diff options
153 files changed, 415 insertions, 120 deletions
@@ -117,6 +117,7 @@ bn0785ac (https://github.com/bn0785ac) | |||
117 | - chromium canary (inox-family) fixes | 117 | - chromium canary (inox-family) fixes |
118 | - allow multithreading for cin and natron | 118 | - allow multithreading for cin and natron |
119 | - fix dbus access for libreoffice on KDE | 119 | - fix dbus access for libreoffice on KDE |
120 | - fix inox, add snox profile | ||
120 | BogDan Vatra (https://github.com/bog-dan-ro) | 121 | BogDan Vatra (https://github.com/bog-dan-ro) |
121 | - zoom profile | 122 | - zoom profile |
122 | Bruno Nova (https://github.com/brunonova) | 123 | Bruno Nova (https://github.com/brunonova) |
@@ -310,6 +311,10 @@ Jean Lucas (https://github.com/flacks) | |||
310 | - add WebStorm profile | 311 | - add WebStorm profile |
311 | - add XMind profile | 312 | - add XMind profile |
312 | - add nvm to list of disabled interpreters | 313 | - add nvm to list of disabled interpreters |
314 | - fixes for tor-browser-* profiles | ||
315 | - alias for riot-desktop | ||
316 | - add gnome-mpv profile | ||
317 | - fix wire profile | ||
313 | Jericho (https://github.com/attritionorg) | 318 | Jericho (https://github.com/attritionorg) |
314 | - spelling | 319 | - spelling |
315 | Jesse Smith (https://github.com/slicer69) | 320 | Jesse Smith (https://github.com/slicer69) |
@@ -100,5 +100,38 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
100 | ````` | 100 | ````` |
101 | # Current development version: 0.9.55 | 101 | # Current development version: 0.9.55 |
102 | 102 | ||
103 | ## New commands: | ||
104 | ````` | ||
105 | (wireless support for --net) | ||
106 | --net=ethernet_interface|wireless_interface | ||
107 | Enable a new network namespace and connect it to this ethernet | ||
108 | interface using the standard Linux macvlan|ipvaln driver. | ||
109 | Unless specified with option --ip and --defaultgw, an IP | ||
110 | address and a default gateway will be assigned automatically to | ||
111 | the sandbox. The IP address is verified using ARP before | ||
112 | assignment. The address configured as default gateway is the | ||
113 | default gateway of the host. Up to four --net options can be | ||
114 | specified. Support for ipvlan driver was introduced in Linux | ||
115 | kernel 3.19. | ||
116 | |||
117 | Example: | ||
118 | $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox | ||
119 | $ firejail --net=wlan0 firefox | ||
120 | |||
121 | --nou2f | ||
122 | Disable U2F devices. | ||
123 | |||
124 | Example: | ||
125 | $ firejail --nou2f | ||
126 | |||
127 | --private-cache | ||
128 | Mount an empty temporary filesystem on top of the .cache | ||
129 | directory in user home. All modifications are discarded | ||
130 | when the sandbox is closed. | ||
131 | |||
132 | Example: | ||
133 | $ firejail --private-cache | ||
134 | ````` | ||
135 | |||
103 | ## New profiles | 136 | ## New profiles |
104 | Microsoft Office Online | 137 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, |
@@ -1,10 +1,11 @@ | |||
1 | firejail (0.9.55) baseline; urgency=low | 1 | firejail (0.9.55) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed CFG_CHROOT_DESKTOP configuration option | 3 | * modif: removed CFG_CHROOT_DESKTOP configuration option |
4 | * add --private-cache to support private ~/.cache | ||
4 | * support full paths in private-lib | 5 | * support full paths in private-lib |
5 | * globbing support in private-lib | 6 | * globbing support in private-lib |
6 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint | 7 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint |
7 | * new profiles: ms-skype, ms-word | 8 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox |
8 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 | 9 | -- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500 |
9 | 10 | ||
10 | firejail (0.9.54) baseline; urgency=low | 11 | firejail (0.9.54) baseline; urgency=low |
diff --git a/etc/7z.profile b/etc/7z.profile index 0330e4dbf..e3f27b93f 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/7z.local | 5 | include /etc/firejail/7z.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/7za.profile b/etc/7za.profile new file mode 100644 index 000000000..e035bf4f5 --- /dev/null +++ b/etc/7za.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for 7za | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/7za.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include /etc/firejail/globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/7z.profile | ||
diff --git a/etc/7zr.profile b/etc/7zr.profile new file mode 100644 index 000000000..e48c5494e --- /dev/null +++ b/etc/7zr.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for 7zr | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/7zr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include /etc/firejail/globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/7z.profile | ||
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index 08c2860b3..f1336be3e 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile | |||
@@ -25,5 +25,6 @@ protocol unix,inet,inet6,netlink | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-cache | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 5ff0b7c3a..d845bd4b9 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
@@ -32,6 +32,7 @@ protocol unix,inet,inet6 | |||
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-cache | ||
35 | # private-tmp | 36 | # private-tmp |
36 | 37 | ||
37 | # noexec /tmp breaks 'Android Profiler' | 38 | # noexec /tmp breaks 'Android Profiler' |
diff --git a/etc/apktool.profile b/etc/apktool.profile index d5063d79b..ded17ca58 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
@@ -26,6 +26,7 @@ seccomp | |||
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-bin apktool,bash,java,dirname,basename,expr,sh | 28 | private-bin apktool,bash,java,dirname,basename,expr,sh |
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | 31 | ||
31 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index 70e02fc7b..0987ce149 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile | |||
@@ -32,6 +32,7 @@ shell none | |||
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private | 34 | private |
35 | private-cache | ||
35 | private-bin arch-audit | 36 | private-bin arch-audit |
36 | private-dev | 37 | private-dev |
37 | private-tmp | 38 | private-tmp |
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index df42dfaed..c2090af98 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -30,6 +30,7 @@ seccomp | |||
30 | shell none | 30 | shell none |
31 | 31 | ||
32 | #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm | 32 | #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts | 35 | #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts |
35 | private-tmp | 36 | private-tmp |
diff --git a/etc/arduino.profile b/etc/arduino.profile index 14741c964..c8850ccb0 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -35,6 +35,7 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | 37 | ||
38 | private-cache | ||
38 | private-tmp | 39 | private-tmp |
39 | 40 | ||
40 | noexec ${HOME} | 41 | noexec ${HOME} |
diff --git a/etc/ark.profile b/etc/ark.profile index cd6e5d54f..0c7ef3dae 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -31,7 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,unar,lsar,lrzip,lzop,lz4 | 34 | private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh |
35 | #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg | 35 | #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg |
36 | 36 | ||
37 | private-dev | 37 | private-dev |
diff --git a/etc/atom.profile b/etc/atom.profile index c513c7531..f7e30aeb4 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -27,6 +27,7 @@ protocol unix,inet,inet6,netlink | |||
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | private-tmp | 32 | private-tmp |
32 | 33 | ||
diff --git a/etc/atool.profile b/etc/atool.profile index 83b681437..06eace7d2 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -36,6 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | private-cache | ||
39 | # private-bin atool | 40 | # private-bin atool |
40 | private-dev | 41 | private-dev |
41 | private-etc passwd,group | 42 | private-etc passwd,group |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 1cd5d6a69..6507aeadb 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -27,6 +27,7 @@ seccomp | |||
27 | 27 | ||
28 | disable-mnt | 28 | disable-mnt |
29 | private | 29 | private |
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | private-tmp | 32 | private-tmp |
32 | read-write /var/lib/bitlbee | 33 | read-write /var/lib/bitlbee |
diff --git a/etc/bless.profile b/etc/bless.profile index 3fd04cae6..1dd756153 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | # private-bin bless,sh,bash,mono | 31 | # private-bin bless,sh,bash,mono |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-etc fonts,mono | 34 | private-etc fonts,mono |
34 | private-tmp | 35 | private-tmp |
diff --git a/etc/brackets.profile b/etc/brackets.profile index 22a8dffea..8f1068506 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -26,4 +26,5 @@ protocol unix,inet,inet6,netlink | |||
26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic | 26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic |
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
diff --git a/etc/brasero.profile b/etc/brasero.profile index 26074af22..a012d4715 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -27,6 +27,7 @@ shell none | |||
27 | tracelog | 27 | tracelog |
28 | 28 | ||
29 | # private-bin brasero | 29 | # private-bin brasero |
