aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.gitignore2
-rw-r--r--Makefile.in6
-rw-r--r--README6
-rw-r--r--README.md70
-rw-r--r--RELNOTES11
-rwxr-xr-xconfigure53
-rw-r--r--configure.ac36
-rw-r--r--dummy.c3
-rw-r--r--etc/0ad.profile1
-rw-r--r--etc/7z.profile2
-rw-r--r--etc/akonadi_control.profile49
-rw-r--r--etc/apktool.profile3
-rw-r--r--etc/ardour5.profile3
-rw-r--r--etc/ark.profile3
-rw-r--r--etc/asunder.profile1
-rw-r--r--etc/atom.profile3
-rw-r--r--etc/atril-previewer.profile10
-rw-r--r--etc/atril-thumbnailer.profile10
-rw-r--r--etc/atril.profile3
-rw-r--r--etc/audacious.profile1
-rw-r--r--etc/audacity.profile5
-rw-r--r--etc/baobab.profile3
-rw-r--r--etc/bibletime.profile1
-rw-r--r--etc/bleachbit.profile6
-rw-r--r--etc/blender-2.8.profile6
-rw-r--r--etc/bless.profile3
-rw-r--r--etc/bluefish.profile3
-rw-r--r--etc/calligra.profile3
-rw-r--r--etc/catfish.profile3
-rw-r--r--etc/chromium-common.profile4
-rw-r--r--etc/cin.profile3
-rw-r--r--etc/clamav.profile3
-rw-r--r--etc/cpio.profile2
-rw-r--r--etc/default.profile1
-rw-r--r--etc/dex2jar.profile3
-rw-r--r--etc/dia.profile3
-rw-r--r--etc/digikam.profile1
-rw-r--r--etc/disable-common.inc8
-rw-r--r--etc/disable-programs.inc19
-rw-r--r--etc/display.profile3
-rw-r--r--etc/ebook-viewer.profile3
-rw-r--r--etc/electron.profile1
-rw-r--r--etc/engrampa.profile6
-rw-r--r--etc/eog.profile7
-rw-r--r--etc/eom.profile5
-rw-r--r--etc/etr.profile3
-rw-r--r--etc/evince-previewer.profile10
-rw-r--r--etc/evince-thumbnailer.profile10
-rw-r--r--etc/evince.profile5
-rw-r--r--etc/exiftool.profile2
-rw-r--r--etc/feh.profile3
-rw-r--r--etc/ffmpeg.profile3
-rw-r--r--etc/file-roller.profile6
-rw-r--r--etc/file.profile2
-rw-r--r--etc/firefox-common.profile1
-rw-r--r--etc/firejail.config3
-rw-r--r--etc/freecad.profile3
-rw-r--r--etc/frozen-bubble.profile3
-rw-r--r--etc/galculator.profile3
-rw-r--r--etc/gcloud.profile40
-rw-r--r--etc/gedit.profile6
-rw-r--r--etc/gimp.profile3
-rw-r--r--etc/gnome-calculator.profile7
-rw-r--r--etc/gnome-logs.profile40
-rw-r--r--etc/gnome-recipes.profile45
-rw-r--r--etc/gpicview.profile3
-rw-r--r--etc/gwenview.profile4
-rw-r--r--etc/gzip.profile2
-rw-r--r--etc/handbrake.profile1
-rw-r--r--etc/hashcat.profile3
-rw-r--r--etc/highlight.profile2
-rw-r--r--etc/hugin.profile3
-rw-r--r--etc/imagej.profile3
-rw-r--r--etc/img2txt.profile3
-rw-r--r--etc/inkscape.profile7
-rw-r--r--etc/jd-gui.profile3
-rw-r--r--etc/kate.profile9
-rw-r--r--etc/kcalc.profile4
-rw-r--r--etc/kdenlive.profile2
-rw-r--r--etc/keepassx.profile3
-rw-r--r--etc/keepassxc.profile4
-rw-r--r--etc/kmail.profile28
-rw-r--r--etc/knotes.profile27
-rw-r--r--etc/krita.profile2
-rw-r--r--etc/krunner.profile3
-rw-r--r--etc/kwrite.profile6
-rw-r--r--etc/less.profile2
-rw-r--r--etc/libreoffice.profile1
-rw-r--r--etc/lmms.profile3
-rw-r--r--etc/macrofusion.profile3
-rw-r--r--etc/mate-calc.profile3
-rw-r--r--etc/mediainfo.profile2
-rw-r--r--etc/meld.profile3
-rw-r--r--etc/mpv.profile1
-rw-r--r--etc/mupdf.profile3
-rw-r--r--etc/mupen64plus.profile3
-rw-r--r--etc/natron.profile3
-rw-r--r--etc/ncdu.profile29
-rw-r--r--etc/odt2txt.profile2
-rw-r--r--etc/okular.profile3
-rw-r--r--etc/open-invaders.profile3
-rw-r--r--etc/openbox.profile3
-rw-r--r--etc/openshot.profile1
-rw-r--r--etc/pcmanfm.profile3
-rwxr-xr-xetc/pdfchain.profile4
-rw-r--r--etc/pdfmod.profile3
-rw-r--r--etc/pdfsam.profile3
-rw-r--r--etc/pdftotext.profile2
-rw-r--r--etc/peek.profile3
-rw-r--r--etc/pingus.profile3
-rw-r--r--etc/pinta.profile3
-rw-r--r--etc/pluma.profile6
-rw-r--r--etc/qbittorrent.profile1
-rw-r--r--etc/ranger.profile3
-rw-r--r--etc/rhythmbox.profile3
-rw-r--r--etc/scribus.profile6
-rw-r--r--etc/sdat2img.profile3
-rw-r--r--etc/shotcut.profile3
-rw-r--r--etc/simutrans.profile3
-rw-r--r--etc/skanlite.profile3
-rw-r--r--etc/smplayer.profile1
-rw-r--r--etc/spotify.profile3
-rw-r--r--etc/sqlitebrowser.profile3
-rw-r--r--etc/steam.profile16
-rw-r--r--etc/strings.profile2
-rw-r--r--etc/supertux2.profile3
-rw-r--r--etc/synfigstudio.profile3
-rw-r--r--etc/tar.profile2
-rw-r--r--etc/terasology.profile3
-rw-r--r--etc/thunderbird-beta.profile8
-rw-r--r--etc/totem.profile3
-rw-r--r--etc/transmission-gtk.profile1
-rw-r--r--etc/transmission-qt.profile1
-rw-r--r--etc/transmission-show.profile3
-rw-r--r--etc/uefitool.profile3
-rw-r--r--etc/unrar.profile2
-rw-r--r--etc/unzip.profile2
-rw-r--r--etc/uudeview.profile3
-rw-r--r--etc/viewnior.profile2
-rw-r--r--etc/vlc.profile2
-rw-r--r--etc/x-terminal-emulator.profile3
-rw-r--r--etc/xcalc.profile3
-rw-r--r--etc/xed.profile6
-rw-r--r--etc/xpdf.profile3
-rw-r--r--etc/xplayer-audio-preview.profile10
-rw-r--r--etc/xplayer-video-thumbnailer10
-rw-r--r--etc/xplayer.profile2
-rw-r--r--etc/xreader-previewer.profile10
-rw-r--r--etc/xreader-thumbnailer.profile10
-rw-r--r--etc/xreader.profile1
-rw-r--r--etc/xviewer.profile4
-rw-r--r--etc/xzdec.profile2
-rw-r--r--etc/zart.profile3
-rw-r--r--etc/zathura.profile4
-rwxr-xr-xgcov.sh11
-rw-r--r--src/common.mk.in37
-rw-r--r--src/faudit/Makefile.in19
-rw-r--r--src/fbuilder/Makefile.in35
-rw-r--r--src/fcopy/Makefile.in35
-rw-r--r--src/firecfg/Makefile.in32
-rw-r--r--src/firecfg/firecfg.config9
-rw-r--r--src/firejail/Makefile.in37
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/dbus.c63
-rw-r--r--src/firejail/firejail.h7
-rw-r--r--src/firejail/fs_dev.c20
-rw-r--r--src/firejail/main.c5
-rw-r--r--src/firejail/profile.c6
-rw-r--r--src/firejail/pulseaudio.c37
-rw-r--r--src/firejail/run_files.c30
-rw-r--r--src/firejail/sandbox.c7
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/firejail/util.c31
-rw-r--r--src/firemon/Makefile.in21
-rw-r--r--src/fldd/Makefile.in35
-rw-r--r--src/fnet/Makefile.in35
-rw-r--r--src/fnetfilter/Makefile.in35
-rw-r--r--src/fsec-optimize/Makefile.in35
-rw-r--r--src/fsec-print/Makefile.in35
-rw-r--r--src/fsec-print/print.c2
-rw-r--r--src/fseccomp/Makefile.in35
-rw-r--r--src/ftee/Makefile.in19
-rw-r--r--src/lib/Makefile.in17
-rw-r--r--src/lib/pid.c10
-rw-r--r--src/man/firejail.txt11
-rwxr-xr-xtest/root/firecfg.exp8
-rwxr-xr-xtest/root/root.sh4
-rwxr-xr-xtest/utils/audit.exp20
-rwxr-xr-xtest/utils/build.exp58
-rwxr-xr-xtest/utils/utils.sh11
190 files changed, 1081 insertions, 705 deletions
diff --git a/.gitignore b/.gitignore
index eeaa0bb03..1285dea92 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ seccomp.32
38seccomp.64 38seccomp.64
39seccomp.block_secondary 39seccomp.block_secondary
40seccomp.mdwx 40seccomp.mdwx
41src/common.mk
42
diff --git a/Makefile.in b/Makefile.in
index 27187f53a..134e7bd66 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -75,7 +75,7 @@ distclean: clean
75 for dir in $(APPS) $(MYLIBS); do \ 75 for dir in $(APPS) $(MYLIBS); do \
76 $(MAKE) -C $$dir distclean; \ 76 $(MAKE) -C $$dir distclean; \
77 done 77 done
78 rm -fr Makefile autom4te.cache config.log config.status config.h uids.h 78 rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o src/common.mk
79 79
80realinstall: 80realinstall:
81 # firejail executable 81 # firejail executable
@@ -107,6 +107,7 @@ endif
107 install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. 107 install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
108ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) 108ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
109 install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/. 109 install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
110 install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
110 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. 111 install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
111 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. 112 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
112 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. 113 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
@@ -176,6 +177,7 @@ install-strip: all
176 strip src/fnetfilter/fnetfilter 177 strip src/fnetfilter/fnetfilter
177 strip src/fseccomp/fseccomp 178 strip src/fseccomp/fseccomp
178 strip src/fsec-print/fsec-print 179 strip src/fsec-print/fsec-print
180 strip src/fsec-optimize/fsec-optimize
179 strip src/fcopy/fcopy 181 strip src/fcopy/fcopy
180 strip src/fldd/fldd 182 strip src/fldd/fldd
181 strip src/fbuilder/fbuilder 183 strip src/fbuilder/fbuilder
@@ -195,7 +197,7 @@ uninstall:
195 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon 197 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
196 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg 198 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
197 199
198DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" 200DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
199DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" 201DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
200 202
201dist: 203dist:
diff --git a/README b/README
index 6aacf8131..d20e956cd 100644
--- a/README
+++ b/README
@@ -244,6 +244,10 @@ Gaman Gabriel (https://github.com/stelariusinfinitek)
244 - inox profile 244 - inox profile
245geg2048 (https://github.com/geg2048) 245geg2048 (https://github.com/geg2048)
246 - kwallet profile fixes 246 - kwallet profile fixes
247glitsj16 (https://github.com/glitsj16)
248 - evince-previewer, evince-thumbnailer profiles
249 - gnome-recipes, gnome-logs profiles
250 - fixed private-lib for gnome-calculator
247graywolf (https://github.com/graywolf) 251graywolf (https://github.com/graywolf)
248 - spelling fix 252 - spelling fix
249greigdp (https://github.com/greigdp) 253greigdp (https://github.com/greigdp)
@@ -284,6 +288,8 @@ Jaykishan Mutkawoa (https://github.com/jmutkawoa)
284James Elford (https://github.com/jelford) 288James Elford (https://github.com/jelford)
285 - pass password manager support 289 - pass password manager support
286 - removed shell none from ssh-agent configuration, fixing the infinit loop 290 - removed shell none from ssh-agent configuration, fixing the infinit loop
291 - added gcloud profile
292 - blacklist sensitive cloud provider files in disable-common
287Jericho (https://github.com/attritionorg) 293Jericho (https://github.com/attritionorg)
288 - spelling 294 - spelling
289Jesse Smith (https://github.com/slicer69) 295Jesse Smith (https://github.com/slicer69)
diff --git a/README.md b/README.md
index 90e3f7fcc..4d9727797 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,65 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98````` 98`````
99# Current development version: 0.9.53 99# Current development version: 0.9.53
100 100
101## Spectre mitigation
102
103If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
104The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
105on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it:
106`````
107$ ./configure --prefix=/usr
108checking for gcc... gcc
109checking whether the C compiler works... yes
110checking for C compiler default output file name... a.out
111checking for suffix of executables...
112checking whether we are cross compiling... no
113checking for suffix of object files... o
114checking whether we are using the GNU C compiler... yes
115checking whether gcc accepts -g... yes
116checking for gcc option to accept ISO C89... none needed
117checking for a BSD-compatible install... /usr/bin/install -c
118checking for ranlib... ranlib
119checking for Spectre mitigation support in gcc compiler... yes
120[...]
121Configuration options:
122 prefix: /usr
123 sysconfdir: /etc
124 seccomp: -DHAVE_SECCOMP
125 <linux/seccomp.h>: -DHAVE_SECCOMP_H
126 apparmor:
127 global config: -DHAVE_GLOBALCFG
128 chroot: -DHAVE_CHROOT
129 bind: -DHAVE_BIND
130 network: -DHAVE_NETWORK
131 user namespace: -DHAVE_USERNS
132 X11 sandboxing support: -DHAVE_X11
133 whitelisting: -DHAVE_WHITELIST
134 private home support: -DHAVE_PRIVATE_HOME
135 file transfer support: -DHAVE_FILE_TRANSFER
136 overlayfs support: -DHAVE_OVERLAYFS
137 git install support:
138 busybox workaround: no
139 Spectre compiler patch: yes
140 EXTRA_LDFLAGS:
141 EXTRA_CFLAGS: -mindirect-branch=thunk
142 fatal warnings:
143 Gcov instrumentation:
144 Install contrib scripts: yes
145`````
146This feature is also supported for LLVM/clang compiler
147
148## New command line options
149`````
150 --nodbus
151 Disable D-Bus access. Only the regular UNIX socket is handled by
152 this command. To disable the abstract socket you would need to
153 request a new network namespace using --net command. Another
154 option is to remove unix from --protocol set.
155
156 Example:
157 $ firejail --nodbus --net=none
158`````
159
101## AppImage development 160## AppImage development
102 161
103Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. 162Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
@@ -213,9 +272,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled.
213AppArmor deployment: we are starting apparmor by default for the following programs: 272AppArmor deployment: we are starting apparmor by default for the following programs:
214- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) 273- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
215- torrent clients: transmission-qt, transmission-gtk, qbittorrent 274- torrent clients: transmission-qt, transmission-gtk, qbittorrent
216- media players: vlc, mpv, audacious, totem, rhythmbox 275- media players: vlc, mpv, audacious, kodi, smplayer
217- media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot 276- media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
218- etc.: atril, gnome-calculator, galculator, eom, eog 277- archive managers: ark, engrampa, file-roller
278- etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc
219 279
220Checking apparmor status: 280Checking apparmor status:
221````` 281`````
@@ -246,4 +306,6 @@ firefox-common-addons.inc in firefox-common.profile.
246 306
247Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, 307Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
248pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, 308pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
249tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder 309tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
310gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
311thunderbird-beta, ncdu, gnome-logs, gcloud
diff --git a/RELNOTES b/RELNOTES
index e7852663e..e76800f2c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,10 +9,11 @@ firejail (0.9.53) baseline; urgency=low
9 All users of Firefox-based browsers who use addons and plugins 9 All users of Firefox-based browsers who use addons and plugins
10 that read/write from ${HOME} will need to uncomment the includes for 10 that read/write from ${HOME} will need to uncomment the includes for
11 firefox-common-addons.inc in firefox-common.profile. 11 firefox-common-addons.inc in firefox-common.profile.
