-rw-r--r-- | README.md | 3 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/akregator.profile | 1 | ||||
-rw-r--r-- | etc/audacity.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 7 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/libreoffice.profile | 2 | ||||
-rw-r--r-- | etc/remmina.profile | 1 | ||||
-rw-r--r-- | etc/soundconverter.profile | 2 | ||||
-rw-r--r-- | etc/tilp.profile | 34 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
12 files changed, 54 insertions, 5 deletions
@@ -101,4 +101,5 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
101 | ## New profiles | 101 | ## New profiles |
102 | 102 | ||
103 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, | 103 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, |
104 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain | 104 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
105 | tilp | ||
@@ -7,7 +7,7 @@ firejail (0.9.53) baseline; urgency=low | |||
7 | * private-tmp support for overlay and chroot sandboxes | 7 | * private-tmp support for overlay and chroot sandboxes |
8 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, | 8 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, |
9 | * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine, | 9 | * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine, |
10 | * new profiles: pdfchain | 10 | * new profiles: pdfchain, tilp |
11 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 | 11 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 |
12 | 12 | ||
13 | firejail (0.9.52) baseline; urgency=low | 13 | firejail (0.9.52) baseline; urgency=low |
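--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
 
 include /etc/firejail/whitelist-var-common.inc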
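Review bot: The new `whitelist ${HOME}/.local/share/kssl` at new line 20 exposes what is presumably the KDE SSL certificate data to a program that parses remote feed content, and a whitelisted path stays writable unless something marks it read-only. This commit adds `read-only ${HOME}/.local/share/kssl` to etc/disable-common.inc, but the hunk does not show whether this profile includes that file; if it does not, add the `read-only` line here as well. A short comment above the line, for example `# KDE SSL certificate data (confirm why akregator needs it)`, would record the reason for the exposure.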
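--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
-net none
+#net none
 no3d
 nodvd
 nogroups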
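Review bot: Commenting out `net none` at new line 20 gives Audacity network access again, and the line records no reason for it. If a specific feature needs the network, state it in the comment, e.g. `# net none - breaks <feature>`, and, if it is not already set outside the hunk, add `protocol unix,inet,inet6` so the allowed socket families stay narrow. The same concern applies to etc/soundconverter.profile, where `blacklist /run/user/*/bus` is dropped and the D-Bus session socket becomes reachable from the sandbox without any stated rationale.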
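--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -83,15 +83,21 @@ read-only ${HOME}/.config/kdeglobals
 read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/kdeglobals
 read-only ${HOME}/.kde/share/config/kio_httprc
 read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
 read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/kssl
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.kde4/share/config/kio_httprc
 read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
 read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
 
 # kdeinit socket
 blacklist /run/user/*/kdeinit5__*
@@ -245,6 +251,7 @@ read-only ${HOME}/bin
 blacklist ${HOME}/.local/share/Trash
 
 # Write-protection for desktop entries
+read-only ${HOME}/.config/menus
 read-only ${HOME}/.local/share/applications
 
 # top secret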
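Review bot: The new `read-only` entries for the `kssl` directories and `ksslcablacklist` files in the first hunk carry no comment on what they protect or on the limits of that protection. As far as I know, firejail skips `read-only` for a path that does not exist when the sandbox starts, so a program with a writable home could still create `${HOME}/.local/share/kssl` itself; this is worth confirming. A comment such as `# KDE SSL certificate data - only protected if the path already exists` near the first new entry would record both points. The surrounding KDE block begins above the hunk.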
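--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -445,6 +445,7 @@ blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.ts3client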
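--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,3 +34,5 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
+
+join-or-start libreoffice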
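--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -5,6 +5,7 @@ include /etc/firejail/remmina.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
 noblacklist ${HOME}/.ssh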
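Review bot: `noblacklist ${HOME}/.remmina` at new line 8 only has an effect if a matching `blacklist ${HOME}/.remmina` exists in etc/disable-programs.inc, and this commit's hunk for that file adds only `.tilp`. If the entry is not already present (the rest of that file is not shown), other sandboxed programs can still read the directory, which presumably holds saved connection settings. In that case add `blacklist ${HOME}/.remmina` to disable-programs.inc in the same change.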
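--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc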
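--- /dev/null
+++ b/etc/tilp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tilp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.tilp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp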
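Review bot: The new profile turns off DVD, TV and video devices but leaves sound and 3D acceleration available; unless tilp needs them, `nosound` and `no3d` belong next to `nodvd` at new line 17. `protocol unix,netlink` alongside `net none` also deserves a comment saying why netlink is kept (presumably for USB device discovery; confirm), e.g. `# netlink is needed for <reason>`. Without that comment a later editor cannot tell whether the wider socket family is intentional.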
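--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -57,15 +57,18 @@ whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
 whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct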
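--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -338,6 +338,7 @@ telegram
 telegram-desktop
 terasology
 thunderbird
+tilp
 tor-browser-ar
 tor-browser-en
 tor-browser-en-us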