30 | private-cache | ||
30 | # private-dev | 31 | # private-dev |
31 | # private-etc fonts | 32 | # private-etc fonts |
32 | # private-tmp | 33 | # private-tmp |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index e33e010aa..c63cfad8d 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -34,6 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | tracelog | 35 | tracelog |
36 | 36 | ||
37 | private-cache | ||
37 | private-dev | 38 | private-dev |
38 | private-tmp | 39 | private-tmp |
39 | 40 | ||
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 8b25f4e60..c8132cd0f 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/chromium-common.local | 4 | include /etc/firejail/chromium-common.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | # already included by caller profile |
7 | #include /etc/firejail/globals.local | ||
7 | 8 | ||
8 | noblacklist ${HOME}/.pki | 9 | noblacklist ${HOME}/.pki |
9 | 10 | ||
diff --git a/etc/cin.profile b/etc/cin.profile index e2410e3a5..92baef33a 100644 --- a/etc/cin.profile +++ b/etc/cin.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | #private-bin cin,ffmpeg | 31 | #private-bin cin,ffmpeg |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | 34 | ||
34 | noexec ${HOME} | 35 | noexec ${HOME} |
diff --git a/etc/clion.profile b/etc/clion.profile index 115df72c4..bcb18114e 100644 --- a/etc/clion.profile +++ b/etc/clion.profile | |||
@@ -28,6 +28,7 @@ protocol unix,inet,inet6 | |||
28 | seccomp | 28 | seccomp |
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | # private-tmp | 33 | # private-tmp |
33 | 34 | ||
diff --git a/etc/clipit.profile b/etc/clipit.profile index e5660f859..3134fdc3e 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | disable-mnt | 31 | disable-mnt |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/code.profile b/etc/code.profile index af7d379ed..ab69008f1 100644 --- a/etc/code.profile +++ b/etc/code.profile | |||
@@ -26,6 +26,7 @@ protocol unix,inet,inet6,netlink | |||
26 | seccomp | 26 | seccomp |
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
31 | 32 | ||
diff --git a/etc/conky.profile b/etc/conky.profile index fe90ac099..af275b915 100644 --- a/etc/conky.profile +++ b/etc/conky.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/curl.profile b/etc/curl.profile index 521cd20cc..1d2515f51 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | # private-bin curl | 31 | # private-bin curl |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | # private-etc resolv.conf | 34 | # private-etc resolv.conf |
34 | private-tmp | 35 | private-tmp |
diff --git a/etc/default.profile b/etc/default.profile index 9a2fcae64..42c1056c5 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
@@ -33,6 +33,7 @@ seccomp | |||
33 | # disable-mnt | 33 | # disable-mnt |
34 | # private | 34 | # private |
35 | # private-bin program | 35 | # private-bin program |
36 | # private-cache | ||
36 | # private-dev | 37 | # private-dev |
37 | # private-etc none | 38 | # private-etc none |
38 | # private-lib | 39 | # private-lib |
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 0634c0eaf..aeef46413 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
@@ -34,6 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep | 36 | private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep |
37 | private-cache | ||
37 | private-dev | 38 | private-dev |
38 | 39 | ||
39 | noexec ${HOME} | 40 | noexec ${HOME} |
diff --git a/etc/dia.profile b/etc/dia.profile index 49c6727f9..fca14236f 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -30,6 +30,7 @@ shell none | |||
30 | 30 | ||
31 | disable-mnt | 31 | disable-mnt |
32 | #private-bin dia | 32 | #private-bin dia |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
35 | 36 | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 71d4ad97b..56121809a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -383,3 +383,12 @@ blacklist /vmlinuz* | |||
383 | 383 | ||
384 | # complement noexec ${HOME} and noexec /tmp | 384 | # complement noexec ${HOME} and noexec /tmp |
385 | noexec /tmp/.X11-unix | 385 | noexec /tmp/.X11-unix |
386 | |||
387 | # flatpak | ||
388 | blacklist ${HOME}/*.config/flatpak | ||
389 | blacklist ${HOME}/*.var | ||
390 | blacklist ${HOME}/*.local/share/flatpak | ||
391 | blacklist /var/lib/flatpak | ||
392 | blacklist /usr/share/flatpak | ||
393 | # most of the time bwrap is SUID binary | ||
394 | blacklist /usr/bin/bwrap \ No newline at end of file | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 7eaa1c2ba..f72b5a5c3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/geeqie | |||
132 | blacklist ${HOME}/.config/ghb | 132 | blacklist ${HOME}/.config/ghb |
133 | blacklist ${HOME}/.config/globaltime | 133 | blacklist ${HOME}/.config/globaltime |
134 | blacklist ${HOME}/.config/gnome-mplayer | 134 | blacklist ${HOME}/.config/gnome-mplayer |
135 | blacklist ${HOME}/.config/gnome-mpv | ||
135 | blacklist ${HOME}/.config/google-chrome | 136 | blacklist ${HOME}/.config/google-chrome |
136 | blacklist ${HOME}/.config/google-chrome-beta | 137 | blacklist ${HOME}/.config/google-chrome-beta |
137 | blacklist ${HOME}/.config/google-chrome-unstable | 138 | blacklist ${HOME}/.config/google-chrome-unstable |
diff --git a/etc/discord-common.profile b/etc/discord-common.profile index 5cd8d6bb6..65a307681 100644 --- a/etc/discord-common.profile +++ b/etc/discord-common.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/discord-common.local | 4 | include /etc/firejail/discord-common.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | # already included by caller profile |
7 | #include /etc/firejail/globals.local | ||
7 | 8 | ||
8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 4d0afc159..0971451c4 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -27,6 +27,7 @@ seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,i | |||
27 | 27 | ||
28 | disable-mnt | 28 | disable-mnt |
29 | private | 29 | private |
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | 32 | ||
32 | # mdwe can break modules/plugins | 33 | # mdwe can break modules/plugins |
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index f71f5bb02..fc1209c1e 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -28,4 +28,5 @@ seccomp | |||
28 | 28 | ||
29 | disable-mnt | 29 | disable-mnt |
30 | private | 30 | private |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
diff --git a/etc/elinks.profile b/etc/elinks.profile index 5d28ac0c8..6878c4fe0 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -31,6 +31,7 @@ shell none | |||
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | # private-bin elinks | 33 | # private-bin elinks |
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
35 | # private-etc none | 36 | # private-etc none |
36 | private-tmp | 37 | private-tmp |
diff --git a/etc/empathy.profile b/etc/empathy.profile index b9d682322..9d70afcb8 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
@@ -20,3 +20,6 @@ noroot | |||
20 | notv | 20 | notv |
21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
22 | seccomp | 22 | seccomp |
23 | |||
24 | private-cache | ||
25 | private-tmp | ||
diff --git a/etc/enchant.profile b/etc/enchant.profile index 29472313d..a495122dc 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -30,6 +30,7 @@ shell none | |||
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | # private-bin enchant, enchant-* | 32 | # private-bin enchant, enchant-* |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-etc none | 35 | private-etc none |
35 | private-tmp | 36 | private-tmp |
diff --git a/etc/enox.profile b/etc/enox.profile index 460143ad7..46f409346 100644 --- a/etc/enox.profile +++ b/etc/enox.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.cache/Enox | 8 | noblacklist ${HOME}/.cache/Enox |
9 | noblacklist ${HOME}/.config/Enox | 9 | noblacklist ${HOME}/.config/Enox |
10 | 10 | ||
11 | mkdir ${HOME}/.cache/dnox | 11 | #mkdir ${HOME}/.cache/dnox |
12 | mkdir ${HOME}/.config/dnox | 12 | #mkdir ${HOME}/.config/dnox |
13 | mkdir ${HOME}/.cache/Enox | 13 | mkdir ${HOME}/.cache/Enox |
14 | mkdir ${HOME}/.config/Enox | 14 | mkdir ${HOME}/.config/Enox |
15 | whitelist ${HOME}/.cache/Enox | 15 | whitelist ${HOME}/.cache/Enox |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 2522a32a3..2666397f4 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -36,6 +36,7 @@ shell none | |||
36 | tracelog | 36 | tracelog |
37 | 37 | ||
38 | # private-bin exiftool,perl | 38 | # private-bin exiftool,perl |
39 | private-cache | ||
39 | private-dev | 40 | private-dev |
40 | private-etc none | 41 | private-etc none |
41 | private-tmp | 42 | private-tmp |
diff --git a/etc/feh.profile b/etc/feh.profile index 657f05f3c..c79e98d1c 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -27,6 +27,7 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin feh,jpegexiforient,jpegtran | 29 | private-bin feh,jpegexiforient,jpegtran |
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | private-etc feh | 32 | private-etc feh |
32 | private-tmp | 33 | private-tmp |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index b0de1f1a3..818f24e7e 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/firefox-common.local | 4 | include /etc/firejail/firefox-common.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | # already included by caller profile |
7 | #include /etc/firejail/globals.local | ||
7 | 8 | ||
8 | # uncomment the following line to allow access to common programs/addons/plugins | 9 | # uncomment the following line to allow access to common programs/addons/plugins |
9 | #include /etc/firejail/firefox-common-addons.inc | 10 | #include /etc/firejail/firefox-common-addons.inc |