12 * Spectre mitigation patch for gcc and clang compiler
13 * D-Bus handling (--nodbus)
12 * AppArmor support for overlayfs and chroot sandboxes 14 * AppArmor support for overlayfs and chroot sandboxes
13 * AppArmor support for AppImages 15 * AppArmor support for AppImages
14 * Enable AppArmor by default for Firefox, Chromium, Transmission 16 * Enable AppArmor by default for a large number of programs
15 VLC and mpv
16 * firejail --apparmor.print option 17 * firejail --apparmor.print option
17 * firemon --apparmor option 18 * firemon --apparmor option
18 * apparmor yes/no flag in /etc/firejail/firejail.config 19 * apparmor yes/no flag in /etc/firejail/firejail.config
@@ -26,8 +27,10 @@ firejail (0.9.53) baseline; urgency=low
26 * added sandbox name support in firemon 27 * added sandbox name support in firemon
27 * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, 28 * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
28 * new profiles: discord-canary, pycharm-community, pycharm-professional, 29 * new profiles: discord-canary, pycharm-community, pycharm-professional,
29 * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code, 30 * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
30 * new profiles: falkon, gnome-builder, asunder 31 * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
32 * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
33 * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud
31 -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 34 -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
32 35
33firejail (0.9.52) baseline; urgency=low 36firejail (0.9.52) baseline; urgency=low
diff --git a/configure b/configure
index 761cebc1e..5addefc72 100755
--- a/configure
+++ b/configure
@@ -646,6 +646,7 @@ EGREP
646GREP 646GREP
647CPP 647CPP
648HAVE_APPARMOR 648HAVE_APPARMOR
649EXTRA_CFLAGS
649RANLIB 650RANLIB
650INSTALL_DATA 651INSTALL_DATA
651INSTALL_SCRIPT 652INSTALL_SCRIPT
@@ -2099,7 +2100,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
2099 2100
2100#AC_CONFIG_HEADERS([config.h]) 2101#AC_CONFIG_HEADERS([config.h])
2101 2102
2102
2103ac_ext=c 2103ac_ext=c
2104ac_cpp='$CPP $CPPFLAGS' 2104ac_cpp='$CPP $CPPFLAGS'
2105ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 2105ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3105,6 +3105,47 @@ else
3105fi 3105fi
3106 3106
3107 3107
3108HAVE_SPECTRE="no"
3109{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5
3110$as_echo_n "checking for Spectre mitigation support in gcc or clang compiler... " >&6; }
3111if test "$CC" = "gcc"; then :
3112
3113 HAVE_SPECTRE="yes"
3114 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no"
3115 rm -f dummy.o
3116 if test "$HAVE_SPECTRE" = "yes"; then :
3117
3118 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
3119
3120fi
3121
3122fi
3123if test "$CC" = "clang"; then :
3124
3125 HAVE_SPECTRE="yes"
3126 $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no"
3127 rm -f dummy.o
3128 if test "$HAVE_SPECTRE" = "yes"; then :
3129
3130 EXTRA_CFLAGS+=" -mretpoline "
3131
3132fi
3133
3134fi
3135if test "$HAVE_SPECTRE" = "yes"; then :
3136
3137 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
3138$as_echo "yes" >&6; }
3139
3140fi
3141if test "$HAVE_SPECTRE" = "no"; then :
3142
3143 { $as_echo "$as_me:${as_lineno-$LINENO}: result: ... not available" >&5
3144$as_echo "... not available" >&6; }
3145
3146fi
3147
3148
3108HAVE_APPARMOR="" 3149HAVE_APPARMOR=""
3109# Check whether --enable-apparmor was given. 3150# Check whether --enable-apparmor was given.
3110if test "${enable_apparmor+set}" = set; then : 3151if test "${enable_apparmor+set}" = set; then :
@@ -3119,7 +3160,6 @@ if test "x$enable_apparmor" = "xyes"; then :
3119fi 3160fi
3120 3161
3121 3162
3122
3123ac_ext=c 3163ac_ext=c
3124ac_cpp='$CPP $CPPFLAGS' 3164ac_cpp='$CPP $CPPFLAGS'
3125ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 3165ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3531,7 +3571,7 @@ fi
3531fi 3571fi
3532if test "x$enable_apparmor" = "xyes"; then : 3572if test "x$enable_apparmor" = "xyes"; then :
3533 3573
3534 EXTRA_LDFLAGS+="-lapparmor " 3574 EXTRA_LDFLAGS+=" -lapparmor "
3535 3575
3536fi 3576fi
3537 3577
@@ -3725,7 +3765,7 @@ fi
3725if test "x$enable_gcov" = "xyes"; then : 3765if test "x$enable_gcov" = "xyes"; then :
3726 3766
3727 HAVE_GCOV="--coverage -DHAVE_GCOV " 3767 HAVE_GCOV="--coverage -DHAVE_GCOV "
3728 EXTRA_LDFLAGS+="-lgcov --coverage " 3768 EXTRA_LDFLAGS+=" -lgcov --coverage "
3729 3769
3730 3770
3731fi 3771fi
@@ -3823,7 +3863,7 @@ if test "$prefix" = /usr; then
3823 sysconfdir="/etc" 3863 sysconfdir="/etc"
3824fi 3864fi
3825 3865
3826ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" 3866ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
3827 3867
3828cat >confcache <<\_ACEOF 3868cat >confcache <<\_ACEOF
3829# This file is a shell script that caches the results of configure 3869# This file is a shell script that caches the results of configure
@@ -4533,6 +4573,7 @@ for ac_config_target in $ac_config_targets
4533do 4573do
4534 case $ac_config_target in 4574 case $ac_config_target in
4535 "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; 4575 "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
4576 "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
4536 "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; 4577 "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
4537 "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; 4578 "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
4538 "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; 4579 "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
@@ -5024,7 +5065,9 @@ echo " file transfer support: $HAVE_FILE_TRANSFER"
5024echo " overlayfs support: $HAVE_OVERLAYFS" 5065echo " overlayfs support: $HAVE_OVERLAYFS"
5025echo " git install support: $HAVE_GIT_INSTALL" 5066echo " git install support: $HAVE_GIT_INSTALL"
5026echo " busybox workaround: $BUSYBOX_WORKAROUND" 5067echo " busybox workaround: $BUSYBOX_WORKAROUND"
5068echo " Spectre compiler patch: $HAVE_SPECTRE"
5027echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" 5069echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
5070echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
5028echo " fatal warnings: $HAVE_FATAL_WARNINGS" 5071echo " fatal warnings: $HAVE_FATAL_WARNINGS"
5029echo " Gcov instrumentation: $HAVE_GCOV" 5072echo " Gcov instrumentation: $HAVE_GCOV"
5030echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" 5073echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
diff --git a/configure.ac b/configure.ac
index 952dec3b8..460c93d50 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,12 +3,37 @@ AC_INIT(firejail, 0.9.53, netblue30@yahoo.com, , http://firejail.wordpress.com)
3AC_CONFIG_SRCDIR([src/firejail/main.c]) 3AC_CONFIG_SRCDIR([src/firejail/main.c])
4#AC_CONFIG_HEADERS([config.h]) 4#AC_CONFIG_HEADERS([config.h])
5 5
6
7AC_PROG_CC 6AC_PROG_CC
8#AC_PROG_CXX 7#AC_PROG_CXX
9AC_PROG_INSTALL 8AC_PROG_INSTALL
10AC_PROG_RANLIB 9AC_PROG_RANLIB
11 10
11HAVE_SPECTRE="no"
12AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler)
13AS_IF([test "$CC" = "gcc"], [
14 HAVE_SPECTRE="yes"
15 $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no"
16 rm -f dummy.o
17 AS_IF([test "$HAVE_SPECTRE" = "yes"], [
18 EXTRA_CFLAGS+=" -mindirect-branch=thunk "
19 ])
20])
21AS_IF([test "$CC" = "clang"], [
22 HAVE_SPECTRE="yes"
23 $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no"
24 rm -f dummy.o
25 AS_IF([test "$HAVE_SPECTRE" = "yes"], [
26 EXTRA_CFLAGS+=" -mretpoline "
27 ])
28])
29AS_IF([test "$HAVE_SPECTRE" = "yes"], [
30 AC_MSG_RESULT(yes)
31])
32AS_IF([test "$HAVE_SPECTRE" = "no"], [
33 AC_MSG_RESULT(... not available)
34])
35AC_SUBST([EXTRA_CFLAGS])
36
12HAVE_APPARMOR="" 37HAVE_APPARMOR=""
13AC_ARG_ENABLE([apparmor], 38AC_ARG_ENABLE([apparmor],
14 AS_HELP_STRING([--enable-apparmor], [enable apparmor])) 39 AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
@@ -17,13 +42,12 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
17 AC_SUBST(HAVE_APPARMOR) 42 AC_SUBST(HAVE_APPARMOR)
18]) 43])
19 44
20
21AS_IF([test "x$enable_apparmor" = "xyes"], [ 45AS_IF([test "x$enable_apparmor" = "xyes"], [
22 AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( 46 AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
23 [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) 47 [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
24]) 48])
25AS_IF([test "x$enable_apparmor" = "xyes"], [ 49AS_IF([test "x$enable_apparmor" = "xyes"], [
26 EXTRA_LDFLAGS+="-lapparmor " 50 EXTRA_LDFLAGS+=" -lapparmor "
27]) 51])
28AC_SUBST([EXTRA_LDFLAGS]) 52AC_SUBST([EXTRA_LDFLAGS])
29 53
@@ -142,7 +166,7 @@ AC_ARG_ENABLE([gcov],
142 AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) 166 AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
143AS_IF([test "x$enable_gcov" = "xyes"], [ 167AS_IF([test "x$enable_gcov" = "xyes"], [
144 HAVE_GCOV="--coverage -DHAVE_GCOV " 168 HAVE_GCOV="--coverage -DHAVE_GCOV "
145 EXTRA_LDFLAGS+="-lgcov --coverage " 169 EXTRA_LDFLAGS+=" -lgcov --coverage "
146 AC_SUBST(HAVE_GCOV) 170 AC_SUBST(HAVE_GCOV)
147]) 171])
148 172
@@ -175,7 +199,7 @@ if test "$prefix" = /usr; then
175 sysconfdir="/etc" 199 sysconfdir="/etc"
176fi 200fi
177 201
178AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ 202AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
179src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ 203src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
180src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) 204src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
181 205
@@ -198,7 +222,9 @@ echo " file transfer support: $HAVE_FILE_TRANSFER"
198echo " overlayfs support: $HAVE_OVERLAYFS" 222echo " overlayfs support: $HAVE_OVERLAYFS"
199echo " git install support: $HAVE_GIT_INSTALL" 223echo " git install support: $HAVE_GIT_INSTALL"
200echo " busybox workaround: $BUSYBOX_WORKAROUND" 224echo " busybox workaround: $BUSYBOX_WORKAROUND"
225echo " Spectre compiler patch: $HAVE_SPECTRE"
201echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" 226echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
227echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
202echo " fatal warnings: $HAVE_FATAL_WARNINGS" 228echo " fatal warnings: $HAVE_FATAL_WARNINGS"
203echo " Gcov instrumentation: $HAVE_GCOV" 229echo " Gcov instrumentation: $HAVE_GCOV"
204echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" 230echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
diff --git a/dummy.c b/dummy.c
new file mode 100644
index 000000000..061ed7eef
--- /dev/null
+++ b/dummy.c
@@ -0,0 +1,3 @@
1int main(void) {
2 return 0;
3}
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 057dcf49e..766783997 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc
24 24
25caps.drop all 25caps.drop all
26netfilter 26netfilter
27nodbus
27nodvd 28nodvd
28nogroups 29nogroups
29nonewprivs 30nonewprivs
diff --git a/etc/7z.profile b/etc/7z.profile
index ededacbbe..0330e4dbf 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -6,12 +6,12 @@ include /etc/firejail/7z.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..3a4404b28
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,49 @@
1# Firejail profile for akonadi_control
2# Persistent local customizations
3include /etc/firejail/akonadi_control.local
4# Persistent global definitions
5include /etc/firejail/globals.local
6
7noblacklist ${HOME}/.cache/akonadi*
8noblacklist ${HOME}/.config/akonadi*
9noblacklist ${HOME}/.config/baloorc
10noblacklist ${HOME}/.config/emailidentities
11noblacklist ${HOME}/.config/kmail2rc
12noblacklist ${HOME}/.local/share/akonadi*
13noblacklist ${HOME}/.local/share/contacts
14noblacklist ${HOME}/.local/share/local-mail
15noblacklist ${HOME}/.local/share/notes
16noblacklist /tmp/akonadi-*
17noblacklist /usr/sbin
18
19include /etc/firejail/disable-common.inc
20include /etc/firejail/disable-devel.inc
21include /etc/firejail/disable-passwdmgr.inc
22include /etc/firejail/disable-programs.inc
23
24include /etc/firejail/whitelist-var-common.inc
25
26# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
27# this affects ubuntu and debian currently
28
29# apparmor
30caps.drop all
31ipc-namespace
32no3d
33netfilter
34nodvd
35nogroups
36# nonewprivs
37noroot
38nosound
39notv
40novideo
41# protocol unix,inet,inet6
42# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
43tracelog
44
45private-dev
46# private-tmp - breaks programs that depend on akonadi
47
48noexec ${HOME}
49noexec /tmp
diff --git a/etc/apktool.profile b/etc/apktool.profile
index bbf91c264..d5063d79b 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -6,8 +6,6 @@ include /etc/firejail/apktool.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-programs.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 1f2228544..cf72561da 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/ardour4 8noblacklist ${HOME}/.config/ardour4
11noblacklist ${HOME}/.config/ardour5 9noblacklist ${HOME}/.config/ardour5
12noblacklist ${HOME}/.lv2 10noblacklist ${HOME}/.lv2
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
20caps.drop all 18caps.drop all
21ipc-namespace 19ipc-namespace
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/ark.profile b/etc/ark.profile
index beeb652cf..8e156df0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ark.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/arkrc 8noblacklist ${HOME}/.config/arkrc
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ apparmor
20caps.drop all 18caps.drop all
21# net none 19# net none
22netfilter 20netfilter
21# nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 0fbc3a158..7d643877f 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
20apparmor 20apparmor
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23nodbus
23# nogroups 24# nogroups
24nonewprivs 25nonewprivs
25noroot 26noroot
diff --git a/etc/atom.profile b/etc/atom.profile
index de09275cc..c513c7531 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/atom.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.atom 8noblacklist ${HOME}/.atom
11noblacklist ${HOME}/.config/Atom 9noblacklist ${HOME}/.config/Atom
12 10
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18# net none 16# net none
19netfilter 17netfilter
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/atril-previewer.profile b/etc/atril-previewer.profile
new file mode 100644
index 000000000..5d841bc0e
--- /dev/null
+++ b/etc/atril-previewer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for atril-previewer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/atril-previewer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/atril.profile
diff --git a/etc/atril-thumbnailer.profile b/etc/atril-thumbnailer.profile
new file mode 100644
index 000000000..88c74735d
--- /dev/null
+++ b/etc/atril-thumbnailer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for atril-thumbnailer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/atril-thumbnailer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/atril.profile
diff --git a/etc/atril.profile b/etc/atril.profile
index a05f11076..e08b70ac6 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -5,6 +5,7 @@ include /etc/firejail/atril.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.cache/atril
8noblacklist ${HOME}/.config/atril 9noblacklist ${HOME}/.config/atril
9 10
10#noblacklist ${HOME}/.local/share 11#noblacklist ${HOME}/.local/share
@@ -17,7 +18,7 @@ include /etc/firejail/disable-programs.inc
17 18
18include /etc/firejail/whitelist-var-common.inc 19include /etc/firejail/whitelist-var-common.inc
19 20
20apparmor 21# apparmor
21caps.drop all 22caps.drop all
22machine-id 23machine-id
23no3d 24no3d
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 93ba5a45d..71003f156 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 18apparmor
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodbus
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 8c85dd6be..907dbeb55 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.audacity-data 8noblacklist ${HOME}/.audacity-data
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc
18 16
19apparmor 17apparmor
20caps.drop all 18caps.drop all
21#net none 19net none
22no3d 20no3d
21# nodbus - problems on Fedora 27
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/baobab.profile b/etc/baobab.profile
index e47e31bb1..5c1675611 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 018569603..f23a29052 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-common.inc
21 21
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24nodbus
24nodvd 25nodvd
25nogroups 26nogroups
26nonewprivs 27nonewprivs
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index dce7892a4..ae40c3ec7 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
@@ -29,6 +28,7 @@ shell none
29private-dev 28private-dev
30# private-tmp 29# private-tmp
31 30
32memory-deny-write-execute 31# memory-deny-write-execute breaks some systems, see issue #1850
32# memory-deny-write-execute
33noexec ${HOME} 33noexec ${HOME}
34noexec /tmp 34noexec /tmp
diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile
new file mode 100644
index 000000000..4b907018e
--- /dev/null
+++ b/etc/blender-2.8.profile
@@ -0,0 +1,6 @@
1# Firejail profile alias for blender
2# This file is overwritten after every install/update
3
4
5# Redirect
6include /etc/firejail/blender.profile
diff --git a/etc/bless.profile b/etc/bless.profile
index 37d1e856f..10b471582 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bless.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/bless 8noblacklist ${HOME}/.config/bless
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 66ba0168b..6eb1d753f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/calligra.profile b/etc/calligra.profile
index f09716bc3..f7df8ce85 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16ipc-namespace 14ipc-namespace
17# net none 15# net none
16# nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 6d5ec1c52..6a608c673 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,6 @@ include /etc/firejail/globals.local
8# We can't blacklist much since catfish 8# We can't blacklist much since catfish
9# is for finding files/content 9# is for finding files/content
10 10
11blacklist /run/user/*/bus
12
13noblacklist ${HOME}/.config/catfish 11noblacklist ${HOME}/.config/catfish
