprivs |
16 | noroot | 18 | noroot |
19 | nosound | ||
20 | novideo | ||
17 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
18 | seccomp | 22 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 23 | shell none |
25 | # private-bin program | 24 | |
26 | # private-etc none | ||
27 | private-dev | 25 | private-dev |
28 | private-tmp | 26 | private-tmp |
diff --git a/etc/gedit.profile b/etc/gedit.profile index d871a9bed..3e78d939e 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -18,7 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | #ipc-namespace | 20 | #ipc-namespace |
21 | netfilter | ||
22 | net none | 21 | net none |
23 | no3d | 22 | no3d |
24 | nogroups | 23 | nogroups |
diff --git a/etc/gimp.profile b/etc/gimp.profile index da521aa6c..0fe462912 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -12,7 +12,6 @@ include /etc/firejail/disable-programs.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
16 | net none | 15 | net none |
17 | nogroups | 16 | nogroups |
18 | nonewprivs | 17 | nonewprivs |
diff --git a/etc/globaltime.profile b/etc/globaltime.profile index 5662dba69..b9b2c008d 100644 --- a/etc/globaltime.profile +++ b/etc/globaltime.profile | |||
@@ -7,22 +7,25 @@ include /etc/firejail/globaltime.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/globaltime | 8 | noblacklist ${HOME}/.config/globaltime |
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | 13 | ||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
16 | no3d | ||
17 | nogroups | ||
15 | nonewprivs | 18 | nonewprivs |
16 | noroot | 19 | noroot |
20 | nosound | ||
21 | novideo | ||
17 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
18 | seccomp | 23 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 24 | shell none |
25 | # private-bin program | 25 | |
26 | # private-etc none | ||
27 | private-dev | 26 | private-dev |
28 | # private-tmp | 27 | private-tmp |
28 | disable-mnt | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
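Review bot: `private-tmp` (new line 27) replaces a deliberately commented `# private-tmp` (old line 28) and the commit does not say why it is now safe to enable; if the option had been left off because of a breakage, that breakage returns silently. I'd state the reason in the commit message or keep the line commented with `#private-tmp - <reason>` inline. Separately, the profile keeps `netfilter` and `protocol unix,inet,inet6` for a clock applet; if globaltime has no network feature, `net none` as used in gedit and gimp in this commit would be the tighter choice, but I cannot confirm that from here.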
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index af6da6cd4..e36294930 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc | |||
16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | netfilter | ||
19 | no3d | 20 | no3d |
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
@@ -24,7 +25,6 @@ nosound | |||
24 | novideo | 25 | novideo |
25 | protocol unix | 26 | protocol unix |
26 | seccomp | 27 | seccomp |
27 | netfilter | ||
28 | shell none | 28 | shell none |
29 | tracelog | 29 | tracelog |
30 | 30 | ||
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index e64f62b70..40328e5c3 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -30,11 +30,13 @@ protocol unix,inet,inet6 | |||
30 | seccomp | 30 | seccomp |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | private | ||
33 | private-bin gnome-calculator | 34 | private-bin gnome-calculator |
34 | private-dev | 35 | private-dev |
35 | #private-etc fonts | 36 | #private-etc fonts |
36 | private-tmp | 37 | private-tmp |
37 | disable-mnt | 38 | disable-mnt |
38 | 39 | ||
40 | memory-deny-write-execute | ||
39 | noexec ${HOME} | 41 | noexec ${HOME} |
40 | noexec /tmp | 42 | noexec /tmp |
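Review bot: `memory-deny-write-execute` (new line 40) should be tested on more than one distribution before landing, because GObject signal marshalling goes through libffi closures, and libffi builds that allocate closure trampolines in writable+executable pages will fail under this option; the same concern applies to the Qt-based keepassxc profile where the commit adds the identical line, while the less profile is a low-risk case. `private` (new line 33) presumably relies on the calculator storing its settings via GSettings rather than under $HOME — worth confirming and mentioning in the commit message, since anything written there is discarded at exit.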
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 5d2a90b64..2d70bf7ef 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | ||
20 | no3d | 21 | no3d |
21 | nogroups | 22 | nogroups |
22 | nonewprivs | 23 | nonewprivs |
@@ -25,7 +26,6 @@ nosound | |||
25 | novideo | 26 | novideo |
26 | protocol unix | 27 | protocol unix |
27 | seccomp | 28 | seccomp |
28 | netfilter | ||
29 | shell none | 29 | shell none |
30 | tracelog | 30 | tracelog |
31 | 31 | ||
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index abdb6bfb5..8b569e563 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile | |||
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | ||
17 | no3d | 18 | no3d |
18 | nogroups | 19 | nogroups |
19 | nonewprivs | 20 | nonewprivs |
@@ -21,7 +22,6 @@ noroot | |||
21 | novideo | 22 | novideo |
22 | protocol unix | 23 | protocol unix |
23 | seccomp | 24 | seccomp |
24 | netfilter | ||
25 | shell none | 25 | shell none |
26 | tracelog | 26 | tracelog |
27 | 27 | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 93823d0f4..ed9dc0a03 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -17,13 +17,13 @@ include /etc/firejail/disable-devel.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | ||
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | nosound | 24 | nosound |
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | netfilter | ||
27 | shell none | 27 | shell none |
28 | tracelog | 28 | tracelog |
29 | 29 | ||
diff --git a/etc/goobox.profile b/etc/goobox.profile index 0ba059365..129d17ae7 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
@@ -12,12 +12,12 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | protocol unix | 19 | protocol unix |
19 | seccomp | 20 | seccomp |
20 | netfilter | ||
21 | shell none | 21 | shell none |
22 | tracelog | 22 | tracelog |
23 | 23 | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3b884bd64..22a2e8f88 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | # include /etc/firejail/disable-devel.inc | 16 | # include /etc/firejail/disable-devel.inc |
17 | # | 17 | # |
18 | 18 | ||
19 | netfilter | ||
20 | |||
21 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
22 | mkdir ~/.config/google-chrome-beta | 20 | mkdir ~/.config/google-chrome-beta |
23 | whitelist ~/.config/google-chrome-beta | 21 | whitelist ~/.config/google-chrome-beta |
@@ -26,3 +24,16 @@ whitelist ~/.cache/google-chrome-beta | |||
26 | mkdir ~/.pki | 24 | mkdir ~/.pki |
27 | whitelist ~/.pki | 25 | whitelist ~/.pki |
28 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
27 | |||
28 | caps.keep sys_chroot,sys_admin | ||
29 | #ipc-namespace | ||
30 | netfilter | ||
31 | nogroups | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | #private-tmp - problems with multiple browser sessions | ||
36 | #disable-mnt | ||
37 | |||
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
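Review bot: `caps.keep sys_chroot,sys_admin` (new line 28) appears to be new to this profile (the first hunk only removed `netfilter` from that spot) and is the broadest grant in any profile of this commit, yet it carries no comment; the same block is added to google-chrome-unstable and moved in google-chrome. Presumably the two capabilities are needed by Chrome's own sandbox helper — that should be written down, e.g. `# sys_chroot/sys_admin: required by Chrome's internal sandbox helper, do not drop`, so a later tightening pass does not remove it and so readers understand why `caps.drop all`, `nonewprivs` and `noroot` are not used here (assuming they are indeed absent from the part of the file outside the hunk). `#private-tmp - problems with multiple browser sessions` is the right style; `#ipc-namespace` and `#disable-mnt` should carry a reason the same way.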
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 18bcb94a6..0675d7b49 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | # include /etc/firejail/disable-devel.inc | 16 | # include /etc/firejail/disable-devel.inc |
17 | # | 17 | # |
18 | 18 | ||
19 | netfilter | ||
20 | |||
21 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
22 | mkdir ~/.config/google-chrome-unstable | 20 | mkdir ~/.config/google-chrome-unstable |
23 | whitelist ~/.config/google-chrome-unstable | 21 | whitelist ~/.config/google-chrome-unstable |
@@ -26,3 +24,16 @@ whitelist ~/.cache/google-chrome-unstable | |||
26 | mkdir ~/.pki | 24 | mkdir ~/.pki |
27 | whitelist ~/.pki | 25 | whitelist ~/.pki |
28 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
27 | |||
28 | caps.keep sys_chroot,sys_admin | ||
29 | #ipc-namespace | ||
30 | netfilter | ||
31 | nogroups | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | #private-tmp - problems with multiple browser sessions | ||
36 | #disable-mnt | ||
37 | |||
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 84e0c6cdc..e6fceadec 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -16,9 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | # include /etc/firejail/disable-devel.inc | 16 | # include /etc/firejail/disable-devel.inc |
17 | # | 17 | # |
18 | 18 | ||
19 | caps.keep sys_chroot,sys_admin | ||
20 | netfilter | ||
21 | |||
22 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
23 | mkdir ~/.config/google-chrome | 20 | mkdir ~/.config/google-chrome |
24 | whitelist ~/.config/google-chrome | 21 | whitelist ~/.config/google-chrome |
@@ -27,3 +24,16 @@ whitelist ~/.cache/google-chrome | |||
27 | mkdir ~/.pki | 24 | mkdir ~/.pki |
28 | whitelist ~/.pki | 25 | whitelist ~/.pki |
29 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
27 | |||
28 | caps.keep sys_chroot,sys_admin | ||
29 | #ipc-namespace | ||
30 | netfilter | ||
31 | nogroups | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | #private-tmp - problems with multiple browser sessions | ||
36 | #disable-mnt | ||
37 | |||
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index ed6b11002..c373cc34c 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -13,13 +13,25 @@ include /etc/firejail/disable-programs.inc | |||
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | #whitelist ~/.pulse | ||
17 | #whitelist ~/.config/pulse | ||
18 | whitelist ~/.config/Google Play Music Desktop Player | ||
19 | |||
16 | caps.drop all | 20 | caps.drop all |
21 | #ipc-namespace | ||
22 | netfilter | ||
23 | no3d | ||
24 | nogroups | ||
17 | nonewprivs | 25 | nonewprivs |
18 | noroot | 26 | noroot |
19 | netfilter | 27 | novideo |
20 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
21 | seccomp | 29 | seccomp |
30 | shell none | ||
22 | 31 | ||
23 | #whitelist ~/.pulse | 32 | private-dev |
24 | #whitelist ~/.config/pulse | 33 | private-tmp |
25 | whitelist ~/.config/Google Play Music Desktop Player | 34 | disable-mnt |
35 | |||
36 | noexec ${HOME} | ||
37 | noexec /tmp | ||
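Review bot: `whitelist ~/.config/Google Play Music Desktop Player` (new line 18) has no matching `mkdir`, unlike the franz and google-chrome profiles in this commit, which pair every whitelisted config directory with `mkdir`; on a first run where the directory does not yet exist the whitelist cannot be applied and the player's settings will not persist. Add `mkdir ~/.config/Google Play Music Desktop Player` immediately before the whitelist line. The profile also does not include whitelist-common.inc, so whatever that file restores for a whitelisted home (such as `~/.Xauthority`) is not restored here unless it is handled in the part of the file outside the hunk.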
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 5b3bc11f2..86f3d7838 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile | |||
@@ -24,3 +24,6 @@ shell none | |||
24 | private-bin guayadeque | 24 | private-bin guayadeque |
25 | private-dev | 25 | private-dev |
26 | private-tmp | 26 | private-tmp |
27 | |||
28 | noexec ${HOME} | ||
29 | noexec /tmp | ||
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index 929888e88..4d6237067 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile | |||
@@ -5,25 +5,27 @@ include /etc/firejail/globals.local | |||
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/gucharmap.local | 6 | include /etc/firejail/gucharmap.local |
7 | 7 | ||
8 | private | 8 | include /etc/firejail/disable-common.inc |
9 | #include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-devel.inc |
10 | #include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | #include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-programs.inc |
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | no3d | ||
16 | nogroups | ||
15 | nonewprivs | 17 | nonewprivs |
16 | noroot | 18 | noroot |
17 | protocol unix,inet,inet6 | 19 | nosound |
20 | novideo | ||
21 | protocol unix | ||
18 | seccomp | 22 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 23 | shell none |
25 | # private-bin program | 24 | |
26 | # private-etc none | 25 | private |
27 | # private-dev | 26 | private-dev |
28 | # private-tmp | 27 | private-tmp |
29 | nosound | 28 | disable-mnt |
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 97227186a..047d2e32e 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -32,3 +32,6 @@ private-dev | |||
32 | 32 | ||
33 | # Experimental: | 33 | # Experimental: |
34 | #private-etc X11 | 34 | #private-etc X11 |
35 | |||
36 | noexec ${HOME} | ||
37 | noexec /tmp | ||
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index 0f3f32250..ccff63708 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
@@ -7,24 +7,23 @@ include /etc/firejail/handbrake.local | |||
7 | 7 | ||
8 | noblacklist ~/.config/ghb | 8 | noblacklist ~/.config/ghb |
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | 13 | ||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
16 | nogroups | ||
15 | nonewprivs | 17 | nonewprivs |
16 | noroot | 18 | noroot |
17 | # netlink required! | 19 | nosound |
20 | novideo | ||
18 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
19 | seccomp | 22 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 23 | shell none |
26 | # private-bin program | 24 | |
27 | # private-etc none | 25 | private-dev |
28 | #private-dev | ||
29 | private-tmp | 26 | private-tmp |
30 | nosound | 27 | |
28 | noexec ${HOME} | ||
29 | noexec /tmp | ||
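Review bot: `private-dev` (new line 25) replaces the old, deliberately commented `#private-dev` (old line 28), and `novideo` (new line 20) is added; HandBrake's primary input path is ripping from optical drives, and `/dev/sr*` is not among the devices a private `/dev` keeps, which is probably why the line had been left disabled. If only file input is meant to be supported, say so in the commit message and leave a hint such as `#private-dev - re-enable via handbrake.local if you need optical drives` next to the line; otherwise keep it commented. `nosound` (new line 19) also deserves a quick check, since the GTK preview window plays audio in recent versions.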
diff --git a/etc/highlight.profile b/etc/highlight.profile index 58e7f89f5..fefbcc55d 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | ||
22 | net none | ||
23 | no3d | 22 | no3d |
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
diff --git a/etc/hugin.profile b/etc/hugin.profile index 97a9cb1fd..26e696f0d 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -6,24 +6,25 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/hugin.local | 6 | include /etc/firejail/hugin.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.hugin | 8 | noblacklist ${HOME}/.hugin |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | nogroups | ||
15 | nonewprivs | 18 | nonewprivs |
16 | noroot | 19 | noroot |
17 | protocol unix,inet,inet6 | 20 | nosound |
21 | novideo | ||
22 | protocol unix | ||
18 | seccomp | 23 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 24 | shell none |
25 | # private-bin program | 25 | |
26 | # private-etc none | ||
27 | private-dev | 26 | private-dev |
28 | private-tmp | 27 | private-tmp |
29 | nosound | 28 | |
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
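Review bot: `include /etc/firejail/disable-devel.inc` (new line 11) is worth a full stitch test, because Hugin runs its pipeline through external helper binaries (nona, enblend, enfuse, and historically `make` via generated Makefiles), and any of those being caught by the devel blacklist would only show up at the final stitching step. `protocol unix` (new line 22) and `nosound`/`novideo` look appropriate for a panorama tool. The old `nosound` at the end of the file (old line 29) is correctly folded into the ordered options block.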
diff --git a/etc/icecat.profile b/etc/icecat.profile index 7684cedbe..600263a2a 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
@@ -48,3 +48,6 @@ include /etc/firejail/whitelist-common.inc | |||
48 | 48 | ||
49 | # experimental features | 49 | # experimental features |
50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
51 | |||
52 | noexec ${HOME} | ||
53 | noexec /tmp | ||
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 00d172f55..2ea359e72 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | ||
22 | net none | ||
23 | shell none | 22 | shell none |
24 | tracelog | 23 | tracelog |
25 | 24 | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 0a9d409b9..af1be565b 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -8,6 +8,7 @@ include /etc/firejail/inkscape.local | |||
8 | # inkscape | 8 | # inkscape |
9 | noblacklist ${HOME}/.inkscape | 9 | noblacklist ${HOME}/.inkscape |
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
13 | 14 | ||
@@ -17,11 +18,13 @@ nogroups | |||
17 | nonewprivs | 18 | nonewprivs |
18 | noroot | 19 | noroot |
19 | nosound | 20 | nosound |
21 | novideo | ||
20 | protocol unix | 22 | protocol unix |
21 | seccomp | 23 | seccomp |
22 | 24 | shell none | |
23 | noexec ${HOME} | ||
24 | noexec /tmp | ||
25 | 25 | ||
26 | private-dev | 26 | private-dev |
27 | private-tmp | 27 | private-tmp |
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 32b43cdf1..9cb845b50 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc | |||
22 | caps.drop all | 22 | caps.drop all |
23 | #ipc-namespace | 23 | #ipc-namespace |
24 | net none | 24 | net none |
25 | netfilter | ||
26 | no3d | 25 | no3d |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/kate.profile b/etc/kate.profile index 832f3614f..97372f752 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -19,13 +19,13 @@ include /etc/firejail/disable-programs.inc | |||
19 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
20 | 20 | ||
21 | caps.drop all | 21 | caps.drop all |
22 | netfilter | ||
22 | nogroups | 23 | nogroups |
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
26 | protocol unix | 27 | protocol unix |
27 | seccomp | 28 | seccomp |
28 | netfilter | ||
29 | shell none | 29 | shell none |
30 | tracelog | 30 | tracelog |
31 | 31 | ||
diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 0ea5dbcb3..1d425cf47 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile | |||
@@ -5,27 +5,27 @@ include /etc/firejail/globals.local | |||
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/kcalc.local | 6 | include /etc/firejail/kcalc.local |
7 | 7 | ||
8 | ################################ | ||
9 | # Generic GUI application profile | ||
10 | ################################ | ||
11 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 9 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | include /etc/firejail/disable-programs.inc | ||
14 | 12 | ||
15 | caps.drop all | 13 | caps.drop all |
16 | netfilter | 14 | netfilter |
15 | no3d | ||
16 | nogroups | ||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | protocol unix,inet,inet6 | 19 | nosound |
20 | novideo | ||
21 | protocol unix | ||
20 | seccomp | 22 | seccomp |
23 | shell none | ||
21 | 24 | ||
22 | # | ||
23 | # depending on your usage, you can enable some of the commands below: | ||
24 | # | ||
25 | private | 25 | private |
26 | nogroups | ||
27 | shell none | ||
28 | # private-bin program | ||
29 | # private-etc none | ||
30 | private-dev | 26 | private-dev |
31 | private-tmp | 27 | private-tmp |
28 | disable-mnt | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 4a5503944..3ab4115e6 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | 18 | ||
19 | # To use KeePassHTTP, comment out `net none` | ||
20 | caps.drop all | 19 | caps.drop all |
21 | #ipc-namespace | 20 | #ipc-namespace |
22 | net none | 21 | net none |
@@ -35,5 +34,6 @@ private-dev | |||
35 | private-etc fonts,ld.so.cache | 34 | private-etc fonts,ld.so.cache |
36 | private-tmp | 35 | private-tmp |
37 | 36 | ||
37 | memory-deny-write-execute | ||
38 | noexec ${HOME} | 38 | noexec ${HOME} |
39 | noexec /tmp | 39 | noexec /tmp |
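Review bot: the removed `# To use KeePassHTTP, comment out \`net none\`` (old line 19) was the only hint that browser integration needs network access, and `net none` is kept on new line 21, so a user whose browser plugin stops working now has nothing pointing at the cause. Keep the hint next to `net none`, for example `# KeePassHTTP/browser integration needs network access: override net none in keepassxc.local`. `memory-deny-write-execute` (new line 37) should be exercised on a Qt build or two before landing; it is the same line the commit adds to gnome-calculator and less.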
diff --git a/etc/kino.profile b/etc/kino.profile index b37569340..bb37d56ab 100644 --- a/etc/kino.profile +++ b/etc/kino.profile | |||
@@ -5,28 +5,26 @@ include /etc/firejail/globals.local | |||
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/kino.local | 6 | include /etc/firejail/kino.local |
7 | 7 | ||
8 | ################################ | ||
9 | # Generic GUI application profile | ||
10 | ################################ | ||
11 | noblacklist ~/.kinorc | 8 | noblacklist ~/.kinorc |
12 | noblacklist ~/.kino-history | 9 | noblacklist ~/.kino-history |
10 | |||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
18 | nogroups | ||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | protocol unix,inet,inet6 | 21 | novideo |
22 | protocol unix | ||
22 | seccomp | 23 | seccomp |
24 | shell none | ||
25 | |||
26 | private-dev | ||
27 | private-tmp | ||
23 | 28 | ||
24 | # | 29 | noexec ${HOME} |
25 | # depending on your usage, you can enable some of the commands below: | 30 | noexec /tmp |
26 | # | ||
27 | # nogroups | ||
28 | # shell none | ||
29 | # private-bin program | ||
30 | # private-etc none | ||
31 | # private-dev | ||
32 | # private-tmp | ||
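Review bot: `novideo` (new line 21) and `private-dev` (new line 26) are a poor fit for Kino, whose main use is capturing DV from FireWire cameras through device nodes such as `/dev/raw1394`, `/dev/dv1394` or `/dev/video1394` — none of these survive a private `/dev`, and `novideo` hides `/dev/video*` on top. Editing existing DV files still works, so if capture is intentionally out of scope the commit should say so; otherwise drop `novideo` and keep `private-dev` commented with the reason. Note that the old generic suggestions block had `# private-dev` commented (old line 31), so this is the first time the option is enabled for this profile.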
diff --git a/etc/knotes.profile b/etc/knotes.profile index e7da44215..b1883112c 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile | |||
@@ -14,13 +14,13 @@ include /etc/firejail/disable-programs.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | ||
17 | nogroups | 18 | nogroups |
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | netfilter | ||
24 | shell none | 24 | shell none |
25 | tracelog | 25 | tracelog |
26 | 26 | ||
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index 59c2827cd..c19f1c5ef 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
@@ -5,16 +5,15 @@ include /etc/firejail/globals.local | |||
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/ktorrent.local | 6 | include /etc/firejail/ktorrent.local |
7 | 7 | ||
8 | ################################ | ||
9 | # Generic GUI application profile | ||
10 | ################################ | ||
11 | noblacklist ~/.config/ktorrentrc | 8 | noblacklist ~/.config/ktorrentrc |
12 | noblacklist ~/.local/share/ktorrent | 9 | noblacklist ~/.local/share/ktorrent |
13 | noblacklist ~/.kde/share/config/ktorrentrc | 10 | noblacklist ~/.kde/share/config/ktorrentrc |
14 | noblacklist ~/.kde4/share/config/ktorrentrc | 11 | noblacklist ~/.kde4/share/config/ktorrentrc |
15 | noblacklist ~/.kde/share/apps/ktorrent | 12 | noblacklist ~/.kde/share/apps/ktorrent |
16 | noblacklist ~/.kde4/share/apps/ktorrent | 13 | noblacklist ~/.kde4/share/apps/ktorrent |
14 | |||
17 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-devel.inc | ||
18 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
19 | include /etc/firejail/disable-passwdmgr.inc | 18 | include /etc/firejail/disable-passwdmgr.inc |
20 | 19 | ||
@@ -36,17 +35,18 @@ include /etc/firejail/whitelist-common.inc | |||
36 | 35 | ||
37 | caps.drop all | 36 | caps.drop all |
38 | netfilter | 37 | netfilter |
38 | no3d | ||
39 | nogroups | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
42 | nosound | ||
43 | novideo | ||
41 | protocol unix,inet,inet6 | 44 | protocol unix,inet,inet6 |
42 | seccomp | 45 | seccomp |
43 | |||
44 | # | ||
45 | # depending on your usage, you can enable some of the commands below: | ||
46 | # | ||
47 | nogroups | ||
48 | shell none | 46 | shell none |
49 | # private-bin program | 47 | |
50 | # private-etc none | ||
51 | private-dev | 48 | private-dev |
52 | # private-tmp | 49 | private-tmp |
50 | |||
51 | noexec ${HOME} | ||
52 | noexec /tmp | ||
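Review bot: `private-tmp` (new line 49) replaces a deliberately commented `# private-tmp` (old line 52) without an explanation in the commit; if the option had been left off because something broke, that breakage returns silently. Either note the reason it is now considered safe, or keep it as `#private-tmp - <reason>` in the style used by the kwrite profile in this commit. `nosound` (new line 42) presumably relies on KDE notification sounds being played out of process, which is worth a sentence in the commit message as well.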
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 1c4d09f67..7ac881f6a 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -19,13 +19,13 @@ include /etc/firejail/disable-programs.inc | |||
19 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
20 | 20 | ||
21 | caps.drop all | 21 | caps.drop all |
22 | netfilter | ||
22 | nogroups | 23 | nogroups |
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | #nosound - KWrite is using ALSA! | 26 | #nosound - KWrite is using ALSA! |
26 | protocol unix | 27 | protocol unix |
27 | seccomp | 28 | seccomp |
28 | netfilter | ||
29 | shell none | 29 | shell none |
30 | tracelog | 30 | tracelog |
31 | 31 | ||
diff --git a/etc/leafpad.profile b/etc/leafpad.profile index 5ae025d6d..fc2cc7e09 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile | |||
@@ -6,24 +6,25 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/leafpad.local | 6 | include /etc/firejail/leafpad.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/leafpad | 8 | noblacklist ${HOME}/.config/leafpad |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
17 | protocol unix,inet,inet6 | 21 | nosound |
22 | novideo | ||
23 | protocol unix | ||
18 | seccomp | 24 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 25 | shell none |
25 | # private-bin program | 26 | |
26 | # private-etc none | 27 | private-dev |
27 | # private-dev | 28 | |
28 | # private-tmp | 29 | noexec ${HOME} |
29 | nosound | 30 | noexec /tmp |
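Review bot: leafpad ends up with `private-dev` (new line 27) but no `private-tmp`, while the comparable profiles in this commit (fontforge, geany, gucharmap, hugin, kcalc, kino) enable both, and the old profile listed both as commented suggestions (old lines 27–28), so the omission looks accidental. Either add `private-tmp` directly after `private-dev`, or leave a `#private-tmp - <reason>` line in the style of the kwrite profile so the gap is visibly deliberate.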
diff --git a/etc/less.profile b/etc/less.profile index 9d4eb3fcf..f8c26879e 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -21,5 +21,6 @@ blacklist /tmp/.X11-unix | |||
21 | 21 | ||
22 | private-dev | 22 | private-dev |
23 | 23 | ||
24 | memory-deny-write-execute | ||
24 | noexec ${HOME} | 25 | noexec ${HOME} |
25 | noexec /tmp | 26 | noexec /tmp |
diff --git a/etc/liferea.profile b/etc/liferea.profile index 92b3b8f88..f11137cdd 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
@@ -20,10 +20,28 @@ noblacklist ~/.cache/liferea | |||
20 | mkdir ~/.cache/liferea | 20 | mkdir ~/.cache/liferea |
21 | whitelist ~/.cache/liferea | 21 | whitelist ~/.cache/liferea |
22 | 22 | ||
23 | include /etc/firejail/disable-common.inc | ||
24 | include /etc/firejail/disable-devel.inc | ||
25 | include /etc/firejail/disable-passwdmgr.inc | ||
26 | include /etc/firejail/disable-programs.inc | ||
23 | include /etc/firejail/whitelist-common.inc | 27 | include /etc/firejail/whitelist-common.inc |
24 | include /etc/firejail/default.profile | ||
25 | 28 | ||
29 | caps.drop all | ||
30 | #ipc-namespace | ||
31 | netfilter | ||
32 | #no3d | ||
26 | nogroups | 33 | nogroups |
34 | nonewprivs | ||
35 | noroot | ||
36 | #nosound | ||
37 | novideo | ||
38 | protocol unix,inet,inet6 | ||
39 | seccomp | ||
27 | shell none | 40 | shell none |
41 | |||
28 | private-dev | 42 | private-dev |
29 | private-tmp | 43 | private-tmp |
44 | disable-mnt | ||
45 | |||
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
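Review bot: The rewrite replaces `include /etc/firejail/default.profile` (old line 24) with an explicit option list, so any restriction default.profile carried that is not re-listed on the new side is silently lost; only the lines visible here can be checked, so this is worth a quick diff against default.profile before merging. The three options left commented (`#ipc-namespace`, `#no3d`, `#nosound`, new lines 30, 32, 36) carry no reason, which invites the next tightening pass to enable them blindly; a one-line note per entry (placeholder: `#nosound - <reason it is needed>`) would record the trade-off. `netfilter` (new line 31) has no effect without a `net` option, so it should not be read as adding protection here.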
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6ee118f76..f73c83cbd 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -7,7 +7,9 @@ include /etc/firejail/luminance-hdr.local | |||
7 | 7 | ||
8 | # luminance-hdr | 8 | # luminance-hdr |
9 | noblacklist ${HOME}/.config/Luminance | 9 | noblacklist ${HOME}/.config/Luminance |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
13 | 15 | ||
@@ -18,13 +20,14 @@ nogroups | |||
18 | nonewprivs | 20 | nonewprivs |
19 | noroot | 21 | noroot |
20 | nosound | 22 | nosound |
23 | novideo | ||
21 | protocol unix | 24 | protocol unix |
22 | seccomp | 25 | seccomp |
23 | shell none | 26 | shell none |
24 | tracelog | 27 | tracelog |
25 | 28 | ||
26 | noexec ${HOME} | ||
27 | noexec /tmp | ||
28 | |||
29 | private-tmp | 29 | private-tmp |
30 | private-dev | 30 | private-dev |
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 28e674ebf..42996af04 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile | |||
@@ -6,24 +6,26 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/lximage-qt.local | 6 | include /etc/firejail/lximage-qt.local |
7 | 7 | ||
8 | noblacklist .config/lximage-qt | 8 | noblacklist .config/lximage-qt |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
17 | protocol unix,inet,inet6 | 21 | nosound |
22 | novideo | ||
23 | protocol unix | ||
18 | seccomp | 24 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 25 | shell none |
25 | # private-bin program | 26 | |
26 | # private-etc none | 27 | private-dev |
27 | # private-dev | 28 | private-tmp |
28 | # private-tmp | 29 | |
29 | nosound | 30 | noexec ${HOME} |
31 | noexec /tmp | ||
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index fd5136578..eac72c6db 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile | |||
@@ -7,24 +7,25 @@ include /etc/firejail/lxmusic.local | |||
7 | 7 | ||
8 | noblacklist ~/.cache/xmms2 | 8 | noblacklist ~/.cache/xmms2 |
9 | noblacklist ~/.config/xmms2 | 9 | noblacklist ~/.config/xmms2 |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
13 | 15 | ||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
18 | no3d | ||
19 | nogroups | ||
16 | nonewprivs | 20 | nonewprivs |
17 | noroot | 21 | noroot |
18 | protocol unix,inet,inet6 | 22 | novideo |
23 | protocol unix | ||
19 | seccomp | 24 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 25 | shell none |
26 | # private-bin program | 26 | |
27 | # private-etc none | 27 | private-dev |
28 | # private-dev | 28 | private-tmp |
29 | # private-tmp | 29 | |
30 | # nosound | 30 | noexec ${HOME} |
31 | noexec /tmp | ||
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index 76593df0b..e083e8b88 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/mate-calc.local | 6 | include /etc/firejail/mate-calc.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/mate-calc | 8 | noblacklist ${HOME}/.config/mate-calc |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
17 | protocol unix,inet,inet6 | 21 | nosound |
22 | novideo | ||
23 | protocol unix | ||
18 | seccomp | 24 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 25 | shell none |
25 | # private-bin program | 26 | |
26 | # private-etc none | 27 | private-dev |
27 | # private-dev | 28 | private-tmp |
28 | # private-tmp | 29 | disable-mnt |
29 | nosound | 30 | |
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 6db3dd624..74fe4bd69 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
@@ -3,27 +3,29 @@ include /etc/firejail/globals.local | |||
3 | 3 | ||
4 | # This file is overwritten during software install. | 4 | # This file is overwritten during software install. |
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/default.local | 6 | include /etc/firejail/mate-color-select.local |
7 | 7 | ||
8 | private | 8 | include /etc/firejail/disable-common.inc |
9 | #include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-devel.inc |
10 | #include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | #include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-programs.inc |
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | no3d | ||
16 | nogroups | ||
15 | nonewprivs | 17 | nonewprivs |
16 | noroot | 18 | noroot |
17 | protocol unix,inet,inet6 | 19 | nosound |
20 | novideo | ||
21 | protocol unix | ||
18 | seccomp | 22 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 23 | shell none |
25 | # private-bin program | 24 | |
26 | # private-etc none | 25 | private |
27 | # private-dev | 26 | private-dev |
28 | # private-tmp | 27 | private-tmp |
29 | nosound | 28 | disable-mnt |
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index fc4c1c425..4fe0795d2 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/mate-dictionary.local | 6 | include /etc/firejail/mate-dictionary.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/mate/mate-dictionary | 8 | noblacklist ${HOME}/.config/mate/mate-dictionary |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
21 | nosound | ||
22 | novideo | ||
17 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
18 | seccomp | 24 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 25 | shell none |
25 | # private-bin program | 26 | |
26 | # private-etc none | 27 | private-dev |
27 | # private-dev | 28 | private-tmp |
28 | # private-tmp | 29 | disable-mnt |
29 | nosound | 30 | |
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 59cb080d3..8758d66b9 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -12,15 +12,14 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | nogroups | 15 | net none |
16 | nonewprivs | 16 | nonewprivs |
17 | nogroups | ||
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | no3d | 20 | no3d |
20 | protocol unix | 21 | protocol unix |
21 | seccomp | 22 | seccomp |
22 | netfilter | ||
23 | net none | ||
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
26 | 25 | ||
diff --git a/etc/meld.profile b/etc/meld.profile index bc4cd8356..503f6d07c 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | 17 | #ipc-namespace |
18 | net none | 18 | net none |
19 | netfilter | ||
20 | no3d | 19 | no3d |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/mumble.profile b/etc/mumble.profile index 7303ac65a..a2104957d 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile | |||
@@ -35,5 +35,6 @@ private-bin mumble | |||
35 | private-tmp | 35 | private-tmp |
36 | disable-mnt | 36 | disable-mnt |
37 | 37 | ||
38 | memory-deny-write-execute | ||
38 | noexec ${HOME} | 39 | noexec ${HOME} |
39 | noexec /tmp | 40 | noexec /tmp |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e6652e688..ca61edfdd 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | ||
22 | net none | ||
23 | shell none | 22 | shell none |
24 | tracelog | 23 | tracelog |
25 | 24 | ||
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index ef3203eb5..4f2f50d9f 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -22,12 +22,12 @@ include /etc/firejail/disable-devel.inc | |||
22 | include /etc/firejail/disable-passwdmgr.inc | 22 | include /etc/firejail/disable-passwdmgr.inc |
23 | 23 | ||
24 | caps.drop all | 24 | caps.drop all |
25 | netfilter | ||
25 | nogroups | 26 | nogroups |
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | protocol unix | 29 | protocol unix |
29 | seccomp | 30 | seccomp |
30 | netfilter | ||
31 | shell none | 31 | shell none |
32 | tracelog | 32 | tracelog |
33 | 33 | ||
diff --git a/etc/nemo.profile b/etc/nemo.profile index 1d9124d19..5e6f4936f 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile | |||
@@ -16,18 +16,15 @@ include /etc/firejail/disable-devel.inc | |||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
19 | no3d | ||
20 | nogroups | ||
19 | nonewprivs | 21 | nonewprivs |
20 | noroot | 22 | noroot |
23 | nosound | ||
24 | novideo | ||
21 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
22 | seccomp | 26 | seccomp |
23 | |||
24 | # | ||
25 | # depending on your usage, you can enable some of the commands below: | ||
26 | # | ||
27 | nogroups | ||
28 | shell none | 27 | shell none |
29 | # private-bin program | 28 | |
30 | # private-etc none | 29 | noexec ${HOME} |
31 | # private-dev | 30 | noexec /tmp |
32 | # private-tmp | ||
33 | # nosound | ||
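Review bot: nemo keeps `protocol unix,inet,inet6` plus `netfilter` (new lines 18 and 25) while pcmanfm in the same commit is cut to `net none`; if nemo is expected to reach the network for remote browsing, a comment saying so would explain the difference, otherwise `net none` is the consistent choice for a local file manager. netfilter without a `net` option has no effect, so on its own it does not tighten anything here. The profile also gains `noexec ${HOME}` and `noexec /tmp` but, unlike the other profiles touched in this commit, no `private-dev` or `private-tmp`; if that is deliberate because a file manager needs the real /tmp and device nodes, a short comment would keep it from being re-added later.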
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index abec7dde2..8cfadd9ac 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | ||
22 | net none | ||
23 | no3d | 22 | no3d |
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
diff --git a/etc/okular.profile b/etc/okular.profile index 982f524fa..578f01915 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -35,3 +35,6 @@ tracelog | |||
35 | # private-etc fonts,X11 | 35 | # private-etc fonts,X11 |
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
38 | |||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
diff --git a/etc/openshot.profile b/etc/openshot.profile index bc4ccc46a..25c803512 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -8,13 +8,23 @@ include /etc/firejail/openshot.local | |||
8 | # OpenShot profile | 8 | # OpenShot profile |
9 | noblacklist ${HOME}/.openshot | 9 | noblacklist ${HOME}/.openshot |
10 | noblacklist ${HOME}/.openshot_qt | 10 | noblacklist ${HOME}/.openshot_qt |
11 | |||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
19 | nogroups | ||
17 | nonewprivs | 20 | nonewprivs |
18 | noroot | 21 | noroot |
19 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
20 | seccomp | 23 | seccomp |
24 | shell none | ||
25 | |||
26 | private-dev | ||
27 | private-tmp | ||
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
diff --git a/etc/orage.profile b/etc/orage.profile index ea577f873..c9977d002 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
@@ -7,24 +7,27 @@ include /etc/firejail/orage.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/orage | 8 | noblacklist ${HOME}/.config/orage |
9 | noblacklist ${HOME}/.local/share/orage | 9 | noblacklist ${HOME}/.local/share/orage |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
13 | 15 | ||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
18 | no3d | ||
19 | nogroups | ||
16 | nonewprivs | 20 | nonewprivs |
17 | noroot | 21 | noroot |
18 | protocol unix,inet,inet6 | 22 | nosound |
23 | novideo | ||
24 | protocol unix | ||
19 | seccomp | 25 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 26 | shell none |
26 | # private-bin program | 27 | |
27 | # private-etc none | ||
28 | private-dev | 28 | private-dev |
29 | # private-tmp | 29 | private-tmp |
30 | disable-mnt | ||
30 | 31 | ||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 68d002f2d..654904f17 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile | |||
@@ -15,21 +15,13 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | net none |
19 | nogroups | 19 | no3d |
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
26 | tracelog | 27 | tracelog |
27 | |||
28 | # | ||
29 | # depending on your usage, you can enable some of the commands below: | ||
30 | # | ||
31 | # private-bin program | ||
32 | # private-etc none | ||
33 | # private-dev | ||
34 | # private-tmp | ||
35 | |||
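Review bot: `nogroups` is dropped from pcmanfm: old line 19 `nogroups` becomes new line 19 `no3d`, and nothing on the new side re-adds it, while the rest of this commit is adding nogroups to profiles that lacked it. That looks like an in-place editing slip rather than a deliberate loosening; restore it between `no3d` and `nonewprivs`: `nogroups`. The switch from `netfilter` to `net none` (new line 18) is the right direction for a local file manager and makes the old netfilter line moot.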
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index b46ac9294..2465be252 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -20,7 +20,6 @@ include /etc/firejail/disable-devel.inc | |||
20 | caps.drop all | 20 | caps.drop all |
21 | #ipc-namespace | 21 | #ipc-namespace |
22 | net none | 22 | net none |
23 | netfilter | ||
24 | no3d | 23 | no3d |
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index a6b2b2f78..e5dab840f 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | ||
15 | nogroups | 16 | nogroups |
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | ||
22 | net none | ||
23 | no3d | 22 | no3d |
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
diff --git a/etc/peek.profile b/etc/peek.profile index bac3e0a99..811eb701b 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
@@ -29,5 +29,6 @@ shell none | |||
29 | private-dev | 29 | private-dev |
30 | private-tmp | 30 | private-tmp |
31 | 31 | ||
32 | memory-deny-write-execute | ||
32 | noexec ${HOME} | 33 | noexec ${HOME} |
33 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e3ffad9a1..9500731fe 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local | |||
8 | # Firejail profile for Psi+ | 8 | # Firejail profile for Psi+ |
9 | noblacklist ${HOME}/.config/psi+ | 9 | noblacklist ${HOME}/.config/psi+ |
10 | noblacklist ${HOME}/.local/share/psi+ | 10 | noblacklist ${HOME}/.local/share/psi+ |
11 | |||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
14 | 16 | ||
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+ | |||
20 | mkdir ~/.cache/psi+ | 22 | mkdir ~/.cache/psi+ |
21 | whitelist ~/.cache/psi+ | 23 | whitelist ~/.cache/psi+ |
22 | 24 | ||
25 | include /etc/firejail/whitelist-common.inc | ||
26 | |||
23 | caps.drop all | 27 | caps.drop all |
24 | netfilter | 28 | netfilter |
29 | no3d | ||
30 | nogroups | ||
31 | nonewprivs | ||
25 | noroot | 32 | noroot |
33 | novideo | ||
26 | protocol unix,inet,inet6 | 34 | protocol unix,inet,inet6 |
27 | seccomp | 35 | seccomp |
36 | shell none | ||
28 | 37 | ||
29 | include /etc/firejail/whitelist-common.inc | 38 | private-dev |
39 | private-tmp | ||
40 | disable-mnt | ||
41 | |||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
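Review bot: `novideo` is added (new line 33) while `nosound` is deliberately left out, so audio stays available but the camera is cut off; if Psi+ is used with its voice/video-call plugins this presumably breaks video calls, and if video is not expected to work the reason should be on the line rather than implicit. Either confirm the intent or document the trade-off next to the option (placeholder: `novideo # <reason video is not needed>`), in the same spirit as the `#ipc-namespace` annotations elsewhere in this commit. `netfilter` (new line 28) keeps its meaning here only because the profile also allows inet protocols; without a `net` option it still filters nothing.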
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index bc92e50ea..f6458de86 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
@@ -23,3 +23,5 @@ shell none | |||
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | private-tmp | 25 | private-tmp |
26 | |||
27 | noexec /tmp | ||
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 907de5e8f..fdfd7ab72 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
@@ -21,3 +21,5 @@ shell none | |||
21 | tracelog | 21 | tracelog |
22 | 22 | ||
23 | private-tmp | 23 | private-tmp |
24 | |||
25 | noexec /tmp | ||
diff --git a/etc/qlipper.profile b/etc/qlipper.profile index a5ef53112..d57856c1a 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile | |||
@@ -6,26 +6,27 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/qlipper.local | 6 | include /etc/firejail/qlipper.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Qlipper | 8 | noblacklist ${HOME}/.config/Qlipper |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
17 | protocol unix,inet,inet6 | 21 | nosound |
22 | novideo | ||
23 | protocol unix | ||
18 | seccomp | 24 | seccomp |
25 | shell none | ||
19 | 26 | ||
27 | private-dev | ||
28 | private-tmp | ||
29 | disable-mnt | ||
20 | 30 | ||
21 | 31 | noexec ${HOME} | |
22 | # | 32 | noexec /tmp |
23 | # depending on your usage, you can enable some of the commands below: | ||
24 | # | ||
25 | nogroups | ||
26 | shell none | ||
27 | # private-bin program | ||
28 | # private-etc none | ||
29 | # private-dev | ||
30 | # private-tmp | ||
31 | nosound | ||
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index c8112f064..aa17693cd 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -42,3 +42,6 @@ private-dev | |||
42 | disable-mnt | 42 | disable-mnt |
43 | 43 | ||
44 | include /etc/firejail/whitelist-common.inc | 44 | include /etc/firejail/whitelist-common.inc |
45 | |||
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
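--- /dev/null
+++ b/etc/rambox.profile
@@ -0,0 +1,31 @@
+#Persistent global definitions go here
+include /etc/firejail/globals.local
+
+#This file is overwritten during software install.
+#Persistent customizations should go in a .local file.
+include /etc/firejail/rambox.local
+
+# Rambox profile for firejail
+noblacklist ~/.config/Rambox
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Rambox
+whitelist ~/.config/Rambox
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc
+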
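Review bot: The new rambox profile includes disable-common, disable-programs and disable-devel (lines 11–13) but not `include /etc/firejail/disable-passwdmgr.inc`, and it has no `shell none`, `private-dev`, `private-tmp` or `noexec` lines, all of which this same commit adds to far simpler profiles. The whitelist block already hides most of $HOME, so the missing include costs little in practice, but it is the commit's own convention and is free to add; `shell none` after `seccomp` is likewise free, while `private-dev`/`private-tmp` and `noexec ${HOME}` need a quick check that the app still launches before they go in. The header comments also lack the space after `#` that every other profile in this commit uses (`# Persistent global definitions go here`), and `#tracelog` is left commented with no reason recorded.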
diff --git a/etc/ranger.profile b/etc/ranger.profile index 7103f821d..ab0545aaf 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -18,7 +18,6 @@ include /etc/firejail/disable-devel.inc | |||
18 | include /etc/firejail/disable-passwdmgr.inc | 18 | include /etc/firejail/disable-passwdmgr.inc |
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | ||
22 | net none | 21 | net none |
23 | nogroups | 22 | nogroups |
24 | nonewprivs | 23 | nonewprivs |
@@ -27,5 +26,4 @@ protocol unix | |||
27 | seccomp | 26 | seccomp |
28 | nosound | 27 | nosound |
29 | 28 | ||
30 | private-tmp | ||
31 | private-dev | 29 | private-dev |
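Review bot: `private-tmp` is removed from ranger (old line 30) with nothing recording why, so the next tightening pass will most likely put it back; if it breaks something, say so on the line in the style ssh.profile uses in this same commit, `#private-tmp #Breaks <what>`, rather than deleting it outright. Dropping `netfilter` next to `net none` in the first hunk is fine, since netfilter has no effect without a network namespace and `net none` already removes all interfaces.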
diff --git a/etc/ristretto.profile b/etc/ristretto.profile index ca4b1a64d..3d3491658 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile | |||
@@ -10,22 +10,24 @@ noblacklist ~/.Steam | |||
10 | noblacklist ~/.steam | 10 | noblacklist ~/.steam |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
17 | netfilter | 18 | netfilter |
19 | no3d | ||
20 | nogroups | ||
18 | nonewprivs | 21 | nonewprivs |
19 | noroot | 22 | noroot |
20 | protocol unix,inet,inet6 | 23 | nosound |
24 | novideo | ||
25 | protocol unix | ||
21 | seccomp | 26 | seccomp |
22 | |||
23 | # | ||
24 | # depending on your usage, you can enable some of the commands below: | ||
25 | # | ||
26 | nogroups | ||
27 | shell none | 27 | shell none |
28 | # private-bin program | 28 | |
29 | # private-etc none | ||
30 | private-dev | 29 | private-dev |
31 | # private-tmp | 30 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/skype.profile b/etc/skype.profile index 8b97c7152..7c7a4eb17 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -7,17 +7,22 @@ include /etc/firejail/skype.local | |||
7 | 7 | ||
8 | # Skype profile | 8 | # Skype profile |
9 | noblacklist ${HOME}/.Skype | 9 | noblacklist ${HOME}/.Skype |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
13 | 15 | ||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
18 | nogroups | ||
16 | nonewprivs | 19 | nonewprivs |
17 | noroot | 20 | noroot |
18 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
19 | seccomp | 22 | seccomp |
23 | shell none | ||
20 | 24 | ||
25 | private-dev | ||
21 | private-tmp | 26 | private-tmp |
22 | disable-mnt | 27 | disable-mnt |
23 | 28 | ||
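Review bot: The new side now lists `include /etc/firejail/disable-devel.inc` twice (new lines 12 and 14): the hunk inserts one copy above disable-programs while the old line 12 copy is kept below it. The sibling skypeforlinux section shows the intended layout, so the second copy (new line 14) should become `include /etc/firejail/disable-passwdmgr.inc`, which skype currently lacks. The duplicate is presumably harmless at runtime, but it hides the missing include from anyone scanning the profile.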
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 71bc1b9a6..a2f693945 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -7,16 +7,22 @@ include /etc/firejail/skypeforlinux.local | |||
7 | 7 | ||
8 | # skypeforlinux profile | 8 | # skypeforlinux profile |
9 | noblacklist ${HOME}/.config/skypeforlinux | 9 | noblacklist ${HOME}/.config/skypeforlinux |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
13 | 15 | ||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
18 | nogroups | ||
19 | nonewprivs | ||
16 | noroot | 20 | noroot |
17 | seccomp | ||
18 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
22 | seccomp | ||
23 | shell none | ||
19 | 24 | ||
25 | private-dev | ||
20 | private-tmp | 26 | private-tmp |
21 | disable-mnt | 27 | disable-mnt |
22 | 28 | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index e592841a1..466abdc88 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -31,5 +31,6 @@ tracelog | |||
31 | private-dev | 31 | private-dev |
32 | #private-tmp #Breaks when exiting | 32 | #private-tmp #Breaks when exiting |
33 | 33 | ||
34 | memory-deny-write-execute | ||
34 | noexec ${HOME} | 35 | noexec ${HOME} |
35 | noexec /tmp | 36 | noexec /tmp |
diff --git a/etc/strings.profile b/etc/strings.profile index af49feb04..a83e3a801 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -18,3 +18,5 @@ shell none | |||
18 | tracelog | 18 | tracelog |
19 | private-dev | 19 | private-dev |
20 | blacklist /tmp/.X11-unix | 20 | blacklist /tmp/.X11-unix |
21 | |||
22 | memory-deny-write-execute | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index ffabdef76..bcb42f624 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -8,19 +8,25 @@ include /etc/firejail/synfigstudio.local | |||
8 | # synfigstudio | 8 | # synfigstudio |
9 | noblacklist ${HOME}/.config/synfig | 9 | noblacklist ${HOME}/.config/synfig |
10 | noblacklist ${HOME}/.synfig | 10 | noblacklist ${HOME}/.synfig |
11 | |||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
19 | nogroups | ||
17 | nonewprivs | 20 | nonewprivs |
18 | noroot | 21 | noroot |
22 | nosound | ||
23 | novideo | ||
19 | protocol unix | 24 | protocol unix |
20 | seccomp | 25 | seccomp |
21 | 26 | shell none | |
22 | noexec ${HOME} | ||
23 | noexec /tmp | ||
24 | 27 | ||
25 | private-dev | 28 | private-dev |
26 | private-tmp | 29 | private-tmp |
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index f2c91be86..b87bebf43 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
18 | nogroups | 19 | nogroups |
19 | nonewprivs | 20 | nonewprivs |
20 | noroot | 21 | noroot |
@@ -22,7 +23,6 @@ nosound | |||
22 | no3d | 23 | no3d |
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | netfilter | ||
26 | shell none | 26 | shell none |
27 | tracelog | 27 | tracelog |
28 | 28 | ||
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 0502bbfb4..5b7e6e7c8 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile | |||
@@ -28,3 +28,5 @@ tracelog | |||
28 | private-tmp | 28 | private-tmp |
29 | private-dev | 29 | private-dev |
30 | private-etc none | 30 | private-etc none |
31 | |||
32 | memory-deny-write-execute | ||
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 84d01179c..7f85aa69c 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -34,3 +34,5 @@ tracelog | |||
34 | private-bin transmission-gtk | 34 | private-bin transmission-gtk |
35 | private-dev | 35 | private-dev |
36 | private-tmp | 36 | private-tmp |
37 | |||
38 | memory-deny-write-execute | ||
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 8d1e1eac2..743f9ff4f 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile | |||
@@ -15,7 +15,6 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | net none | 18 | net none |
20 | nonewprivs | 19 | nonewprivs |
21 | noroot | 20 | noroot |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 25d78439d..fab620499 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -14,7 +14,6 @@ include /etc/firejail/disable-common.inc | |||
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
16 | 16 | ||
17 | netfilter | ||
18 | 17 | ||
19 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
20 | mkdir ~/.config/vivaldi | 19 | mkdir ~/.config/vivaldi |
@@ -22,3 +21,16 @@ whitelist ~/.config/vivaldi | |||
22 | mkdir ~/.cache/vivaldi | 21 | mkdir ~/.cache/vivaldi |
23 | whitelist ~/.cache/vivaldi | 22 | whitelist ~/.cache/vivaldi |
24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
24 | |||
25 | caps.keep sys_chroot,sys_admin | ||
26 | #ipc-namespace | ||
27 | netfilter | ||
28 | nogroups | ||
29 | shell none | ||
30 | |||
31 | private-dev | ||
32 | #private-tmp - problems with multiple browser sessions | ||
33 | #disable-mnt | ||
34 | |||
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
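Review bot: `caps.keep sys_chroot,sys_admin` retains CAP_SYS_ADMIN, which covers far more than the chroot/namespace setup a Chromium-derived sandbox presumably needs (mount, umount2, pivot_root, setns, ...), so the effective containment now rests on the seccomp filter and `nonewprivs`, neither of which is visible in this hunk; please confirm both precede this line in the profile. The line also needs a why-comment, e.g. `# Vivaldi's bundled Chromium sandbox needs sys_chroot/sys_admin; seccomp is what keeps mount/pivot_root out of reach`, so nobody later treats it as a harmless capability to widen. `#ipc-namespace` is commented out with no reason given, unlike `#private-tmp`; a note such as `#ipc-namespace - breaks <what>` would help the next maintainer. On the positive side, `noexec ${HOME}` together with the visible `whitelist ${DOWNLOADS}` means a downloaded file cannot be executed in place.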
diff --git a/etc/vlc.profile b/etc/vlc.profile index b36e844ff..34f4aa5ff 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -27,5 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | |||
27 | private-dev | 27 | private-dev |
28 | private-tmp | 28 | private-tmp |
29 | 29 | ||
30 | memory-deny-write-execute | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
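Review bot: `memory-deny-write-execute` can break VLC's OpenGL video outputs on hosts that fall back to Mesa's llvmpipe (its LLVM JIT needs writable+executable pages), and possibly other JIT-backed modules, so this should be tested under software rendering before it ships; the video-output related lines of the profile are outside this hunk. If it stays, a comment such as `# memory-deny-write-execute - may break OpenGL/llvmpipe video output; drop it in vlc.local if playback fails` records the trade-off. The visible `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` context already bounds what can be executed, which is the larger containment win here.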
diff --git a/etc/vym.profile b/etc/vym.profile index 4139ea901..d3058fa64 100644 --- a/etc/vym.profile +++ b/etc/vym.profile | |||
@@ -6,25 +6,27 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/vym.local | 6 | include /etc/firejail/vym.local |
7 | 7 | ||
8 | noblacklist ./.config/InSilmaril | 8 | noblacklist ./.config/InSilmaril |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
17 | # no network connectivity | 21 | nosound |
22 | novideo | ||
18 | protocol unix | 23 | protocol unix |
19 | seccomp | 24 | seccomp |
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | 25 | shell none |
26 | # private-bin vym | 26 | |
27 | # private-etc none | ||
28 | private-dev | 27 | private-dev |
29 | private-tmp | 28 | private-tmp |
30 | nosound | 29 | disable-mnt |
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
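Review bot: The tightening keeps `netfilter` directly alongside `protocol unix`, and with inet/inet6 sockets forbidden there is no traffic for the filter to act on, so the line is dead weight; this same commit removes that redundancy from transmission-show and zathura, and for an offline mind-mapper `net none` would be the clearer and stronger statement (it also drops the network namespace entirely). While here, the unchanged `noblacklist ./.config/InSilmaril` on context line 8 is a relative path, unlike every other noblacklist in this diff, so it resolves against the launch cwd rather than the user's home; `noblacklist ${HOME}/.config/InSilmaril` is presumably what was meant — confirm against vym's actual config directory. `no3d` could affect rendering if this Qt build uses OpenGL-backed widgets; that is not visible here and is worth a quick check.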
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 7a6d620cf..7bfeba2b1 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
@@ -14,13 +14,13 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | ||
17 | nogroups | 18 | nogroups |
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | netfilter | ||
24 | shell none | 24 | shell none |
25 | tracelog | 25 | tracelog |
26 | 26 | ||
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 4e466352d..08ae17a55 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile | |||
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/xfce4-dict.local | 6 | include /etc/firejail/xfce4-dict.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/xfce4-dict | 8 | noblacklist ${HOME}/.config/xfce4-dict |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
12 | 14 | ||
13 | caps.drop all | 15 | caps.drop all |
14 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nogroups | ||
15 | nonewprivs | 19 | nonewprivs |
16 | noroot | 20 | noroot |
21 | nosound | ||
22 | novideo | ||
17 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
18 | seccomp | 24 | seccomp |
19 | |||
20 | # | ||
21 | # depending on your usage, you can enable some of the commands below: | ||
22 | # | ||
23 | nogroups | ||
24 | shell none | 25 | shell none |
25 | # private-bin program | 26 | |
26 | # private-etc none | ||
27 | private-dev | 27 | private-dev |
28 | # private-tmp | 28 | private-tmp |
29 | disable-mnt | ||
29 | 30 | ||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index 737bb0a23..e3215d6ea 100644 --- a/etc/xfce4-notes.profile +++ b/etc/xfce4-notes.profile | |||
@@ -8,23 +8,27 @@ include /etc/firejail/xfce4-notes.local | |||
8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc | 8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc |
9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc | 9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc |
10 | noblacklist ${HOME}/.local/share/notes | 10 | noblacklist ${HOME}/.local/share/notes |
11 | |||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
19 | no3d | ||
20 | nogroups | ||
17 | nonewprivs | 21 | nonewprivs |
18 | noroot | 22 | noroot |
19 | protocol unix,inet,inet6 | 23 | nosound |
24 | novideo | ||
25 | protocol unix | ||
20 | seccomp | 26 | seccomp |
21 | |||
22 | # | ||
23 | # depending on your usage, you can enable some of the commands below: | ||
24 | # | ||
25 | nogroups | ||
26 | shell none | 27 | shell none |
27 | # private-bin program | 28 | |
28 | # private-etc none | ||
29 | private-dev | 29 | private-dev |
30 | # private-tmp | 30 | private-tmp |
31 | disable-mnt | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
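Review bot: Narrowing to `protocol unix` leaves the `netfilter` line (new side line 18) with nothing to filter, since no inet/inet6 socket can be created; either drop it, as this commit does for transmission-show and zathura, or replace the pair with `net none`, which is the stronger form for a local notes application and makes the no-network intent explicit. If a sync or URL-open feature motivated the old `protocol unix,inet,inet6`, it is not visible here and should be confirmed before the switch lands. The rest of the additions (`disable-devel.inc`, `no3d`, `nosound`, `novideo`, `private-tmp`, `disable-mnt`, `noexec`) are consistent with the sibling profiles in this commit.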
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 611c7b379..957636124 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | nogroups | 30 | nogroups |
31 | nonewprivs | 31 | nonewprivs |
32 | noroot | 32 | noroot |
33 | novideo | ||
33 | protocol unix,inet,inet6 | 34 | protocol unix,inet,inet6 |
34 | seccomp | 35 | seccomp |
35 | shell none | 36 | shell none |
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 5b3018ce8..ce8cd2459 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
@@ -9,17 +9,26 @@ include /etc/firejail/xpdf.local | |||
9 | # xpdf application profile | 9 | # xpdf application profile |
10 | ################################ | 10 | ################################ |
11 | noblacklist ${HOME}/.xpdfrc | 11 | noblacklist ${HOME}/.xpdfrc |
12 | |||
12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
15 | 17 | ||
16 | caps.drop all | 18 | caps.drop all |
17 | net none | 19 | net none |
20 | no3d | ||
21 | nogroups | ||
18 | nonewprivs | 22 | nonewprivs |
19 | noroot | 23 | noroot |
24 | nosound | ||
25 | novideo | ||
20 | protocol unix | 26 | protocol unix |
21 | shell none | ||
22 | seccomp | 27 | seccomp |
28 | shell none | ||
23 | 29 | ||
24 | private-dev | 30 | private-dev |
25 | private-tmp | 31 | private-tmp |
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
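Review bot: xpdf renders untrusted PDFs, and with `net none`, `no3d` and `noexec` now in place the one measure this same commit adds to vlc and transmission but not here is `memory-deny-write-execute`; xpdf's renderer is plain C++ with no JIT as far as I know, so it should be safe, but it needs a test run. `protocol unix` beneath `net none` is harmless but redundant in the same way the commit treats `netfilter` in transmission-show and zathura. A short comment heading the hardening block, e.g. `# PDF input is untrusted: no network, no 3d, no exec from home or /tmp`, would record the intent for future edits.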
diff --git a/etc/xpra.profile b/etc/xpra.profile index a41ee2613..c8bb3ef52 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -23,7 +23,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
23 | 23 | ||
24 | caps.drop all | 24 | caps.drop all |
25 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 25 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
26 | #net none | ||
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
29 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 28 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
diff --git a/etc/zathura.profile b/etc/zathura.profile index 18afe3bfa..502e066c8 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | ||
18 | net none | 17 | net none |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 54bd2f697..03dd65327 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -230,6 +230,7 @@ | |||
230 | /etc/firejail/quiterss.profile | 230 | /etc/firejail/quiterss.profile |
231 | /etc/firejail/qupzilla.profile | 231 | /etc/firejail/qupzilla.profile |
232 | /etc/firejail/qutebrowser.profile | 232 | /etc/firejail/qutebrowser.profile |
233 | /etc/firejail/rambox.profile | ||
233 | /etc/firejail/ranger.profile | 234 | /etc/firejail/ranger.profile |
234 | /etc/firejail/rhythmbox.profile | 235 | /etc/firejail/rhythmbox.profile |
235 | /etc/firejail/riot-web.profile | 236 | /etc/firejail/riot-web.profile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index a6472a604..299b165f6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -212,6 +212,7 @@ quassel | |||
212 | quiterss | 212 | quiterss |
213 | qupzilla | 213 | qupzilla |
214 | qutebrowser | 214 | qutebrowser |
215 | rambox | ||
215 | ranger | 216 | ranger |
216 | rhythmbox | 217 | rhythmbox |
217 | ristretto | 218 | ristretto |