diff --git a/etc/firejail.config b/etc/firejail.config index 42dfaf3c6..1f47f77d0 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -56,11 +56,6 @@ | |||
56 | # Remove /usr/local directories from private-bin list, default disabled. | 56 | # Remove /usr/local directories from private-bin list, default disabled. |
57 | # private-bin-no-local no | 57 | # private-bin-no-local no |
58 | 58 | ||
59 | # Mount an empty temporary filesystem on top of the .cache | ||
60 | # directory in user home. All modifications are discarded when | ||
61 | # the sandbox is closed. Default enabled. | ||
62 | # private-cache yes | ||
63 | |||
64 | # Enable or disable private-home feature, default enabled | 59 | # Enable or disable private-home feature, default enabled |
65 | # private-home yes | 60 | # private-home yes |
66 | 61 | ||
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index e06107f0f..9d399931d 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -31,6 +31,7 @@ protocol unix,inet,inet6,netlink | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
35 | private-tmp | 36 | private-tmp |
36 | 37 | ||
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index 088ed626b..c80588a8b 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
@@ -32,6 +32,7 @@ protocol unix | |||
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-cache | ||
35 | private-dev | 36 | private-dev |
36 | private-tmp | 37 | private-tmp |
37 | 38 | ||
diff --git a/etc/freecad.profile b/etc/freecad.profile index dc5738e01..9ea4e0f2b 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-bin freecad,freecadcmd | 31 | private-bin freecad,freecadcmd |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/freshclam.profile b/etc/freshclam.profile index 08eac5595..4e224dd3e 100644 --- a/etc/freshclam.profile +++ b/etc/freshclam.profile | |||
@@ -24,6 +24,7 @@ tracelog | |||
24 | 24 | ||
25 | disable-mnt | 25 | disable-mnt |
26 | private | 26 | private |
27 | private-cache | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | writable-var | 30 | writable-var |
diff --git a/etc/geany.profile b/etc/geany.profile index 35e405319..9db533e8c 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -25,5 +25,6 @@ protocol unix,inet,inet6 | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-cache | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
diff --git a/etc/git.profile b/etc/git.profile index 7dac03b1b..1bf9e8e4b 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -34,4 +34,5 @@ protocol unix,inet,inet6 | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | private-cache | ||
37 | private-dev | 38 | private-dev |
diff --git a/etc/gitg.profile b/etc/gitg.profile index 39cbdc53d..deee7c994 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-bin gitg,git,ssh | 31 | private-bin gitg,git,ssh |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/globaltime.profile b/etc/globaltime.profile index 19820ce85..0df6b5e63 100644 --- a/etc/globaltime.profile +++ b/etc/globaltime.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index dfee1ae08..4ddfc456a 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile | |||
@@ -23,4 +23,5 @@ protocol unix,inet,inet6 | |||
23 | seccomp | 23 | seccomp |
24 | shell none | 24 | shell none |
25 | 25 | ||
26 | private-cache | ||
26 | private-dev | 27 | private-dev |
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 9089d7ee8..8a67d6e5c 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
@@ -30,6 +30,7 @@ seccomp | |||
30 | shell none | 30 | shell none |
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
35 | 36 | ||
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 7cf97a79f..f54219174 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
@@ -22,6 +22,7 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | 23 | ||
24 | # private-bin gnome-mplayer,mplayer | 24 | # private-bin gnome-mplayer,mplayer |
25 | private-cache | ||
25 | private-dev | 26 | private-dev |
26 | private-tmp | 27 | private-tmp |
27 | 28 | ||
diff --git a/etc/gnome-mpv.profile b/etc/gnome-mpv.profile new file mode 100644 index 000000000..e834e8ec7 --- /dev/null +++ b/etc/gnome-mpv.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Firejail profile for gnome-mpv | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-mpv.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/gnome-mpv | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-interpreters.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
18 | caps.drop all | ||
19 | nodbus | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | protocol unix,inet,inet6 | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | private-bin gnome-mpv | ||
28 | private-dev | ||
29 | private-tmp | ||
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7f50e1e8d..85020fc2e 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -31,4 +31,5 @@ shell none | |||
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | # private-bin gpg-agent,gpg | 33 | # private-bin gpg-agent,gpg |
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 7eb8a3ac8..ab43152d8 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -31,4 +31,5 @@ shell none | |||
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | # private-bin gpg,gpg-agent | 33 | # private-bin gpg,gpg-agent |
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index eb0c38ec2..77ce42b36 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -29,5 +29,6 @@ shell none | |||
29 | tracelog | 29 | tracelog |
30 | 30 | ||
31 | private-bin gthumb | 31 | private-bin gthumb |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index 16ea2047d..60a13af3a 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile | |||
@@ -28,6 +28,7 @@ shell none | |||
28 | 28 | ||
29 | disable-mnt | 29 | disable-mnt |
30 | private | 30 | private |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/gzip.profile b/etc/gzip.profile index 779067770..33892e5c9 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/gzip.local | 5 | include /etc/firejail/gzip.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/hashcat.profile b/etc/hashcat.profile index d61165a91..0fb8b8704 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile | |||
@@ -31,6 +31,7 @@ shell none | |||
31 | 31 | ||
32 | disable-mnt | 32 | disable-mnt |
33 | private-bin hashcat | 33 | private-bin hashcat |
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
35 | private-tmp | 36 | private-tmp |
36 | 37 | ||
diff --git a/etc/highlight.profile b/etc/highlight.profile index a93019696..cd48df10c 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -30,6 +30,7 @@ shell none | |||
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | private-bin highlight | 32 | private-bin highlight |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | # private-etc none | 35 | # private-etc none |
35 | private-tmp | 36 | private-tmp |
diff --git a/etc/hugin.profile b/etc/hugin.profile index 761c4e039..f92acac66 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend | 30 | private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index caec416e9..06328ccbf 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
@@ -32,6 +32,7 @@ protocol unix,inet,inet6 | |||
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-cache | ||
35 | private-dev | 36 | private-dev |
36 | # private-tmp | 37 | # private-tmp |
37 | 38 | ||
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 1cc8d2953..bbefd8044 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -27,6 +27,7 @@ shell none | |||
27 | tracelog | 27 | tracelog |
28 | 28 | ||
29 | # private-bin img2txt | 29 | # private-bin img2txt |
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | # private-etc none | 32 | # private-etc none |
32 | private-tmp | 33 | private-tmp |
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 9a325d18b..ca23cedfa 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -36,6 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | 37 | ||
38 | private-bin jd-gui,sh,bash | 38 | private-bin jd-gui,sh,bash |
39 | private-cache | ||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index cb2f2092a..b3b09f4b1 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -31,4 +31,5 @@ shell none | |||
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-cache | ||
34 | private-tmp | 35 | private-tmp |
diff --git a/etc/keepass.profile b/etc/keepass.profile index 9ae6abfb2..03f27d3fa 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
@@ -33,6 +33,7 @@ protocol unix,inet,inet6 | |||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-cache | ||
36 | private-dev | 37 | private-dev |
37 | private-tmp | 38 | private-tmp |
38 | 39 | ||
diff --git a/etc/kino.profile b/etc/kino.profile index 054b185dd..5144ce448 100644 --- a/etc/kino.profile +++ b/etc/kino.profile | |||
@@ -25,6 +25,7 @@ protocol unix | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-cache | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
30 | 31 | ||
diff --git a/etc/krita.profile b/etc/krita.profile index 99fd235db..01f7b6ff8 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
@@ -36,6 +36,7 @@ protocol unix | |||
36 | seccomp | 36 | seccomp |
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-cache | ||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
diff --git a/etc/less.profile b/etc/less.profile index 9b04329f2..2b5449a7b 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/less.local | 5 | include /etc/firejail/less.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
@@ -24,6 +25,7 @@ writable-var-log | |||
24 | # Enable private-bin and private-lib if you are not using any filter. | 25 | # Enable private-bin and private-lib if you are not using any filter. |