14 12
15include /etc/firejail/disable-common.inc 13include /etc/firejail/disable-common.inc
@@ -23,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
23caps.drop all 21caps.drop all
24net none 22net none
25no3d 23no3d
24nodbus
26nodvd 25nodvd
27nogroups 26nogroups
28nonewprivs 27nonewprivs
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index a11947334..7f07c5b26 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
20apparmor 20apparmor
21caps.keep sys_chroot,sys_admin 21caps.keep sys_chroot,sys_admin
22netfilter 22netfilter
23nodbus
23nodvd 24nodvd
24nogroups 25nogroups
25notv 26notv
@@ -31,3 +32,6 @@ private-dev
31 32
32noexec ${HOME} 33noexec ${HOME}
33noexec /tmp 34noexec /tmp
35
36# the file dialog needs to work without d-bus
37env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/cin.profile b/etc/cin.profile
index d114e50b1..e86a4d9b4 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/cin.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.bcast5 8noblacklist ${HOME}/.bcast5
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/clamav.profile b/etc/clamav.profile
index c3a0132d0..41bd3b679 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11caps.drop all 9caps.drop all
12ipc-namespace 10ipc-namespace
13net none 11net none
14no3d 12no3d
13nodbus
15nodvd 14nodvd
16nogroups 15nogroups
17nonewprivs 16nonewprivs
diff --git a/etc/cpio.profile b/etc/cpio.profile
index caee6570e..445e1cec7 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12noblacklist /sbin 11noblacklist /sbin
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc
19caps.drop all 18caps.drop all
20net none 19net none
21no3d 20no3d
21nodbus
22nodvd 22nodvd
23nonewprivs 23nonewprivs
24nosound 24nosound
diff --git a/etc/default.profile b/etc/default.profile
index 82eded802..1af7ceba4 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -17,6 +17,7 @@ caps.drop all
17# ipc-namespace 17# ipc-namespace
18netfilter 18netfilter
19# no3d 19# no3d
20# nodbus
20# nodvd 21# nodvd
21# nogroups 22# nogroups
22nonewprivs 23nonewprivs
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index f89e17239..ed73b8b8c 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc 10include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 14caps.drop all
17net none 15net none
18no3d 16no3d
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/dia.profile b/etc/dia.profile
index b1a723da0..fb3506955 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -5,8 +5,6 @@ include /etc/firejail/dia.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.dia 8noblacklist ${HOME}/.dia
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 516876c6b..4df344cbc 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
20apparmor 20apparmor
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23# nodbus
23nodvd 24nodvd
24nogroups 25nogroups
25nonewprivs 26nonewprivs
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..0f605b933 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
75blacklist ${HOME}/.local/share/kglobalaccel 75blacklist ${HOME}/.local/share/kglobalaccel
76blacklist ${HOME}/.local/share/kwin 76blacklist ${HOME}/.local/share/kwin
77blacklist ${HOME}/.local/share/plasma 77blacklist ${HOME}/.local/share/plasma
78blacklist ${HOME}/.local/share/plasmashell
78blacklist ${HOME}/.local/share/solid 79blacklist ${HOME}/.local/share/solid
79read-only ${HOME}/.cache/ksycoca5_* 80read-only ${HOME}/.cache/ksycoca5_*
80read-only ${HOME}/.config/*notifyrc 81read-only ${HOME}/.config/*notifyrc
@@ -296,6 +297,13 @@ blacklist /etc/ssh
296blacklist /home/.ecryptfs 297blacklist /home/.ecryptfs
297blacklist /var/backup 298blacklist /var/backup
298 299
300# cloud provider configuration
301blacklist ${HOME}/.aws
302blacklist ${HOME}/.boto
303blacklist /etc/boto.cfg
304blacklist ${HOME}/.config/gcloud
305blacklist ${HOME}/.kube
306
299# system directories 307# system directories
300blacklist /sbin 308blacklist /sbin
301blacklist /usr/local/sbin 309blacklist /usr/local/sbin
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..a6f12f3db 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
73blacklist ${HOME}/.config/Thunar 73blacklist ${HOME}/.config/Thunar
74blacklist ${HOME}/.config/VirtualBox 74blacklist ${HOME}/.config/VirtualBox
75blacklist ${HOME}/.config/Wire 75blacklist ${HOME}/.config/Wire
76blacklist ${HOME}/.config/akonadi*
76blacklist ${HOME}/.config/akregatorrc 77blacklist ${HOME}/.config/akregatorrc
77blacklist ${HOME}/.config/ardour4 78blacklist ${HOME}/.config/ardour4
78blacklist ${HOME}/.config/ardour5 79blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
106blacklist ${HOME}/.config/digikamrc 107blacklist ${HOME}/.config/digikamrc
107blacklist ${HOME}/.config/dolphinrc 108blacklist ${HOME}/.config/dolphinrc
108blacklist ${HOME}/.config/dragonplayerrc 109blacklist ${HOME}/.config/dragonplayerrc
110blacklist ${HOME}/.config/emailidentities
109blacklist ${HOME}/.config/enchant 111blacklist ${HOME}/.config/enchant
110blacklist ${HOME}/.config/eog 112blacklist ${HOME}/.config/eog
111blacklist ${HOME}/.config/epiphany 113blacklist ${HOME}/.config/epiphany
@@ -136,6 +138,7 @@ blacklist ${HOME}/.config/itch
136blacklist ${HOME}/.config/jd-gui.cfg 138blacklist ${HOME}/.config/jd-gui.cfg
137blacklist ${HOME}/.config/k3brc 139blacklist ${HOME}/.config/k3brc
138blacklist ${HOME}/.config/kaffeinerc 140blacklist ${HOME}/.config/kaffeinerc
141blacklist ${HOME}/.config/katemetainfos
139blacklist ${HOME}/.config/katepartrc 142blacklist ${HOME}/.config/katepartrc
140blacklist ${HOME}/.config/katerc 143blacklist ${HOME}/.config/katerc
141blacklist ${HOME}/.config/kateschemarc 144blacklist ${HOME}/.config/kateschemarc
@@ -144,6 +147,7 @@ blacklist ${HOME}/.config/katevirc
144blacklist ${HOME}/.config/kdenliverc 147blacklist ${HOME}/.config/kdenliverc
145blacklist ${HOME}/.config/kgetrc 148blacklist ${HOME}/.config/kgetrc
146blacklist ${HOME}/.config/klipperrc 149blacklist ${HOME}/.config/klipperrc
150blacklist ${HOME}/.config/kmail2rc
147blacklist ${HOME}/.config/kritarc 151blacklist ${HOME}/.config/kritarc
148blacklist ${HOME}/.config/kwriterc 152blacklist ${HOME}/.config/kwriterc
149blacklist ${HOME}/.config/kdeconnect 153blacklist ${HOME}/.config/kdeconnect
@@ -346,18 +350,21 @@ blacklist ${HOME}/.local/share/SuperHexagon
346blacklist ${HOME}/.local/share/TelegramDesktop 350blacklist ${HOME}/.local/share/TelegramDesktop
347blacklist ${HOME}/.local/share/Terraria 351blacklist ${HOME}/.local/share/Terraria
348blacklist ${HOME}/.local/share/TpLogger 352blacklist ${HOME}/.local/share/TpLogger
353blacklist ${HOME}/.local/share/akonadi*
349blacklist ${HOME}/.local/share/akregator 354blacklist ${HOME}/.local/share/akregator
350blacklist ${HOME}/.local/share/aspyr-media 355blacklist ${HOME}/.local/share/aspyr-media
351blacklist ${HOME}/.local/share/baloo 356blacklist ${HOME}/.local/share/baloo
352blacklist ${HOME}/.local/share/caja-python 357blacklist ${HOME}/.local/share/caja-python
353blacklist ${HOME}/.local/share/cdprojektred 358blacklist ${HOME}/.local/share/cdprojektred
354blacklist ${HOME}/.local/share/clipit 359blacklist ${HOME}/.local/share/clipit
360blacklist ${HOME}/.local/share/contacts
355blacklist ${HOME}/.local/share/data/Mumble 361blacklist ${HOME}/.local/share/data/Mumble
356blacklist ${HOME}/.local/share/data/MusE 362blacklist ${HOME}/.local/share/data/MusE
357blacklist ${HOME}/.local/share/data/MuseScore 363blacklist ${HOME}/.local/share/data/MuseScore
358blacklist ${HOME}/.local/share/data/qBittorrent 364blacklist ${HOME}/.local/share/data/qBittorrent
359blacklist ${HOME}/.local/share/dino 365blacklist ${HOME}/.local/share/dino
360blacklist ${HOME}/.local/share/dolphin 366blacklist ${HOME}/.local/share/dolphin
367blacklist ${HOME}/.local/share/emailidentities
361blacklist ${HOME}/.local/share/epiphany 368blacklist ${HOME}/.local/share/epiphany
362blacklist ${HOME}/.local/share/evolution 369blacklist ${HOME}/.local/share/evolution
363blacklist ${HOME}/.local/share/feral-interactive 370blacklist ${HOME}/.local/share/feral-interactive
@@ -369,6 +376,7 @@ blacklist ${HOME}/.local/share/gnome-2048
369blacklist ${HOME}/.local/share/gnome-chess 376blacklist ${HOME}/.local/share/gnome-chess
370blacklist ${HOME}/.local/share/gnome-music 377blacklist ${HOME}/.local/share/gnome-music
371blacklist ${HOME}/.local/share/gnome-photos 378blacklist ${HOME}/.local/share/gnome-photos
379blacklist ${HOME}/.local/share/gnome-recipes
372blacklist ${HOME}/.local/share/gnome-ring 380blacklist ${HOME}/.local/share/gnome-ring
373blacklist ${HOME}/.local/share/gnome-twitch 381blacklist ${HOME}/.local/share/gnome-twitch
374blacklist ${HOME}/.local/share/gwenview 382blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +384,14 @@ blacklist ${HOME}/.local/share/kaffeine
376blacklist ${HOME}/.local/share/kate 384blacklist ${HOME}/.local/share/kate
377blacklist ${HOME}/.local/share/kdenlive 385blacklist ${HOME}/.local/share/kdenlive
378blacklist ${HOME}/.local/share/kget 386blacklist ${HOME}/.local/share/kget
387blacklist ${HOME}/.local/share/kmail2
388blacklist ${HOME}/.local/share/knotes
379blacklist ${HOME}/.local/share/krita 389blacklist ${HOME}/.local/share/krita
380blacklist ${HOME}/.local/share/ktorrentrc 390blacklist ${HOME}/.local/share/ktorrentrc
381blacklist ${HOME}/.local/share/ktorrent 391blacklist ${HOME}/.local/share/ktorrent
382blacklist ${HOME}/.local/share/kwrite 392blacklist ${HOME}/.local/share/kwrite
383blacklist ${HOME}/.local/share/liferea 393blacklist ${HOME}/.local/share/liferea
394blacklist ${HOME}/.local/share/local-mail
384blacklist ${HOME}/.local/share/lollypop 395blacklist ${HOME}/.local/share/lollypop
385blacklist ${HOME}/.local/share/maps-places.json 396blacklist ${HOME}/.local/share/maps-places.json
386blacklist ${HOME}/.local/share/meld 397blacklist ${HOME}/.local/share/meld
@@ -397,6 +408,7 @@ blacklist ${HOME}/.local/share/okular
397blacklist ${HOME}/.local/share/orage 408blacklist ${HOME}/.local/share/orage
398blacklist ${HOME}/.local/share/org.kde.gwenview 409blacklist ${HOME}/.local/share/org.kde.gwenview
399blacklist ${HOME}/.local/share/pix 410blacklist ${HOME}/.local/share/pix
411blacklist ${HOME}/.local/share/plasma_notes
400blacklist ${HOME}/.local/share/psi+ 412blacklist ${HOME}/.local/share/psi+
401blacklist ${HOME}/.local/share/qpdfview 413blacklist ${HOME}/.local/share/qpdfview
402blacklist ${HOME}/.local/share/qutebrowser 414blacklist ${HOME}/.local/share/qutebrowser
@@ -485,6 +497,7 @@ blacklist ${HOME}/.xpdfrc
485blacklist ${HOME}/.zoom 497blacklist ${HOME}/.zoom
486blacklist ${HOME}/Arduino 498blacklist ${HOME}/Arduino
487blacklist ${HOME}/wallet.dat 499blacklist ${HOME}/wallet.dat
500blacklist /tmp/akonadi-*
488blacklist /tmp/ssh-* 501blacklist /tmp/ssh-*
489 502
490# ~/.cache directory 503# ~/.cache directory
@@ -495,6 +508,8 @@ blacklist ${HOME}/.cache/Franz
495blacklist ${HOME}/.cache/INRIA 508blacklist ${HOME}/.cache/INRIA
496blacklist ${HOME}/.cache/MusicBrainz 509blacklist ${HOME}/.cache/MusicBrainz
497blacklist ${HOME}/.cache/QuiteRss 510blacklist ${HOME}/.cache/QuiteRss
511blacklist ${HOME}/.cache/akonadi*
512blacklist ${HOME}/.cache/atril
498blacklist ${HOME}/.cache/attic 513blacklist ${HOME}/.cache/attic
499blacklist ${HOME}/.cache/borg 514blacklist ${HOME}/.cache/borg
500blacklist ${HOME}/.cache/calibre 515blacklist ${HOME}/.cache/calibre
@@ -517,11 +532,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable
517blacklist ${HOME}/.cache/gnome-twitch 532blacklist ${HOME}/.cache/gnome-twitch
518blacklist ${HOME}/.cache/icedove 533blacklist ${HOME}/.cache/icedove
519blacklist ${HOME}/.cache/INRIA/Natron 534blacklist ${HOME}/.cache/INRIA/Natron
535blacklist ${HOME}/.cache/inkscape
520blacklist ${HOME}/.cache/inox 536blacklist ${HOME}/.cache/inox
521blacklist ${HOME}/.cache/iridium 537blacklist ${HOME}/.cache/iridium
522blacklist ${HOME}/.cache/kdenlive 538blacklist ${HOME}/.cache/kdenlive
523blacklist ${HOME}/.cache/kinfocenter 539blacklist ${HOME}/.cache/kinfocenter
540blacklist ${HOME}/.cache/kmail2
524blacklist ${HOME}/.cache/krunner 541blacklist ${HOME}/.cache/krunner
542blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
525blacklist ${HOME}/.cache/kscreenlocker_greet 543blacklist ${HOME}/.cache/kscreenlocker_greet
526blacklist ${HOME}/.cache/ksmserver-logout-greeter 544blacklist ${HOME}/.cache/ksmserver-logout-greeter
527blacklist ${HOME}/.cache/ksplashqml 545blacklist ${HOME}/.cache/ksplashqml
@@ -554,6 +572,7 @@ blacklist ${HOME}/.cache/torbrowser
554blacklist ${HOME}/.cache/transmission 572blacklist ${HOME}/.cache/transmission
555blacklist ${HOME}/.cache/vivaldi 573blacklist ${HOME}/.cache/vivaldi
556blacklist ${HOME}/.cache/vivaldi-snapshot 574blacklist ${HOME}/.cache/vivaldi-snapshot
575blacklist ${HOME}/.cache/vlc
557blacklist ${HOME}/.cache/waterfox 576blacklist ${HOME}/.cache/waterfox
558blacklist ${HOME}/.cache/wesnoth 577blacklist ${HOME}/.cache/wesnoth
559blacklist ${HOME}/.cache/xmms2 578blacklist ${HOME}/.cache/xmms2
diff --git a/etc/display.profile b/etc/display.profile
index 41512a0cb..69183f4ca 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -5,8 +5,6 @@ include /etc/firejail/display.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc
16 14
17caps.drop all 15caps.drop all
18net none 16net none
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
index 9f7e1382b..1e28b854a 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -1,9 +1,8 @@
1# Firejail profile alias for calibre 1# Firejail profile alias for calibre
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4blacklist /run/user/*/bus
5
6net none 4net none
5nodbus
7 6
8# Redirect 7# Redirect
9include /etc/firejail/calibre.profile 8include /etc/firejail/calibre.profile
diff --git a/etc/electron.profile b/etc/electron.profile
index 222beada0..52d45b3f8 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -14,6 +14,7 @@ whitelist ${DOWNLOADS}
14apparmor 14apparmor
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodbus
17nodvd 18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index ae61f1d93..cf32d579e 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -5,8 +5,6 @@ include /etc/firejail/engrampa.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
14 12
15include /etc/firejail/whitelist-var-common.inc 13include /etc/firejail/whitelist-var-common.inc
16 14
15apparmor
17caps.drop all 16caps.drop all
18# net none - makes settings immutable 17net none
19no3d 18no3d
19nodbus
20nodvd 20nodvd
21nogroups 21nogroups
22nonewprivs 22nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index 545a6e432..66434ae05 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eog.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.Steam 8noblacklist ${HOME}/.Steam
11noblacklist ${HOME}/.config/eog 9noblacklist ${HOME}/.config/eog
12noblacklist ${HOME}/.local/share/Trash 10noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
19 17
20include /etc/firejail/whitelist-var-common.inc 18include /etc/firejail/whitelist-var-common.inc
21 19
22apparmor 20# apparmor - makes settings immutable
23caps.drop all 21caps.drop all
24# net none - makes settings immutable 22# net none - makes settings immutable
25no3d 23no3d
24# nodbus - makes settings immutable
26nodvd 25nodvd
27nogroups 26nogroups
28nonewprivs 27nonewprivs
@@ -37,7 +36,7 @@ shell none
37private-bin eog 36private-bin eog
38private-dev 37private-dev
39private-etc fonts 38private-etc fonts
40private-lib 39private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4
41private-tmp 40private-tmp
42 41
43#memory-deny-write-execute - breaks on Arch 42#memory-deny-write-execute - breaks on Arch
diff --git a/etc/eom.profile b/etc/eom.profile
index c7c92db0e..48965bcb9 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eom.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.Steam 8noblacklist ${HOME}/.Steam
11noblacklist ${HOME}/.config/mate/eom 9noblacklist ${HOME}/.config/mate/eom
12noblacklist ${HOME}/.local/share/Trash 10noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
19 17
20include /etc/firejail/whitelist-var-common.inc 18include /etc/firejail/whitelist-var-common.inc
21 19
22apparmor 20# apparmor - makes settings immutable
23caps.drop all 21caps.drop all
24# net none - makes settings immutable 22# net none - makes settings immutable
25no3d 23no3d
24# nodbus - makes settings immutable
26nodvd 25nodvd
27nogroups 26nogroups
28nonewprivs 27nonewprivs
diff --git a/etc/etr.profile b/etc/etr.profile
index ad2e5be5d..5c01636cc 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -5,8 +5,6 @@ include /etc/firejail/etr.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.etr 8noblacklist ${HOME}/.etr
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
20 18
21caps.drop all 19caps.drop all
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
new file mode 100644
index 000000000..d5bc6db33
--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for evince-previewer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/evince-previewer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/evince.profile
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
new file mode 100644
index 000000000..abc21632d
--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for evince-thumbnailer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/evince-thumbnailer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/evince.profile
diff --git a/etc/evince.profile b/etc/evince.profile
index 72c1ffc97..38c9ee9a9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,8 +5,6 @@ include /etc/firejail/evince.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/evince 8noblacklist ${HOME}/.config/evince
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ machine-id
21# net none breaks AppArmor on Ubuntu systems 19# net none breaks AppArmor on Ubuntu systems
22netfilter 20netfilter
23no3d 21no3d
22# nodbus
24nodvd 23nodvd
25nogroups 24nogroups
26nonewprivs 25nonewprivs
@@ -38,7 +37,7 @@ private-dev
38private-etc fonts 37private-etc fonts
39 38
40#private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 39#private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711
41#private-lib evince,libpoppler-glib.so.8 40private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2
42 41
43private-tmp 42private-tmp
44 43
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 18d1e3c81..8ab6012f5 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,7 +6,6 @@ include /etc/firejail/exiftool.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12noblacklist /usr/bin/perl 11noblacklist /usr/bin/perl
@@ -21,6 +20,7 @@ include /etc/firejail/disable-programs.inc
21caps.drop all 20caps.drop all
22net none 21net none
23no3d 22no3d
23nodbus
24nodvd 24nodvd
25nogroups 25nogroups
26nonewprivs 26nonewprivs
diff --git a/etc/feh.profile b/etc/feh.profile
index 1320434f1..ba7a76c49 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,8 +5,6 @@ include /etc/firejail/feh.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16net none 14net none
17no3d 15no3d
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index acea1e834..538179107 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -6,8 +6,6 @@ include /etc/firejail/ffmpeg.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc 10include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
18caps.drop all 16caps.drop all
19net none 17net none
20no3d 18no3d
19nodbus
21nodvd 20nodvd
22nosound 21nosound
23notv 22notv
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index bc4e70da4..eb76d1dbb 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -5,8 +5,6 @@ include /etc/firejail/file-roller.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
14 12
15include /etc/firejail/whitelist-var-common.inc 13include /etc/firejail/whitelist-var-common.inc
16 14
15apparmor
17caps.drop all 16caps.drop all
18# net none - makes settings immutable 17net none
19no3d 18no3d
19nodbus
20nodvd 20nodvd
21nogroups 21nogroups
22nonewprivs 22nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index 041bf5ae5..2bdbaaaa8 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -6,7 +6,6 @@ include /etc/firejail/file.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12include /etc/firejail/disable-common.inc 11include /etc/firejail/disable-common.inc
@@ -17,6 +16,7 @@ caps.drop all
17hostname file 16hostname file
18net none 17net none
19no3d 18no3d
19nodbus
20nodvd 20nodvd
21nogroups 21nogroups
22nonewprivs 22nonewprivs
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 12d160155..1f531c1b7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -25,6 +25,7 @@ caps.drop all
25# machine-id breaks pulse audio; it should work fine in setups where sound is not required 25# machine-id breaks pulse audio; it should work fine in setups where sound is not required
26#machine-id 26#machine-id
27netfilter 27netfilter
28nodbus
28nodvd 29nodvd
29nogroups 30nogroups
30nonewprivs 31nonewprivs
diff --git a/etc/firejail.config b/etc/firejail.config
index ade3e3c84..0cd4dca3a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -23,6 +23,9 @@
23# and it will harden the rest of the chroot tree. 23# and it will harden the rest of the chroot tree.
24# chroot-desktop yes 24# chroot-desktop yes
25 25
26# Enable or disable dbus handling by --nodbus flag, default enabled.
27# dbus yes
28
26# Disable /mnt, /media, /run/mount and /run/media access. By default access 29# Disable /mnt, /media, /run/mount and /run/media access. By default access
27# to these directories is enabled. 30# to these directories is enabled.
28# disable-mnt no 31# disable-mnt no
diff --git a/etc/freecad.profile b/etc/freecad.profile
index bac502a5f..c51d88f7a 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -5,8 +5,6 @@ include /etc/firejail/freecad.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/FreeCAD 8noblacklist ${HOME}/.config/FreeCAD
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index ca38ed1b8..8acd32bdd 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -5,8 +5,6 @@ include /etc/firejail/frozen-bubble.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.frozen-bubble 8noblacklist ${HOME}/.frozen-bubble
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
21 19
22caps.drop all 20caps.drop all
23net none 21net none
22nodbus
24nodvd 23nodvd
25nogroups 24nogroups
26nonewprivs 25nonewprivs
diff --git a/etc/galculator.profile b/etc/galculator.profile
index b28c7943f..8229f8250 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -5,8 +5,6 @@ include /etc/firejail/galculator.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/galculator 8noblacklist ${HOME}/.config/galculator
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -22,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
22apparmor 20apparmor
23caps.drop all 21caps.drop all
24net none 22net none
23nodbus
25nodvd 24nodvd
26nogroups 25nogroups
27nonewprivs 26nonewprivs
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
new file mode 100644
index 000000000..195dc9302
--- /dev/null
+++ b/etc/gcloud.profile
@@ -0,0 +1,40 @@
1# Firejail profile for gcloud
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/gcloud.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8noblacklist ${HOME}/.boto
9noblacklist ${HOME}/.config/gcloud
10noblacklist /var/run/docker.sock
11
12include /etc/firejail/disable-common.inc
13include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-programs.inc
15
16apparmor
17caps.drop all
18machine-id
19netfilter
20nodbus
21nodvd
22# required for sudo-free docker
23#nogroups
24nonewprivs
25noroot
26notv
27protocol unix,inet,inet6
28seccomp
29shell none
30tracelog
31
32disable-mnt
33private-dev
34private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
35private-tmp
36
37noexec /tmp
38
39# will break user-local installs of gcloud tooling
40# noexec ${HOME}
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 97eb692de..e78b8a708 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gedit.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.config/enchant 8noblacklist ${HOME}/.config/enchant
11noblacklist ${HOME}/.config/gedit 9noblacklist ${HOME}/.config/gedit
12noblacklist ${HOME}/.gitconfig 10noblacklist ${HOME}/.gitconfig
@@ -18,10 +16,12 @@ include /etc/firejail/disable-programs.inc
18 16
19include /etc/firejail/whitelist-var-common.inc 17include /etc/firejail/whitelist-var-common.inc
20 18
19# apparmor - makes settings immutable
21caps.drop all 20caps.drop all
22# net none - makes settings immutable
23machine-id 21machine-id
22# net none - makes settings immutable
24no3d 23no3d
24# nodbus - makes settings immutable
25nodvd 25nodvd
26nogroups 26nogroups
27nonewprivs 27nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 3cc012a88..49df54d1f 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gimp.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.gimp* 8noblacklist ${HOME}/.gimp*
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 16apparmor
19caps.drop all 17caps.drop all
20net none 18net none
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index d13208a1e..dfb93c3b0 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -6,7 +6,6 @@ include /etc/firejail/gnome-calculator.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9
10include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 10include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
@@ -14,10 +13,12 @@ include /etc/firejail/disable-programs.inc
14include /etc/firejail/whitelist-common.inc 13include /etc/firejail/whitelist-common.inc
15include /etc/firejail/whitelist-var-common.inc 14include /etc/firejail/whitelist-var-common.inc
16 15
17apparmor 16# apparmor - makes settings immutable
18caps.drop all 17caps.drop all
18# net none
19netfilter 19netfilter
20no3d 20no3d
21# nodbus - makes settings immutable
21nodvd 22nodvd
22nogroups 23nogroups
23nonewprivs 24nonewprivs
@@ -32,7 +33,7 @@ shell none
32disable-mnt 33disable-mnt
33private-bin gnome-calculator 34private-bin gnome-calculator
34private-dev 35private-dev
35private-lib 36private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2
36private-tmp 37private-tmp
37 38
38#memory-deny-write-execute - breaks on Arch 39#memory-deny-write-execute - breaks on Arch
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
new file mode 100644
index 000000000..7e7902dff
--- /dev/null
+++ b/etc/gnome-logs.profile
@@ -0,0 +1,40 @@
1# Firejail profile for gnome-logs
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/gnome-logs.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8include /etc/firejail/disable-common.inc
9include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11include /etc/firejail/disable-programs.inc
12
13whitelist /var/log/journal
14include /etc/firejail/whitelist-var-common.inc
15
16caps.drop all
17net none
18no3d
19nodbus
20nodvd
21nogroups
22nonewprivs
23noroot
24nosound
25notv
26novideo
27protocol unix
28seccomp
29shell none
30
31disable-mnt
32private-bin gnome-logs
33private-dev
34#private-etc fonts
35#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,librsvg-2.so.2
36private-tmp
37writable-var-log
38
39noexec ${HOME}
40noexec /tmp
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..2f7657c0c
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
1# Firejail profile for gnome-recipes
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/gnome-recipes.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9noblacklist ${HOME}/.local/share/gnome-recipes
10
11include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc
14include /etc/firejail/disable-programs.inc
15
16mkdir ${HOME}/.cache/gnome-recipes
17whitelist ${HOME}/.cache/gnome-recipes
18include /etc/firejail/whitelist-common.inc
19include /etc/firejail/whitelist-var-common.inc
20
21caps.drop all
22ipc-namespace
23netfilter
24nodvd
25nogroups
26nonewprivs
27noroot
28nosound
29notv
30novideo
31protocol unix,inet,inet6
32seccomp
33shell none
34
35disable-mnt
36private-bin gnome-recipes,tar
37private-dev
38private-etc ca-certificates,fonts,ssl,crypto-policies,pki
39# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
40# not widely tested though, leaving it to devs discretion to enable it later
41#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
42private-tmp
43
44noexec ${HOME}
45noexec /tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 8d47d9c31..c6453e972 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gpicview.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/gpicview 8noblacklist ${HOME}/.config/gpicview
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
18 16
19caps.drop all 17caps.drop all
20net none 18net none
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d79b72152..d17be41cc 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gwenview.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/gwenviewrc 8noblacklist ${HOME}/.config/gwenviewrc
11noblacklist ${HOME}/.config/org.kde.gwenviewrc 9noblacklist ${HOME}/.config/org.kde.gwenviewrc
12noblacklist ${HOME}/.gimp* 10noblacklist ${HOME}/.gimp*
@@ -24,8 +22,10 @@ include /etc/firejail/disable-programs.inc
24 22
25include /etc/firejail/whitelist-var-common.inc 23include /etc/firejail/whitelist-var-common.inc
26 24
25apparmor
27caps.drop all 26caps.drop all
28# net none 27# net none
28# nodbus
29nodvd 29nodvd
30nogroups 30nogroups
31nonewprivs 31nonewprivs
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 5187bb9f0..779067770 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -6,12 +6,12 @@ include /etc/firejail/gzip.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index b99842d60..ff9dd248f 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
17apparmor 17apparmor
18caps.drop all 18caps.drop all
19netfilter 19netfilter
20nodbus
20nogroups 21nogroups
21nonewprivs 22nonewprivs
22noroot 23noroot
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index ad1aae523..c8ab268c8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -6,8 +6,6 @@ include /etc/firejail/hashcat.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11noblacklist ${HOME}/.hashcat 9noblacklist ${HOME}/.hashcat
12noblacklist /usr/include 10noblacklist /usr/include
13 11
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
18 16
19caps.drop all 17caps.drop all
20net none 18net none
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/highlight.profile b/etc/highlight.profile
index a7c667ce1..781866f3b 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -5,7 +5,6 @@ include /etc/firejail/highlight.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9blacklist /tmp/.X11-unix 8blacklist /tmp/.X11-unix
10 9
11include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 15caps.drop all
17net none 16net none
18no3d 17no3d
18nodbus
19nodvd 19nodvd
20nogroups 20nogroups
21nonewprivs 21nonewprivs
diff --git a/etc/hugin.profile b/etc/hugin.profile
index bff074b74..3847a7daf 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/hugin.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.hugin 8noblacklist ${HOME}/.hugin
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
16 14
17caps.drop all 15caps.drop all
18net none 16net none
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 058da2805..7396160af 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -5,8 +5,6 @@ include /etc/firejail/imagej.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.imagej 8noblacklist ${HOME}/.imagej
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 5a19a75f1..8c157bf2a 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,8 +5,6 @@ include /etc/firejail/img2txt.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -14,6 +12,7 @@ include /etc/firejail/disable-programs.inc
14 12
15caps.drop all 13caps.drop all
16net none 14net none
15nodbus
17nodvd 16nodvd
18nogroups 17nogroups
19nonewprivs 18nonewprivs
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 6e669ea2c..af24bc3e9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -5,9 +5,9 @@ include /etc/firejail/inkscape.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.inkscape 8noblacklist ${HOME}/.cache/inkscape
9noblacklist ${HOME}/.config/inkscape 9noblacklist ${HOME}/.config/inkscape
10 10noblacklist ${HOME}/.inkscape
11 11
12include /etc/firejail/disable-common.inc 12include /etc/firejail/disable-common.inc
13include /etc/firejail/disable-devel.inc 13include /etc/firejail/disable-devel.inc
@@ -18,7 +18,8 @@ include /etc/firejail/whitelist-var-common.inc
18 18
19apparmor 19apparmor
20caps.drop all 20caps.drop all
21netfilter 21net none
22nodbus
22nodvd 23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index bf461b93d..f70eff3e4 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -5,8 +5,6 @@ include /etc/firejail/jd-gui.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/jd-gui.cfg 8noblacklist ${HOME}/.config/jd-gui.cfg
11noblacklist ${HOME}/.java 9noblacklist ${HOME}/.java
12 10
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
18caps.drop all 16caps.drop all
19net none 17net none
20no3d 18no3d
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..b3c1e81d8 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,8 +5,7 @@ include /etc/firejail/kate.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus 8noblacklist ${HOME}/.config/katemetainfos
9
10noblacklist ${HOME}/.config/katepartrc 9noblacklist ${HOME}/.config/katepartrc
11noblacklist ${HOME}/.config/katerc 10noblacklist ${HOME}/.config/katerc
12noblacklist ${HOME}/.config/kateschemarc 11noblacklist ${HOME}/.config/kateschemarc
@@ -21,9 +20,10 @@ include /etc/firejail/disable-programs.inc
21 20
22include /etc/firejail/whitelist-var-common.inc 21include /etc/firejail/whitelist-var-common.inc
23 22
24apparmor 23# apparmor
25caps.drop all 24caps.drop all
26# net none 25# net none
26# nodbus
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
@@ -42,4 +42,7 @@ private-dev
42# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg 42# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
43private-tmp 43private-tmp
44 44
45# noexec ${HOME}
46noexec /tmp
47
45join-or-start kate 48join-or-start kate
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 3f024f3fa..86a3b1462 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -20,9 +20,11 @@ whitelist ${HOME}/.kde4/share/config/kcalcrc
20include /etc/firejail/whitelist-common.inc 20include /etc/firejail/whitelist-common.inc
21include /etc/firejail/whitelist-var-common.inc 21include /etc/firejail/whitelist-var-common.inc
22 22
23apparmor
23caps.drop all 24caps.drop all
24netfilter 25net none
25no3d 26no3d
27nodbus
26nodvd 28nodvd
27nogroups 29nogroups
28nonewprivs 30nonewprivs
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 5c770856a..819279b10 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,6 @@ include /etc/firejail/kdenlive.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9noblacklist ${HOME}/.cache/kdenlive 8noblacklist ${HOME}/.cache/kdenlive
10noblacklist ${HOME}/.config/kdenliverc 9noblacklist ${HOME}/.config/kdenliverc
11noblacklist ${HOME}/.local/share/kdenlive 10noblacklist ${HOME}/.local/share/kdenlive
@@ -18,6 +17,7 @@ include /etc/firejail/disable-programs.inc
18apparmor 17apparmor
19caps.drop all 18caps.drop all
20# net none 19# net none
20# nodbus
21nodvd 21nodvd
22nogroups 22nogroups
23nonewprivs 23nonewprivs
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index f7b0bd5d1..14af2682c 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassx.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/*.kdb 8noblacklist ${HOME}/*.kdb
11noblacklist ${HOME}/*.kdbx 9noblacklist ${HOME}/*.kdbx
12noblacklist ${HOME}/.config/keepassx 10noblacklist ${HOME}/.config/keepassx
@@ -23,6 +21,7 @@ caps.drop all
23machine-id 21machine-id
24net none 22net none
25no3d 23no3d
24nodbus
26nodvd 25nodvd
27nogroups 26nogroups
28nonewprivs 27nonewprivs
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 66b524d29..0e464cbe4 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassxc.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/*.kdb 8noblacklist ${HOME}/*.kdb
11noblacklist ${HOME}/*.kdbx 9noblacklist ${HOME}/*.kdbx
12noblacklist ${HOME}/.config/keepassxc 10noblacklist ${HOME}/.config/keepassxc
@@ -22,9 +20,11 @@ include /etc/firejail/disable-programs.inc
22include /etc/firejail/whitelist-var-common.inc 20include /etc/firejail/whitelist-var-common.inc
23 21
24caps.drop all 22caps.drop all
23machine-id
25net none 24net none
26no3d 25no3d
27nodvd 26nodvd
27nodbus
28nogroups 28nogroups
29nonewprivs 29nonewprivs
30noroot 30noroot
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca774f4ec..3e425b62e 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,13 +5,32 @@ include /etc/firejail/kmail.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# kmail has problems launching akonadi in debian and ubuntu.