25 | # private-bin less | 26 | # private-bin less |
26 | # private-lib | 27 | # private-lib |
28 | private-cache | ||
27 | private-dev | 29 | private-dev |
28 | 30 | ||
29 | memory-deny-write-execute | 31 | memory-deny-write-execute |
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 8d55f5de2..8104a2886 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -28,6 +28,7 @@ shell none | |||
28 | tracelog | 28 | tracelog |
29 | 29 | ||
30 | #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack | 30 | #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 971d969ad..e50455532 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile | |||
@@ -27,6 +27,7 @@ protocol unix | |||
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | private-tmp | 32 | private-tmp |
32 | 33 | ||
diff --git a/etc/lynx.profile b/etc/lynx.profile index fec9661c6..ba5322787 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -29,6 +29,7 @@ shell none | |||
29 | tracelog | 29 | tracelog |
30 | 30 | ||
31 | # private-bin lynx | 31 | # private-bin lynx |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | # private-etc none | 34 | # private-etc none |
34 | private-tmp | 35 | private-tmp |
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index bbef46567..6d20d7261 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile | |||
@@ -35,6 +35,7 @@ seccomp | |||
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack | 37 | private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack |
38 | private-cache | ||
38 | private-dev | 39 | private-dev |
39 | private-tmp | 40 | private-tmp |
40 | 41 | ||
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index d79a0e886..48db03c27 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -30,6 +30,7 @@ shell none | |||
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | private-bin mediainfo | 32 | private-bin mediainfo |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-etc none | 35 | private-etc none |
35 | private-tmp | 36 | private-tmp |
diff --git a/etc/meld.profile b/etc/meld.profile index 78d9e0c76..1e85343df 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-bin meld,python* | 30 | private-bin meld,python* |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/mpd.profile b/etc/mpd.profile index 7f3e42e08..2ad520633 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | #private-bin mpd,bash | 30 | #private-bin mpd,bash |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/obs.profile b/etc/obs.profile index 9a0fab3f8..7529dd1bb 100644 --- a/etc/obs.profile +++ b/etc/obs.profile | |||
@@ -25,6 +25,7 @@ shell none | |||
25 | tracelog | 25 | tracelog |
26 | 26 | ||
27 | private-bin obs | 27 | private-bin obs |
28 | private-cache | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
30 | 31 | ||
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 32d51f478..aea6b79d2 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -30,6 +30,7 @@ shell none | |||
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | private-bin odt2txt | 32 | private-bin odt2txt |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-etc none | 35 | private-etc none |
35 | private-tmp | 36 | private-tmp |
diff --git a/etc/orage.profile b/etc/orage.profile index 8e218eb2d..2ac420f05 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | disable-mnt | 31 | disable-mnt |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/p7zip.profile b/etc/p7zip.profile new file mode 100644 index 000000000..b813bfda5 --- /dev/null +++ b/etc/p7zip.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for p7zip | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/p7zip.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include /etc/firejail/globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/7z.profile | ||
diff --git a/etc/parole.profile b/etc/parole.profile index c659614e3..36ae97726 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -22,4 +22,5 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | 23 | ||
24 | private-bin parole,dbus-launch | 24 | private-bin parole,dbus-launch |
25 | private-cache | ||
25 | private-etc passwd,group,fonts | 26 | private-etc passwd,group,fonts |
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index a5d9c2d65..fbd7ec179 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -37,6 +37,7 @@ seccomp | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config | 39 | private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config |
40 | private-cache | ||
40 | private-dev | 41 | private-dev |
41 | private-tmp | 42 | private-tmp |
42 | 43 | ||
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index ac2597a68..e0fd270af 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -26,6 +26,7 @@ shell none | |||
26 | tracelog | 26 | tracelog |
27 | 27 | ||
28 | private-bin pidgin | 28 | private-bin pidgin |
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
31 | 32 | ||
diff --git a/etc/pinta.profile b/etc/pinta.profile index 73fabb95f..010de0d3e 100644 --- a/etc/pinta.profile +++ b/etc/pinta.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-dev | 31 | private-dev |
32 | private-cache | ||
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
34 | noexec ${HOME} | 35 | noexec ${HOME} |
diff --git a/etc/pix.profile b/etc/pix.profile index ec495269d..dfc6d780e 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -30,5 +30,6 @@ shell none | |||
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | private-bin pix | 32 | private-bin pix |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index bbb907577..89bb9dadf 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -32,6 +32,7 @@ tracelog | |||
32 | 32 | ||
33 | # private-etc fonts,passwd - minimal required to run but will probably break | 33 | # private-etc fonts,passwd - minimal required to run but will probably break |
34 | # program! | 34 | # program! |
35 | private-cache | ||
35 | private-dev | 36 | private-dev |
36 | private-tmp | 37 | private-tmp |
37 | 38 | ||
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index 20b14c0ca..263c71535 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
@@ -23,6 +23,7 @@ seccomp | |||
23 | shell none | 23 | shell none |
24 | tracelog | 24 | tracelog |
25 | 25 | ||
26 | private-cache | ||
26 | private-tmp | 27 | private-tmp |
27 | 28 | ||
28 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 7a60007fe..3ab25e92e 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
@@ -22,6 +22,7 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | private-cache | ||
25 | private-tmp | 26 | private-tmp |
26 | 27 | ||
27 | noexec /tmp | 28 | noexec /tmp |
diff --git a/etc/qlipper.profile b/etc/qlipper.profile index 237cd240b..079270909 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/quassel.profile b/etc/quassel.profile index 6783d5a43..9c5bbe1d3 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
@@ -19,3 +19,6 @@ noroot | |||
19 | notv | 19 | notv |
20 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
21 | seccomp | 21 | seccomp |
22 | |||
23 | private-cache | ||
24 | private-tmp | ||
diff --git a/etc/remmina.profile b/etc/remmina.profile index 4cd93b567..50746c60e 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev | 28 | # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev |
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile new file mode 100644 index 000000000..d38ab6876 --- /dev/null +++ b/etc/riot-desktop.profile | |||
@@ -0,0 +1,9 @@ | |||
1 | # Firejail profile for riot-desktop | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/riot-desktop.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | # Redirect | ||
9 | include /etc/firejail/riot-web.profile | ||
diff --git a/etc/riot-web.profile b/etc/riot-web.profile index 06dbbe9d9..1779d0b7c 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile | |||
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Riot | 8 | noblacklist ${HOME}/.config/Riot |
9 | 9 | ||
10 | mkdir ${HOME}/.config/Riot | ||
10 | whitelist ${HOME}/.config/Riot | 11 | whitelist ${HOME}/.config/Riot |
11 | include /etc/firejail/whitelist-common.inc | 12 | include /etc/firejail/whitelist-common.inc |
12 | 13 | ||
diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 7628d386f..08c9dbf2d 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile | |||
@@ -29,6 +29,7 @@ protocol unix | |||
29 | seccomp | 29 | seccomp |
30 | shell none | 30 | shell none |
31 | 31 | ||
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 57e933467..b4a2921ff 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -26,5 +26,6 @@ seccomp | |||
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-bin rtorrent | 28 | private-bin rtorrent |
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index a0674acbc..fbe1b2de5 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -34,6 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-bin sdat2img,env,python* | 36 | private-bin sdat2img,env,python* |
37 | private-cache | ||
37 | private-dev | 38 | private-dev |
38 | 39 | ||
39 | noexec ${HOME} | 40 | noexec ${HOME} |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index d76c486ea..e5a8ce4df 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -26,6 +26,7 @@ seccomp | |||
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | #private-bin shotcut,melt,qmelt,nice | 28 | #private-bin shotcut,melt,qmelt,nice |
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | 31 | ||
31 | #noexec ${HOME} | 32 | #noexec ${HOME} |
diff --git a/etc/skype.profile b/etc/skype.profile index f08542079..04f15b454 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -26,6 +26,7 @@ shell none | |||