9# one solution is to have akonadi already running when kmail is started
10
11noblacklist ${HOME}/.cache/akonadi*
12noblacklist ${HOME}/.cache/kmail2
13noblacklist ${HOME}/.config/akonadi*
14noblacklist ${HOME}/.config/baloorc
15noblacklist ${HOME}/.config/emailidentities
16noblacklist ${HOME}/.config/kmail2rc
8noblacklist ${HOME}/.gnupg 17noblacklist ${HOME}/.gnupg
18noblacklist ${HOME}/.local/share/akonadi*
19noblacklist ${HOME}/.local/share/contacts
20noblacklist ${HOME}/.local/share/emailidentities
21noblacklist ${HOME}/.local/share/kmail2
22noblacklist ${HOME}/.local/share/local-mail
23noblacklist ${HOME}/.local/share/notes
24noblacklist /tmp/akonadi-*
9 25
10include /etc/firejail/disable-common.inc 26include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 27include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 28include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 29include /etc/firejail/disable-programs.inc
14 30
31include /etc/firejail/whitelist-var-common.inc
32
33# apparmor
15caps.drop all 34caps.drop all
16netfilter 35netfilter
17nodvd 36nodvd
@@ -22,11 +41,14 @@ nosound
22notv 41notv
23novideo 42novideo
24protocol unix,inet,inet6,netlink 43protocol unix,inet,inet6,netlink
25# blacklisting of chroot system calls breaks kmail 44# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
26seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 45seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
27# tracelog 46# tracelog
28# writable-run-user is needed for signing and encrypting emails 47# writable-run-user is needed for signing and encrypting emails
29writable-run-user 48writable-run-user
30 49
31private-dev 50private-dev
32# private-tmp - breaks akonadi and opening of email attachments 51# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
52
53noexec ${HOME}
54noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 94ada7855..4bbbd332d 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,27 +5,12 @@ include /etc/firejail/knotes.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.config/knotesrc 8# knotes has problems launching akonadi in debian and ubuntu.
9 9# one solution is to have akonadi already running when knotes is started
10include /etc/firejail/disable-common.inc
11# include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc
14 10
15include /etc/firejail/whitelist-var-common.inc 11noblacklist ${HOME}/.config/knotesrc
12noblacklist ${HOME}/.local/share/knotes
16 13
17caps.drop all
18netfilter
19nodvd
20nogroups
21nonewprivs
22noroot
23nosound
24notv
25protocol unix
26seccomp
27shell none
28tracelog
29 14
30private-dev 15# Redirect
31#private-tmp - problems on kubuntu 17.04 16include /etc/firejail/kmail.profile
diff --git a/etc/krita.profile b/etc/krita.profile
index 0f4c5210b..24948c584 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,6 @@ include /etc/firejail/krita.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9noblacklist ${HOME}/.config/kritarc 8noblacklist ${HOME}/.config/kritarc
10noblacklist ${HOME}/.local/share/krita 9noblacklist ${HOME}/.local/share/krita
11 10
@@ -18,6 +17,7 @@ apparmor
18caps.drop all 17caps.drop all
19ipc-namespace 18ipc-namespace
20# net none 19# net none
20# nodbus
21nodvd 21nodvd
22nogroups 22nogroups
23nonewprivs 23nonewprivs
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 1e97f4290..17526c4ea 100644
--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -10,10 +10,13 @@ include /etc/firejail/globals.local
10# with its own profile, if it is sandboxed automatically. 10# with its own profile, if it is sandboxed automatically.
11 11
12# noblacklist ${HOME}/.cache/krunner 12# noblacklist ${HOME}/.cache/krunner
13# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
14# noblacklist ${HOME}/.config/chromium
13noblacklist ${HOME}/.config/krunnerrc 15noblacklist ${HOME}/.config/krunnerrc
14noblacklist ${HOME}/.kde/share/config/krunnerrc 16noblacklist ${HOME}/.kde/share/config/krunnerrc
15noblacklist ${HOME}/.kde4/share/config/krunnerrc 17noblacklist ${HOME}/.kde4/share/config/krunnerrc
16# noblacklist ${HOME}/.local/share/baloo 18# noblacklist ${HOME}/.local/share/baloo
19# noblacklist ${HOME}/.mozilla
17 20
18include /etc/firejail/disable-common.inc 21include /etc/firejail/disable-common.inc
19# include /etc/firejail/disable-devel.inc 22# include /etc/firejail/disable-devel.inc
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..ac51259c0 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/kwrite.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/katepartrc 8noblacklist ${HOME}/.config/katepartrc
11noblacklist ${HOME}/.config/katerc 9noblacklist ${HOME}/.config/katerc
12noblacklist ${HOME}/.config/kateschemarc 10noblacklist ${HOME}/.config/kateschemarc
@@ -26,6 +24,7 @@ apparmor
26caps.drop all 24caps.drop all
27# net none 25# net none
28netfilter 26netfilter
27# nodbus
29nodvd 28nodvd
30nogroups 29nogroups
31nonewprivs 30nonewprivs
@@ -43,4 +42,7 @@ private-dev
43private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg 42private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
44private-tmp 43private-tmp
45 44
45noexec ${HOME}
46noexec /tmp
47
46join-or-start kwrite 48join-or-start kwrite
diff --git a/etc/less.profile b/etc/less.profile
index 3b1c5d6bf..e2616ba4f 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -6,12 +6,12 @@ include /etc/firejail/less.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index ceb680951..15961321e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -21,6 +21,7 @@ apparmor
21caps.drop all 21caps.drop all
22machine-id 22machine-id
23netfilter 23netfilter
24nodbus
24nodvd 25nodvd
25nogroups 26nogroups
26nonewprivs 27nonewprivs
diff --git a/etc/lmms.profile b/etc/lmms.profile
index b2bacb246..a9fecf5be 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -5,8 +5,6 @@ include /etc/firejail/lmms.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.lmmsrc.xml 8noblacklist ${HOME}/.lmmsrc.xml
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
20no3d 18no3d
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index f8c5c34ca..948c7226d 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -5,8 +5,6 @@ include /etc/firejail/macrofusion.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/mfusion 8noblacklist ${HOME}/.config/mfusion
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index be5dac206..f452b751a 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mate-calc.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/mate-calc 8noblacklist ${HOME}/.config/mate-calc
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -24,6 +22,7 @@ whitelist ${HOME}/.themes
24caps.drop all 22caps.drop all
25net none 23net none
26no3d 24no3d
25nodbus
27nodvd 26nodvd
28nogroups 27nogroups
29nonewprivs 28nonewprivs
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index de9297174..c3c84ed39 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -5,7 +5,6 @@ include /etc/firejail/mediainfo.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9blacklist /tmp/.X11-unix 8blacklist /tmp/.X11-unix
10 9
11include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 15caps.drop all
17net none 16net none
18no3d 17no3d
18nodbus
19nodvd 19nodvd
20nogroups 20nogroups
21nonewprivs 21nonewprivs
diff --git a/etc/meld.profile b/etc/meld.profile
index 1a451ff57..78d9e0c76 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -5,8 +5,6 @@ include /etc/firejail/meld.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.local/share/meld 8noblacklist ${HOME}/.local/share/meld
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/mpv.profile b/etc/mpv.profile
index a4dc679f4..dcd8b05e1 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 18apparmor
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodbus
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 9e04c3a81..af5859dbc 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupdf.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
17caps.drop all 15caps.drop all
18machine-id 16machine-id
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index e05babc91..2e3d7cfb8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupen64plus.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/mupen64plus 8noblacklist ${HOME}/.config/mupen64plus
11noblacklist ${HOME}/.local/share/mupen64plus 9noblacklist ${HOME}/.local/share/mupen64plus
12 10
@@ -24,6 +22,7 @@ include /etc/firejail/whitelist-common.inc
24 22
25caps.drop all 23caps.drop all
26net none 24net none
25nodbus
27nodvd 26nodvd
28nonewprivs 27nonewprivs
29noroot 28noroot
diff --git a/etc/natron.profile b/etc/natron.profile
index 413ea53f9..cf01c862c 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,8 +5,6 @@ include /etc/firejail/natron.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.Natron 8noblacklist ${HOME}/.Natron
11noblacklist ${HOME}/.cache/INRIA/Natron 9noblacklist ${HOME}/.cache/INRIA/Natron
12noblacklist ${HOME}/.config/INRIA 10noblacklist ${HOME}/.config/INRIA
@@ -19,6 +17,7 @@ include /etc/firejail/disable-programs.inc
19 17
20caps.drop all 18caps.drop all
21net none 19net none
20nodbus
22nodvd 21nodvd
23nogroups 22nogroups
24nonewprivs 23nonewprivs
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
new file mode 100644
index 000000000..ab79a325e
--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
1# Firejail profile for ncdu
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/ncdu.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8caps.drop all
9ipc-namespace
10nodbus
11net none
12no3d
13nodvd
14nogroups
15nonewprivs
16noroot
17nosound
18notv
19novideo
20protocol unix
21seccomp
22shell none
23
24private-dev
25# private-tmp
26
27memory-deny-write-execute
28noexec ${HOME}
29noexec /tmp
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index b6d4a63b5..c807a5399 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -5,7 +5,6 @@ include /etc/firejail/odt2txt.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9blacklist /tmp/.X11-unix 8blacklist /tmp/.X11-unix
10 9
11include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 15caps.drop all
17net none 16net none
18no3d 17no3d
18nodbus
19nodvd 19nodvd
20nogroups 20nogroups
21nonewprivs 21nonewprivs
diff --git a/etc/okular.profile b/etc/okular.profile
index ffe0d2bfb..f1f0b2c7e 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,8 +5,6 @@ include /etc/firejail/okular.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.cache/okular 8noblacklist ${HOME}/.cache/okular
11noblacklist ${HOME}/.config/okularpartrc 9noblacklist ${HOME}/.config/okularpartrc
12noblacklist ${HOME}/.config/okularrc 10noblacklist ${HOME}/.config/okularrc
@@ -30,6 +28,7 @@ caps.drop all
30machine-id 28machine-id
31# net none 29# net none
32netfilter 30netfilter
31# nodbus
33nodvd 32nodvd
34nogroups 33nogroups
35nonewprivs 34nonewprivs
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 191f8d87b..3c3609dae 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -5,8 +5,6 @@ include /etc/firejail/open-invaders.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.openinvaders 8noblacklist ${HOME}/.openinvaders
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
20 18
21caps.drop all 19caps.drop all
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 5bab7ce7d..ec4b47c29 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
14noroot 14noroot
15protocol unix,inet,inet6 15protocol unix,inet,inet6
16seccomp 16seccomp
17
18read-only ${HOME}/.config/openbox/autostart
19read-only ${HOME}/.config/openbox/environment
diff --git a/etc/openshot.profile b/etc/openshot.profile
index ca9110be6..b9eb29590 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 18apparmor
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodbus
21nodvd 22nodvd
22nogroups 23nogroups
23nonewprivs 24nonewprivs
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 08c607020..0dcd21549 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pcmanfm.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.local/share/Trash 8noblacklist ${HOME}/.local/share/Trash
11# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below 9# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
12# noblacklist ${HOME}/.config/pcmanfm 10# noblacklist ${HOME}/.config/pcmanfm
@@ -19,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
19caps.drop all 17caps.drop all
20# net none - see issue #1467, computer:/// location broken 18# net none - see issue #1467, computer:/// location broken
21no3d 19no3d
20# nodbus
22nodvd 21nodvd
23nonewprivs 22nonewprivs
24noroot 23noroot
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index d43c0911e..b4ccb6003 100755
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -5,9 +5,6 @@ include /etc/firejail/pdfchain.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-programs.inc 9include /etc/firejail/disable-programs.inc
13include /etc/firejail/disable-devel.inc 10include /etc/firejail/disable-devel.inc
@@ -19,6 +16,7 @@ caps.drop all
19ipc-namespace 16ipc-namespace
20net none 17net none
21no3d 18no3d
19nodbus
22nogroups 20nogroups
23nonewprivs 21nonewprivs
24noroot 22noroot
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 8ac09dcdc..9b08dfd84 100644
--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfmod.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.cache/pdfmod 8noblacklist ${HOME}/.cache/pdfmod
11noblacklist ${HOME}/.config/pdfmod 9noblacklist ${HOME}/.config/pdfmod
12 10
@@ -22,6 +20,7 @@ ipc-namespace
22machine-id 20machine-id
23net none 21net none
24no3d 22no3d
23nodbus
25nodvd 24nodvd
26nogroups 25nogroups
27nonewprivs 26nonewprivs
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c1515ab73..465f68fd6 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfsam.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.java 8noblacklist ${HOME}/.java
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
18machine-id 16machine-id
19net none 17net none
20no3d 18no3d
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 736faa5ea..a97063754 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -5,7 +5,6 @@ include /etc/firejail/pdftotext.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9blacklist /tmp/.X11-unix 8blacklist /tmp/.X11-unix
10 9
11include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -19,6 +18,7 @@ caps.drop all
19machine-id 18machine-id
20net none 19net none
21no3d 20no3d
21nodbus
22nodvd 22nodvd
23nogroups 23nogroups
24nonewprivs 24nonewprivs
diff --git a/etc/peek.profile b/etc/peek.profile
index 01db4fa08..7b7ab9470 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -5,8 +5,6 @@ include /etc/firejail/peek.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.cache/peek 8noblacklist ${HOME}/.cache/peek
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/pingus.profile b/etc/pingus.profile
index ec7eff632..b287e7ee8 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pingus.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.pingus 8noblacklist ${HOME}/.pingus
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
20 18
21caps.drop all 19caps.drop all
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 4a8815a73..b51521ef7 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pinta.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/Pinta 8noblacklist ${HOME}/.config/Pinta
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18ipc-namespace 16ipc-namespace
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/pluma.profile b/etc/pluma.profile
index b50e3cbaf..d0acfeb1a 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pluma.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.config/pluma 8noblacklist ${HOME}/.config/pluma
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
16 14
17include /etc/firejail/whitelist-var-common.inc 15include /etc/firejail/whitelist-var-common.inc
18 16
17# apparmor - makes settings immutable
19caps.drop all 18caps.drop all
20# net none - makes settings immutable
21machine-id 19machine-id
20# net none - makes settings immutable
22no3d 21no3d
22# nodbus - makes settings immutable
23nodvd 23nodvd
24nogroups 24nogroups
25nonewprivs 25nonewprivs
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8df8177eb..14a9e8adc 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -30,6 +30,7 @@ apparmor
30caps.drop all 30caps.drop all
31machine-id 31machine-id
32netfilter 32netfilter
33nodbus
33nodvd 34nodvd
34nogroups 35nogroups
35nonewprivs 36nonewprivs
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 211a1b2d5..fd5bbf89c 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ranger.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10# noblacklist /usr/bin/cpan* 8# noblacklist /usr/bin/cpan*
11noblacklist /usr/bin/perl 9noblacklist /usr/bin/perl
12noblacklist /usr/lib/perl* 10noblacklist /usr/lib/perl*
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
20 18
21caps.drop all 19caps.drop all
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a20bdb883..6322f8217 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,10 +13,11 @@ include /etc/firejail/disable-programs.inc
13 13
14include /etc/firejail/whitelist-var-common.inc 14include /etc/firejail/whitelist-var-common.inc
15 15
16apparmor 16# apparmor - makes settings immutable
17caps.drop all 17caps.drop all
18netfilter 18netfilter
19# no3d 19# no3d
20# nodbus - makes settings immutable
20nogroups 21nogroups
21nonewprivs 22nonewprivs
22noroot 23noroot
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 8ce63fbf0..f9f585a20 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/scribus.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10# Support for PDF readers comes with Scribus 1.5 and higher 8# Support for PDF readers comes with Scribus 1.5 and higher
11noblacklist ${HOME}/.cache/okular 9noblacklist ${HOME}/.cache/okular
12noblacklist ${HOME}/.config/okularpartrc 10noblacklist ${HOME}/.config/okularpartrc
@@ -33,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
33 31
34caps.drop all 32caps.drop all
35net none 33net none
34nodbus
36nodvd 35nodvd
37nogroups 36nogroups
38nonewprivs 37nonewprivs
@@ -48,3 +47,6 @@ tracelog
48# private-bin scribus,gs,gimp* 47# private-bin scribus,gs,gimp*
49private-dev 48private-dev
50private-tmp 49private-tmp
50
51noexec ${HOME}
52noexec /tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index bc94ae2a0..2f3d94f01 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -6,8 +6,6 @@ include /etc/firejail/sdat2img.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc 10include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 14caps.drop all
17net none 15net none
18no3d 16no3d
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 3f2cc3d33..293a89ba3 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,8 +5,6 @@ include /etc/firejail/shotcut.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/Meltytech 8noblacklist ${HOME}/.config/Meltytech
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
16 14
17caps.drop all 15caps.drop all
18net none 16net none
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 8b4113d2f..adde3f8ce 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -5,8 +5,6 @@ include /etc/firejail/simutrans.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.simutrans 8noblacklist ${HOME}/.simutrans
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
20 18
21caps.drop all 19caps.drop all
22net none 20net none
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 316cf5821..4fa649654 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/skanlite.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16# net none 14# net none
17netfilter 15netfilter
16# nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 64eff5670..187b0674a 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 18apparmor
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21# nodbus - problems with KDE
21# nogroups 22# nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
diff --git a/etc/spotify.profile b/etc/spotify.profile
index c973783a9..dfd3bae7f 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -31,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
31 31
32caps.drop all 32caps.drop all
33netfilter 33netfilter
34nodbus
34nodvd 35nodvd
35nogroups 36nogroups
36nonewprivs 37nonewprivs
@@ -44,7 +45,7 @@ tracelog
44disable-mnt 45disable-mnt
45private-bin spotify,bash,sh,zenity 46private-bin spotify,bash,sh,zenity
46private-dev 47private-dev
47private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf 48private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf
48private-opt spotify 49private-opt spotify
49private-tmp 50private-tmp
50 51
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 933d55b79..22c37645d 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -5,8 +5,6 @@ include /etc/firejail/sqlitebrowser.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/sqlitebrowser 8noblacklist ${HOME}/.config/sqlitebrowser
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17caps.drop all 15caps.drop all
18net none 16net none
19no3d 17no3d
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/steam.profile b/etc/steam.profile
index 4965d3a54..bcdea9bc7 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,10 @@ include /etc/firejail/disable-programs.inc
32include /etc/firejail/whitelist-var-common.inc 32include /etc/firejail/whitelist-var-common.inc
33 33
34caps.drop all 34caps.drop all
35#ipc-namespace
35netfilter 36netfilter
37# nodbus disabled as it breaks appindicator support
38#nodbus
36nodvd 39nodvd
37nogroups 40nogroups
38nonewprivs 41nonewprivs
@@ -44,10 +47,17 @@ protocol unix,inet,inet6,netlink
44seccomp 47seccomp
45shell none 48shell none
46# tracelog disabled as it breaks integrated browser 49# tracelog disabled as it breaks integrated browser
47# tracelog 50#tracelog
51
52# private-bin is disabled while in testing, but has been tested working with multiple games
53#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
54# extra programs are available which might be needed for select games
55#private-bin java,java-config,mono,python*
56# picture viewers are are needed for viewing screenshots
57#private-bin eog,eom,gthumb,pix,viewnior,xviewer
48 58
49# private-dev should be commented for controllers 59# private-dev should be commented for controllers
50private-dev 60private-dev
51# private-etc breaks some games 61# private-etc breaks a small selection of games on some systems, comment to support those
52#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies 62private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
53private-tmp 63private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 09273f35d..8995ad2a6 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -6,12 +6,12 @@ include /etc/firejail/strings.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index d60d7fa5f..24f42c276 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -5,8 +5,6 @@ include /etc/firejail/supertux2.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.local/share/supertux2 8noblacklist ${HOME}/.local/share/supertux2
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
21 19
22caps.drop all 20caps.drop all
23net none 21net none
22nodbus
24nodvd 23nodvd
25nogroups 24nogroups
26nonewprivs 25nonewprivs
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 415a42cf5..be9c2aa64 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -5,8 +5,6 @@ include /etc/firejail/synfigstudio.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/synfig 8noblacklist ${HOME}/.config/synfig
11noblacklist ${HOME}/.synfig 9noblacklist ${HOME}/.synfig
12 10
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17 15
18caps.drop all 16caps.drop all
19net none 17net none
18nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/tar.profile b/etc/tar.profile
index bd7973abf..5f54bf02d 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/tar.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12hostname tar 11hostname tar
13ignore noroot 12ignore noroot
14net none 13net none
15no3d 14no3d
15nodbus
16nodvd 16nodvd
17nosound 17nosound
18notv 18notv
diff --git a/etc/terasology.profile b/etc/terasology.profile
index ea25938d3..e671c4dc3 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,8 +5,6 @@ include /etc/firejail/terasology.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.java 8noblacklist ${HOME}/.java
11noblacklist ${HOME}/.local/share/terasology 9noblacklist ${HOME}/.local/share/terasology
12 10
@@ -25,6 +23,7 @@ caps.drop all
25ipc-namespace 23ipc-namespace
26net none 24net none
27netfilter 25netfilter
26nodbus
28nodvd 27nodvd
29nogroups 28nogroups
30nonewprivs 29nonewprivs
diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile
new file mode 100644
index 000000000..73d2419da
--- /dev/null
+++ b/etc/thunderbird-beta.profile
@@ -0,0 +1,8 @@
1# Firejail profile alias for thunderbird-beta
2# This file is overwritten after every install/update
3
4
5whitelist /opt/thunderbird-beta
6
7# Redirect
8include /etc/firejail/thunderbird.profile
diff --git a/etc/totem.profile b/etc/totem.profile
index 6dbc5f0c2..ad3845d90 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,9 +15,10 @@ include /etc/firejail/disable-programs.inc
15 15
16include /etc/firejail/whitelist-var-common.inc 16include /etc/firejail/whitelist-var-common.inc
17 17
18apparmor 18# apparmor - makes settings immutable
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21# nodbus - makes settings immutable
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 3d249748d..ee044aa0d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -25,6 +25,7 @@ apparmor
25caps.drop all 25caps.drop all
26machine-id 26machine-id
27netfilter 27netfilter
28nodbus
28nodvd 29nodvd
29nonewprivs 30nonewprivs
30noroot 31noroot
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 4f4d9bac1..a8fb80fd8 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -25,6 +25,7 @@ apparmor
25caps.drop all 25caps.drop all
26machine-id 26machine-id
27netfilter 27netfilter
28nodbus
28nodvd 29nodvd
29nonewprivs 30nonewprivs
30noroot 31noroot
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 135371747..575bf77dc 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -5,8 +5,6 @@ include /etc/firejail/transmission-show.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.cache/transmission 8noblacklist ${HOME}/.cache/transmission
11noblacklist ${HOME}/.config/transmission 9noblacklist ${HOME}/.config/transmission
12 10
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
18caps.drop all 16caps.drop all
19machine-id 17machine-id
20net none 18net none
19nodbus
21nodvd 20nodvd
22nonewprivs 21nonewprivs
23noroot 22noroot
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 6cff5249c..a10b44fb1 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -5,8 +5,6 @@ include /etc/firejail/uefitool.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ caps.drop all
16ipc-namespace 14ipc-namespace
17net none 15net none
18no3d 16no3d
17nodbus
19nodvd 18nodvd
20nogroups 19nogroups
21nonewprivs 20nonewprivs
diff --git a/etc/unrar.profile b/etc/unrar.profile
index f7e25d5d7..ba2a86f4c 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unrar.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12hostname unrar 11hostname unrar
13ignore noroot 12ignore noroot
14net none 13net none
15no3d 14no3d
15nodbus
16nodvd 16nodvd
17nosound 17nosound
18notv 18notv
diff --git a/etc/unzip.profile b/etc/unzip.profile
index fe16c670d..fddc79260 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unzip.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12hostname unzip 11hostname unzip
13ignore noroot 12ignore noroot
14net none 13net none
15no3d 14no3d
15nodbus
16nodvd 16nodvd
17nosound 17nosound
18notv 18notv
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index f7699552d..b64ecaa3e 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -6,11 +6,10 @@ include /etc/firejail/uudeview.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10
11hostname uudeview 9hostname uudeview
12ignore noroot 10ignore noroot
13net none 11net none
12nodbus
14nodvd 13nodvd
15nosound 14nosound
16notv 15notv
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 39bf3f7ce..135147266 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -5,7 +5,6 @@ include /etc/firejail/viewnior.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9blacklist ${HOME}/.bashrc 8blacklist ${HOME}/.bashrc
10 9
11noblacklist ${HOME}/.Steam 10noblacklist ${HOME}/.Steam
@@ -20,6 +19,7 @@ include /etc/firejail/disable-programs.inc
20caps.drop all 19caps.drop all
21net none 20net none
22no3d 21no3d
22nodbus
23nodvd 23nodvd
24nogroups 24nogroups
25nonewprivs 25nonewprivs
diff --git a/etc/vlc.profile b/etc/vlc.profile
index dad9a9ae1..c8c84b992 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -5,6 +5,7 @@ include /etc/firejail/vlc.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ${HOME}/.cache/vlc
8noblacklist ${HOME}/.config/vlc 9noblacklist ${HOME}/.config/vlc
9noblacklist ${HOME}/.local/share/vlc 10noblacklist ${HOME}/.local/share/vlc
10 11
@@ -18,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
18apparmor 19apparmor
19caps.drop all 20caps.drop all
20netfilter 21netfilter
22# nodbus - problems with KDE
21# nogroups 23# nogroups
22nonewprivs 24nonewprivs
23noroot 25noroot
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index 67707ffb8..ac8f0fe2a 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -5,12 +5,11 @@ include /etc/firejail/x-terminal-emulator.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10caps.drop all 8caps.drop all
11ipc-namespace 9ipc-namespace
12net none 10net none
13netfilter 11netfilter
12nodbus
14nogroups 13nogroups
15noroot 14noroot
16protocol unix 15protocol unix
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 467f96003..8493fe658 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xcalc.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ caps.drop all
18net none 16net none
19netfilter 17netfilter
20no3d 18no3d
19nodbus
21nodvd 20nodvd
22nogroups 21nogroups
23nonewprivs 22nonewprivs
diff --git a/etc/xed.profile b/etc/xed.profile
index e4ab673e8..5d46560b7 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.config/xed 8noblacklist ${HOME}/.config/xed
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
16 14
17include /etc/firejail/whitelist-var-common.inc 15include /etc/firejail/whitelist-var-common.inc
18 16
17# apparmor - makes settings immutable
19caps.drop all 18caps.drop all
20# net none - makes settings immutable
21machine-id 19machine-id
20# net none - makes settings immutable
22no3d 21no3d
22# nodbus - makes settings immutable
23nodvd 23nodvd
24nogroups 24nogroups
25nonewprivs 25nonewprivs
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 7b8042e5c..9eeda4d29 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xpdf.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.xpdfrc 8noblacklist ${HOME}/.xpdfrc
11 9
12include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ caps.drop all
20machine-id 18machine-id
21net none 19net none
22no3d 20no3d
21nodbus
23nodvd 22nodvd
24nogroups 23nogroups
25nonewprivs 24nonewprivs
diff --git a/etc/xplayer-audio-preview.profile b/etc/xplayer-audio-preview.profile
new file mode 100644
index 000000000..a422b9989
--- /dev/null
+++ b/etc/xplayer-audio-preview.profile
@@ -0,0 +1,10 @@
1# Firejail profile for xplayer-audio-preview
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/xplayer-audio-preview.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/xplayer.profile
diff --git a/etc/xplayer-video-thumbnailer b/etc/xplayer-video-thumbnailer
new file mode 100644
index 000000000..1ec5250bf
--- /dev/null
+++ b/etc/xplayer-video-thumbnailer
@@ -0,0 +1,10 @@
1# Firejail profile for xplayer-video-thumbnailer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/xplayer-video-thumbnailer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/xplayer.profile
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 8ea361d79..7e475bd58 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc
15 15
16include /etc/firejail/whitelist-var-common.inc 16include /etc/firejail/whitelist-var-common.inc
17 17
18# apparmor - makes settings immutable
18caps.drop all 19caps.drop all
19netfilter 20netfilter
21# nodbus - makes settings immutable
20nogroups 22nogroups
21nonewprivs 23nonewprivs
22noroot 24noroot
diff --git a/etc/xreader-previewer.profile b/etc/xreader-previewer.profile
new file mode 100644
index 000000000..4c42c147c
--- /dev/null
+++ b/etc/xreader-previewer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for xreader-previewer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/xreader-previewer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/xreader.profile
diff --git a/etc/xreader-thumbnailer.profile b/etc/xreader-thumbnailer.profile
new file mode 100644
index 000000000..bc0bcbb67
--- /dev/null
+++ b/etc/xreader-thumbnailer.profile
@@ -0,0 +1,10 @@
1# Firejail profile for xreader-thumbnailer
2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/xreader-thumbnailer.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7
8
9# Redirect
10include /etc/firejail/xreader.profile
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 00bd1ee2f..1ddfad26f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
16 16
17include /etc/firejail/whitelist-var-common.inc 17include /etc/firejail/whitelist-var-common.inc
18 18
19# apparmor
19caps.drop all 20caps.drop all
20no3d 21no3d
21nodvd 22nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 7c4ede111..26f9f0238 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xviewer.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus - makes settings immutable
9
10noblacklist ${HOME}/.Steam 8noblacklist ${HOME}/.Steam
11noblacklist ${HOME}/.config/xviewer 9noblacklist ${HOME}/.config/xviewer
12noblacklist ${HOME}/.local/share/Trash 10noblacklist ${HOME}/.local/share/Trash
@@ -19,9 +17,11 @@ include /etc/firejail/disable-programs.inc
19 17
20include /etc/firejail/whitelist-var-common.inc 18include /etc/firejail/whitelist-var-common.inc
21 19
20# apparmor - makes settings immutable
22caps.drop all 21caps.drop all
23# net none - makes settings immutable 22# net none - makes settings immutable
24no3d 23no3d
24# nodbus - makes settings immutable
25nodvd 25nodvd
26nogroups 26nogroups
27nonewprivs 27nonewprivs