26 | 26 | ||
27 | disable-mnt | 27 | disable-mnt |
28 | #private-bin skype,bash | 28 | #private-bin skype,bash |
29 | private-cache | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
31 | 32 | ||
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index c2270ce39..c675f0345 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -25,6 +25,7 @@ seccomp | |||
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | 27 | disable-mnt |
28 | private-cache | ||
28 | # private-dev - needs /dev/disk | 29 | # private-dev - needs /dev/disk |
29 | private-tmp | 30 | private-tmp |
30 | 31 | ||
diff --git a/etc/snox.profile b/etc/snox.profile new file mode 100644 index 000000000..22bb0cdb0 --- /dev/null +++ b/etc/snox.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # Firejail profile for snox | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/snox.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.cache/snox | ||
9 | noblacklist ${HOME}/.config/snox | ||
10 | |||
11 | #mkdir ${HOME}/.cache/dnox | ||
12 | #mkdir ${HOME}/.config/dnox | ||
13 | mkdir ${HOME}/.cache/snox | ||
14 | mkdir ${HOME}/.config/snox | ||
15 | whitelist ${HOME}/.cache/snox | ||
16 | whitelist ${HOME}/.config/snox | ||
17 | |||
18 | # Redirect | ||
19 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 3d231cf5b..b15ba266b 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -31,6 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
35 | private-tmp | 36 | private-tmp |
36 | 37 | ||
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 9711276c8..7bb7080e3 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-bin sqlitebrowser | 31 | private-bin sqlitebrowser |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index df86a276e..dfaeb9688 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | # private-tmp # Breaks when exiting | 34 | # private-tmp # Breaks when exiting |
34 | 35 | ||
diff --git a/etc/strings.profile b/etc/strings.profile index 8995ad2a6..5bea9525f 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/strings.local | 5 | include /etc/firejail/strings.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 677920266..dcfd730ee 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | #private-bin synfigstudio,synfig,ffmpeg | 31 | #private-bin synfigstudio,synfig,ffmpeg |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-tmp | 34 | private-tmp |
34 | 35 | ||
diff --git a/etc/tar.profile b/etc/tar.profile index 5f54bf02d..35dbb3378 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/tar.local | 5 | include /etc/firejail/tar.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/telegram.profile b/etc/telegram.profile index db055a898..9ffb9f287 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -23,6 +23,7 @@ protocol unix,inet,inet6 | |||
23 | seccomp | 23 | seccomp |
24 | 24 | ||
25 | disable-mnt | 25 | disable-mnt |
26 | private-cache | ||
26 | private-tmp | 27 | private-tmp |
27 | 28 | ||
28 | noexec ${HOME} | 29 | noexec ${HOME} |
diff --git a/etc/tilp.profile b/etc/tilp.profile index a9cccbd7b..7d63df630 100644 --- a/etc/tilp.profile +++ b/etc/tilp.profile | |||
@@ -28,6 +28,7 @@ tracelog | |||
28 | 28 | ||
29 | disable-mnt | 29 | disable-mnt |
30 | private-bin tilp | 30 | private-bin tilp |
31 | private-cache | ||
31 | private-etc fonts | 32 | private-etc fonts |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/tor-browser-ar.profile b/etc/tor-browser-ar.profile index 36eda5704..a668a05d4 100644 --- a/etc/tor-browser-ar.profile +++ b/etc/tor-browser-ar.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-ar | 4 | noblacklist ${HOME}/.tor-browser-ar |
5 | |||
6 | mkdir ${HOME}/.tor-browser-ar | ||
5 | whitelist ${HOME}/.tor-browser-ar | 7 | whitelist ${HOME}/.tor-browser-ar |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-en-us.profile b/etc/tor-browser-en-us.profile index f3ca8a74d..195377f0f 100644 --- a/etc/tor-browser-en-us.profile +++ b/etc/tor-browser-en-us.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-en-us | 4 | noblacklist ${HOME}/.tor-browser-en-us |
5 | |||
6 | mkdir ${HOME}/.tor-browser-en-us | ||
5 | whitelist ${HOME}/.tor-browser-en-us | 7 | whitelist ${HOME}/.tor-browser-en-us |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index fb2c2f9c9..75aad1a09 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-en | 4 | noblacklist ${HOME}/.tor-browser-en |
5 | |||
6 | mkdir ${HOME}/.tor-browser-en | ||
5 | whitelist ${HOME}/.tor-browser-en | 7 | whitelist ${HOME}/.tor-browser-en |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-es-es.profile b/etc/tor-browser-es-es.profile index c6c0d6e92..b6e5dedbc 100644 --- a/etc/tor-browser-es-es.profile +++ b/etc/tor-browser-es-es.profile | |||
@@ -1,8 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-en-es | 4 | noblacklist ${HOME}/.tor-browser-es-es |
5 | whitelist ${HOME}/.tor-browser-en-es | 5 | |
6 | mkdir ${HOME}/.tor-browser-es-es | ||
7 | whitelist ${HOME}/.tor-browser-es-es | ||
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
8 | include /etc/firejail/torbrowser-launcher.profile | 10 | include /etc/firejail/torbrowser-launcher.profile |
diff --git a/etc/tor-browser-es.profile b/etc/tor-browser-es.profile index 1fe940f72..c607c93e3 100644 --- a/etc/tor-browser-es.profile +++ b/etc/tor-browser-es.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-es | 4 | noblacklist ${HOME}/.tor-browser-es |
5 | |||
6 | mkdir ${HOME}/.tor-browser-es | ||
5 | whitelist ${HOME}/.tor-browser-es | 7 | whitelist ${HOME}/.tor-browser-es |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-fa.profile b/etc/tor-browser-fa.profile index 292c82de0..3ce689c21 100644 --- a/etc/tor-browser-fa.profile +++ b/etc/tor-browser-fa.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-fa | 4 | noblacklist ${HOME}/.tor-browser-fa |
5 | |||
6 | mkdir ${HOME}/.tor-browser-fa | ||
5 | whitelist ${HOME}/.tor-browser-fa | 7 | whitelist ${HOME}/.tor-browser-fa |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-fr.profile b/etc/tor-browser-fr.profile index b7b5a3d26..369184aba 100644 --- a/etc/tor-browser-fr.profile +++ b/etc/tor-browser-fr.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-fr | 4 | noblacklist ${HOME}/.tor-browser-fr |
5 | |||
6 | mkdir ${HOME}/.tor-browser-fr | ||
5 | whitelist ${HOME}/.tor-browser-fr | 7 | whitelist ${HOME}/.tor-browser-fr |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-it.profile b/etc/tor-browser-it.profile index bcaff3305..e5d54617d 100644 --- a/etc/tor-browser-it.profile +++ b/etc/tor-browser-it.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-it | 4 | noblacklist ${HOME}/.tor-browser-it |
5 | |||
6 | mkdir ${HOME}/.tor-browser-it | ||
5 | whitelist ${HOME}/.tor-browser-it | 7 | whitelist ${HOME}/.tor-browser-it |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-ja.profile b/etc/tor-browser-ja.profile index ffb98b874..a3cfa1987 100644 --- a/etc/tor-browser-ja.profile +++ b/etc/tor-browser-ja.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-ja | 4 | noblacklist ${HOME}/.tor-browser-ja |
5 | |||
6 | mkdir ${HOME}/.tor-browser-ja | ||
5 | whitelist ${HOME}/.tor-browser-ja | 7 | whitelist ${HOME}/.tor-browser-ja |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-ko.profile b/etc/tor-browser-ko.profile index c1a29f84e..6a7fe905c 100644 --- a/etc/tor-browser-ko.profile +++ b/etc/tor-browser-ko.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-ko | 4 | noblacklist ${HOME}/.tor-browser-ko |
5 | |||
6 | mkdir ${HOME}/.tor-browser-ko | ||
5 | whitelist ${HOME}/.tor-browser-ko | 7 | whitelist ${HOME}/.tor-browser-ko |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-pl.profile b/etc/tor-browser-pl.profile index d2b8ea3bc..e72d64a3e 100644 --- a/etc/tor-browser-pl.profile +++ b/etc/tor-browser-pl.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-pl | 4 | noblacklist ${HOME}/.tor-browser-pl |
5 | |||
6 | mkdir ${HOME}/.tor-browser-pl | ||
5 | whitelist ${HOME}/.tor-browser-pl | 7 | whitelist ${HOME}/.tor-browser-pl |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-pt-br.profile b/etc/tor-browser-pt-br.profile index 55794401e..d3a5d1b79 100644 --- a/etc/tor-browser-pt-br.profile +++ b/etc/tor-browser-pt-br.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-pt-br | 4 | noblacklist ${HOME}/.tor-browser-pt-br |
5 | |||
6 | mkdir ${HOME}/.tor-browser-pt-br | ||
5 | whitelist ${HOME}/.tor-browser-pt-br | 7 | whitelist ${HOME}/.tor-browser-pt-br |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-ru.profile b/etc/tor-browser-ru.profile index 21c6bc042..22b772b28 100644 --- a/etc/tor-browser-ru.profile +++ b/etc/tor-browser-ru.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-ru | 4 | noblacklist ${HOME}/.tor-browser-ru |
5 | |||
6 | mkdir ${HOME}/.tor-browser-ru | ||
5 | whitelist ${HOME}/.tor-browser-ru | 7 | whitelist ${HOME}/.tor-browser-ru |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-vi.profile b/etc/tor-browser-vi.profile index b0284814c..cd1c5b0b3 100644 --- a/etc/tor-browser-vi.profile +++ b/etc/tor-browser-vi.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-vi | 4 | noblacklist ${HOME}/.tor-browser-vi |
5 | |||
6 | mkdir ${HOME}/.tor-browser-vi | ||
5 | whitelist ${HOME}/.tor-browser-vi | 7 | whitelist ${HOME}/.tor-browser-vi |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor-browser-zh-cn.profile b/etc/tor-browser-zh-cn.profile index 330574dd3..bf1bc75d6 100644 --- a/etc/tor-browser-zh-cn.profile +++ b/etc/tor-browser-zh-cn.profile | |||
@@ -2,6 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | noblacklist ${HOME}/.tor-browser-zh-cn | 4 | noblacklist ${HOME}/.tor-browser-zh-cn |
5 | |||
6 | mkdir ${HOME}/.tor-browser-zh-cn | ||
5 | whitelist ${HOME}/.tor-browser-zh-cn | 7 | whitelist ${HOME}/.tor-browser-zh-cn |
6 | 8 | ||
7 | # Redirect | 9 | # Redirect |
diff --git a/etc/tor.profile b/etc/tor.profile index 5029cf9b1..e37fd232c 100644 --- a/etc/tor.profile +++ b/etc/tor.profile | |||
@@ -41,6 +41,7 @@ writable-var | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private | 42 | private |
43 | private-bin tor,bash | 43 | private-bin tor,bash |
44 | private-cache | ||
44 | private-dev | 45 | private-dev |
45 | private-etc tor,passwd | 46 | private-etc tor,passwd |
46 | private-tmp | 47 | private-tmp |
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index a33707ee4..9e3e0ef49 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -41,7 +41,7 @@ shell none | |||
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher | 44 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz |
45 | private-dev | 45 | private-dev |
46 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache | 46 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache |
47 | private-tmp | 47 | private-tmp |
diff --git a/etc/totem.profile b/etc/totem.profile index fecf12a4c..0b9252d6c 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-bin totem | 30 | private-bin totem |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | # private-etc fonts | 33 | # private-etc fonts |
33 | private-tmp | 34 | private-tmp |
diff --git a/etc/uefitool.profile b/etc/uefitool.profile index 2ab2d2652..70d694ac9 100644 --- a/etc/uefitool.profile +++ b/etc/uefitool.profile | |||
@@ -27,6 +27,7 @@ protocol unix | |||
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | private-cache | ||
30 | private-dev | 31 | private-dev |
31 | private-tmp | 32 | private-tmp |
32 | 33 | ||
diff --git a/etc/unrar.profile b/etc/unrar.profile index ba2a86f4c..40ee277e0 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/unrar.local | 5 | include /etc/firejail/unrar.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index 95c27e976..1a1142fe8 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/unzip.local | 5 | include /etc/firejail/unzip.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index b64ecaa3e..f71f0150d 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/uudeview.local | 5 | include /etc/firejail/uudeview.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | hostname uudeview | 10 | hostname uudeview |
10 | ignore noroot | 11 | ignore noroot |
@@ -18,6 +19,7 @@ shell none | |||
18 | tracelog | 19 | tracelog |
19 | 20 | ||
20 | private-bin uudeview | 21 | private-bin uudeview |
22 | private-cache | ||
21 | private-dev | 23 | private-dev |
22 | private-etc ld.so.preload | 24 | private-etc ld.so.preload |
23 | 25 | ||
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index d867e0e05..ce4983337 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -34,6 +34,7 @@ shell none | |||
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | private-bin viewnior | 36 | private-bin viewnior |
37 | private-cache | ||
37 | private-dev | 38 | private-dev |
38 | private-etc fonts | 39 | private-etc fonts |
39 | private-tmp | 40 | private-tmp |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 59544f5b5..bfc7874cf 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -31,6 +31,7 @@ shell none | |||
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | # private-bin w3m | 33 | # private-bin w3m |
34 | private-cache | ||
34 | private-dev | 35 | private-dev |
35 | private-etc resolv.conf,ssl,pki,ca-certificates,crypto-policies | 36 | private-etc resolv.conf,ssl,pki,ca-certificates,crypto-policies |
36 | private-tmp | 37 | private-tmp |
diff --git a/etc/webstorm.profile b/etc/webstorm.profile index 93bcb50bb..1a77fd833 100644 --- a/etc/webstorm.profile +++ b/etc/webstorm.profile | |||
@@ -35,5 +35,6 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | 37 | ||
38 | private-cache | ||
38 | private-dev | 39 | private-dev |
39 | private-tmp | 40 | private-tmp |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 5130a4e64..8ab672279 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -8,6 +8,11 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.config/wireshark | 8 | noblacklist ${HOME}/.config/wireshark |
9 | noblacklist ${HOME}/.wireshark | 9 | noblacklist ${HOME}/.wireshark |
10 | 10 | ||
11 | # Wireshark can use Lua for scripting | ||
12 | noblacklist ${PATH}/lua* | ||
13 | noblacklist /usr/lib/lua | ||
14 | noblacklist /usr/include/lua* | ||
15 | noblacklist /usr/share/lua | ||
11 | 16 | ||
12 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 18 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 0be0b56a5..fc5294d5b 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile | |||
@@ -28,6 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | private-cache | ||
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | 34 | ||
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index 484b66722..5749b7832 100644 --- a/etc/xfce4-notes.profile +++ b/etc/xfce4-notes.profile | |||
@@ -30,6 +30,7 @@ seccomp | |||
30 | shell none | 30 | shell none |
31 | 31 | ||
32 | disable-mnt | 32 | disable-mnt |
33 | private-cache | ||
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
35 | 36 | ||
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 5913fd07a..93b6d5093 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -4,7 +4,8 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/xzdec.local | 5 | include /etc/firejail/xzdec.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | # added by included default.profile |
8 | #include /etc/firejail/globals.local | ||
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
10 | 11 | ||
diff --git a/etc/zathura.profile b/etc/zathura.profile index 028e15ef5..6cdbbe99b 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -29,6 +29,7 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | 30 | ||
31 | private-bin zathura | 31 | private-bin zathura |
32 | private-cache | ||
32 | private-dev | 33 | private-dev |
33 | private-etc fonts,machine-id | 34 | private-etc fonts,machine-id |
34 | private-tmp | 35 | private-tmp |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index da614ae90..718c2f973 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -15,7 +15,6 @@ Natron | |||
15 | Telegram | 15 | Telegram |
16 | Viber | 16 | Viber |
17 | VirtualBox | 17 | VirtualBox |
18 | Wire | ||
19 | Xephyr | 18 | Xephyr |
20 | XMind | 19 | XMind |
21 | abrowser | 20 | abrowser |
@@ -173,6 +172,7 @@ gnome-font-viewer | |||
173 | gnome-logs | 172 | gnome-logs |
174 | gnome-maps | 173 | gnome-maps |
175 | gnome-mplayer | 174 | gnome-mplayer |
175 | gnome-mpv | ||
176 | gnome-music | 176 | gnome-music |
177 | gnome-photos | 177 | gnome-photos |
178 | gnome-recipes | 178 | gnome-recipes |
@@ -341,6 +341,7 @@ redeclipse | |||
341 | remmina | 341 | remmina |
342 | rhythmbox | 342 | rhythmbox |
343 | ricochet | 343 | ricochet |
344 | riot-desktop | ||
344 | riot-web | 345 | riot-web |
345 | ristretto | 346 | ristretto |
346 | rocketchat | 347 | rocketchat |
@@ -433,7 +434,7 @@ weechat-curses | |||
433 | wesnoth | 434 | wesnoth |
434 | wget | 435 | wget |
435 | wine | 436 | wine |
436 | wire | 437 | wire-desktop |
437 | wireshark | 438 | wireshark |
438 | wireshark-gtk | 439 | wireshark-gtk |
439 | wireshark-qt | 440 | wireshark-qt |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6dc28b9bb..68e93e16e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -175,15 +175,6 @@ int checkcfg(int val) { | |||
175 | else | 175 | else |
176 | goto errout; | 176 | goto errout; |
177 | } | 177 | } |
178 | // private-cache | ||
179 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
180 | if (strcmp(ptr + 14, "yes") == 0) | ||
181 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
182 | else if (strcmp(ptr + 14, "no") == 0) | ||
183 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
184 | else | ||
185 | goto errout; | ||
186 | } | ||
187 | // seccomp | 178 | // seccomp |
188 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | 179 | else if (strncmp(ptr, "seccomp ", 8) == 0) { |
189 | if (strcmp(ptr + 8, "yes") == 0) | 180 | if (strcmp(ptr + 8, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3e05591b8..f554c8ddf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -104,7 +104,7 @@ | |||
104 | // profiles | 104 | // profiles |
105 | #define DEFAULT_USER_PROFILE "default" | 105 | #define DEFAULT_USER_PROFILE "default" |
106 | #define DEFAULT_ROOT_PROFILE "server" | 106 | #define DEFAULT_ROOT_PROFILE "server" |
107 | #define MAX_INCLUDE_LEVEL 6 // include levels in profile files | 107 | #define MAX_INCLUDE_LEVEL 16 // include levels in profile files |
108 | 108 | ||
109 | 109 | ||
110 | #define ASSERT_PERMS(file, uid, gid, mode) \ | 110 | #define ASSERT_PERMS(file, uid, gid, mode) \ |
@@ -227,7 +227,6 @@ typedef struct config_t { | |||
227 | char *lib_private_keep; // keep list for private bin directory | 227 | char *lib_private_keep; // keep list for private bin directory |
228 | char *cwd; // current working directory | 228 | char *cwd; // current working directory |
229 | char *overlay_dir; | 229 | char *overlay_dir; |
230 | char *private_template; // template dir for tmpfs home | ||
231 | 230 | ||
232 | // networking | 231 | // networking |
233 | char *name; // sandbox name | 232 | char *name; // sandbox name |
@@ -307,7 +306,7 @@ static inline int any_interface_configured(void) { | |||
307 | } | 306 | } |
308 | 307 | ||
309 | extern int arg_private; // mount private /home | 308 | extern int arg_private; // mount private /home |
310 | extern int arg_private_template; // private /home template | 309 | extern int arg_private_cache; // private home/.cache |