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 1136a6535..5913fd07a 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -6,12 +6,12 @@ include /etc/firejail/xzdec.local
6# Persistent global definitions 6# Persistent global definitions
7include /etc/firejail/globals.local 7include /etc/firejail/globals.local
8 8
9blacklist /run/user/*/bus
10blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
11 10
12ignore noroot 11ignore noroot
13net none 12net none
14no3d 13no3d
14nodbus
15nodvd 15nodvd
16nosound 16nosound
17notv 17notv
diff --git a/etc/zart.profile b/etc/zart.profile
index e9fd9b3bd..60eb09c71 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zart.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8blacklist /run/user/*/bus
9
10include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc 9include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 13caps.drop all
16ipc-namespace 14ipc-namespace
17net none 15net none
16nodbus
18nodvd 17nodvd
19nogroups 18nogroups
20nonewprivs 19nonewprivs
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 288abb8ec..3edece779 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zathura.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8# blacklist /run/user/*/bus
9
10noblacklist ${HOME}/.config/zathura 8noblacklist ${HOME}/.config/zathura
11noblacklist ${HOME}/.local/share/zathura 9noblacklist ${HOME}/.local/share/zathura
12 10
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
17 15
18caps.drop all 16caps.drop all
19# net none 17# net none
18# nodbus
20nodvd 19nodvd
21nogroups 20nogroups
22nonewprivs 21nonewprivs
@@ -31,5 +30,6 @@ private-bin zathura
31private-dev 30private-dev
32private-etc fonts 31private-etc fonts
33private-tmp 32private-tmp
33
34read-only ${HOME}/ 34read-only ${HOME}/
35read-write ${HOME}/.local/share/zathura/ 35read-write ${HOME}/.local/share/zathura/
diff --git a/gcov.sh b/gcov.sh
index df1fcb51b..ff910cbe0 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -10,11 +10,18 @@ gcov_init() {
10 /usr/lib/firejail/fcopy --help > /dev/null 10 /usr/lib/firejail/fcopy --help > /dev/null
11 /usr/lib/firejail/fldd --help > /dev/null 11 /usr/lib/firejail/fldd --help > /dev/null
12 firecfg --help > /dev/null 12 firecfg --help > /dev/null
13
14 /usr/lib/firejail/fnetfilter --help > /dev/null
15 /usr/lib/firejail/fsec-print --help > /dev/null
16 /usr/lib/firejail/fsec-optimize --help > /dev/null
17 /usr/lib/firejail/faudit --help > /dev/null
18 /usr/lib/firejail/fbuilder --help > /dev/null
19
13 sudo chown $USER:$USER `find .` 20 sudo chown $USER:$USER `find .`
14} 21}
15 22
16generate() { 23generate() {
17 lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new 24 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
18 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file 25 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
19 rm -fr gcov-dir 26 rm -fr gcov-dir
20 genhtml -q gcov-file --output-directory gcov-dir 27 genhtml -q gcov-file --output-directory gcov-dir
@@ -25,7 +32,7 @@ generate() {
25 32
26 33
27gcov_init 34gcov_init
28lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old 35lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
29 36
30#make test-environment 37#make test-environment
31#generate 38#generate
diff --git a/src/common.mk.in b/src/common.mk.in
new file mode 100644
index 000000000..1d4dbe304
--- /dev/null
+++ b/src/common.mk.in
@@ -0,0 +1,37 @@
1# common definitions for all makefiles
2
3CC=@CC@
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
27
28H_FILE_LIST = $(sort $(wildcard *.[h]))
29C_FILE_LIST = $(sort $(wildcard *.c))
30OBJS = $(C_FILE_LIST:.c=.o)
31BINOBJS = $(foreach file, $(OBJS), $file)
32
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
36EXTRA_CFLAGS +=@EXTRA_CFLAGS@
37
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
index a3b505c39..26df0fe51 100644
--- a/src/faudit/Makefile.in
+++ b/src/faudit/Makefile.in
@@ -1,25 +1,14 @@
1all: faudit 1all: faudit
2 2
3CC=@CC@ 3include ../common.mk
4PREFIX=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8
9H_FILE_LIST = $(sort $(wildcard *.[h]))
10C_FILE_LIST = $(sort $(wildcard *.c))
11OBJS = $(C_FILE_LIST:.c=.o)
12BINOBJS = $(foreach file, $(OBJS), $file)
13CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
14LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
15 4
16%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
18 7
19faudit: $(OBJS) 8faudit: $(OBJS)
20 $(CC) $(LDFLAGS) -o $@ $(OBJS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
21 10
22clean:; rm -f *.o faudit 11clean:; rm -f *.o faudit *.gcov *.gcda *.gcno
23 12
24distclean: clean 13distclean: clean
25 rm -fr Makefile 14 rm -fr Makefile
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
index dd8e2ce6e..7a606c872 100644
--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,40 +1,9 @@
1all: fbuilder 1all: fbuilder
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fbuilder: $(OBJS) 8fbuilder: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index ad08f543e..c9e7d87ab 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,40 +1,9 @@
1all: fcopy 1all: fcopy
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fcopy: $(OBJS) 8fcopy: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 0b2b03275..b6dbb039d 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,40 +1,14 @@
1all: firecfg 1all: firecfg
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_GCOV=@HAVE_GCOV@
21EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
22
23
24H_FILE_LIST = $(sort $(wildcard *.[h]))
25C_FILE_LIST = $(sort $(wildcard *.c))
26OBJS = $(C_FILE_LIST:.c=.o)
27BINOBJS = $(foreach file, $(OBJS), $file)
28CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
29LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
30 4
31%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
32 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
33 7
34firecfg: $(OBJS) ../lib/common.o 8firecfg: $(OBJS) ../lib/common.o
35 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
36 10
37clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
38 12
39distclean: clean 13distclean: clean
40 rm -fr Makefile 14 rm -fr Makefile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e29f95886..1f56e2532 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
16Wire 16Wire
17Xephyr 17Xephyr
18abrowser 18abrowser
19akonadi_control
19akregator 20akregator
20amarok 21amarok
21amule 22amule
@@ -43,6 +44,7 @@ bibletime
43bitlbee 44bitlbee
44bleachbit 45bleachbit
45blender 46blender
47blender-2.8
46bless 48bless
47bluefish 49bluefish
48bnox 50bnox
@@ -108,6 +110,8 @@ eom
108epiphany 110epiphany
109etr 111etr
110evince 112evince
113evince-previewer
114evince-thumbnailer
111evolution 115evolution
112exiftool 116exiftool
113falkon 117falkon
@@ -130,6 +134,7 @@ freshclam
130frozen-bubble 134frozen-bubble
131gajim 135gajim
132galculator 136galculator
137gcloud
133geany 138geany
134geary 139geary
135gedit 140gedit
@@ -150,10 +155,12 @@ gnome-clocks
150gnome-contacts 155gnome-contacts
151gnome-documents 156gnome-documents
152gnome-font-viewer 157gnome-font-viewer
158gnome-logs
153gnome-maps 159gnome-maps
154gnome-mplayer 160gnome-mplayer
155gnome-music 161gnome-music
156gnome-photos 162gnome-photos
163gnome-recipes
157gnome-twitch 164gnome-twitch
158gnome-weather 165gnome-weather
159goobox 166goobox
@@ -258,6 +265,7 @@ musescore
258mutt 265mutt
259natron 266natron
260nautilus 267nautilus
268ncdu
261netsurf 269netsurf
262neverball 270neverball
263nheko 271nheko
@@ -348,6 +356,7 @@ telegram
348telegram-desktop 356telegram-desktop
349terasology 357terasology
350thunderbird 358thunderbird
359thunderbird-beta
351tilp 360tilp
352tor-browser-ar 361tor-browser-ar
353tor-browser-en 362tor-browser-en
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 01cb929e2..9bd2f9c22 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,45 +1,14 @@
1all: firejail 1all: firejail
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o 8firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
41 10
42clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firejail *.gcov *.gcda *.gcno
43 12
44distclean: clean 13distclean: clean
45 rm -fr Makefile 14 rm -fr Makefile
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 0d77c199b..20845270e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -85,6 +85,15 @@ int checkcfg(int val) {
85 else 85 else
86 goto errout; 86 goto errout;
87 } 87 }
88 // dbus
89 else if (strncmp(ptr, "dbus ", 5) == 0) {
90 if (strcmp(ptr + 5, "yes") == 0)
91 cfg_val[CFG_DBUS] = 1;
92 else if (strcmp(ptr + 5, "no") == 0)
93 cfg_val[CFG_DBUS] = 0;
94 else
95 goto errout;
96 }
88 // join 97 // join
89 else if (strncmp(ptr, "join ", 5) == 0) { 98 else if (strncmp(ptr, "join ", 5) == 0) {
90 if (strcmp(ptr + 5, "yes") == 0) 99 if (strcmp(ptr + 5, "yes") == 0)
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
new file mode 100644
index 000000000..6c122c6d0
--- /dev/null
+++ b/src/firejail/dbus.c
@@ -0,0 +1,63 @@
1/*
2 * Copyright (C) 2014-2018 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#include "firejail.h"
21
22void dbus_session_disable(void) {
23 if (!checkcfg(CFG_DBUS)) {
24 fwarning("D-Bus handling is disabled in Firejail configuration file\n");
25 return;
26 }
27
28 char *path;
29 if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
30 errExit("asprintf");
31 char *env_var;
32 if (asprintf(&env_var, "DBUS_SESSION_BUS_ADDRESS=unix:path=%s", path) == -1)
33 errExit("asprintf");
34
35 // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus
36 if (setenv("DBUS_SESSION_BUS_ADDRESS", env_var, 1) == -1) {
37 fprintf(stderr, "Error: cannot modify DBUS_SESSION_BUS_ADDRESS required by --nodbus\n");
38 exit(1);
39 }
40
41 // blacklist the path
42 disable_file_or_dir(path);
43 free(path);
44 free(env_var);
45
46 // look for a possible abstract unix socket
47
48 // --net=none
49 if (arg_nonetwork)
50 return;
51
52 // --net=eth0
53 if (any_bridge_configured())
54 return;
55
56 // --protocol=unix
57#ifdef HAVE_SECCOMP
58 if (cfg.protocol && !strstr(cfg.protocol, "unix"))
59 return;
60#endif
61
62 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
63}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5af141289..fdb5745cb 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
382extern int arg_memory_deny_write_execute; // block writable and executable memory 382extern int arg_memory_deny_write_execute; // block writable and executable memory
383extern int arg_notv; // --notv 383extern int arg_notv; // --notv
384extern int arg_nodvd; // --nodvd 384extern int arg_nodvd; // --nodvd
385extern int arg_nodbus; // -nodbus
385 386
386extern int login_shell; 387extern int login_shell;
387extern int parent_to_child_fds[2]; 388extern int parent_to_child_fds[2];
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
520int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); 521int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
521void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); 522void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
522unsigned extract_timeout(const char *str); 523unsigned extract_timeout(const char *str);
524void disable_file_or_dir(const char *fname);
525void disable_file_path(const char *path, const char *file);
523 526
524// fs_var.c 527// fs_var.c
525void fs_var_log(void); // mounting /var/log 528void fs_var_log(void); // mounting /var/log
@@ -741,6 +744,7 @@ enum {
741 CFG_XPRA_ATTACH, 744 CFG_XPRA_ATTACH,
742 CFG_PRIVATE_LIB, 745 CFG_PRIVATE_LIB,
743 CFG_APPARMOR, 746 CFG_APPARMOR,
747 CFG_DBUS,
744 CFG_MAX // this should always be the last entry 748 CFG_MAX // this should always be the last entry
745}; 749};
746extern char *xephyr_screen; 750extern char *xephyr_screen;
@@ -800,4 +804,7 @@ void set_name_run_file(pid_t pid);
800void set_x11_run_file(pid_t pid, int display); 804void set_x11_run_file(pid_t pid, int display);
801void set_profile_run_file(pid_t pid, const char *fname); 805void set_profile_run_file(pid_t pid, const char *fname);
802 806
807// dbus.c
808void dbus_session_disable(void);
809
803#endif 810#endif
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 6eac78d96..152ddf5f7 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -297,26 +297,6 @@ void fs_private_dev(void){
297 } 297 }
298} 298}
299 299
300
301
302static void disable_file_or_dir(const char *fname) {
303 if (arg_debug)
304 printf("disable %s\n", fname);
305 struct stat s;
306 if (stat(fname, &s) != -1) {
307 if (is_dir(fname)) {
308 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
309 errExit("disable directory");
310 }
311 else {
312 if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
313 errExit("disable file");
314 }
315 }
316 fs_logger2("blacklist", fname);
317
318}
319
320void fs_dev_disable_sound(void) { 300void fs_dev_disable_sound(void) {
321 unsigned i = 0; 301 unsigned i = 0;
322 while (dev[i].dev_fname != NULL) { 302 while (dev[i].dev_fname != NULL) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 38db165e8..6dc19abdd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
120int arg_memory_deny_write_execute = 0; // block writable and executable memory 120int arg_memory_deny_write_execute = 0; // block writable and executable memory
121int arg_notv = 0; // --notv 121int arg_notv = 0; // --notv
122int arg_nodvd = 0; // --nodvd 122int arg_nodvd = 0; // --nodvd
123int arg_nodbus = 0; // -nodbus
123int login_shell = 0; 124int login_shell = 0;
124 125
125 126
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
1111 else if (strncmp(argv[i], "--protocol=", 11) == 0) { 1112 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
1112 if (checkcfg(CFG_SECCOMP)) { 1113 if (checkcfg(CFG_SECCOMP)) {
1113 if (cfg.protocol) { 1114 if (cfg.protocol) {
1114 fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); 1115 fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
1115 } 1116 }
1116 else { 1117 else {
1117 // store list 1118 // store list
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
1734 arg_notv = 1; 1735 arg_notv = 1;
1735 else if (strcmp(argv[i], "--nodvd") == 0) 1736 else if (strcmp(argv[i], "--nodvd") == 0)
1736 arg_nodvd = 1; 1737 arg_nodvd = 1;
1738 else if (strcmp(argv[i], "--nodbus") == 0)
1739 arg_nodbus = 1;
1737 1740
1738 //************************************* 1741 //*************************************
1739 // network 1742 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5566b9860..2cb91964a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
249 arg_no3d = 1; 249 arg_no3d = 1;
250 return 0; 250 return 0;
251 } 251 }
252 else if (strcmp(ptr, "nodbus") == 0) {
253 arg_nodbus = 1;
254 return 0;
255 }
252 else if (strcmp(ptr, "allow-private-blacklist") == 0) { 256 else if (strcmp(ptr, "allow-private-blacklist") == 0) {
253 fmessage("--allow-private-blacklist was deprecated\n"); 257 fmessage("--allow-private-blacklist was deprecated\n");
254 return 0; 258 return 0;
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
549#ifdef HAVE_SECCOMP 553#ifdef HAVE_SECCOMP
550 if (checkcfg(CFG_SECCOMP)) { 554 if (checkcfg(CFG_SECCOMP)) {
551 if (cfg.protocol) { 555 if (cfg.protocol) {
552 fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); 556 fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
553 return 0; 557 return 0;
554 } 558 }
555 559
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index ef674fb4a..9109a6865 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,52 +24,24 @@
24#include <dirent.h> 24#include <dirent.h>
25#include <sys/wait.h> 25#include <sys/wait.h>
26 26
27static void disable_file(const char *path, const char *file) {
28 assert(file);
29 assert(path);
30
31 struct stat s;
32 char *fname;
33 if (asprintf(&fname, "%s/%s", path, file) == -1)
34 errExit("asprintf");
35 if (stat(fname, &s) == -1)
36 goto doexit;
37
38 if (arg_debug)
39 printf("Disable%s\n", fname);
40
41 if (S_ISDIR(s.st_mode)) {
42 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
43 errExit("disable file");
44 }
45 else {
46 if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
47 errExit("disable file");
48 }
49 fs_logger2("blacklist", fname);
50
51doexit:
52 free(fname);
53}
54
55// disable pulseaudio socket 27// disable pulseaudio socket
56void pulseaudio_disable(void) { 28void pulseaudio_disable(void) {
57 if (arg_debug) 29 if (arg_debug)
58 printf("disable pulseaudio\n"); 30 printf("disable pulseaudio\n");
59 // blacklist user config directory 31 // blacklist user config directory
60 disable_file(cfg.homedir, ".config/pulse"); 32 disable_file_path(cfg.homedir, ".config/pulse");
61 33
62 34
63 // blacklist pulseaudio socket in XDG_RUNTIME_DIR 35 // blacklist pulseaudio socket in XDG_RUNTIME_DIR
64 char *name = getenv("XDG_RUNTIME_DIR"); 36 char *name = getenv("XDG_RUNTIME_DIR");
65 if (name) 37 if (name)
66 disable_file(name, "pulse/native"); 38 disable_file_path(name, "pulse/native");
67 39
68 // try the default location anyway 40 // try the default location anyway
69 char *path; 41 char *path;
70 if (asprintf(&path, "/run/user/%d", getuid()) == -1) 42 if (asprintf(&path, "/run/user/%d", getuid()) == -1)
71 errExit("asprintf"); 43 errExit("asprintf");
72 disable_file(path, "pulse/native"); 44 disable_file_path(path, "pulse/native");