311 | extern int arg_debug; // print debug messages | 310 | extern int arg_debug; // print debug messages |
312 | extern int arg_debug_blacklists; // print debug messages for blacklists | 311 | extern int arg_debug_blacklists; // print debug messages for blacklists |
313 | extern int arg_debug_whitelists; // print debug messages for whitelists | 312 | extern int arg_debug_whitelists; // print debug messages for whitelists |
@@ -566,12 +565,8 @@ void fs_dev_disable_u2f(void); | |||
566 | void fs_private(void); | 565 | void fs_private(void); |
567 | // private mode (--private=homedir) | 566 | // private mode (--private=homedir) |
568 | void fs_private_homedir(void); | 567 | void fs_private_homedir(void); |
569 | // private template (--private-template=templatedir) | ||
570 | void fs_private_template(void); | ||
571 | // check new private home directory (--private= option) - exit if it fails | 568 | // check new private home directory (--private= option) - exit if it fails |
572 | void fs_check_private_dir(void); | 569 | void fs_check_private_dir(void); |
573 | // check new private template home directory (--private-template= option) exit if it fails | ||
574 | void fs_check_private_template(void); | ||
575 | void fs_private_home_list(void); | 570 | void fs_private_home_list(void); |
576 | 571 | ||
577 | 572 | ||
@@ -753,7 +748,6 @@ enum { | |||
753 | CFG_PRIVATE_LIB, | 748 | CFG_PRIVATE_LIB, |
754 | CFG_APPARMOR, | 749 | CFG_APPARMOR, |
755 | CFG_DBUS, | 750 | CFG_DBUS, |
756 | CFG_PRIVATE_CACHE, | ||
757 | CFG_MAX // this should always be the last entry | 751 | CFG_MAX // this should always be the last entry |
758 | }; | 752 | }; |
759 | extern char *xephyr_screen; | 753 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 68b09dcbd..24ff553d7 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -27,12 +27,7 @@ | |||
27 | #include <glob.h> | 27 | #include <glob.h> |
28 | #include <dirent.h> | 28 | #include <dirent.h> |
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | |||
31 | // on Debian 7 we are missing O_PATH definition | ||
32 | #include <fcntl.h> | 30 | #include <fcntl.h> |
33 | #ifndef O_PATH | ||
34 | #define O_PATH 010000000 | ||
35 | #endif | ||
36 | 31 | ||
37 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | 32 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files |
38 | //#define TEST_NO_BLACKLIST_MATCHING | 33 | //#define TEST_NO_BLACKLIST_MATCHING |
@@ -1353,8 +1348,10 @@ void fs_private_cache(void) { | |||
1353 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); | 1348 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); |
1354 | return; | 1349 | return; |
1355 | } | 1350 | } |
1356 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) | 1351 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) { |
1352 | fwarning("no user .cache directory found, tmpfs not mounted\n"); | ||
1357 | return; | 1353 | return; |
1354 | } | ||
1358 | if (s.st_uid != getuid()) { | 1355 | if (s.st_uid != getuid()) { |
1359 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); | 1356 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); |
1360 | return; | 1357 | return; |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9ef80e5c3..d52b3996a 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -196,7 +196,6 @@ static void whitelist_path(ProfileEntry *entry) { | |||
196 | const char *fname; | 196 | const char *fname; |
197 | char *wfile = NULL; | 197 | char *wfile = NULL; |
198 | 198 | ||
199 | EUID_USER(); | ||
200 | if (entry->home_dir) { | 199 | if (entry->home_dir) { |
201 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 200 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
202 | fname = path + strlen(cfg.homedir); | 201 | fname = path + strlen(cfg.homedir); |
@@ -204,7 +203,8 @@ static void whitelist_path(ProfileEntry *entry) { | |||
204 | goto errexit; | 203 | goto errexit; |
205 | } | 204 | } |
206 | else | 205 | else |
207 | fname = path; | 206 | // symlink pointing outside /home, skip the mount |
207 | return; | ||
208 | 208 | ||
209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
210 | errExit("asprintf"); | 210 | errExit("asprintf"); |
@@ -236,17 +236,27 @@ static void whitelist_path(ProfileEntry *entry) { | |||
236 | errExit("asprintf"); | 236 | errExit("asprintf"); |
237 | } | 237 | } |
238 | else if (entry->var_dir) { | 238 | else if (entry->var_dir) { |
239 | fname = path + 5; // strlen("/var/") | 239 | if (strncmp(path, "/var/", 5) == 0) { |
240 | if (*fname == '\0') | 240 | fname = path + 5; // strlen("/var/") |
241 | goto errexit; | 241 | if (*fname == '\0') |
242 | goto errexit; | ||
243 | } | ||
244 | else | ||
245 | // symlink pointing outside /var, skip the mount | ||
246 | return; | ||
242 | 247 | ||
243 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 248 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
244 | errExit("asprintf"); | 249 | errExit("asprintf"); |
245 | } | 250 | } |
246 | else if (entry->dev_dir) { | 251 | else if (entry->dev_dir) { |
247 | fname = path + 5; // strlen("/dev/") | 252 | if (strncmp(path, "/dev/", 5) == 0) { |
248 | if (*fname == '\0') | 253 | fname = path + 5; // strlen("/dev/") |
249 | goto errexit; | 254 | if (*fname == '\0') |
255 | goto errexit; | ||
256 | } | ||
257 | else | ||
258 | // symlink pointing outside /dev, skip the mount | ||
259 | return; | ||
250 | 260 | ||
251 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 261 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
252 | errExit("asprintf"); | 262 | errExit("asprintf"); |
@@ -268,9 +278,14 @@ static void whitelist_path(ProfileEntry *entry) { | |||
268 | errExit("asprintf"); | 278 | errExit("asprintf"); |
269 | } | 279 | } |
270 | else if (entry->etc_dir) { | 280 | else if (entry->etc_dir) { |
271 | fname = path + 5; // strlen("/etc/") | 281 | if (strncmp(path, "/etc/", 5) == 0) { |
272 | if (*fname == '\0') | 282 | fname = path + 5; // strlen("/etc/") |
273 | goto errexit; | 283 | if (*fname == '\0') |
284 | goto errexit; | ||
285 | } | ||
286 | else | ||
287 | // symlink pointing outside /etc, skip the mount | ||
288 | return; | ||
274 | 289 | ||
275 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) | 290 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) |
276 | errExit("asprintf"); | 291 | errExit("asprintf"); |
@@ -291,20 +306,22 @@ static void whitelist_path(ProfileEntry *entry) { | |||
291 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) | 306 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) |
292 | errExit("asprintf"); | 307 | errExit("asprintf"); |
293 | } | 308 | } |
309 | assert(wfile); | ||
294 | 310 | ||
295 | // check if the file exists | 311 | // check if the file exists |
296 | assert(wfile); | 312 | EUID_USER(); |
297 | struct stat s; | 313 | struct stat s; |
298 | if (stat(wfile, &s) == 0) { | 314 | if (stat(wfile, &s) == 0) { |
299 | if (arg_debug || arg_debug_whitelists) | 315 | if (arg_debug || arg_debug_whitelists) |
300 | printf("Whitelisting %s\n", path); | 316 | printf("Whitelisting %s\n", path); |
301 | } | 317 | } |
302 | else { | 318 | else { |
319 | free(wfile); | ||
303 | EUID_ROOT(); | 320 | EUID_ROOT(); |
304 | return; | 321 | return; |
305 | } | 322 | } |
306 | |||
307 | EUID_ROOT(); | 323 | EUID_ROOT(); |
324 | |||
308 | // create the path if necessary | 325 | // create the path if necessary |
309 | mkpath(path, s.st_mode); | 326 | mkpath(path, s.st_mode); |
310 | fs_logger2("whitelist", path); | 327 | fs_logger2("whitelist", path); |
@@ -329,8 +346,10 @@ static void whitelist_path(ProfileEntry *entry) { | |||
329 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); | 346 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); |
330 | fclose(fp); | 347 | fclose(fp); |
331 | } | 348 | } |
332 | else | 349 | else { |
350 | free(wfile); | ||
333 | return; // the file is already present | 351 | return; // the file is already present |
352 | } | ||
334 | } | 353 | } |
335 | 354 | ||
336 | // mount | 355 | // mount |
@@ -565,22 +584,25 @@ void fs_whitelist(void) { | |||
565 | entry->var_dir = 1; | 584 | entry->var_dir = 1; |
566 | var_dir = 1; | 585 | var_dir = 1; |
567 | // both path and absolute path are under /var | 586 | // both path and absolute path are under /var |
568 | // exceptions: /var/run and /var/lock | 587 | // exceptions: /var/tmp, /var/run and /var/lock |
569 | if (strcmp(new_name, "/var/run")== 0) | 588 | if (strcmp(new_name, "/var/run")== 0 && strcmp(fname, "/run") == 0); |
570 | ; | 589 | else if (strcmp(new_name, "/var/lock")== 0 && strcmp(fname, "/run/lock") == 0); |
571 | else if (strcmp(new_name, "/var/lock")== 0) | 590 | else if (strcmp(new_name, "/var/tmp")== 0 && strcmp(fname, "/tmp") == 0); |
572 | ; | 591 | else { |
573 | else if (strncmp(fname, "/var/", 5) != 0) { | 592 | // both path and absolute path are under /var |
574 | goto errexit; | 593 | if (strncmp(fname, "/var/", 5) != 0) { |
594 | goto errexit; | ||
595 | } | ||
575 | } | 596 | } |
576 | } | 597 | } |
577 | else if (strncmp(new_name, "/dev/", 5) == 0) { | 598 | else if (strncmp(new_name, "/dev/", 5) == 0) { |
578 | entry->dev_dir = 1; | 599 | entry->dev_dir = 1; |
579 | dev_dir = 1; | 600 | dev_dir = 1; |
580 | |||
581 | // special handling for /dev/shm | 601 | // special handling for /dev/shm |
582 | // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm | 602 | // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm |
583 | if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); | 603 | if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); |