73 free(path); 45 free(path);
74 46
75 47
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
87 struct dirent *entry; 59 struct dirent *entry;
88 while ((entry = readdir(dir))) { 60 while ((entry = readdir(dir))) {
89 if (strncmp(entry->d_name, "pulse-", 6) == 0) { 61 if (strncmp(entry->d_name, "pulse-", 6) == 0) {
90 disable_file("/tmp", entry->d_name); 62 disable_file_path("/tmp", entry->d_name);
91 } 63 }
92 } 64 }
93 65
94 closedir(dir); 66 closedir(dir);
95
96} 67}
97 68
98 69
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index 57a0e19df..361ad1414 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -20,6 +20,7 @@
20 20
21#include "firejail.h" 21#include "firejail.h"
22#include "../include/pid.h" 22#include "../include/pid.h"
23#define BUFLEN 4096
23 24
24static void delete_x11_run_file(pid_t pid) { 25static void delete_x11_run_file(pid_t pid) {
25 char *fname; 26 char *fname;
@@ -74,7 +75,36 @@ void delete_run_files(pid_t pid) {
74 delete_profile_run_file(pid); 75 delete_profile_run_file(pid);
75} 76}
76 77
78static char *newname(char *name) {
79 char *rv;
80 pid_t pid;
81
82 // try the name
83 if (name2pid(name, &pid))
84 return name;
85
86 // try name-1 to 9
87 int i;
88 for (i = 1; i < 10; i++) {
89 if (asprintf(&rv, "%s-%d", name, i) == -1)
90 errExit("asprintf");
91 if (name2pid(rv, &pid)) {
92 fwarning("Sandbox name changed to %s\n", rv);
93 return rv;
94 }
95 free(rv);
96 }
97
98 // return name-pid
99 if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
100 errExit("asprintf");
101 return rv;
102}
103
104
77void set_name_run_file(pid_t pid) { 105void set_name_run_file(pid_t pid) {
106 cfg.name = newname(cfg.name);
107
78 char *fname; 108 char *fname;
79 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) 109 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
80 errExit("asprintf"); 110 errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96b7b267b..75dbc976d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -838,6 +838,13 @@ int sandbox(void* sandbox_arg) {
838 } 838 }
839 839
840 //**************************** 840 //****************************
841 // Session D-BUS
842 //****************************
843 if (arg_nodbus)
844 dbus_session_disable();
845
846
847 //****************************
841 // hosts and hostname 848 // hosts and hostname
842 //**************************** 849 //****************************
843 if (cfg.hostname) 850 if (cfg.hostname)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 15b548d20..d0292f524 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -132,7 +132,9 @@ void usage(void) {
132#endif 132#endif
133 printf(" --nice=value - set nice value.\n"); 133 printf(" --nice=value - set nice value.\n");
134 printf(" --no3d - disable 3D hardware acceleration.\n"); 134 printf(" --no3d - disable 3D hardware acceleration.\n");
135 printf(" --noblacklist=filename - disable blacklist for file or directory .\n"); 135 printf(" --noblacklist=filename - disable blacklist for file or directory.\n");
136 printf(" --nodbus - disable D-Bus access.\n");
137 printf(" --nodvd - disable DVD and audio CD devices.\n");
136 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); 138 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
137 printf(" --nogroups - disable supplementary groups.\n"); 139 printf(" --nogroups - disable supplementary groups.\n");
138 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); 140 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0adca5e33..c644f83a8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
21#include "firejail.h" 21#include "firejail.h"
22#include <ftw.h> 22#include <ftw.h>
23#include <sys/stat.h> 23#include <sys/stat.h>
24#include <sys/mount.h>
24#include <fcntl.h> 25#include <fcntl.h>
25#include <syslog.h> 26#include <syslog.h>
26#include <errno.h> 27#include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
964 965
965 return h * 3600 + m * 60 + s; 966 return h * 3600 + m * 60 + s;
966} 967}
968
969void disable_file_or_dir(const char *fname) {
970 if (arg_debug)
971 printf("blacklist %s\n", fname);
972 struct stat s;
973 if (stat(fname, &s) != -1) {
974 if (is_dir(fname)) {
975 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
976 errExit("disable directory");
977 }
978 else {
979 if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
980 errExit("disable file");
981 }
982 }
983 fs_logger2("blacklist", fname);
984}
985
986void disable_file_path(const char *path, const char *file) {
987 assert(file);
988 assert(path);
989
990 char *fname;
991 if (asprintf(&fname, "%s/%s", path, file) == -1)
992 errExit("asprintf");
993
994 disable_file_or_dir(fname);
995 free(fname);
996}
997
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index 326c305d9..d3ffe5d3f 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,26 +1,9 @@
1all: firemon 1all: firemon
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9HAVE_APPARMOR=@HAVE_APPARMOR@
10EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
11
12H_FILE_LIST = $(sort $(wildcard *.[h]))
13C_FILE_LIST = $(sort $(wildcard *.c))
14OBJS = $(C_FILE_LIST:.c=.o)
15BINOBJS = $(foreach file, $(OBJS), $file)
16CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
17LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
18HAVE_GCOV=@HAVE_GCOV@
19EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
20
21 4
22%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
23 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
24 7
25firemon: $(OBJS) ../lib/common.o ../lib/pid.o 8firemon: $(OBJS) ../lib/common.o ../lib/pid.o
26 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index e2bf4b787..5af37cfbd 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,40 +1,9 @@
1all: fldd 1all: fldd
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fldd: $(OBJS) ../lib/ldd_utils.o 8fldd: $(OBJS) ../lib/ldd_utils.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 3288e6354..06b3981a9 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,40 +1,9 @@
1all: fnet 1all: fnet
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fnet: $(OBJS) ../lib/libnetlink.o 8fnet: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 1063737e1..2e263cc2b 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -1,40 +1,9 @@
1all: fnetfilter 1all: fnetfilter
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fnetfilter: $(OBJS) 8fnetfilter: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index 6ddbfc075..e5e14a6a6 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -1,40 +1,9 @@
1all: fsec-optimize 1all: fsec-optimize
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fsec-optimize: $(OBJS) ../lib/libnetlink.o 8fsec-optimize: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index 5d23382f7..3db4406f4 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -1,40 +1,9 @@
1all: fsec-print 1all: fsec-print
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fsec-print: $(OBJS) ../lib/libnetlink.o 8fsec-print: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index e3b53c44c..faf59aa35 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -269,7 +269,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) {
269 native_arch = (ARCH_NR == ARCH_64)? 1: 0; 269 native_arch = (ARCH_NR == ARCH_64)? 1: 0;
270 } 270 }
271 else if (bpf->k == X32_SYSCALL_BIT) 271 else if (bpf->k == X32_SYSCALL_BIT)
272 printf("X32_ABI true:%.4x (false %.4x)", 272 printf("X32_ABI %.4x (false %.4x)",
273 (line + 1) + bpf->jt, 273 (line + 1) + bpf->jt,
274 (line + 1) + bpf->jf); 274 (line + 1) + bpf->jf);
275 else if (name) 275 else if (name)
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index df4343d36..2c99096bb 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,40 +1,9 @@
1all: fseccomp 1all: fseccomp
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fseccomp: $(OBJS) 8fseccomp: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index fd39f0cb7..d3b92362c 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,25 +1,12 @@
1all: ftee 1all: ftee
2 2
3CC=@CC@ 3include ../common.mk
4PREFIX=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
10
11H_FILE_LIST = $(sort $(wildcard *.[h]))
12C_FILE_LIST = $(sort $(wildcard *.c))
13OBJS = $(C_FILE_LIST:.c=.o)
14BINOBJS = $(foreach file, $(OBJS), $file)
15CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
16LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
17 4
18%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
19 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
20 7
21ftee: $(OBJS) 8ftee: $(OBJS)
22 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
23 10
24clean:; rm -f *.o ftee *.gcov *.gcda *.gcno 11clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
25 12
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index a49e56ad2..a744b8d80 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,22 +1,9 @@
1CC=@CC@ 1include ../common.mk
2PREFIX=@prefix@
3VERSION=@PACKAGE_VERSION@
4NAME=@PACKAGE_NAME@
5HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
6HAVE_GCOV=@HAVE_GCOV@
7EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
8
9H_FILE_LIST = $(sort $(wildcard *.[h]))
10C_FILE_LIST = $(sort $(wildcard *.c))
11OBJS = $(C_FILE_LIST:.c=.o)
12BINOBJS = $(foreach file, $(OBJS), $file)
13CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DLIBDIR='"$(libdir)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
14LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
15 2
16all: $(OBJS) 3all: $(OBJS)
17 4
18%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
19 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
20 7
21clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno 8clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
22 9
diff --git a/src/lib/pid.c b/src/lib/pid.c
index f138efc8c..3c804716d 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -188,10 +188,11 @@ static void print_elem(unsigned index, int nowrap) {
188 uid_t uid = pids[index].uid; 188 uid_t uid = pids[index].uid;
189 char *cmd = pid_proc_cmdline(index); 189 char *cmd = pid_proc_cmdline(index);
190 char *user = pid_get_user_name(uid); 190 char *user = pid_get_user_name(uid);
191 char *allocated = user; 191 char *user_allocated = user;
192 192
193 // extract sandbox name - pid == index 193 // extract sandbox name - pid == index
194 char *sandbox_name = ""; 194 char *sandbox_name = "";
195 char *sandbox_name_allocated = NULL;
195 char *fname; 196 char *fname;
196 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1) 197 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
197 errExit("asprintf"); 198 errExit("asprintf");
@@ -202,6 +203,7 @@ static void print_elem(unsigned index, int nowrap) {
202 sandbox_name = malloc(s.st_size + 1); 203 sandbox_name = malloc(s.st_size + 1);
203 if (!sandbox_name) 204 if (!sandbox_name)
204 errExit("malloc"); 205 errExit("malloc");
206 sandbox_name_allocated = sandbox_name;
205 char *rv = fgets(sandbox_name, s.st_size + 1, fp); 207 char *rv = fgets(sandbox_name, s.st_size + 1, fp);
206 if (!rv) 208 if (!rv)
207 *sandbox_name = '\0'; 209 *sandbox_name = '\0';
@@ -241,8 +243,10 @@ static void print_elem(unsigned index, int nowrap) {
241 else 243 else
242 printf("%s%u:\n", indent, index); 244 printf("%s%u:\n", indent, index);
243 } 245 }
244 if (allocated) 246 if (user_allocated)
245 free(allocated); 247 free(user_allocated);
248 if (sandbox_name_allocated)
249 free(sandbox_name_allocated);
246} 250}
247 251
248// recursivity!!! 252// recursivity!!!
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 34e4102f6..f080c8c7b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1064,6 +1064,17 @@ $ nc dict.org 2628
1064220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 1064220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1065.br 1065.br
1066.TP 1066.TP
1067\fB\-\-nodbus
1068Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
1069disable the abstract socket you would need to request a new network namespace using
1070\-\-net command. Another option is to remove unix from \-\-protocol set.
1071.br
1072
1073.br
1074Example:
1075.br
1076$ firejail \-\-nodbus \-\-net=none
1077.TP
1067\fB\-\-nodvd 1078\fB\-\-nodvd
1068Disable DVD and audio CD devices. 1079Disable DVD and audio CD devices.
1069.br 1080.br
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index 02f2323a0..656b8e215 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -13,7 +13,7 @@ sleep 1
13send -- "firecfg --clean\r" 13send -- "firecfg --clean\r"
14expect { 14expect {
15 timeout {puts "TESTING ERROR 0\n";exit} 15 timeout {puts "TESTING ERROR 0\n";exit}
16 "/usr/local/bin/firefox removed" 16 "less removed"
17} 17}
18sleep 1 18sleep 1
19 19
@@ -30,11 +30,11 @@ sleep 1
30send -- "firecfg\r" 30send -- "firecfg\r"
31expect { 31expect {
32 timeout {puts "TESTING ERROR 3\n";exit} 32 timeout {puts "TESTING ERROR 3\n";exit}
33 "firefox created" 33 "less created"
34} 34}
35sleep 1 35sleep 1
36 36
37send -- "file /usr/local/bin/firefox\r" 37send -- "file /usr/local/bin/less\r"
38expect { 38expect {
39 timeout {puts "TESTING ERROR 4\n";exit} 39 timeout {puts "TESTING ERROR 4\n";exit}
40 "symbolic link to /usr/bin/firejail" 40 "symbolic link to /usr/bin/firejail"
@@ -44,7 +44,7 @@ sleep 1
44send -- "firecfg --list\r" 44send -- "firecfg --list\r"
45expect { 45expect {
46 timeout {puts "TESTING ERROR 5\n";exit} 46 timeout {puts "TESTING ERROR 5\n";exit}
47 "/usr/local/bin/firefox" 47 "/usr/local/bin/less"
48} 48}
49sleep 1 49sleep 1
50 50
diff --git a/test/root/root.sh b/test/root/root.sh
index 912ae23f0..22b12cf86 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -110,13 +110,13 @@ echo "TESTING: firemon events (test/root/firemon-events.exp)"
110#******************************** 110#********************************
111# firecfg 111# firecfg
112#******************************** 112#********************************
113which firefox 113which less
114if [ "$?" -eq 0 ]; 114if [ "$?" -eq 0 ];
115then 115then
116 echo "TESTING: firecfg (test/root/firecfg.exp)" 116 echo "TESTING: firecfg (test/root/firecfg.exp)"
117 ./firecfg.exp 117 ./firecfg.exp
118else 118else
119 echo "TESTING SKIP: firecfg, firefox not found" 119 echo "TESTING SKIP: firecfg, less not found"
120fi 120fi
121 121
122# restore the default config file 122# restore the default config file
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
index c68ee387c..684886af7 100755
--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -76,4 +76,24 @@ expect {
76} 76}
77after 100 77after 100
78 78
79# run audit executable without a sandbox
80send -- "faudit\r"
81expect {
82 timeout {puts "TESTING ERROR 13\n";exit}
83 "is not running in a PID namespace"
84}
85expect {
86 timeout {puts "TESTING ERROR 14\n";exit}
87 "BAD: seccomp disabled"
88}
89expect {
90 timeout {puts "TESTING ERROR 15\n";exit}
91 "BAD: the capability map is"
92}
93expect {
94 timeout {puts "TESTING ERROR 16\n";exit}
95 "MAYBE: /dev directory seems to be fully populated"
96}
97after 100
98
79puts "\nall done\n" 99puts "\nall done\n"
diff --git a/test/utils/build.exp b/test/utils/build.exp
new file mode 100755
index 000000000..de2a9b6ae
--- /dev/null
+++ b/test/utils/build.exp
@@ -0,0 +1,58 @@
1#!/usr/bin/expect -f
2# This file is part of Firejail project
3# Copyright (C) 2014-2018 Firejail Authors
4# License GPL v2
5
6set timeout 10
7spawn $env(SHELL)
8match_max 100000
9
10send -- "firejail --build cat ~/firejail-test-file-7699\r"
11expect {
12 timeout {puts "TESTING ERROR 0\n";exit}
13 "whitelist ~/firejail-test-file-7699"
14}
15expect {
16 timeout {puts "TESTING ERROR 0.1\n";exit}
17 "include /etc/firejail/whitelist-common.inc"
18}
19expect {
20 timeout {puts "TESTING ERROR 1\n";exit}
21 "private-tmp"
22}
23expect {
24 timeout {puts "TESTING ERROR 2\n";exit}
25 "private-dev"
26}
27expect {
28 timeout {puts "TESTING ERROR 3\n";exit}
29 "blacklist /var"
30}
31expect {
32 timeout {puts "TESTING ERROR 4\n";exit}
33 "private-bin cat,"
34}
35expect {
36 timeout {puts "TESTING ERROR 5\n";exit}
37 "caps.drop all"
38}
39expect {
40 timeout {puts "TESTING ERROR 6\n";exit}
41 "nonewprivs"
42}
43expect {
44 timeout {puts "TESTING ERROR 7\n";exit}
45 "seccomp"
46}
47expect {
48 timeout {puts "TESTING ERROR 8\n";exit}
49 "net none"
50}
51expect {
52 timeout {puts "TESTING ERROR 9\n";exit}
53 "shell none"
54}
55after 100
56
57
58puts "all done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 9dd3b67a3..d72cc2269 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -6,6 +6,17 @@
6export MALLOC_CHECK_=3 6export MALLOC_CHECK_=3
7export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) 7export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
8 8
9if [ -f /etc/debian_version ]; then
10 libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
11 export PATH="$PATH:$libdir"
12fi
13export PATH="$PATH:/usr/lib/firejail"
14
15echo "testing" > ~/firejail-test-file-7699
16echo "TESTING: build (test/utils/build.exp)"
17./build.exp
18rm -f ~/firejail-test-file-7699
19
9echo "TESTING: audit (test/utils/audit.exp)" 20echo "TESTING: audit (test/utils/audit.exp)"
10./audit.exp 21./audit.exp
11 22
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 01:36:18 +0000