604 | // special handling for /dev/log, which can be a symlink to /run/systemd/journal/dev-log | ||
605 | else if (strcmp(new_name, "/dev/log") == 0 && strcmp(fname, "/run/systemd/journal/dev-log") == 0); | ||
584 | // special processing for /proc/self/fd files | 606 | // special processing for /proc/self/fd files |
585 | else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0); | 607 | else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0); |
586 | else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0); | 608 | else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0); |
@@ -897,38 +919,28 @@ void fs_whitelist(void) { | |||
897 | 919 | ||
898 | //printf("here %d#%s#\n", __LINE__, entry->data); | 920 | //printf("here %d#%s#\n", __LINE__, entry->data); |
899 | // whitelist the real file | 921 | // whitelist the real file |
900 | if (strcmp(entry->data, "whitelist /run") == 0 && | 922 | whitelist_path(entry); |
901 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { | 923 | |
902 | int rv = symlink(entry->data + 10, entry->link); | 924 | // create the link if any |
903 | if (rv) | 925 | if (entry->link) { |
904 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 926 | // if the link is already there, do not bother |
905 | else if (arg_debug || arg_debug_whitelists) | 927 | struct stat s; |
906 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 928 | if (stat(entry->link, &s) != 0) { |
907 | } | 929 | // create the path if necessary |
908 | else { | 930 | mkpath(entry->link, s.st_mode); |
909 | whitelist_path(entry); | 931 | |
910 | 932 | int rv = symlink(entry->data + 10, entry->link); | |
911 | // create the link if any | 933 | if (rv) |
912 | if (entry->link) { | 934 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
913 | // if the link is already there, do not bother | 935 | else if (arg_debug || arg_debug_whitelists) |
914 | struct stat s; | 936 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
915 | if (stat(entry->link, &s) != 0) { | 937 | |
916 | // create the path if necessary | 938 | // check again for files in /tmp directory |
917 | mkpath(entry->link, s.st_mode); | 939 | if (strncmp(entry->link, "/tmp/", 5) == 0) { |
918 | 940 | char *path = realpath(entry->link, NULL); | |
919 | int rv = symlink(entry->data + 10, entry->link); | 941 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) |
920 | if (rv) | 942 | errLogExit("invalid whitelist symlink %s\n", entry->link); |
921 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 943 | free(path); |
922 | else if (arg_debug || arg_debug_whitelists) | ||
923 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | ||
924 | |||
925 | // check again for files in /tmp directory | ||
926 | if (strncmp(entry->link, "/tmp/", 5) == 0) { | ||
927 | char *path = realpath(entry->link, NULL); | ||
928 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) | ||
929 | errLogExit("invalid whitelist symlink %s\n", entry->link); | ||
930 | free(path); | ||
931 | } | ||
932 | } | 944 | } |
933 | } | 945 | } |
934 | } | 946 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9babb72de..50b2da7b9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -45,7 +45,7 @@ gid_t firejail_gid = 0; | |||
45 | static char child_stack[STACK_SIZE]; // space for child's stack | 45 | static char child_stack[STACK_SIZE]; // space for child's stack |
46 | Config cfg; // configuration | 46 | Config cfg; // configuration |
47 | int arg_private = 0; // mount private /home and /tmp directoryu | 47 | int arg_private = 0; // mount private /home and /tmp directoryu |
48 | int arg_private_template = 0; // mount private /home using a template | 48 | int arg_private_cache = 0; // mount private home/.cache |
49 | int arg_debug = 0; // print debug messages | 49 | int arg_debug = 0; // print debug messages |
50 | int arg_debug_blacklists = 0; // print debug messages for blacklists | 50 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
51 | int arg_debug_whitelists = 0; // print debug messages for whitelists | 51 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
@@ -1681,6 +1681,9 @@ int main(int argc, char **argv) { | |||
1681 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1681 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
1682 | arg_private_tmp = 1; | 1682 | arg_private_tmp = 1; |
1683 | } | 1683 | } |
1684 | else if (strcmp(argv[i], "--private-cache") == 0) { | ||
1685 | arg_private_cache = 1; | ||
1686 | } | ||
1684 | 1687 | ||
1685 | //************************************* | 1688 | //************************************* |
1686 | // hostname, etc | 1689 | // hostname, etc |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 88d27f09f..22db6f5fb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
217 | arg_allusers = 1; | 217 | arg_allusers = 1; |
218 | return 0; | 218 | return 0; |
219 | } | 219 | } |
220 | else if (strcmp(ptr, "private-cache") == 0) { | ||
221 | arg_private_cache = 1; | ||
222 | return 0; | ||
223 | } | ||
220 | else if (strcmp(ptr, "private-dev") == 0) { | 224 | else if (strcmp(ptr, "private-dev") == 0) { |
221 | arg_private_dev = 1; | 225 | arg_private_dev = 1; |
222 | return 0; | 226 | return 0; |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index e39f6f50c..521f144e8 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -23,13 +23,7 @@ | |||
23 | #include <sys/mount.h> | 23 | #include <sys/mount.h> |
24 | #include <dirent.h> | 24 | #include <dirent.h> |
25 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
26 | |||
27 | // on Debian 7 we are missing O_PATH definition | ||
28 | #include <fcntl.h> | 26 | #include <fcntl.h> |
29 | #ifndef O_PATH | ||
30 | #define O_PATH 010000000 | ||
31 | #endif | ||
32 | |||
33 | 27 | ||
34 | // disable pulseaudio socket | 28 | // disable pulseaudio socket |
35 | void pulseaudio_disable(void) { | 29 | void pulseaudio_disable(void) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a1400db34..7922da9b9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) { | |||
833 | } | 833 | } |
834 | } | 834 | } |
835 | 835 | ||
836 | // private cache directory by default | 836 | if (arg_private_cache) { |
837 | if (checkcfg(CFG_PRIVATE_CACHE)) | 837 | if (cfg.chrootdir) |
838 | fs_private_cache(); | 838 | fwarning("private-cache feature is disabled in chroot\n"); |
839 | else if (arg_overlay) | ||
840 | fwarning("private-cache feature is disabled in overlay\n"); | ||
841 | else | ||
842 | fs_private_cache(); | ||
843 | } | ||
839 | 844 | ||
840 | if (arg_private_tmp) { | 845 | if (arg_private_tmp) { |
841 | // private-tmp is implemented as a whitelist | 846 | // private-tmp is implemented as a whitelist |
diff --git a/src/firejail/util.c b/src/firejail/util.c index f6233359a..eb59e36be 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -29,12 +29,7 @@ | |||
29 | #include <sys/ioctl.h> | 29 | #include <sys/ioctl.h> |
30 | #include <termios.h> | 30 | #include <termios.h> |
31 | #include <sys/wait.h> | 31 | #include <sys/wait.h> |
32 | |||
33 | // on Debian 7 we are missing O_PATH definition | ||
34 | #include <fcntl.h> | 32 | #include <fcntl.h> |
35 | #ifndef O_PATH | ||
36 | #define O_PATH 010000000 | ||
37 | #endif | ||
38 | 33 | ||
39 | #define MAX_GROUPS 1024 | 34 | #define MAX_GROUPS 1024 |
40 | 35 | ||
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 62a769508..df6092dff 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -514,7 +514,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
514 | assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); | 514 | assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); |
515 | assert(server_argv[pos-1] == NULL); // last element is null | 515 | assert(server_argv[pos-1] == NULL); // last element is null |
516 | 516 | ||
517 | if (arg_debug) { | 517 | { |
518 | size_t i = 0; | 518 | size_t i = 0; |
519 | printf("\n*** Starting xephyr server:"); | 519 | printf("\n*** Starting xephyr server:"); |
520 | while (server_argv[i]!=NULL) { | 520 | while (server_argv[i]!=NULL) { |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c32fdf8f4..851eb1026 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the | |||
221 | new home. All modifications are discarded when the sandbox is | 221 | new home. All modifications are discarded when the sandbox is |
222 | closed. | 222 | closed. |
223 | .TP | 223 | .TP |
224 | \fBprivate-cache | ||
225 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
226 | modifications are discarded when the sandbox is closed. | ||
227 | .TP | ||
224 | \fBprivate-bin file,file | 228 | \fBprivate-bin file,file |
225 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 229 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
226 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 230 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 760249e70..d527c05d8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1322,6 +1322,17 @@ Example: | |||
1322 | $ firejail \-\-private-home=.mozilla firefox | 1322 | $ firejail \-\-private-home=.mozilla firefox |
1323 | 1323 | ||
1324 | .TP | 1324 | .TP |
1325 | \fB\-\-private-cache | ||
1326 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
1327 | modifications are discarded when the sandbox is closed. | ||
1328 | .br | ||
1329 | |||
1330 | .br | ||
1331 | Example: | ||
1332 | .br | ||
1333 | $ firejail \-\-private-cache openbox | ||
1334 | |||
1335 | .TP | ||
1325 | \fB\-\-private-bin=file,file | 1336 | \fB\-\-private-bin=file,file |
1326 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1337 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1327 | If no listed file is found, /bin directory will be empty. | 1338 | If no listed file is found, /bin directory will be empty. |