332 files changed, 3177 insertions, 3586 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile index 9f33af806..af6e32947 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -1,28 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for 0ad |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/0ad.local | 4 | include /etc/firejail/0ad.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for 0ad. | ||
9 | noblacklist ~/.cache/0ad | 8 | noblacklist ~/.cache/0ad |
10 | noblacklist ~/.config/0ad | 9 | noblacklist ~/.config/0ad |
11 | noblacklist ~/.local/share/0ad | 10 | noblacklist ~/.local/share/0ad |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
16 | 16 | ||
17 | # Whitelists | 17 | mkdir ~/.cache/0ad |
18 | mkdir ~/.config/0ad | 18 | mkdir ~/.config/0ad |
19 | whitelist ~/.config/0ad | ||
20 | |||
21 | mkdir ~/.local/share/0ad | 19 | mkdir ~/.local/share/0ad |
22 | whitelist ~/.local/share/0ad | ||
23 | |||
24 | mkdir ~/.cache/0ad | ||
25 | whitelist ~/.cache/0ad | 20 | whitelist ~/.cache/0ad |
21 | whitelist ~/.config/0ad | ||
22 | whitelist ~/.local/share/0ad | ||
23 | include /etc/firejail/whitelist-common.inc | ||
26 | 24 | ||
27 | caps.drop all | 25 | caps.drop all |
28 | netfilter | 26 | netfilter |
@@ -35,9 +33,9 @@ seccomp | |||
35 | shell none | 33 | shell none |
36 | tracelog | 34 | tracelog |
37 | 35 | ||
36 | disable-mnt | ||
38 | private-dev | 37 | private-dev |
39 | private-tmp | 38 | private-tmp |
40 | disable-mnt | ||
41 | 39 | ||
42 | noexec ${HOME} | 40 | noexec ${HOME} |
43 | noexec /tmp | 41 | noexec /tmp |
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 2f3efe743..d8c402d34 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for 2048-qt |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/2048-qt.local | 4 | include /etc/firejail/2048-qt.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/xiaoyong | ||
9 | noblacklist ~/.config/2048-qt | 8 | noblacklist ~/.config/2048-qt |
9 | noblacklist ~/.config/xiaoyong | ||
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 17 | netfilter |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
@@ -25,9 +24,9 @@ protocol unix | |||
25 | seccomp | 24 | seccomp |
26 | shell none | 25 | shell none |
27 | 26 | ||
27 | disable-mnt | ||
28 | private-dev | 28 | private-dev |
29 | private-tmp | 29 | private-tmp |
30 | disable-mnt | ||
31 | 30 | ||
32 | noexec ${HOME} | 31 | noexec ${HOME} |
33 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/7z.profile b/etc/7z.profile index c7c857dc8..5e2b76f18 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -1,23 +1,22 @@ | |||
1 | # Firejail profile for 7z | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/7z.local | 5 | include /etc/firejail/7z.local |
8 | 6 | # Persistent global definitions | |
9 | # 7zip crompression tool profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | |||
12 | include /etc/firejail/default.profile | ||
13 | 8 | ||
14 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
15 | 10 | ||
16 | tracelog | 11 | ignore noroot |
17 | net none | 12 | net none |
13 | no3d | ||
14 | nosound | ||
18 | nosound | 15 | nosound |
19 | novideo | 16 | novideo |
20 | shell none | 17 | shell none |
18 | tracelog | ||
19 | |||
21 | private-dev | 20 | private-dev |
22 | nosound | 21 | |
23 | no3d | 22 | include /etc/firejail/default.profile |
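Review bot: `nosound` now appears twice in a row, on new lines 14 and 15; the old file already listed it twice (old lines 18 and 22) and the reordering kept both. One of them can go, leaving `no3d`, `nosound`, `novideo`. Separately, `ignore noroot` has to stay above `include /etc/firejail/default.profile`, which now closes the file, assuming `ignore` only affects directives read after it. A comment such as `# keep above the default.profile include` would stop a later re-sort from moving it.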
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index 7ee918bbe..dc45a32b7 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Cryptocat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Cryptocat.local | 4 | include /etc/firejail/Cryptocat.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Cryptocat | ||
9 | noblacklist ${HOME}/.config/Cryptocat | 8 | noblacklist ${HOME}/.config/Cryptocat |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile index f188545d1..4d0f7cac8 100644 --- a/etc/Cyberfox.profile +++ b/etc/Cyberfox.profile | |||
@@ -1,10 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for cyberfox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Cyberfox.local | ||
7 | |||
8 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | ||
9 | 4 | ||
10 | include /etc/firejail/cyberfox.profile | 5 | include /etc/firejail/cyberfox.profile |
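Review bot: The alias no longer reads `/etc/firejail/Cyberfox.local`, so restrictions an administrator placed in that file silently stop applying after the update. Either keep `include /etc/firejail/Cyberfox.local` above the `cyberfox.profile` include, or add a header comment naming the `.local` file that `cyberfox.profile` presumably reads so users know where to move their settings. The `globals.local` include is dropped as well, which is only equivalent if `cyberfox.profile` includes it itself; that is not visible in this section. The same applies to the FossaMail, Telegram, VirtualBox and Wire alias sections.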
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile index 6f5cd8cf0..3b8c093ef 100644 --- a/etc/FossaMail.profile +++ b/etc/FossaMail.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for fossamail |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/FossaMail.local | ||
7 | 4 | ||
8 | # Firejail profile for FossaMail | ||
9 | include /etc/firejail/fossamail.profile | 5 | include /etc/firejail/fossamail.profile |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index e634a5d60..8f6e33f7b 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -1,26 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Mathematica |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Mathematica.local | 4 | include /etc/firejail/Mathematica.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Mathematica profile | ||
9 | noblacklist ${HOME}/.Mathematica | 8 | noblacklist ${HOME}/.Mathematica |
10 | noblacklist ${HOME}/.Wolfram Research | 9 | noblacklist ${HOME}/.Wolfram Research |
11 | 10 | ||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
12 | mkdir ~/.Mathematica | 16 | mkdir ~/.Mathematica |
13 | whitelist ~/.Mathematica | ||
14 | mkdir ~/.Wolfram Research | 17 | mkdir ~/.Wolfram Research |
18 | whitelist ~/.Mathematica | ||
15 | whitelist ~/.Wolfram Research | 19 | whitelist ~/.Wolfram Research |
16 | whitelist ~/Documents/Wolfram Mathematica | 20 | whitelist ~/Documents/Wolfram Mathematica |
17 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
18 | 22 | ||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-programs.inc | ||
21 | include /etc/firejail/disable-devel.inc | ||
22 | include /etc/firejail/disable-passwdmgr.inc | ||
23 | |||
24 | caps.drop all | 23 | caps.drop all |
25 | nonewprivs | 24 | nonewprivs |
26 | noroot | 25 | noroot |
diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 7b44a62f1..844595b3f 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for telegram |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Telegram.local | ||
7 | 4 | ||
8 | # Telegram profile | ||
9 | include /etc/firejail/telegram.profile | 5 | include /etc/firejail/telegram.profile |
diff --git a/etc/Thunar.profile b/etc/Thunar.profile index 30db6f023..7bb66240e 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Thunar |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Thunar.local | 4 | include /etc/firejail/Thunar.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for thunar | 8 | noblacklist ${HOME}/.local/share/Trash |
9 | noblacklist ~/.config/Thunar | 9 | noblacklist ~/.config/Thunar |
10 | noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 10 | noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml |
11 | noblacklist ${HOME}/.local/share/Trash | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | #include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | # include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | netfilter | 18 | netfilter |
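Review bot: `# include /etc/firejail/disable-programs.inc` on new line 15 stays disabled with no reason given, so a reader cannot tell whether leaving other applications' directories reachable is deliberate or an oversight. A why-comment above it would settle that, e.g. `# disable-programs.inc left out: a file manager must browse other programs' directories`, if that is indeed the reason. atool.profile has the same unexplained `# include /etc/firejail/disable-devel.inc` on new line 11. The profile continues past this hunk.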
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile index af5ee529b..706a3611b 100644 --- a/etc/VirtualBox.profile +++ b/etc/VirtualBox.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for virtualbox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/VirtualBox.local | ||
7 | 4 | ||
8 | include /etc/firejail/virtualbox.profile | 5 | include /etc/firejail/virtualbox.profile |
diff --git a/etc/Wire.profile b/etc/Wire.profile index 3c8c02b52..a2c0f0099 100644 --- a/etc/Wire.profile +++ b/etc/Wire.profile | |||
@@ -1,10 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wire |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Wire.local | ||
7 | |||
8 | # wire messenger profile | ||
9 | 4 | ||
10 | include /etc/firejail/wire.profile | 5 | include /etc/firejail/wire.profile |
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index f4470b327..a7fbb63d9 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -1,50 +1,46 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for abrowser |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/abrowser.local | 4 | include /etc/firejail/abrowser.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Abrowser | ||
9 | noblacklist ~/.mozilla | ||
10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
9 | noblacklist ~/.mozilla | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | ||
17 | netfilter | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | protocol unix,inet,inet6,netlink | ||
21 | seccomp | ||
22 | tracelog | ||
23 | |||
24 | whitelist ${DOWNLOADS} | ||
25 | mkdir ~/.mozilla | ||
26 | whitelist ~/.mozilla | ||
27 | mkdir ~/.cache/mozilla/abrowser | 16 | mkdir ~/.cache/mozilla/abrowser |
17 | mkdir ~/.mozilla | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
28 | whitelist ~/.cache/mozilla/abrowser | 20 | whitelist ~/.cache/mozilla/abrowser |
29 | whitelist ~/dwhelper | ||
30 | whitelist ~/.zotero | ||
31 | whitelist ~/.vimperatorrc | ||
32 | whitelist ~/.vimperator | ||
33 | whitelist ~/.pentadactylrc | ||
34 | whitelist ~/.pentadactyl | ||
35 | whitelist ~/.keysnail.js | ||
36 | whitelist ~/.config/gnome-mplayer | 21 | whitelist ~/.config/gnome-mplayer |
37 | whitelist ~/.cache/gnome-mplayer/plugin | 22 | whitelist ~/.config/pipelight-silverlight5.1 |
38 | whitelist ~/.pki | 23 | whitelist ~/.config/pipelight-widevine |
24 | whitelist ~/.keysnail.js | ||
39 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
40 | 26 | whitelist ~/.mozilla | |
41 | # silverlight | 27 | whitelist ~/.pentadactyl |
28 | whitelist ~/.pentadactylrc | ||
29 | whitelist ~/.pki | ||
30 | whitelist ~/.vimperator | ||
31 | whitelist ~/.vimperatorrc | ||
42 | whitelist ~/.wine-pipelight | 32 | whitelist ~/.wine-pipelight |
43 | whitelist ~/.wine-pipelight64 | 33 | whitelist ~/.wine-pipelight64 |
44 | whitelist ~/.config/pipelight-widevine | 34 | whitelist ~/.zotero |
45 | whitelist ~/.config/pipelight-silverlight5.1 | 35 | whitelist ~/dwhelper |
46 | |||
47 | include /etc/firejail/whitelist-common.inc | 36 | include /etc/firejail/whitelist-common.inc |
48 | 37 | ||
49 | # experimental features | 38 | caps.drop all |
50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 39 | netfilter |
40 | nonewprivs | ||
41 | noroot | ||
42 | protocol unix,inet,inet6,netlink | ||
43 | seccomp | ||
44 | tracelog | ||
45 | |||
46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
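Review bot: The `# silverlight` and `# experimental features` labels were dropped, so the commented `# private-etc …` on new line 46 no longer says why it is disabled, and the pipelight whitelist entries on new lines 22-23 and 32-33 lose their explanation now that sorting has split them. I would keep the intent next to the line, e.g. `# experimental, disabled by default:` directly above new line 46, and a short `# pipelight (silverlight/widevine)` comment above each pipelight pair. Without the label, someone tidying the file may enable the `private-etc` list, which names `iceweasel,firefox` rather than anything specific to abrowser.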
diff --git a/etc/akregator.profile b/etc/akregator.profile index ed79f0e94..77868dac7 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -1,34 +1,35 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for akregator |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/akregator.local | 4 | include /etc/firejail/akregator.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/akregatorrc | 8 | noblacklist ${HOME}/.config/akregatorrc |
9 | noblacklist ${HOME}/.local/share/akregator | 9 | noblacklist ${HOME}/.local/share/akregator |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 17 | netfilter |
19 | no3d | 18 | no3d |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
22 | noroot | 21 | noroot |
23 | #nosound | ||
24 | novideo | 22 | novideo |
25 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
26 | seccomp | 24 | seccomp |
27 | shell none | 25 | shell none |
28 | 26 | ||
27 | disable-mnt | ||
29 | private-dev | 28 | private-dev |
30 | private-tmp | 29 | private-tmp |
31 | disable-mnt | ||
32 | 30 | ||
33 | noexec ${HOME} | 31 | noexec ${HOME} |
34 | noexec /tmp | 32 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # nosound | ||
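Review bot: The trailing `# CLOBBERED COMMENTS` block on new lines 34-35 reads like leftover output of the reformatting step rather than documentation. `# nosound` used to sit in the option list, where it showed the option was deliberately left off, and is now detached from that context. I would move it back into sorted position with a reason, e.g. `# nosound - <reason it stays off>`, and drop the marker line. The old `#ipc-namespace` line, by contrast, is removed without being carried over at all. The same marker appears in amarok.profile, where the moved line is `# seccomp` and the new option list has no `seccomp` directive, and in android-studio.profile.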
diff --git a/etc/amarok.profile b/etc/amarok.profile index d521b35b8..69f41bb1b 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
@@ -1,26 +1,28 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for amarok |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/amarok.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/amarok.local | ||
7 | 8 | ||
8 | # amarok profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
16 | nogroups | 16 | nogroups |
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | shell none | ||
20 | #seccomp | ||
21 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
20 | shell none | ||
22 | 21 | ||
23 | #private-bin amarok | 22 | # private-bin amarok |
24 | private-dev | 23 | private-dev |
24 | # private-etc none | ||
25 | private-tmp | 25 | private-tmp |
26 | #private-etc none | 26 | |
27 | # CLOBBERED COMMENTS | ||
28 | # seccomp | ||
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 68a3cdc85..86e19f838 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
@@ -1,11 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for android-studio |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/android-studio.local | 4 | include /etc/firejail/android-studio.local |
7 | 5 | # Persistent global definitions | |
8 | # Firejail profile for Android Studio | 6 | include /etc/firejail/globals.local |
9 | 7 | ||
10 | noblacklist ${HOME}/.AndroidStudio* | 8 | noblacklist ${HOME}/.AndroidStudio* |
11 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
@@ -25,13 +23,15 @@ netfilter | |||
25 | nogroups | 23 | nogroups |
26 | nonewprivs | 24 | nonewprivs |
27 | noroot | 25 | noroot |
28 | #nosound | ||
29 | novideo | 26 | novideo |
30 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
31 | seccomp | 28 | seccomp |
32 | shell none | 29 | shell none |
33 | 30 | ||
34 | private-dev | 31 | private-dev |
35 | #private-tmp | 32 | # private-tmp |
36 | 33 | ||
37 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # nosound | ||
diff --git a/etc/apktool.profile b/etc/apktool.profile index d0905e253..e057e4c0f 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Firejail profile for apktool | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/apktool.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/apktool.local | ||
8 | 9 | ||
9 | # Firejail profile for apktool | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/arduino.profile b/etc/arduino.profile index ff605501d..2734e59a4 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -1,22 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for arduino |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/arduino.local | 4 | include /etc/firejail/arduino.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for arduino | ||
9 | noblacklist ${HOME}/.arduino15 | 8 | noblacklist ${HOME}/.arduino15 |
10 | noblacklist ${HOME}/Arduino | ||
11 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
10 | noblacklist ${HOME}/Arduino | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | #ipc-namespace | ||
20 | netfilter | 18 | netfilter |
21 | no3d | 19 | no3d |
22 | nogroups | 20 | nogroups |
diff --git a/etc/ark.profile b/etc/ark.profile index 007748ed1..7c8574973 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for ark |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ark.local | 4 | include /etc/firejail/ark.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # ark profile | ||
9 | noblacklist ~/.config/arkrc | 8 | noblacklist ~/.config/arkrc |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -19,11 +18,11 @@ nogroups | |||
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
21 | nosound | 20 | nosound |
22 | shell none | ||
23 | seccomp | ||
24 | protocol unix | 21 | protocol unix |
22 | seccomp | ||
23 | shell none | ||
25 | 24 | ||
26 | # private-bin | 25 | # private-bin |
27 | private-dev | 26 | private-dev |
28 | private-tmp | ||
29 | # private-etc | 27 | # private-etc |
28 | private-tmp | ||
diff --git a/etc/arm.profile b/etc/arm.profile index 3000c35d7..5686c3301 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -1,11 +1,9 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/arm.local | ||
7 | |||
8 | # Firejail profile for arm | 1 | # Firejail profile for arm |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/arm.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
9 | 7 | ||
10 | noblacklist ${HOME}/.arm | 8 | noblacklist ${HOME}/.arm |
11 | 9 | ||
@@ -33,7 +31,7 @@ shell none | |||
33 | tracelog | 31 | tracelog |
34 | 32 | ||
35 | disable-mnt | 33 | disable-mnt |
36 | #private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig | 34 | # private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig |
37 | private-dev | 35 | private-dev |
38 | private-etc tor,passwd | 36 | private-etc tor,passwd |
39 | private-tmp | 37 | private-tmp |
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 367aa5672..acce287c7 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for atom-beta |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/atom-beta.local | 4 | include /etc/firejail/atom-beta.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Atom Beta. | ||
9 | noblacklist ~/.atom | 8 | noblacklist ~/.atom |
10 | noblacklist ~/.config/Atom | 9 | noblacklist ~/.config/Atom |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/atom.profile b/etc/atom.profile index 726682617..0b763997e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for atom |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/atom.local | 4 | include /etc/firejail/atom.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Atom. | ||
9 | noblacklist ~/.atom | 8 | noblacklist ~/.atom |
10 | noblacklist ~/.config/Atom | 9 | noblacklist ~/.config/Atom |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/atool.profile b/etc/atool.profile index 49637aa21..a1da26076 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -1,18 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for atool |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/atool.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/atool.local | ||
7 | 9 | ||
8 | # atool profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | # include /etc/firejail/disable-devel.inc | 11 | # include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
17 | no3d | ||
16 | nogroups | 18 | nogroups |
17 | nonewprivs | 19 | nonewprivs |
18 | noroot | 20 | noroot |
@@ -20,13 +22,10 @@ nosound | |||
20 | novideo | 22 | novideo |
21 | protocol unix | 23 | protocol unix |
22 | seccomp | 24 | seccomp |
23 | no3d | ||
24 | shell none | 25 | shell none |
25 | tracelog | 26 | tracelog |
26 | 27 | ||
27 | blacklist /tmp/.X11-unix | ||
28 | |||
29 | # private-bin atool | 28 | # private-bin atool |
30 | private-tmp | ||
31 | private-dev | 29 | private-dev |
32 | private-etc none | 30 | private-etc none |
31 | private-tmp | ||
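Review bot: `# include /etc/firejail/disable-devel.inc` on new line 11 stays disabled with no reason given, so a reader cannot tell whether atool needs the omission or whether it is a leftover. The same applies to the commented-out `disable-programs.inc` in the baobab and bleachbit sections and to `disable-devel.inc` in calibre. A one-line comment directly above each, in the form `# disable-devel.inc is left out because <reason>`, would record why the profile skips that include. The actual reason is not visible on this page and has to come from the profile author.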
diff --git a/etc/atril.profile b/etc/atril.profile index 0abad494a..5cac339ca 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for atril |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/atril.local | 4 | include /etc/firejail/atril.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Atril profile | ||
9 | noblacklist ~/.config/atril | 8 | noblacklist ~/.config/atril |
10 | noblacklist ~/.local/share | 9 | noblacklist ~/.local/share |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | nogroups | 17 | nogroups |
diff --git a/etc/audacious.profile b/etc/audacious.profile index a8379eb65..15bf6c013 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for audacious |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/audacious.local | 4 | include /etc/firejail/audacious.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Audacious media player profile | ||
9 | noblacklist ~/.config/audacious | ||
10 | noblacklist ~/.config/Audaciousrc | 8 | noblacklist ~/.config/Audaciousrc |
9 | noblacklist ~/.config/audacious | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | netfilter |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 7c2072960..0f88886e7 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for audacity |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/audacity.local | 4 | include /etc/firejail/audacity.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Audacity profile | ||
9 | noblacklist ~/.audacity-data | 8 | noblacklist ~/.audacity-data |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
20 | nogroups | 18 | nogroups |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 9d8e336cd..9068c39c7 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -1,20 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for aweather |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/aweather.local | 4 | include /etc/firejail/aweather.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for aweather. | ||
9 | noblacklist ~/.config/aweather | 8 | noblacklist ~/.config/aweather |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | # Whitelist | ||
16 | mkdir ~/.config/aweather | 15 | mkdir ~/.config/aweather |
17 | whitelist ~/.config/aweather | 16 | whitelist ~/.config/aweather |
17 | include /etc/firejail/whitelist-common.inc | ||
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
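Review bot: The added `include /etc/firejail/whitelist-common.inc` on new line 17 is a behaviour change, not a reordering: the old profile whitelisted only `~/.config/aweather`, and the new one also exposes every home path that the include lists. The same include is added after the whitelist block in the bibletime section. The contents of whitelist-common.inc are not shown here, so confirm that the extra paths are wanted for these applications. A comment such as `# shared desktop settings, see whitelist-common.inc` above the include would mark the widening as deliberate.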
diff --git a/etc/baobab.profile b/etc/baobab.profile index 887e271e3..1336a220c 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for baobab |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/baobab.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/baobab.local | ||
7 | 8 | ||
8 | # Firejail profile for Baobab | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | #include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 2162151a1..d59c8e05c 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -1,11 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for bibletime |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/bibletime.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
6 | include /etc/firejail/bibletime.local | ||
7 | 10 | ||
8 | # Firejail profile for BibleTime | ||
9 | noblacklist ~/.bibletime | 11 | noblacklist ~/.bibletime |
10 | noblacklist ~/.config/qt5ct | 12 | noblacklist ~/.config/qt5ct |
11 | noblacklist ~/.sword | 13 | noblacklist ~/.sword |
@@ -15,13 +17,10 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
17 | 19 | ||
18 | blacklist ~/.bashrc | ||
19 | blacklist ~/.Xauthority | ||
20 | |||
21 | whitelist ${HOME}/.bibletime | 20 | whitelist ${HOME}/.bibletime |
22 | whitelist ${HOME}/.config/qt5ct | 21 | whitelist ${HOME}/.config/qt5ct |
23 | whitelist ${HOME}/.sword | 22 | whitelist ${HOME}/.sword |
24 | 23 | include /etc/firejail/whitelist-common.inc | |
25 | 24 | ||
26 | caps.drop all | 25 | caps.drop all |
27 | netfilter | 26 | netfilter |
@@ -35,7 +34,7 @@ seccomp | |||
35 | shell none | 34 | shell none |
36 | tracelog | 35 | tracelog |
37 | 36 | ||
38 | #private-bin bibletime,qt5ct | 37 | # private-bin bibletime,qt5ct |
39 | private-etc fonts,resolv.conf,sword,sword.conf,passwd | ||
40 | private-dev | 38 | private-dev |
39 | private-etc fonts,resolv.conf,sword,sword.conf,passwd | ||
41 | private-tmp | 40 | private-tmp |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 2ecc0c425..9c32cca44 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -1,13 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for bitlbee |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/bitlbee.local | 4 | include /etc/firejail/bitlbee.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # BitlBee instant messaging profile | ||
9 | noblacklist /sbin | 8 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,16 +16,16 @@ include /etc/firejail/disable-programs.inc | |||
16 | netfilter | 16 | netfilter |
17 | no3d | 17 | no3d |
18 | nonewprivs | 18 | nonewprivs |
19 | private | ||
20 | private-dev | ||
21 | protocol unix,inet,inet6 | ||
22 | seccomp | ||
23 | nosound | 19 | nosound |
24 | novideo | 20 | novideo |
25 | read-write /var/lib/bitlbee | 21 | protocol unix,inet,inet6 |
22 | seccomp | ||
26 | 23 | ||
24 | disable-mnt | ||
25 | private | ||
26 | private-dev | ||
27 | private-dev | 27 | private-dev |
28 | private-tmp | 28 | private-tmp |
29 | disable-mnt | 29 | read-write /var/lib/bitlbee |
30 | 30 | ||
31 | noexec /tmp | 31 | noexec /tmp |
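Review bot: Going by the gutter numbers, `private-dev` appears on both new line 26 and new line 27 of the reordered block. The duplicate looks harmless to the sandbox, but it carries over the repetition the old file already had instead of removing it during the sort. Dropping one leaves `disable-mnt`, `private`, `private-dev`, `private-tmp`, `read-write /var/lib/bitlbee`. A short comment above the last line, e.g. `# bitlbee state directory must stay writable` (presumably its purpose, to be confirmed), would explain the single write exception.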
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index f2553cd9c..dab328163 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for bleachbit |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/bleachbit.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/bleachbit.local | ||
7 | 8 | ||
8 | # bleachbit profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | # include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | # include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | #ipc-namespace | ||
16 | net none | 15 | net none |
17 | no3d | 16 | no3d |
18 | nogroups | 17 | nogroups |
@@ -26,8 +25,8 @@ shell none | |||
26 | 25 | ||
27 | # private-bin | 26 | # private-bin |
28 | # private-dev | 27 | # private-dev |
29 | # private-tmp | ||
30 | # private-etc | 28 | # private-etc |
29 | # private-tmp | ||
31 | 30 | ||
32 | memory-deny-write-execute | 31 | memory-deny-write-execute |
33 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/blender.profile b/etc/blender.profile index b9757913d..f4c566c0d 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -1,15 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for blender |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/blender.local | 4 | include /etc/firejail/blender.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/blender | 8 | noblacklist ~/.config/blender |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
diff --git a/etc/bless.profile b/etc/bless.profile index 25881fa3d..6c6558b1c 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -1,26 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for bless |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/bless.local | 4 | include /etc/firejail/bless.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for bless | ||
10 | # | ||
11 | |||
12 | #No Blacklist Paths | ||
13 | noblacklist ${HOME}/.config/bless | 8 | noblacklist ${HOME}/.config/bless |
14 | 9 | ||
15 | #Blacklist Paths | ||
16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | ||
19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
20 | 14 | ||
21 | #Options | ||
22 | caps.drop all | 15 | caps.drop all |
23 | #ipc-namespace | ||
24 | net none | 16 | net none |
25 | no3d | 17 | no3d |
26 | nogroups | 18 | nogroups |
diff --git a/etc/brasero.profile b/etc/brasero.profile index cafb9f39a..ee7fe8efa 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -1,20 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for brasero |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/brasero.local | 4 | include /etc/firejail/brasero.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # brasero profile | ||
9 | noblacklist ~/.config/brasero | 8 | noblacklist ~/.config/brasero |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | nogroups | 16 | nogroups |
19 | nonewprivs | 17 | nonewprivs |
20 | noroot | 18 | noroot |
diff --git a/etc/caja.profile b/etc/caja.profile index a724e76b1..adbcc09b9 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -1,24 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for caja |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/caja.local | 4 | include /etc/firejail/caja.local |
7 | 5 | # Persistent global definitions | |
8 | # Caja profile for Firejail | 6 | include /etc/firejail/globals.local |
9 | |||
10 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
11 | # is already a caja process running on MATE desktops firejail will have no effect. | ||
12 | 7 | ||
13 | noblacklist ~/.config/caja | 8 | noblacklist ~/.config/caja |
14 | noblacklist ~/.local/share/caja-python | ||
15 | noblacklist ~/.local/share/Trash | 9 | noblacklist ~/.local/share/Trash |
10 | noblacklist ~/.local/share/caja-python | ||
16 | 11 | ||
17 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
18 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
19 | #include /etc/firejail/disable-programs.inc | ||
20 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
21 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | # include /etc/firejail/disable-programs.inc | ||
22 | 16 | ||
23 | caps.drop all | 17 | caps.drop all |
24 | netfilter | 18 | netfilter |
@@ -31,6 +25,11 @@ shell none | |||
31 | tracelog | 25 | tracelog |
32 | 26 | ||
33 | # private-bin caja | 27 | # private-bin caja |
34 | # private-tmp | ||
35 | # private-dev | 28 | # private-dev |
36 | # private-etc fonts | 29 | # private-etc fonts |
30 | # private-tmp | ||
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
34 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
35 | # is already a caja process running on MATE desktops firejail will have no effect. | ||
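Review bot: The `# CLOBBERED COMMENTS` block at new lines 32-35 no longer reads as written, because the two-line sentence about caja being started by systemd is split by the unrelated line about starting arbitrary applications. That line was the reason for leaving `disable-programs.inc` out, and the commented include on new line 15 now has no explanation next to it. The same kind of block appears in the catfish, cherrytree, chromium and clementine sections; in catfish the two sentences "We can't blacklist much since catfish / is for finding files/content" and "These options work but are disabled in case / a users wants to search in these directories" are interleaved line by line. Each rationale should go back beside the directive it explains, e.g. `# caja needs to be able to start arbitrary applications so we cannot blacklist their files` directly above `# include /etc/firejail/disable-programs.inc`. The systemd note should be restored as two consecutive lines near the top of the profile.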
diff --git a/etc/calibre.profile b/etc/calibre.profile index b75e0c276..726a33db8 100644 --- a/etc/calibre.profile +++ b/etc/calibre.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for calibre |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/calibre.local | 4 | include /etc/firejail/calibre.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/calibre | ||
9 | noblacklist ~/.cache/calibre | 8 | noblacklist ~/.cache/calibre |
9 | noblacklist ~/.config/calibre | ||
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-devel.inc |
13 | #include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 17 | netfilter |
19 | no3d | 18 | no3d |
20 | nogroups | 19 | nogroups |
@@ -27,7 +26,7 @@ seccomp | |||
27 | shell none | 26 | shell none |
28 | tracelog | 27 | tracelog |
29 | 28 | ||
30 | #private-bin | 29 | # private-bin |
31 | private-dev | 30 | private-dev |
32 | private-tmp | 31 | private-tmp |
33 | 32 | ||
diff --git a/etc/catfish.profile b/etc/catfish.profile index 0deaca1b5..9fef3dc83 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -1,15 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for catfish |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/catfish.local | 4 | include /etc/firejail/catfish.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for catfish | ||
9 | noblacklist ~/.config/catfish | 8 | noblacklist ~/.config/catfish |
10 | 9 | ||
11 | # We can't blacklist much since catfish | ||
12 | # is for finding files/content | ||
13 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
14 | 11 | ||
15 | caps.drop all | 12 | caps.drop all |
@@ -25,8 +22,12 @@ seccomp | |||
25 | shell none | 22 | shell none |
26 | tracelog | 23 | tracelog |
27 | 24 | ||
25 | # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m | ||
26 | # private-dev | ||
27 | # private-tmp | ||
28 | |||
29 | # CLOBBERED COMMENTS | ||
28 | # These options work but are disabled in case | 30 | # These options work but are disabled in case |
31 | # We can't blacklist much since catfish | ||
29 | # a users wants to search in these directories. | 32 | # a users wants to search in these directories. |
30 | #private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m | 33 | # is for finding files/content |
31 | #private-dev | ||
32 | #private-tmp | ||
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index b1acd78f2..8aa11a0e6 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -1,22 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for cherrytree |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/cherrytree.local | 4 | include /etc/firejail/cherrytree.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # cherrytree note taking application | 8 | noblacklist ${HOME}/.config/cherrytree |
9 | noblacklist /usr/bin/python2* | 9 | noblacklist /usr/bin/python2* |
10 | noblacklist /usr/lib/python3* | 10 | noblacklist /usr/lib/python3* |
11 | noblacklist ${HOME}/.config/cherrytree | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | #ipc-namespace | ||
20 | netfilter | 18 | netfilter |
21 | no3d | 19 | no3d |
22 | nogroups | 20 | nogroups |
@@ -34,3 +32,6 @@ private-tmp | |||
34 | 32 | ||
35 | noexec ${HOME} | 33 | noexec ${HOME} |
36 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # cherrytree note taking application | ||
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile index 652976016..dcafbaaa9 100644 --- a/etc/chromium-browser.profile +++ b/etc/chromium-browser.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for chromium |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/chromium-browser.local | ||
7 | 4 | ||
8 | # Chromium browser profile | ||
9 | include /etc/firejail/chromium.profile | 5 | include /etc/firejail/chromium.profile |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 8266770d7..97149d4d4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -1,41 +1,41 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for chromium |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/chromium.local | 4 | include /etc/firejail/chromium.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Chromium browser profile | ||
9 | noblacklist ~/.config/chromium | ||
10 | noblacklist ~/.cache/chromium | 8 | noblacklist ~/.cache/chromium |
11 | noblacklist ~/.pki | 9 | noblacklist ~/.config/chromium |
12 | # specific to Arch | ||
13 | noblacklist ~/.config/chromium-flags.conf | 10 | noblacklist ~/.config/chromium-flags.conf |
11 | noblacklist ~/.pki | ||
12 | |||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | # chromium is distributed with a perl script on Arch | ||
17 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-programs.inc | ||
18 | 16 | ||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/chromium | ||
21 | whitelist ~/.config/chromium | ||
22 | mkdir ~/.cache/chromium | 17 | mkdir ~/.cache/chromium |
23 | whitelist ~/.cache/chromium | 18 | mkdir ~/.config/chromium |
24 | mkdir ~/.pki | 19 | mkdir ~/.pki |
25 | whitelist ~/.pki | 20 | whitelist ${DOWNLOADS} |
21 | whitelist ~/.cache/chromium | ||
22 | whitelist ~/.config/chromium | ||
26 | whitelist ~/.config/chromium-flags.conf | 23 | whitelist ~/.config/chromium-flags.conf |
27 | 24 | whitelist ~/.pki | |
28 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
29 | 26 | ||
30 | caps.keep sys_chroot,sys_admin | 27 | caps.keep sys_chroot,sys_admin |
31 | #ipc-namespace | ||
32 | netfilter | 28 | netfilter |
33 | nogroups | 29 | nogroups |
34 | shell none | 30 | shell none |
35 | 31 | ||
36 | private-dev | 32 | private-dev |
37 | #private-tmp - problems with multiple browser sessions | 33 | # private-tmp - problems with multiple browser sessions |
38 | #disable-mnt | ||
39 | 34 | ||
40 | noexec ${HOME} | 35 | noexec ${HOME} |
41 | noexec /tmp | 36 | noexec /tmp |
37 | |||
38 | # CLOBBERED COMMENTS | ||
39 | # chromium is distributed with a perl script on Arch | ||
40 | # disable-mnt | ||
41 | # specific to Arch | ||
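Review bot: `# disable-mnt` on new line 40 was a disabled directive (`#disable-mnt`) in the old file and now sits under `# CLOBBERED COMMENTS` between two prose remarks about Arch. There it reads as commentary rather than as an option someone may want to re-enable, and it belongs next to `private-dev` and the commented `# private-tmp` line. The two Arch remarks also lost their targets: `# specific to Arch` annotated `noblacklist ~/.config/chromium-flags.conf`, and the perl-script remark explained why `disable-devel.inc` is commented out. This profile keeps `sys_chroot,sys_admin` through `caps.keep`, so the reason for each relaxation is worth keeping on the line it justifies.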
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index c626e7b74..730e27e33 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile | |||
@@ -1,25 +1,24 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for claws-mail |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/claws-mail.local | 4 | include /etc/firejail/claws-mail.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # claws-mail profile | ||
9 | noblacklist ~/.claws-mail | 8 | noblacklist ~/.claws-mail |
10 | noblacklist ~/.signature | ||
11 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
10 | noblacklist ~/.signature | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | netfilter | 18 | netfilter |
19 | nogroups | ||
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | nogroups | ||
23 | nosound | 22 | nosound |
24 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
25 | seccomp | 24 | seccomp |
diff --git a/etc/clementine.profile b/etc/clementine.profile index ccacc632d..a69be26df 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -1,20 +1,22 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for clementine |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/clementine.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/clementine.local | ||
7 | 8 | ||
8 | # Clementine media player profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | nonewprivs | 15 | nonewprivs |
16 | noroot | 16 | noroot |
17 | novideo | 17 | novideo |
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
19 | # Clementine makes ioprio_set system calls, which are blacklisted by default. | ||
20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | 19 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old |
20 | |||
21 | # CLOBBERED COMMENTS | ||
22 | # Clementine makes ioprio_set system calls, which are blacklisted by default. | ||
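Review bot: The `seccomp.drop` list on new line 19 names `process_vm_writev` twice and contains `mfsservctl`, which is presumably a misspelling of `nfsservctl`; both are carried over unchanged from the old side. The profile appears to use this hand-copied list instead of the default filter so that `ioprio_set` stays allowed, which means it will not pick up syscalls added to the default list later. The only explanation for that trade-off is now at new line 22 under `# CLOBBERED COMMENTS`. Move `# Clementine makes ioprio_set system calls, which are blacklisted by default.` back directly above the `seccomp.drop` line, remove the duplicate entry, and check the spelling against the kernel syscall table.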
diff --git a/etc/clipit.profile b/etc/clipit.profile index b44041cbf..444943061 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -1,16 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for clipit |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/clipit.local | 4 | include /etc/firejail/clipit.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.local/share/clipit | ||
9 | noblacklist ${HOME}/.config/clipit | 8 | noblacklist ${HOME}/.config/clipit |
9 | noblacklist ${HOME}/.local/share/clipit | ||
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
14 | 15 | ||
15 | caps.drop all | 16 | caps.drop all |
16 | netfilter | 17 | netfilter |
@@ -24,9 +25,9 @@ protocol unix | |||
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
26 | 27 | ||
28 | disable-mnt | ||
27 | private-dev | 29 | private-dev |
28 | private-tmp | 30 | private-tmp |
29 | disable-mnt | ||
30 | 31 | ||
31 | noexec ${HOME} | 32 | noexec ${HOME} |
32 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/cmus.profile b/etc/cmus.profile index 399e81160..fc6476267 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for cmus |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/cmus.local | 4 | include /etc/firejail/cmus.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # cmus profile | ||
9 | noblacklist ${HOME}/.config/cmus | 8 | noblacklist ${HOME}/.config/cmus |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -19,7 +18,7 @@ nonewprivs | |||
19 | noroot | 18 | noroot |
20 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
21 | seccomp | 20 | seccomp |
21 | shell none | ||
22 | 22 | ||
23 | private-bin cmus | 23 | private-bin cmus |
24 | private-etc group | 24 | private-etc group |
25 | shell none | ||
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index ccff4317d..b4cd3369a 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -1,31 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for conkeror |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/conkeror.local | 4 | include /etc/firejail/conkeror.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Conkeror web browser profile | ||
9 | noblacklist ${HOME}/.conkeror.mozdev.org | 8 | noblacklist ${HOME}/.conkeror.mozdev.org |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
12 | 12 | ||
13 | whitelist ~/.conkeror.mozdev.org | ||
14 | whitelist ~/.conkerorrc | ||
15 | whitelist ~/.gtkrc-2.0 | ||
16 | whitelist ~/.lastpass | ||
17 | whitelist ~/.pentadactyl | ||
18 | whitelist ~/.pentadactylrc | ||
19 | whitelist ~/.vimperator | ||
20 | whitelist ~/.vimperatorrc | ||
21 | whitelist ~/.zotero | ||
22 | whitelist ~/Downloads | ||
23 | whitelist ~/dwhelper | ||
24 | include /etc/firejail/whitelist-common.inc | ||
25 | |||
13 | caps.drop all | 26 | caps.drop all |
14 | netfilter | 27 | netfilter |
15 | nonewprivs | 28 | nonewprivs |
16 | noroot | 29 | noroot |
17 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
18 | seccomp | 31 | seccomp |
19 | |||
20 | whitelist ~/.conkeror.mozdev.org | ||
21 | whitelist ~/Downloads | ||
22 | whitelist ~/dwhelper | ||
23 | whitelist ~/.zotero | ||
24 | whitelist ~/.lastpass | ||
25 | whitelist ~/.gtkrc-2.0 | ||
26 | whitelist ~/.vimperatorrc | ||
27 | whitelist ~/.vimperator | ||
28 | whitelist ~/.pentadactylrc | ||
29 | whitelist ~/.pentadactyl | ||
30 | whitelist ~/.conkerorrc | ||
31 | include /etc/firejail/whitelist-common.inc | ||
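Review bot: The re-sorted whitelist block (new lines 13–24) still hard-codes `whitelist ~/Downloads`, while cyberfox.profile and dillo.profile in this same commit use `whitelist ${DOWNLOADS}`. In a whitelist profile the rest of the home directory is not persistent, so a user whose download directory is not literally ~/Downloads would probably lose saved files when the sandbox exits. I would change the line to `whitelist ${DOWNLOADS}`. The section also mixes `${HOME}` (in `noblacklist`) with `~` (in `whitelist`); using one form would make the sorted lists easier to compare across profiles.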
diff --git a/etc/corebird.profile b/etc/corebird.profile index 9ecfb36a5..62941164f 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for corebird |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/corebird.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/corebird.local | ||
7 | 8 | ||
8 | # Firejail corebird profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
diff --git a/etc/cpio.profile b/etc/cpio.profile index fe1dc0408..cd9b9ad7c 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -1,28 +1,31 @@ | |||
1 | # Firejail profile for cpio | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/cpio.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/cpio.local | ||
8 | 10 | ||
9 | # cpio profile | ||
10 | # /sbin and /usr/sbin are visible inside the sandbox | ||
11 | # /boot is not visible and /var is heavily modified | ||
12 | noblacklist /sbin | 11 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 12 | noblacklist /usr/sbin |
13 | |||
14 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | 17 | ||
18 | private-dev | ||
19 | seccomp | ||
20 | caps.drop all | 18 | caps.drop all |
21 | net none | 19 | net none |
22 | shell none | ||
23 | tracelog | ||
24 | net none | 20 | net none |
25 | nosound | ||
26 | no3d | 21 | no3d |
22 | nosound | ||
23 | seccomp | ||
24 | shell none | ||
25 | tracelog | ||
27 | 26 | ||
28 | blacklist /tmp/.X11-unix | 27 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # /boot is not visible and /var is heavily modified | ||
31 | # /sbin and /usr/sbin are visible inside the sandbox | ||
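Review bot: The two explanatory comments now sit under `# CLOBBERED COMMENTS` at the end of the file (new lines 29–31), far from the `noblacklist /sbin` and `noblacklist /usr/sbin` lines they explain, so a reader no longer sees why those directories are exempted. I would move them back directly above new line 11 and drop the marker, e.g. `# /sbin and /usr/sbin are visible inside the sandbox`. The same displacement appears in cvlc.profile and deluge.profile, where the reasons for a commented-out `private-bin` and `disable-devel.inc` end up at the bottom of the file. Separately, `net none` is still listed twice (new lines 19 and 20); one of them can go.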
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile index 1f6366a3d..021ce32d4 100644 --- a/etc/cryptocat.profile +++ b/etc/cryptocat.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Cryptocat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/cryptocat.local | ||
7 | 4 | ||
8 | include /etc/Cryptocat.profile | 5 | include /etc/Cryptocat.profile |
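Review bot: The alias still does `include /etc/Cryptocat.profile`, whereas every other include on this page resolves under `/etc/firejail/`; if Cryptocat.profile is installed alongside the other profiles, this path will not be found and the alias will not pick up that profile's restrictions. The line is carried over unchanged rather than introduced here, but the rewrite is a good moment to make it `include /etc/firejail/Cryptocat.profile`. The alias also no longer includes `cryptocat.local` or `globals.local` itself, so local overrides now depend on the target profile including them; that is worth confirming against Cryptocat.profile, which is not visible in this section.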
diff --git a/etc/curl.profile b/etc/curl.profile index 58b5f050a..34874d270 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -1,19 +1,20 @@ | |||
1 | # Firejail profile for curl | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/curl.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/curl.local | ||
8 | 10 | ||
9 | # curl profile | ||
10 | noblacklist ~/.curlrc | 11 | noblacklist ~/.curlrc |
12 | |||
11 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | #ipc-namespace | ||
17 | netfilter | 18 | netfilter |
18 | no3d | 19 | no3d |
19 | nogroups | 20 | nogroups |
@@ -24,8 +25,6 @@ protocol unix,inet,inet6 | |||
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
26 | 27 | ||
27 | blacklist /tmp/.X11-unix | ||
28 | |||
29 | # private-bin curl | 28 | # private-bin curl |
30 | private-dev | 29 | private-dev |
31 | # private-etc resolv.conf | 30 | # private-etc resolv.conf |
diff --git a/etc/cvlc.profile b/etc/cvlc.profile index 921d505a9..0b63151a8 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for cvlc |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/cvlc.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vlc.local | ||
7 | |||
8 | # Firejail profile for CVLC | ||
9 | noblacklist ${HOME}/.config/vlc | 8 | noblacklist ${HOME}/.config/vlc |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -23,9 +22,11 @@ seccomp | |||
23 | shell none | 22 | shell none |
24 | tracelog | 23 | tracelog |
25 | 24 | ||
26 | # clvc doesn't like private-bin | 25 | # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
27 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
28 | private-dev | 26 | private-dev |
29 | private-tmp | 27 | private-tmp |
30 | 28 | ||
31 | memory-deny-write-execute | 29 | memory-deny-write-execute |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # clvc doesn't like private-bin | ||
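Review bot: The local-override include changes from `vlc.local` (old line 6) to `cvlc.local` (new line 4), so any hardening or exceptions a user keeps in /etc/firejail/vlc.local would silently stop applying to cvlc after the update. If the split is intended it deserves a mention in the release notes; otherwise keep reading the shared file as well, e.g. add `include /etc/firejail/vlc.local` after the `cvlc.local` include. The old/new assignment here is read from the gutter numbers of this rendered page, so please confirm it against the raw diff.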
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 45fc00d6f..3c18ef002 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -1,75 +1,69 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for cyberfox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/cyberfox.local | 4 | include /etc/firejail/cyberfox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | ||
9 | noblacklist ~/.8pecxstudios | 8 | noblacklist ~/.8pecxstudios |
10 | noblacklist ~/.cache/8pecxstudios | 9 | noblacklist ~/.cache/8pecxstudios |
10 | noblacklist ~/.config/okularpartrc | ||
11 | noblacklist ~/.config/okularrc | ||
11 | noblacklist ~/.config/qpdfview | 12 | noblacklist ~/.config/qpdfview |
12 | noblacklist ~/.local/share/qpdfview | ||
13 | noblacklist ~/.kde4/share/apps/okular | ||
14 | noblacklist ~/.kde/share/apps/okular | 13 | noblacklist ~/.kde/share/apps/okular |
14 | noblacklist ~/.kde4/share/apps/okular | ||
15 | noblacklist ~/.local/share/okular | 15 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.config/okularpartrc | 16 | noblacklist ~/.local/share/qpdfview |
17 | noblacklist ~/.config/okularrc | ||
18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
19 | 18 | ||
20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
21 | include /etc/firejail/disable-programs.inc | ||
23 | 22 | ||
24 | caps.drop all | ||
25 | # ipc-namespace crashes cyberfox on some setups | ||
26 | netfilter | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp | ||
32 | shell none | ||
33 | tracelog | ||
34 | |||
35 | whitelist ${DOWNLOADS} | ||
36 | mkdir ~/.8pecxstudios | 23 | mkdir ~/.8pecxstudios |
37 | whitelist ~/.8pecxstudios | ||
38 | mkdir ~/.cache/8pecxstudios | 24 | mkdir ~/.cache/8pecxstudios |
25 | mkdir ~/.pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ~/.8pecxstudios | ||
39 | whitelist ~/.cache/8pecxstudios | 28 | whitelist ~/.cache/8pecxstudios |
40 | whitelist ~/dwhelper | ||
41 | whitelist ~/.zotero | ||
42 | whitelist ~/.vimperatorrc | ||
43 | whitelist ~/.vimperator | ||
44 | whitelist ~/.pentadactylrc | ||
45 | whitelist ~/.pentadactyl | ||
46 | whitelist ~/.keysnail.js | ||
47 | whitelist ~/.config/gnome-mplayer | ||
48 | whitelist ~/.cache/gnome-mplayer/plugin | 29 | whitelist ~/.cache/gnome-mplayer/plugin |
49 | mkdir ~/.pki | 30 | whitelist ~/.config/gnome-mplayer |
50 | whitelist ~/.pki | ||
51 | whitelist ~/.lastpass | ||
52 | whitelist ~/.config/qpdfview | ||
53 | whitelist ~/.local/share/qpdfview | ||
54 | whitelist ~/.config/okularrc | ||
55 | whitelist ~/.config/okularpartrc | 31 | whitelist ~/.config/okularpartrc |
56 | whitelist ~/.kde4/share/apps/okular | 32 | whitelist ~/.config/okularrc |
33 | whitelist ~/.config/pipelight-silverlight5.1 | ||
34 | whitelist ~/.config/pipelight-widevine | ||
35 | whitelist ~/.config/qpdfview | ||
57 | whitelist ~/.kde/share/apps/okular | 36 | whitelist ~/.kde/share/apps/okular |
37 | whitelist ~/.kde4/share/apps/okular | ||
38 | whitelist ~/.keysnail.js | ||
39 | whitelist ~/.lastpass | ||
58 | whitelist ~/.local/share/okular | 40 | whitelist ~/.local/share/okular |
59 | 41 | whitelist ~/.local/share/qpdfview | |
60 | # silverlight | 42 | whitelist ~/.pentadactyl |
43 | whitelist ~/.pentadactylrc | ||
44 | whitelist ~/.pki | ||
45 | whitelist ~/.vimperator | ||
46 | whitelist ~/.vimperatorrc | ||
61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
65 | |||
66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
67 | 52 | ||
68 | # experimental features | 53 | caps.drop all |
69 | #private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
57 | noroot | ||
58 | protocol unix,inet,inet6,netlink | ||
59 | seccomp | ||
60 | shell none | ||
61 | tracelog | ||
62 | |||
63 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | ||
72 | private-dev | 64 | private-dev |
65 | # private-dev might prevent video calls going out | ||
66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | ||
73 | private-tmp | 67 | private-tmp |
74 | 68 | ||
75 | noexec ${HOME} | 69 | noexec ${HOME} |
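Review bot: Sorting moved `# private-dev might prevent video calls going out` to new line 65, after `private-dev` and directly above the commented `# private-etc …` line, where it reads as a remark about `private-etc`. A caveat about a directive that may affect video calls belongs above the directive it describes, so I would put it on the line before `private-dev` (new line 64). The removed `# ipc-namespace crashes cyberfox on some setups` comment was the only record of why `ipc-namespace` is absent from this profile. Keeping it as a plain comment near `caps.drop all` would save the next maintainer from re-adding the option.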
diff --git a/etc/darktable.profile b/etc/darktable.profile index eca2ae6c5..47d4710ad 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile | |||
@@ -1,19 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for darktable |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/darktable.local | 4 | include /etc/firejail/darktable.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.cache/darktable | 8 | noblacklist ~/.cache/darktable |
9 | noblacklist ~/.config/darktable | 9 | noblacklist ~/.config/darktable |
10 | |||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
14 | 15 | ||
15 | caps.drop all | 16 | caps.drop all |
16 | #ipc-namespace | ||
17 | netfilter | 17 | netfilter |
18 | nogroups | 18 | nogroups |
19 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 486df1d99..905920d42 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -1,20 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for deadbeef |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/deadbeef.local | 4 | include /etc/firejail/deadbeef.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # DeaDBeeF media player profile | ||
9 | noblacklist ${HOME}/.config/deadbeef | 8 | noblacklist ${HOME}/.config/deadbeef |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | no3d | 17 | no3d |
20 | nogroups | 18 | nogroups |
diff --git a/etc/deluge.profile b/etc/deluge.profile index 4e7d90e53..ed115b024 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -1,22 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for deluge |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/deluge.local | 4 | include /etc/firejail/deluge.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # deluge bittorrent client profile | ||
9 | noblacklist ${HOME}/.config/deluge | 8 | noblacklist ${HOME}/.config/deluge |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 11 | # include /etc/firejail/disable-devel.inc |
13 | # deluge is using python on Debian | ||
14 | #include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
16 | 14 | ||
17 | mkdir ${HOME}/.config/deluge | 15 | mkdir ${HOME}/.config/deluge |
18 | whitelist ${HOME}/.config/deluge | ||
19 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | whitelist ${HOME}/.config/deluge | ||
20 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
21 | 19 | ||
22 | caps.drop all | 20 | caps.drop all |
@@ -27,8 +25,11 @@ nosound | |||
27 | novideo | 25 | novideo |
28 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
29 | seccomp | 27 | seccomp |
30 | |||
31 | shell none | 28 | shell none |
32 | #private-bin deluge,sh,python,uname | 29 | |
30 | # private-bin deluge,sh,python,uname | ||
33 | private-dev | 31 | private-dev |
34 | private-tmp | 32 | private-tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # deluge is using python on Debian | ||
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 6d3aaa224..5e971a5d4 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Firejail profile for dex2jar | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/dex2jar.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/dex2jar.local | ||
8 | 9 | ||
9 | # Firejail profile for dex2jar | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/dia.profile b/etc/dia.profile index 71d8a249b..2072314cb 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -1,15 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dia |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dia.local | 4 | include /etc/firejail/dia.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.dia | 8 | noblacklist ~/.dia |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
@@ -23,9 +24,9 @@ protocol unix | |||
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
25 | 26 | ||
27 | disable-mnt | ||
26 | private-dev | 28 | private-dev |
27 | private-tmp | 29 | private-tmp |
28 | disable-mnt | ||
29 | 30 | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/digikam.profile b/etc/digikam.profile index d81d00ed3..0ff437608 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -1,36 +1,35 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for digikam |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/digikam.local | 4 | include /etc/firejail/digikam.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.kde4/share/apps/digikam | ||
9 | noblacklist ${HOME}/.kde/share/apps/digikam | ||
10 | noblacklist ${HOME}/.config/digikamrc | 8 | noblacklist ${HOME}/.config/digikamrc |
9 | noblacklist ${HOME}/.kde/share/apps/digikam | ||
10 | noblacklist ${HOME}/.kde4/share/apps/digikam | ||
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
19 | nogroups | ||
19 | nonewprivs | 20 | nonewprivs |
20 | noroot | 21 | noroot |
21 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
22 | |||
23 | # This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04. | ||
24 | # Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled. | ||
25 | #seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
26 | seccomp | 23 | seccomp |
27 | |||
28 | nogroups | ||
29 | shell none | 24 | shell none |
25 | |||
30 | # private-bin program | 26 | # private-bin program |
31 | # private-etc none | ||
32 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 27 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
28 | # private-etc none | ||
33 | private-tmp | 29 | private-tmp |
34 | 30 | ||
35 | noexec ${HOME} | 31 | noexec ${HOME} |
36 | noexec /tmp | 32 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
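Review bot: The commented `seccomp.keep` list survives only as new line 35 under `# CLOBBERED COMMENTS`, and the two lines that explained it (old lines 23–24: a seccomp whitelist for Debian jessie and Kubuntu 17.04, enabled by uncommenting) are gone. Without that context a reader cannot tell that the long line is an optional, distribution-specific allow-list rather than dead configuration. I would restore the explanation directly above it, e.g. `# Optional seccomp whitelist for Debian jessie, Kubuntu 17.04; uncomment to try it.`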
diff --git a/etc/dillo.profile b/etc/dillo.profile index e11a6f13b..4601be8dc 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile | |||
@@ -1,16 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dillo |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dillo.local | 4 | include /etc/firejail/dillo.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Dillo web browser | ||
9 | noblacklist ~/.dillo | 8 | noblacklist ~/.dillo |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.dillo | ||
16 | mkdir ~/.fltk | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ~/.dillo | ||
19 | whitelist ~/.fltk | ||
20 | include /etc/firejail/whitelist-common.inc | ||
14 | 21 | ||
15 | caps.drop all | 22 | caps.drop all |
16 | netfilter | 23 | netfilter |
@@ -19,11 +26,3 @@ noroot | |||
19 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
20 | seccomp | 27 | seccomp |
21 | tracelog | 28 | tracelog |
22 | |||
23 | whitelist ${DOWNLOADS} | ||
24 | mkdir ~/.dillo | ||
25 | whitelist ~/.dillo | ||
26 | mkdir ~/.fltk | ||
27 | whitelist ~/.fltk | ||
28 | |||
29 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/dino.profile b/etc/dino.profile index 94563fa1d..0501cd408 100644 --- a/etc/dino.profile +++ b/etc/dino.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dino |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dino.local | 4 | include /etc/firejail/dino.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Dino | ||
9 | noblacklist ${HOME}/.local/share/dino | 8 | noblacklist ${HOME}/.local/share/dino |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -13,13 +12,12 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
15 | 14 | ||
16 | whitelist ${HOME}/Downloads | ||
17 | mkdir ${HOME}/.local/share/dino | 15 | mkdir ${HOME}/.local/share/dino |
18 | whitelist ${HOME}/.local/share/dino | 16 | whitelist ${HOME}/.local/share/dino |
17 | whitelist ${HOME}/Downloads | ||
19 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
20 | 19 | ||
21 | caps.drop all | 20 | caps.drop all |
22 | #ipc-namespace | ||
23 | netfilter | 21 | netfilter |
24 | no3d | 22 | no3d |
25 | nogroups | 23 | nogroups |
@@ -31,11 +29,11 @@ protocol unix,inet,inet6 | |||
31 | seccomp | 29 | seccomp |
32 | shell none | 30 | shell none |
33 | 31 | ||
32 | disable-mnt | ||
34 | private-bin dino | 33 | private-bin dino |
35 | #private-etc fonts #breaks server connection | ||
36 | private-dev | 34 | private-dev |
35 | # private-etc fonts # breaks server connection | ||
37 | private-tmp | 36 | private-tmp |
38 | disable-mnt | ||
39 | 37 | ||
40 | noexec ${HOME} | 38 | noexec ${HOME} |
41 | noexec /tmp | 39 | noexec /tmp |
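Review bot: New line 17 whitelists the literal path `${HOME}/Downloads`, while dillo.profile and epiphany.profile in this same commit use the `${DOWNLOADS}` macro. On a system whose download directory has a different name (a localised one, for example), the literal path would presumably not match where the user saves files, and anything written outside a whitelisted path is discarded when the sandbox closes. Consider `whitelist ${DOWNLOADS}` here so the profiles agree.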
diff --git a/etc/display.profile b/etc/display.profile index c2c46cba3..ff5d3d2b9 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -1,20 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for display |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/display.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/display.local | ||
7 | 8 | ||
8 | # display (ImageMagick tool) image viewer profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
16 | nonewprivs | ||
17 | nogroups | 16 | nogroups |
17 | nonewprivs | ||
18 | noroot | 18 | noroot |
19 | nosound | 19 | nosound |
20 | protocol unix | 20 | protocol unix |
@@ -23,6 +23,6 @@ shell none | |||
23 | x11 xorg | 23 | x11 xorg |
24 | 24 | ||
25 | private-bin display | 25 | private-bin display |
26 | private-tmp | ||
27 | private-dev | 26 | private-dev |
28 | private-etc none | 27 | private-etc none |
28 | private-tmp | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 81199a22d..075b7ea15 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -1,20 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dnscrypt-proxy |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dnscrypt-proxy.local | 4 | include /etc/firejail/dnscrypt-proxy.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # security profile for dnscrypt-proxy | ||
9 | noblacklist /sbin | 8 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | private | ||
17 | private-dev | ||
18 | nosound | ||
19 | no3d | 16 | no3d |
17 | nosound | ||
20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 18 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
19 | |||
20 | private | ||
21 | private-dev | ||
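Review bot: The `seccomp.drop` list on new line 18 names `perf_event_open` twice, and nothing explains why this profile carries a hand-written list instead of the plain `seccomp` directive used by the other profiles. A frozen list does not pick up syscalls added to the default filter later, so a comment such as `# hand-maintained list; plain seccomp is not used because <reason>` would tell the next maintainer what must stay allowed. The visible profile also sets none of `caps.drop`, `nonewprivs` or `noroot`. If that is deliberate for a daemon that starts privileged, it deserves a one-line comment as well.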
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 797f093a1..834805af9 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -1,26 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dnsmasq |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dnsmasq.local | 4 | include /etc/firejail/dnsmasq.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # dnsmasq profile | ||
9 | noblacklist /sbin | 8 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps | 16 | caps |
17 | netfilter | 17 | netfilter |
18 | no3d | ||
18 | nonewprivs | 19 | nonewprivs |
19 | private | ||
20 | private-dev | ||
21 | nosound | 20 | nosound |
22 | no3d | ||
23 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
24 | seccomp | 22 | seccomp |
25 | 23 | ||
26 | disable-mnt | 24 | disable-mnt |
25 | private | ||
26 | private-dev | ||
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index aac358d38..5760f6811 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile | |||
@@ -1,34 +1,33 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dolphin |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dolphin.local | 4 | include /etc/firejail/dolphin.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # dolphin profile | 8 | noblacklist ${HOME}/.local/share/Trash |
9 | |||
10 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | ||
11 | |||
12 | noblacklist ~/.config/dolphinrc | 9 | noblacklist ~/.config/dolphinrc |
13 | noblacklist ~/.local/share/dolphin | 10 | noblacklist ~/.local/share/dolphin |
14 | noblacklist ${HOME}/.local/share/Trash | ||
15 | 11 | ||
16 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
17 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
18 | #include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
20 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | # include /etc/firejail/disable-programs.inc | ||
21 | 16 | ||
22 | caps.drop all | 17 | caps.drop all |
23 | netfilter | 18 | netfilter |
24 | nogroups | 19 | nogroups |
25 | nonewprivs | 20 | nonewprivs |
26 | noroot | 21 | noroot |
27 | shell none | ||
28 | seccomp | ||
29 | protocol unix | 22 | protocol unix |
23 | seccomp | ||
24 | shell none | ||
30 | 25 | ||
31 | # private-bin | 26 | # private-bin |
32 | # private-dev | 27 | # private-dev |
33 | # private-tmp | ||
34 | # private-etc | 28 | # private-etc |
29 | # private-tmp | ||
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
33 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | ||
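Review bot: The two explanatory comments now sit under `# CLOBBERED COMMENTS` at new lines 31–33, detached from the directives they explain. The warning that firejail does not effectively constrain dolphin (its services are started by kdeinit5) is the first thing a user of this profile needs to read and should stay in the header. The note about starting arbitrary applications belongs directly above `# include /etc/firejail/disable-programs.inc` on new line 15, where it stops that line from looking like an oversight someone might re-enable. etr.profile (`# nosound`) and evince.profile (the `/tmp/mozilla*` reason for `# private-tmp`) have the same detached comments.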
diff --git a/etc/dosbox.profile b/etc/dosbox.profile index ed4e5f345..ff8e26bf9 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dosbox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dosbox.local | 4 | include /etc/firejail/dosbox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for dosbox | ||
9 | noblacklist ~/.dosbox | 8 | noblacklist ~/.dosbox |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/dragon.profile b/etc/dragon.profile index 47d2c593a..e8d82363b 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dragon |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dragon.local | 4 | include /etc/firejail/dragon.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # dragon player profile | ||
9 | noblacklist ~/.config/dragonplayerrc | 8 | noblacklist ~/.config/dragonplayerrc |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -19,14 +18,14 @@ nogroups | |||
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
21 | novideo | 20 | novideo |
22 | shell none | ||
23 | seccomp | ||
24 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
22 | seccomp | ||
23 | shell none | ||
25 | 24 | ||
26 | private-bin dragon | 25 | private-bin dragon |
27 | private-dev | 26 | private-dev |
28 | private-tmp | ||
29 | # private-etc | 27 | # private-etc |
28 | private-tmp | ||
30 | 29 | ||
31 | noexec ${HOME} | 30 | noexec ${HOME} |
32 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 2319b337b..564a4054d 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -1,27 +1,27 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for dropbox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/dropbox.local | 4 | include /etc/firejail/dropbox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # dropbox profile | ||
9 | noblacklist ~/.config/autostart | 8 | noblacklist ~/.config/autostart |
10 | noblacklist ~/.dropbox-dist | 9 | noblacklist ~/.dropbox-dist |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | mkdir ~/Dropbox | ||
17 | whitelist ~/Dropbox | ||
18 | mkdir ~/.dropbox | 16 | mkdir ~/.dropbox |
19 | whitelist ~/.dropbox | ||
20 | mkdir ~/.dropbox-dist | 17 | mkdir ~/.dropbox-dist |
21 | whitelist ~/.dropbox-dist | 18 | mkdir ~/Dropbox |
22 | |||
23 | mkfile ~/.config/autostart/dropbox.desktop | 19 | mkfile ~/.config/autostart/dropbox.desktop |
24 | whitelist ~/.config/autostart/dropbox.desktop | 20 | whitelist ~/.config/autostart/dropbox.desktop |
21 | whitelist ~/.dropbox | ||
22 | whitelist ~/.dropbox-dist | ||
23 | whitelist ~/Dropbox | ||
24 | include /etc/firejail/whitelist-common.inc | ||
25 | 25 | ||
26 | caps.drop all | 26 | caps.drop all |
27 | netfilter | 27 | netfilter |
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile index ba28e3550..1e8e7bb6c 100644 --- a/etc/ebook-viewer.profile +++ b/etc/ebook-viewer.profile | |||
@@ -1,10 +1,7 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for calibre |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ebook-viewer.local | ||
7 | 4 | ||
8 | # Firejail profile for ebook-viewer (Calibre) | ||
9 | include /etc/firejail/calibre.profile | ||
10 | net none | 5 | net none |
6 | |||
7 | include /etc/firejail/calibre.profile | ||
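Review bot: The new side drops `include /etc/firejail/ebook-viewer.local` (and the `globals.local` include), so any restriction a user placed in ebook-viewer.local silently stops applying after this update. calibre.profile is not shown here; presumably it pulls in calibre.local and globals.local, but that is not the file users were told to edit. If the alias is meant to stay customisable, keep `include /etc/firejail/ebook-viewer.local` above `net none`. Otherwise the header comment should say that customisations now go in calibre.local.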
diff --git a/etc/electron.profile b/etc/electron.profile index efaecf029..0377ac073 100644 --- a/etc/electron.profile +++ b/etc/electron.profile | |||
@@ -1,7 +1,14 @@ | |||
1 | # Generic Firejail profile for Electron applications. | 1 | # Firejail profile for electron |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/electron.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
2 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | include /etc/firejail/disable-programs.inc | ||
5 | 12 | ||
6 | caps.drop all | 13 | caps.drop all |
7 | netfilter | 14 | netfilter |
diff --git a/etc/elinks.profile b/etc/elinks.profile index 597e43fb8..bd2c090a6 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -1,19 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for elinks |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/elinks.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/elinks.local | ||
7 | 9 | ||
8 | # elinks profile | ||
9 | noblacklist ~/.elinks | 10 | noblacklist ~/.elinks |
10 | 11 | ||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
17 | no3d | 19 | no3d |
18 | nogroups | 20 | nogroups |
19 | nonewprivs | 21 | nonewprivs |
@@ -22,13 +24,10 @@ nosound | |||
22 | novideo | 24 | novideo |
23 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
24 | seccomp | 26 | seccomp |
25 | netfilter | ||
26 | shell none | 27 | shell none |
27 | tracelog | 28 | tracelog |
28 | 29 | ||
29 | blacklist /tmp/.X11-unix | ||
30 | |||
31 | # private-bin elinks | 30 | # private-bin elinks |
32 | private-tmp | ||
33 | private-dev | 31 | private-dev |
34 | # private-etc none | 32 | # private-etc none |
33 | private-tmp | ||
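Review bot: `blacklist /tmp/.X11-unix` now opens the profile body on new line 8 with no comment saying why a browser profile denies the X11 socket. A short comment above it, for example `# text-mode browser: deny access to the X11 socket`, would keep a later cleanup from treating the line as a leftover. It would also be worth a word on how this line relates to `private-tmp` on new line 33, which cannot be determined from the visible hunks.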
diff --git a/etc/emacs.profile b/etc/emacs.profile index 4f9d27215..db823c029 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
@@ -1,23 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for emacs |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/emacs.local | 4 | include /etc/firejail/emacs.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # emacs profile | ||
9 | noblacklist ~/.emacs | 8 | noblacklist ~/.emacs |
10 | noblacklist ~/.emacs.d | 9 | noblacklist ~/.emacs.d |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
15 | 13 | include /etc/firejail/disable-programs.inc | |
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
18 | netfilter | 16 | netfilter |
17 | nogroups | ||
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
21 | nogroups | ||
22 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
23 | seccomp | 21 | seccomp |
diff --git a/etc/empathy.profile b/etc/empathy.profile index 415f752bf..5eb8d6868 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
@@ -1,19 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for empathy |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/empathy.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/empathy.local | ||
7 | 8 | ||
8 | # Empathy instant messaging profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | nonewprivs | ||
16 | nogroups | 15 | nogroups |
16 | nonewprivs | ||
17 | noroot | 17 | noroot |
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
19 | seccomp | 19 | seccomp |
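Review bot: The include block on new lines 9–11 pulls in disable-common, disable-devel and disable-programs but not `disable-passwdmgr.inc`, which almost every other profile normalised in this commit includes. epiphany.profile has the same gap. For a network-facing messaging client, leaving password-manager files reachable looks like an oversight that the reordering would have been a good moment to fix. If the omission is deliberate, a comment saying so would help; otherwise add `include /etc/firejail/disable-passwdmgr.inc` between the devel and programs lines. The profile may continue past the visible hunk.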
diff --git a/etc/enchant.profile b/etc/enchant.profile index 554ed5e28..5b0d190fa 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for enchant |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/enchant.local | 4 | include /etc/firejail/enchant.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # enchant profile | ||
9 | noblacklist ~/.config/enchant | 8 | noblacklist ~/.config/enchant |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -25,6 +24,6 @@ shell none | |||
25 | tracelog | 24 | tracelog |
26 | 25 | ||
27 | # private-bin enchant | 26 | # private-bin enchant |
28 | # private-tmp | ||
29 | # private-dev | 27 | # private-dev |
30 | # private-etc fonts | 28 | # private-etc fonts |
29 | # private-tmp | ||
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 605643472..b6d8e501f 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for engrampa |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/engrampa.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/engrampa.local | ||
7 | 8 | ||
8 | # engrampa profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
@@ -24,6 +24,6 @@ shell none | |||
24 | tracelog | 24 | tracelog |
25 | 25 | ||
26 | # private-bin engrampa | 26 | # private-bin engrampa |
27 | # private-tmp | ||
28 | private-dev | 27 | private-dev |
29 | # private-etc fonts | 28 | # private-etc fonts |
29 | # private-tmp | ||
diff --git a/etc/eog.profile b/etc/eog.profile index e272a1935..452bb1a36 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -1,23 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for eog |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/eog.local | 4 | include /etc/firejail/eog.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # eog (gnome image viewer) profile | ||
9 | noblacklist ~/.config/eog | ||
10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/eog |
12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
11 | noblacklist ~/.steam | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | #ipc-namespace | ||
21 | net none | 19 | net none |
22 | no3d | 20 | no3d |
23 | nogroups | 21 | nogroups |
diff --git a/etc/eom.profile b/etc/eom.profile index 28cb525c1..75a9e6764 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for eom |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/eom.local | 4 | include /etc/firejail/eom.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Eye of Mate (eom) | ||
9 | noblacklist ~/.config/mate/eom | ||
10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/mate/eom |
12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
11 | noblacklist ~/.steam | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | nogroups | 19 | nogroups |
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 90e07def9..86fddace0 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
@@ -1,26 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for epiphany |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/epiphany.local | 4 | include /etc/firejail/epiphany.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Epiphany browser profile | 8 | noblacklist ${HOME}/.cache/epiphany |
9 | noblacklist ${HOME}/.config/epiphany | 9 | noblacklist ${HOME}/.config/epiphany |
10 | noblacklist ${HOME}/.local/share/epiphany | 10 | noblacklist ${HOME}/.local/share/epiphany |
11 | noblacklist ${HOME}/.cache/epiphany | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | whitelist ${DOWNLOADS} | ||
18 | mkdir ${HOME}/.local/share/epiphany | ||
19 | whitelist ${HOME}/.local/share/epiphany | ||
20 | mkdir ${HOME}/.config/epiphany | ||
21 | whitelist ${HOME}/.config/epiphany | ||
22 | mkdir ${HOME}/.cache/epiphany | 16 | mkdir ${HOME}/.cache/epiphany |
17 | mkdir ${HOME}/.config/epiphany | ||
18 | mkdir ${HOME}/.local/share/epiphany | ||
19 | whitelist ${DOWNLOADS} | ||
23 | whitelist ${HOME}/.cache/epiphany | 20 | whitelist ${HOME}/.cache/epiphany |
21 | whitelist ${HOME}/.config/epiphany | ||
22 | whitelist ${HOME}/.local/share/epiphany | ||
24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
25 | 24 | ||
26 | caps.drop all | 25 | caps.drop all |
diff --git a/etc/etr.profile b/etc/etr.profile index d7b747995..6ed9a274d 100644 --- a/etc/etr.profile +++ b/etc/etr.profile | |||
@@ -1,41 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for etr |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/etr.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.etr |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/etr.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # Extreme Tux Racer profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.etr | ||
13 | mkdir ~/.etr | 14 | mkdir ~/.etr |
14 | whitelist ~/.etr | 15 | whitelist ~/.etr |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix,netlink | 23 | protocol unix,netlink |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin etr | 26 | |
34 | # private-etc none | 27 | # private-bin etr |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | |||
39 | |||
40 | |||
41 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/evince.profile b/etc/evince.profile index 9f1ebbf76..e58cef336 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -1,20 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for evince |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/evince.local | 4 | include /etc/firejail/evince.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # evince pdf reader profile | ||
9 | noblacklist ~/.config/evince | 8 | noblacklist ~/.config/evince |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | no3d | 17 | no3d |
20 | nogroups | 18 | nogroups |
@@ -30,9 +28,11 @@ tracelog | |||
30 | private-bin evince,evince-previewer,evince-thumbnailer | 28 | private-bin evince,evince-previewer,evince-thumbnailer |
31 | private-dev | 29 | private-dev |
32 | private-etc fonts | 30 | private-etc fonts |
33 | # evince needs access to /tmp/mozilla* to work in firefox | ||
34 | # private-tmp | 31 | # private-tmp |
35 | 32 | ||
36 | memory-deny-write-execute | 33 | memory-deny-write-execute |
37 | noexec ${HOME} | 34 | noexec ${HOME} |
38 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # evince needs access to /tmp/mozilla* to work in firefox | ||
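Review bot: The reason `private-tmp` stays disabled is now detached from the option it explains: `# evince needs access to /tmp/mozilla* to work in firefox` has moved under a `# CLOBBERED COMMENTS` heading at the end of the file, away from `# private-tmp`. Someone tightening the profile through evince.local can no longer see, next to the option, what enabling it would break. I would put the comment back directly above `# private-tmp` and drop the heading. The same applies to the trailing `# noroot` in file.profile, `# disable-mnt` in firefox.profile, `# tracelog` in franz.profile and `# nosound` in frozen-bubble.profile, where a disabled hardening option ends up at the bottom of the file with no stated reason.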
diff --git a/etc/evolution.profile b/etc/evolution.profile index ee8e02e8f..d41ef965a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
@@ -1,29 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for evolution |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/evolution.local | 4 | include /etc/firejail/evolution.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # evolution profile | 8 | noblacklist /var/mail |
9 | noblacklist /var/spool/mail | ||
10 | noblacklist ~/.bogofilter | ||
11 | noblacklist ~/.cache/evolution | ||
9 | noblacklist ~/.config/evolution | 12 | noblacklist ~/.config/evolution |
13 | noblacklist ~/.gnupg | ||
10 | noblacklist ~/.local/share/evolution | 14 | noblacklist ~/.local/share/evolution |
11 | noblacklist ~/.cache/evolution | ||
12 | noblacklist ~/.pki | 15 | noblacklist ~/.pki |
13 | noblacklist ~/.pki/nssdb | 16 | noblacklist ~/.pki/nssdb |
14 | noblacklist ~/.gnupg | ||
15 | noblacklist ~/.bogofilter | ||
16 | |||
17 | noblacklist /var/spool/mail | ||
18 | noblacklist /var/mail | ||
19 | 17 | ||
20 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
23 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | ||
24 | 22 | ||
25 | caps.drop all | 23 | caps.drop all |
26 | #ipc-namespace | ||
27 | netfilter | 24 | netfilter |
28 | no3d | 25 | no3d |
29 | nogroups | 26 | nogroups |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index e69a6206e..3637fc989 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -1,36 +1,35 @@ | |||
1 | # Firejail profile for exiftool | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/exiftool.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/exiftool.local | ||
8 | 10 | ||
9 | # exiftool profile | ||
10 | noblacklist /usr/bin/perl | 11 | noblacklist /usr/bin/perl |
11 | noblacklist /usr/share/perl* | ||
12 | noblacklist /usr/lib/perl* | 12 | noblacklist /usr/lib/perl* |
13 | noblacklist /usr/share/perl* | ||
13 | 14 | ||
14 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | ||
18 | 19 | ||
19 | caps.drop all | 20 | caps.drop all |
20 | net none | 21 | net none |
22 | no3d | ||
21 | nogroups | 23 | nogroups |
22 | nonewprivs | 24 | nonewprivs |
23 | noroot | 25 | noroot |
24 | nosound | 26 | nosound |
25 | protocol unix | 27 | protocol unix |
26 | seccomp | 28 | seccomp |
27 | no3d | ||
28 | shell none | 29 | shell none |
29 | tracelog | 30 | tracelog |
30 | 31 | ||
31 | blacklist /tmp/.X11-unix | ||
32 | |||
33 | # private-bin exiftool,perl | 32 | # private-bin exiftool,perl |
34 | private-tmp | ||
35 | private-dev | 33 | private-dev |
36 | private-etc none | 34 | private-etc none |
35 | private-tmp | ||
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 41edbb50b..663ee3bbb 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for fbreader |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/fbreader.local | 4 | include /etc/firejail/fbreader.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # fbreader ebook reader profile | ||
9 | noblacklist ${HOME}/.FBReader | 8 | noblacklist ${HOME}/.FBReader |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -20,8 +19,8 @@ noroot | |||
20 | nosound | 19 | nosound |
21 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
22 | seccomp | 21 | seccomp |
23 | |||
24 | shell none | 22 | shell none |
23 | |||
25 | private-bin fbreader,FBReader | 24 | private-bin fbreader,FBReader |
26 | private-dev | 25 | private-dev |
27 | private-tmp | 26 | private-tmp |
diff --git a/etc/feh.profile b/etc/feh.profile index 8f40a0c3e..1e0d7acc7 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for feh |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/feh.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/feh.local | ||
7 | 8 | ||
8 | # feh image viewer profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 15d8d36c6..173bb344f 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for file-roller |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/file-roller.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/file-roller.local | ||
7 | 8 | ||
8 | # file-roller profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | #ipc-namespace | ||
16 | net none | 15 | net none |
17 | no3d | 16 | no3d |
18 | nogroups | 17 | nogroups |
@@ -26,9 +25,9 @@ shell none | |||
26 | tracelog | 25 | tracelog |
27 | 26 | ||
28 | # private-bin file-roller | 27 | # private-bin file-roller |
29 | # private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | # private-etc fonts | 29 | # private-etc fonts |
30 | # private-tmp | ||
32 | 31 | ||
33 | memory-deny-write-execute | 32 | memory-deny-write-execute |
34 | noexec ${HOME} | 33 | noexec ${HOME} |
diff --git a/etc/file.profile b/etc/file.profile index 51e35007f..6e8280c3b 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,15 +1,16 @@ | |||
1 | # Firejail profile for file | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/file.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/file.local | ||
8 | 10 | ||
9 | # file profile | ||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | hostname file | 16 | hostname file |
@@ -17,7 +18,6 @@ net none | |||
17 | no3d | 18 | no3d |
18 | nogroups | 19 | nogroups |
19 | nonewprivs | 20 | nonewprivs |
20 | #noroot | ||
21 | nosound | 21 | nosound |
22 | protocol unix | 22 | protocol unix |
23 | seccomp | 23 | seccomp |
@@ -25,8 +25,9 @@ shell none | |||
25 | tracelog | 25 | tracelog |
26 | x11 none | 26 | x11 none |
27 | 27 | ||
28 | blacklist /tmp/.X11-unix | ||
29 | |||
30 | private-dev | ||
31 | private-bin file | 28 | private-bin file |
29 | private-dev | ||
32 | private-etc magic.mgc,magic,localtime | 30 | private-etc magic.mgc,magic,localtime |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # noroot | ||
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 3cc6fd601..c349a9e94 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for filezilla |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/filezilla.local | 4 | include /etc/firejail/filezilla.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # FileZilla ftp profile | ||
9 | noblacklist ${HOME}/.filezilla | ||
10 | noblacklist ${HOME}/.config/filezilla | 8 | noblacklist ${HOME}/.config/filezilla |
9 | noblacklist ${HOME}/.filezilla | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index 33d4a87ad..f3400b1e1 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for firefox-esr |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/firefox-esr.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/firefox-esr.local | ||
7 | 8 | ||
8 | # Firejail profile for Mozilla Firefox ESR | ||
9 | include /etc/firejail/firefox.profile | 9 | include /etc/firejail/firefox.profile |
diff --git a/etc/firefox.profile b/etc/firefox.profile index aff6e8334..8d48a4704 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -1,77 +1,73 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for firefox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/firefox.local | 4 | include /etc/firejail/firefox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
9 | noblacklist ~/.mozilla | ||
10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
9 | noblacklist ~/.config/okularpartrc | ||
10 | noblacklist ~/.config/okularrc | ||
11 | noblacklist ~/.config/qpdfview | 11 | noblacklist ~/.config/qpdfview |
12 | noblacklist ~/.local/share/qpdfview | ||
13 | noblacklist ~/.kde4/share/apps/okular | ||
14 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
13 | noblacklist ~/.kde4/share/apps/okular | ||
15 | noblacklist ~/.local/share/okular | 14 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.config/okularpartrc | 15 | noblacklist ~/.local/share/qpdfview |
17 | noblacklist ~/.config/okularrc | 16 | noblacklist ~/.mozilla |
18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
19 | 18 | ||
20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
21 | include /etc/firejail/disable-programs.inc | ||
23 | 22 | ||
24 | caps.drop all | ||
25 | # ipc-namespace crashes firefox on some setups | ||
26 | netfilter | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp | ||
32 | shell none | ||
33 | tracelog | ||
34 | |||
35 | whitelist ${DOWNLOADS} | ||
36 | mkdir ~/.mozilla | ||
37 | whitelist ~/.mozilla | ||
38 | mkdir ~/.cache/mozilla/firefox | 23 | mkdir ~/.cache/mozilla/firefox |
24 | mkdir ~/.mozilla | ||
25 | mkdir ~/.pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ~/.cache/gnome-mplayer/plugin | ||
39 | whitelist ~/.cache/mozilla/firefox | 28 | whitelist ~/.cache/mozilla/firefox |
40 | whitelist ~/dwhelper | ||
41 | whitelist ~/.zotero | ||
42 | whitelist ~/.vimperatorrc | ||
43 | whitelist ~/.vimperator | ||
44 | whitelist ~/.pentadactylrc | ||
45 | whitelist ~/.pentadactyl | ||
46 | whitelist ~/.keysnail.js | ||
47 | whitelist ~/.config/gnome-mplayer | 29 | whitelist ~/.config/gnome-mplayer |
48 | whitelist ~/.cache/gnome-mplayer/plugin | ||
49 | mkdir ~/.pki | ||
50 | whitelist ~/.pki | ||
51 | whitelist ~/.lastpass | ||
52 | whitelist ~/.config/qpdfview | ||
53 | whitelist ~/.local/share/qpdfview | ||
54 | whitelist ~/.config/okularrc | ||
55 | whitelist ~/.config/okularpartrc | 30 | whitelist ~/.config/okularpartrc |
56 | whitelist ~/.kde4/share/apps/okular | 31 | whitelist ~/.config/okularrc |
32 | whitelist ~/.config/pipelight-silverlight5.1 | ||
33 | whitelist ~/.config/pipelight-widevine | ||
34 | whitelist ~/.config/qpdfview | ||
57 | whitelist ~/.kde/share/apps/okular | 35 | whitelist ~/.kde/share/apps/okular |
36 | whitelist ~/.kde4/share/apps/okular | ||
37 | whitelist ~/.keysnail.js | ||
38 | whitelist ~/.lastpass | ||
58 | whitelist ~/.local/share/okular | 39 | whitelist ~/.local/share/okular |
59 | 40 | whitelist ~/.local/share/qpdfview | |
60 | # silverlight | 41 | whitelist ~/.mozilla |
42 | whitelist ~/.pentadactyl | ||
43 | whitelist ~/.pentadactylrc | ||
44 | whitelist ~/.pki | ||
45 | whitelist ~/.vimperator | ||
46 | whitelist ~/.vimperatorrc | ||
61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
65 | |||
66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
67 | 52 | ||
68 | # experimental features | 53 | caps.drop all |
69 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
57 | noroot | ||
58 | protocol unix,inet,inet6,netlink | ||
59 | seccomp | ||
60 | shell none | ||
61 | tracelog | ||
62 | |||
63 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
72 | private-dev | 64 | private-dev |
65 | # private-dev might prevent video calls going out | ||
66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
73 | private-tmp | 67 | private-tmp |
74 | #disable-mnt | ||
75 | 68 | ||
76 | noexec ${HOME} | 69 | noexec ${HOME} |
77 | noexec /tmp | 70 | noexec /tmp |
71 | |||
72 | # CLOBBERED COMMENTS | ||
73 | # disable-mnt | ||
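Review bot: The warning `# private-dev might prevent video calls going out` now follows the `private-dev` line (new lines 64-65) instead of preceding it, so it reads as a remark on the commented-out `# private-etc …` line below; it should sit directly above `private-dev`. The section also appears to drop `# ipc-namespace crashes firefox on some setups`, `# experimental features` and `# silverlight` altogether, without carrying them into the trailing comment block. The first recorded why a hardening option is absent, and the last labelled why the `~/.wine-pipelight*` and `~/.config/pipelight-*` paths are whitelisted. Now that the whitelist is sorted alphabetically those entries are scattered, so I would keep a short trailing comment on each, e.g. `# silverlight (pipelight)`.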
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index b9bf493b6..b3aa80f85 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -1,26 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for flashpeak-slimjet |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/flashpeak-slimjet.local | 4 | include /etc/firejail/flashpeak-slimjet.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # SlimJet browser profile | ||
9 | # This is a whitelisted profile, the internal browser sandbox | ||
10 | # is disabled because it requires sudo password. The command | ||
11 | # to run it is as follows: | ||
12 | # | ||
13 | # firejail flashpeak-slimjet --no-sandbox | ||
14 | # | ||
15 | noblacklist ~/.config/slimjet | ||
16 | noblacklist ~/.cache/slimjet | 8 | noblacklist ~/.cache/slimjet |
9 | noblacklist ~/.config/slimjet | ||
17 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
18 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | # include /etc/firejail/disable-devel.inc | ||
19 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
20 | 15 | ||
21 | # chromium is distributed with a perl script on Arch | 16 | mkdir ~/.cache/slimjet |
22 | # include /etc/firejail/disable-devel.inc | 17 | mkdir ~/.config/slimjet |
23 | # | 18 | mkdir ~/.pki |
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/slimjet | ||
21 | whitelist ~/.config/slimjet | ||
22 | whitelist ~/.pki | ||
23 | include /etc/firejail/whitelist-common.inc | ||
24 | 24 | ||
25 | caps.drop all | 25 | caps.drop all |
26 | netfilter | 26 | netfilter |
@@ -29,12 +29,8 @@ noroot | |||
29 | protocol unix,inet,inet6,netlink | 29 | protocol unix,inet,inet6,netlink |
30 | seccomp | 30 | seccomp |
31 | 31 | ||
32 | whitelist ${DOWNLOADS} | 32 | # CLOBBERED COMMENTS |
33 | mkdir ~/.config/slimjet | 33 | # firejail flashpeak-slimjet --no-sandbox |
34 | whitelist ~/.config/slimjet | 34 | # chromium is distributed with a perl script on Arch |
35 | mkdir ~/.cache/slimjet | 35 | # is disabled because it requires sudo password. The command |
36 | whitelist ~/.cache/slimjet | 36 | # to run it is as follows: |
37 | mkdir ~/.pki | ||
38 | whitelist ~/.pki | ||
39 | |||
40 | include /etc/firejail/whitelist-common.inc | ||
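Review bot: The trailing `# CLOBBERED COMMENTS` block no longer says what the original header said. The line `# This is a whitelisted profile, the internal browser sandbox` is gone, so `# is disabled because it requires sudo password.` has no subject, and the `--no-sandbox` command line now precedes the sentence that introduces it. According to the removed comment this profile is meant to be used with the browser's own sandbox switched off, which a user should be able to read in one piece near the top of the file; I would restore the original comment block intact below the `globals.local` include. `# chromium is distributed with a perl script on Arch` should likewise go back above `# include /etc/firejail/disable-devel.inc` (new line 13), since it is the stated reason that include is commented out.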
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index f8d45424f..b5cc8160b 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for flowblade |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/flowblade.local | 4 | include /etc/firejail/flowblade.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # FlowBlade profile | ||
9 | noblacklist ${HOME}/.flowblade | ||
10 | noblacklist ${HOME}/.config/flowblade | 8 | noblacklist ${HOME}/.config/flowblade |
9 | noblacklist ${HOME}/.flowblade | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index e8e3df62b..4b43602b8 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for fontforge |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/fontforge.local | 4 | include /etc/firejail/fontforge.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.FontForge | 8 | noblacklist ${HOME}/.FontForge |
9 | 9 | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
diff --git a/etc/fossamail.profile b/etc/fossamail.profile index 43968cf7a..d49027917 100644 --- a/etc/fossamail.profile +++ b/etc/fossamail.profile | |||
@@ -1,22 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for fossamail |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/fossamail.local | 4 | include /etc/firejail/fossamail.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for FossaMail | 8 | noblacklist ~/.cache/fossamail |
9 | |||
10 | noblacklist ~/.gnupg | ||
11 | mkdir ~/.gnupg | ||
12 | whitelist ~/.gnupg | ||
13 | |||
14 | noblacklist ~/.fossamail | 9 | noblacklist ~/.fossamail |
15 | mkdir ~/.fossamail | 10 | noblacklist ~/.gnupg |
16 | whitelist ~/.fossamail | ||
17 | 11 | ||
18 | noblacklist ~/.cache/fossamail | ||
19 | mkdir ~/.cache/fossamail | 12 | mkdir ~/.cache/fossamail |
13 | mkdir ~/.fossamail | ||
14 | mkdir ~/.gnupg | ||
20 | whitelist ~/.cache/fossamail | 15 | whitelist ~/.cache/fossamail |
16 | whitelist ~/.fossamail | ||
17 | whitelist ~/.gnupg | ||
18 | include /etc/firejail/whitelist-common.inc | ||
21 | 19 | ||
22 | include /etc/firejail/firefox.profile | 20 | include /etc/firejail/firefox.profile |
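Review bot: The `include /etc/firejail/whitelist-common.inc` that appears to be added at new line 18 looks redundant, because the last directive includes firefox.profile, which itself includes whitelist-common.inc after its own whitelist block (see the firefox.profile section of this commit). Either drop the new line or add a comment saying why this file needs it as well. Because firefox.profile is pulled in wholesale, this mail profile also inherits every browser whitelist entry, such as `~/.lastpass` and `~/.wine-pipelight`. A one-line comment above the include, e.g. `# inherits the full firefox whitelist, see firefox.profile`, would make that exposure visible from this file.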
diff --git a/etc/franz.profile b/etc/franz.profile index c5e019947..486326fe0 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -1,30 +1,28 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for franz |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/franz.local | 4 | include /etc/firejail/franz.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Franz profile | ||
9 | noblacklist ~/.config/Franz | ||
10 | noblacklist ~/.cache/Franz | 8 | noblacklist ~/.cache/Franz |
9 | noblacklist ~/.config/Franz | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | ||
17 | mkdir ~/.config/Franz | ||
18 | whitelist ~/.config/Franz | ||
19 | mkdir ~/.cache/Franz | 16 | mkdir ~/.cache/Franz |
20 | whitelist ~/.cache/Franz | 17 | mkdir ~/.config/Franz |
21 | mkdir ~/.pki | 18 | mkdir ~/.pki |
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/Franz | ||
21 | whitelist ~/.config/Franz | ||
22 | whitelist ~/.pki | 22 | whitelist ~/.pki |
23 | |||
24 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
25 | 24 | ||
26 | caps.drop all | 25 | caps.drop all |
27 | #ipc-namespace | ||
28 | netfilter | 26 | netfilter |
29 | nogroups | 27 | nogroups |
30 | nonewprivs | 28 | nonewprivs |
@@ -32,11 +30,13 @@ noroot | |||
32 | protocol unix,inet,inet6,netlink | 30 | protocol unix,inet,inet6,netlink |
33 | seccomp | 31 | seccomp |
34 | shell none | 32 | shell none |
35 | #tracelog | ||
36 | 33 | ||
34 | disable-mnt | ||
37 | private-dev | 35 | private-dev |
38 | private-tmp | 36 | private-tmp |
39 | disable-mnt | ||
40 | 37 | ||
41 | noexec ${HOME} | 38 | noexec ${HOME} |
42 | noexec /tmp | 39 | noexec /tmp |
40 | |||
41 | # CLOBBERED COMMENTS | ||
42 | # tracelog | ||
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 52f8e5b3e..dc8ad3e08 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -1,38 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for frozen-bubble |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/frozen-bubble.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.frozen-bubble |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/frozen-bubble.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # Frozen Bubble profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.frozen-bubble | ||
13 | mkdir ~/.frozen-bubble | 14 | mkdir ~/.frozen-bubble |
14 | whitelist ~/.frozen-bubble | 15 | whitelist ~/.frozen-bubble |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix,netlink | 23 | protocol unix,netlink |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin frozen-bubble | 26 | |
34 | # private-etc none | 27 | # private-bin frozen-bubble |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/gajim.profile b/etc/gajim.profile index a3deb2c73..d8ca7424c 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -1,34 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gajim |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gajim.local | 4 | include /etc/firejail/gajim.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Gajim | ||
9 | noblacklist ${HOME}/.local/share/gajim | ||
10 | noblacklist ${HOME}/.config/gajim | ||
11 | noblacklist ${HOME}/.cache/gajim | 8 | noblacklist ${HOME}/.cache/gajim |
9 | noblacklist ${HOME}/.config/gajim | ||
10 | noblacklist ${HOME}/.local/share/gajim | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
12 | 16 | ||
13 | mkdir ${HOME}/.cache/gajim | 17 | mkdir ${HOME}/.cache/gajim |
14 | mkdir ${HOME}/.local/share/gajim | ||
15 | mkdir ${HOME}/.config/gajim | 18 | mkdir ${HOME}/.config/gajim |
16 | mkdir ${HOME}/Downloads | ||
17 | |||
18 | # Allow the local python 2.7 site packages, in case any plugins are using these | ||
19 | mkdir ${HOME}/.local/lib/python2.7/site-packages/ | 19 | mkdir ${HOME}/.local/lib/python2.7/site-packages/ |
20 | whitelist ${HOME}/.local/lib/python2.7/site-packages/ | 20 | mkdir ${HOME}/.local/share/gajim |
21 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | 21 | mkdir ${HOME}/Downloads |
22 | |||
23 | whitelist ${HOME}/.cache/gajim | 22 | whitelist ${HOME}/.cache/gajim |
24 | whitelist ${HOME}/.local/share/gajim | ||
25 | whitelist ${HOME}/.config/gajim | 23 | whitelist ${HOME}/.config/gajim |
24 | whitelist ${HOME}/.local/lib/python2.7/site-packages/ | ||
25 | whitelist ${HOME}/.local/share/gajim | ||
26 | whitelist ${HOME}/Downloads | 26 | whitelist ${HOME}/Downloads |
27 | 27 | include /etc/firejail/whitelist-common.inc | |
28 | include /etc/firejail/disable-common.inc | ||
29 | include /etc/firejail/disable-passwdmgr.inc | ||
30 | include /etc/firejail/disable-programs.inc | ||
31 | include /etc/firejail/disable-devel.inc | ||
32 | 28 | ||
33 | caps.drop all | 29 | caps.drop all |
34 | netfilter | 30 | netfilter |
@@ -39,8 +35,12 @@ protocol unix,inet,inet6 | |||
39 | seccomp | 35 | seccomp |
40 | shell none | 36 | shell none |
41 | 37 | ||
42 | #private-bin python2.7 gajim | ||
43 | #private-etc fonts | ||
44 | private-dev | ||
45 | #private-tmp | ||
46 | disable-mnt | 38 | disable-mnt |
39 | # private-bin python2.7 gajim | ||
40 | private-dev | ||
41 | # private-etc fonts | ||
42 | # private-tmp | ||
43 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | ||
44 | |||
45 | # CLOBBERED COMMENTS | ||
46 | # Allow the local python 2.7 site packages, in case any plugins are using these | ||
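Review bot: The `read-only ${HOME}/.local/lib/python2.7/site-packages/` line at new line 43 is now separated from its `whitelist` at new line 24 and from the comment that explains it, which ends up under `# CLOBBERED COMMENTS` at the bottom of the file. Since that directory holds Python packages that plugins may load, the reason for exposing it and the read-only restriction should stay next to the whitelist, so that a later edit does not drop one without the other. I would put `# Allow the local python 2.7 site packages (read-only), in case any plugins are using these` directly above new line 24. The same detached-comment pattern appears in the gimp, gnome-2048 and gnome-calculator sections, where the optional hardening lines `# noexec ${HOME}`, `# nosound` and `# net none` are left under the clobbered heading instead of beside the options they relate to.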
diff --git a/etc/galculator.profile b/etc/galculator.profile index 897946e7a..48ecccd59 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
@@ -1,20 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for galculator |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/galculator.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/firejail.local | ||
7 | |||
8 | # Firejail profile for XYZ | ||
9 | noblacklist ~/.config/galculator | 8 | noblacklist ~/.config/galculator |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | mkdir ~/.config/galculator | 15 | mkdir ~/.config/galculator |
17 | whitelist ~/.config/galculator | 16 | whitelist ~/.config/galculator |
17 | include /etc/firejail/whitelist-common.inc | ||
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | net none | 20 | net none |
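Review bot: The include at new line 4 switches from `/etc/firejail/firejail.local` to `/etc/firejail/galculator.local`, so any override a user had placed in firejail.local stops applying to galculator after this update, and nothing in the header says so. The old path looks like a template leftover, so the new one is presumably what was intended. It is still a behaviour change inside an otherwise cosmetic reordering and deserves a line in the release notes. The hunk covers only the first 20 lines of the profile; the remaining options are outside it.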
diff --git a/etc/geany.profile b/etc/geany.profile index 083e9423f..9ec334fc0 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -1,14 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for geany |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/geany.local | 4 | include /etc/firejail/geany.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/geany | 8 | noblacklist ${HOME}/.config/geany |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
12 | 13 | ||
13 | caps.drop all | 14 | caps.drop all |
14 | netfilter | 15 | netfilter |
diff --git a/etc/geary.profile b/etc/geary.profile index f655f0efe..5833e51cf 100644 --- a/etc/geary.profile +++ b/etc/geary.profile | |||
@@ -1,28 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for geary |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/geary.local | 4 | include /etc/firejail/geary.local |
7 | 5 | # Persistent global definitions | |
8 | # Firejail profile for Gnome Geary | 6 | include /etc/firejail/globals.local |
9 | # Users have Geary set to open a browser by clicking a link in an email | ||
10 | # We are not allowed to blacklist browser-specific directories | ||
11 | 7 | ||
12 | noblacklist ~/.gnupg | 8 | noblacklist ~/.gnupg |
13 | mkdir ~/.gnupg | ||
14 | whitelist ~/.gnupg | ||
15 | |||
16 | noblacklist ~/.local/share/geary | 9 | noblacklist ~/.local/share/geary |
10 | |||
11 | mkdir ~/.gnupg | ||
17 | mkdir ~/.local/share/geary | 12 | mkdir ~/.local/share/geary |
13 | whitelist ~/.config/mimeapps.list | ||
14 | whitelist ~/.gnupg | ||
15 | whitelist ~/.local/share/applications | ||
18 | whitelist ~/.local/share/geary | 16 | whitelist ~/.local/share/geary |
17 | include /etc/firejail/whitelist-common.inc | ||
18 | |||
19 | ignore private-tmp | ||
19 | 20 | ||
20 | whitelist ~/.config/mimeapps.list | ||
21 | read-only ~/.config/mimeapps.list | 21 | read-only ~/.config/mimeapps.list |
22 | whitelist ~/.local/share/applications | ||
23 | read-only ~/.local/share/applications | 22 | read-only ~/.local/share/applications |
24 | 23 | ||
25 | # allow browsers | ||
26 | ignore private-tmp | ||
27 | include /etc/firejail/firefox.profile | 24 | include /etc/firejail/firefox.profile |
28 | #include /etc/firejail/chromium.profile - chromium runs as suid! | 25 | |
26 | # CLOBBERED COMMENTS | ||
27 | # Users have Geary set to open a browser by clicking a link in an email | ||
28 | # We are not allowed to blacklist browser-specific directories | ||
29 | # allow browsers | ||
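Review bot: The old line `#include /etc/firejail/chromium.profile - chromium runs as suid!` is dropped rather than moved, so the profile no longer records why only firefox.profile is included. The comments explaining `ignore private-tmp` (new line 19) and `include /etc/firejail/firefox.profile` (new line 24) now sit under `# CLOBBERED COMMENTS`, which makes those two lines read as a mistake in a mail client profile. I would keep the rationale in place, for example `# allow browsers: Geary opens links in a browser, so browser directories must not be blacklisted` above new line 19 and `# chromium.profile is not included because chromium runs as suid` above new line 24.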
diff --git a/etc/gedit.profile b/etc/gedit.profile index 3e78d939e..2fd7f20fe 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -1,23 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gedit |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gedit.local | 4 | include /etc/firejail/gedit.local |
7 | 5 | # Persistent global definitions | |
8 | # gedit profile | 6 | include /etc/firejail/globals.local |
9 | |||
10 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
11 | 7 | ||
12 | noblacklist ~/.config/gedit | 8 | noblacklist ~/.config/gedit |
13 | 9 | ||
14 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | 11 | # include /etc/firejail/disable-devel.inc |
16 | #include /etc/firejail/disable-devel.inc | ||
17 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
18 | 14 | ||
19 | caps.drop all | 15 | caps.drop all |
20 | #ipc-namespace | ||
21 | net none | 16 | net none |
22 | no3d | 17 | no3d |
23 | nogroups | 18 | nogroups |
@@ -36,3 +31,6 @@ private-tmp | |||
36 | 31 | ||
37 | noexec ${HOME} | 32 | noexec ${HOME} |
38 | noexec /tmp | 33 | noexec /tmp |
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
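Review bot: The caveat `# when gedit is started via gnome-shell, firejail is not applied because systemd will start it` is moved from the top of the profile to the last line, under `# CLOBBERED COMMENTS`. It tells the user that the sandbox may not be in effect at all for a common launch path, so it belongs in the header, directly after `# This file is overwritten after every install/update`. The gjs and gnome-books sections move the equivalent gjs caveat to the bottom in the same way. The disabled `#ipc-namespace` option at old line 20 is also removed entirely instead of being kept as `# ipc-namespace` beside `net none`.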
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index 194b76674..9434d49b8 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
@@ -1,30 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for geeqie |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/geeqie.local | 4 | include /etc/firejail/geeqie.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Geeqie | 8 | noblacklist ~/.cache/geeqie |
9 | noblacklist ~/.config/geeqie | 9 | noblacklist ~/.config/geeqie |
10 | noblacklist ~/.local/share/geeqie | 10 | noblacklist ~/.local/share/geeqie |
11 | noblacklist ~/.cache/geeqie | 11 | |
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | nogroups | 18 | nogroups |
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | ||
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | nosound | 24 | shell none |
24 | 25 | ||
26 | # private-bin geeqie | ||
25 | private-dev | 27 | private-dev |
28 | # private-etc X11 | ||
26 | 29 | ||
27 | #Experimental: | 30 | # CLOBBERED COMMENTS |
28 | shell none | 31 | # Experimental: |
29 | #private-bin geeqie | ||
30 | #private-etc X11 | ||
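Review bot: The `# Experimental:` label is left orphaned at new line 31 with nothing under it, while the three lines it used to cover are spread through the file: `shell none` at new line 24, `# private-bin geeqie` at new line 26 and `# private-etc X11` at new line 28. A reader can no longer tell which settings were considered untested. If `shell none` is now regarded as stable, drop the orphaned label and tag only the disabled lines, for example `# private-bin geeqie (experimental)` and `# private-etc X11 (experimental)`.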
diff --git a/etc/ghb.profile b/etc/ghb.profile index 2068c3136..80291223c 100644 --- a/etc/ghb.profile +++ b/etc/ghb.profile | |||
@@ -1,9 +1,8 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for handbrake |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ghb.local | ||
7 | 4 | ||
8 | # HandBrake | ||
9 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
6 | |||
7 | # CLOBBERED COMMENTS | ||
8 | # HandBrake | ||
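Review bot: The alias profile no longer includes `/etc/firejail/ghb.local` or `/etc/firejail/globals.local` (old lines 6 and 2), so restrictions a user added in ghb.local stop applying without any warning, and the new header says only that the file is overwritten on update. Presumably customizations are now picked up through handbrake.profile, which is not visible here; if so, the header should say it, for example `# Persistent local customizations go in handbrake.local`. The gimp-2.8 section drops `gimp-2.8.local` in the same way and needs the equivalent line pointing at gimp.local. New lines 3 and 4 are also left as two consecutive blank lines.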
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile index ce6cee7a5..5228078d9 100644 --- a/etc/gimp-2.8.profile +++ b/etc/gimp-2.8.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for gimp |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gimp-2.8.local | ||
7 | 4 | ||
8 | include /etc/firejail/gimp.profile | 5 | include /etc/firejail/gimp.profile |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 0fe462912..e63d10d35 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gimp |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gimp.local | 4 | include /etc/firejail/gimp.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gimp | ||
9 | noblacklist ${HOME}/.gimp* | 8 | noblacklist ${HOME}/.gimp* |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
@@ -21,11 +21,13 @@ protocol unix | |||
21 | seccomp | 21 | seccomp |
22 | shell none | 22 | shell none |
23 | 23 | ||
24 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory | 24 | private-dev |
25 | # if you are not using external plugins, you can enable noexec statement below | 25 | private-tmp |
26 | # noexec ${HOME} | ||
27 | 26 | ||
28 | noexec /tmp | 27 | noexec /tmp |
29 | 28 | ||
30 | private-dev | 29 | # CLOBBERED COMMENTS |
31 | private-tmp | 30 | # gimp |
31 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory | ||
32 | # if you are not using external plugins, you can enable noexec statement below | ||
33 | # noexec ${HOME} | ||
diff --git a/etc/git.profile b/etc/git.profile index 5fa3ef95e..a565f3b5a 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -1,35 +1,34 @@ | |||
1 | # Firejail profile for git | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/git.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/git.local | ||
8 | 10 | ||
9 | # git profile | ||
10 | noblacklist ~/.gitconfig | ||
11 | noblacklist ~/.ssh | ||
12 | noblacklist ~/.gnupg | ||
13 | noblacklist ~/.emacs | 11 | noblacklist ~/.emacs |
14 | noblacklist ~/.emacs.d | 12 | noblacklist ~/.emacs.d |
15 | noblacklist ~/.viminfo | 13 | noblacklist ~/.gitconfig |
14 | noblacklist ~/.gnupg | ||
15 | noblacklist ~/.ssh | ||
16 | noblacklist ~/.vim | 16 | noblacklist ~/.vim |
17 | noblacklist ~/.viminfo | ||
17 | 18 | ||
18 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
19 | include /etc/firejail/disable-programs.inc | ||
20 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | ||
21 | 22 | ||
22 | caps.drop all | 23 | caps.drop all |
23 | netfilter | 24 | netfilter |
25 | no3d | ||
24 | nogroups | 26 | nogroups |
25 | nonewprivs | 27 | nonewprivs |
26 | noroot | 28 | noroot |
27 | nosound | 29 | nosound |
28 | no3d | ||
29 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
32 | 33 | ||
33 | blacklist /tmp/.X11-unix | ||
34 | |||
35 | private-dev | 34 | private-dev |
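Review bot: `quiet` at new line 3 now sits below two header comments and above the `git.local` include, and nothing states that its position matters. The firejail-profile man page asks for `quiet` to be the first uncommented command, so a later tidy-up that sorts it in with the other options, or moves the include above it, could bring firejail's own output back into git's output. A one-line comment such as `# quiet must remain the first command in this file` above it would protect the ordering. Anything after new line 34 of the profile is outside this hunk.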
diff --git a/etc/gitg.profile b/etc/gitg.profile index 427cbe92c..a66ef1f92 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
@@ -1,14 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gitg |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gitg.local | 4 | include /etc/firejail/gitg.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for gitg | ||
9 | noblacklist ${HOME}/.gitconfig | 8 | noblacklist ${HOME}/.gitconfig |
10 | noblacklist ${HOME}/.ssh | ||
11 | noblacklist ${HOME}/.local/share/gitg | 9 | noblacklist ${HOME}/.local/share/gitg |
10 | noblacklist ${HOME}/.ssh | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/gitter.profile b/etc/gitter.profile index d85b4f660..1864044d8 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gitter |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gitter.local | 4 | include /etc/firejail/gitter.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Gitter | ||
9 | noblacklist ~/.config/Gitter | 8 | noblacklist ~/.config/Gitter |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-devel.inc | ||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
diff --git a/etc/gjs.profile b/etc/gjs.profile index f1def3f16..443dccfea 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
@@ -1,35 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gjs |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gjs.local | 4 | include /etc/firejail/gjs.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gjs (gnome javascript bindings) profile | 8 | noblacklist ~/.cache/libgweather |
9 | 9 | noblacklist ~/.cache/org.gnome.Books | |
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | |||
12 | noblacklist ~/.config/libreoffice | 10 | noblacklist ~/.config/libreoffice |
13 | noblacklist ~/.local/share/gnome-photos | 11 | noblacklist ~/.local/share/gnome-photos |
14 | noblacklist ~/.cache/org.gnome.Books | ||
15 | noblacklist ~/.cache/libgweather | ||
16 | 12 | ||
17 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
20 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
21 | 17 | ||
22 | caps.drop all | 18 | caps.drop all |
19 | netfilter | ||
23 | nogroups | 20 | nogroups |
24 | nonewprivs | 21 | nonewprivs |
25 | noroot | 22 | noroot |
26 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
27 | seccomp | 24 | seccomp |
28 | netfilter | ||
29 | shell none | 25 | shell none |
30 | tracelog | 26 | tracelog |
31 | 27 | ||
32 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | 28 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather |
33 | private-tmp | ||
34 | private-dev | 29 | private-dev |
35 | # private-etc fonts | 30 | # private-etc fonts |
31 | private-tmp | ||
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/globaltime.profile b/etc/globaltime.profile index b9b2c008d..726619f26 100644 --- a/etc/globaltime.profile +++ b/etc/globaltime.profile | |||
@@ -1,15 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for globaltime |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/globaltime.local | 4 | include /etc/firejail/globaltime.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/globaltime | 8 | noblacklist ${HOME}/.config/globaltime |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
@@ -23,9 +24,9 @@ protocol unix,inet,inet6 | |||
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
25 | 26 | ||
27 | disable-mnt | ||
26 | private-dev | 28 | private-dev |
27 | private-tmp | 29 | private-tmp |
28 | disable-mnt | ||
29 | 30 | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 5e0dfc2a1..480c6a35f 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile | |||
@@ -1,42 +1,36 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-2048 |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-2048.local | 4 | include /etc/firejail/gnome-2048.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for gnome-2048 | ||
10 | # | ||
11 | |||
12 | #No Blacklist Paths | ||
13 | noblacklist ${HOME}/.local/share/gnome-2048 | 8 | noblacklist ${HOME}/.local/share/gnome-2048 |
14 | 9 | ||
15 | #Blacklist Paths | ||
16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | ||
19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
20 | 14 | ||
21 | #Whitelist Paths | ||
22 | mkdir ${HOME}/.local/share/gnome-2048 | 15 | mkdir ${HOME}/.local/share/gnome-2048 |
23 | whitelist ${HOME}/.local/share/gnome-2048 | 16 | whitelist ${HOME}/.local/share/gnome-2048 |
24 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
25 | 18 | ||
26 | #Options | ||
27 | caps.drop all | 19 | caps.drop all |
28 | netfilter | 20 | netfilter |
29 | no3d | 21 | no3d |
30 | nonewprivs | 22 | nonewprivs |
31 | noroot | 23 | noroot |
32 | #nosound | ||
33 | novideo | 24 | novideo |
34 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
35 | seccomp | 26 | seccomp |
36 | 27 | ||
28 | disable-mnt | ||
37 | private-dev | 29 | private-dev |
38 | private-tmp | 30 | private-tmp |
39 | disable-mnt | ||
40 | 31 | ||
41 | noexec ${HOME} | 32 | noexec ${HOME} |
42 | noexec /tmp | 33 | noexec /tmp |
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # nosound | ||
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index e36294930..e934b48a5 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -1,19 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-books |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-books.local | 4 | include /etc/firejail/gnome-books.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gnome-books profile | ||
9 | |||
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | noblacklist ~/.cache/org.gnome.Books | 8 | noblacklist ~/.cache/org.gnome.Books |
12 | 9 | ||
13 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
17 | 14 | ||
18 | caps.drop all | 15 | caps.drop all |
19 | netfilter | 16 | netfilter |
@@ -29,9 +26,12 @@ shell none | |||
29 | tracelog | 26 | tracelog |
30 | 27 | ||
31 | # private-bin gjs gnome-books | 28 | # private-bin gjs gnome-books |
32 | private-tmp | ||
33 | private-dev | 29 | private-dev |
34 | #private-etc fonts | 30 | # private-etc fonts |
31 | private-tmp | ||
35 | 32 | ||
36 | noexec ${HOME} | 33 | noexec ${HOME} |
37 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 40328e5c3..2e949271b 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -1,26 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-calculator |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-calculator.local | 4 | include /etc/firejail/gnome-calculator.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for gnome-calculator | ||
10 | # | ||
11 | 8 | ||
12 | #Blacklist Paths | ||
13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
12 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
19 | 14 | ||
20 | #Options | ||
21 | caps.drop all | 15 | caps.drop all |
22 | netfilter | 16 | netfilter |
23 | #net none | ||
24 | no3d | 17 | no3d |
25 | nogroups | 18 | nogroups |
26 | nonewprivs | 19 | nonewprivs |
@@ -30,13 +23,16 @@ protocol unix,inet,inet6 | |||
30 | seccomp | 23 | seccomp |
31 | shell none | 24 | shell none |
32 | 25 | ||
26 | disable-mnt | ||
33 | private | 27 | private |
34 | private-bin gnome-calculator | 28 | private-bin gnome-calculator |
35 | private-dev | 29 | private-dev |
36 | #private-etc fonts | 30 | # private-etc fonts |
37 | private-tmp | 31 | private-tmp |
38 | disable-mnt | ||
39 | 32 | ||
40 | memory-deny-write-execute | 33 | memory-deny-write-execute |
41 | noexec ${HOME} | 34 | noexec ${HOME} |
42 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # net none | ||
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 8c098d592..8fd6a2eca 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-chess |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-chess.local | 4 | include /etc/firejail/gnome-chess.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for gnome-chess | ||
9 | noblacklist ~/.local/share/gnome-chess | 8 | noblacklist ~/.local/share/gnome-chess |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | no3d | 16 | no3d |
@@ -25,11 +24,11 @@ seccomp | |||
25 | shell none | 24 | shell none |
26 | tracelog | 25 | tracelog |
27 | 26 | ||
27 | disable-mnt | ||
28 | private-bin fairymax,gnome-chess,hoichess | 28 | private-bin fairymax,gnome-chess,hoichess |
29 | private-dev | 29 | private-dev |
30 | private-etc fonts,gnome-chess | 30 | private-etc fonts,gnome-chess |
31 | private-tmp | 31 | private-tmp |
32 | disable-mnt | ||
33 | 32 | ||
34 | noexec ${HOME} | 33 | noexec ${HOME} |
35 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 129bd6e71..e20cbd9fe 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-clocks |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-clocks.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-clocks.local | ||
7 | 8 | ||
8 | # gnome-clocks profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | ||
15 | no3d | 16 | no3d |
16 | nogroups | 17 | nogroups |
17 | nonewprivs | 18 | nonewprivs |
@@ -19,15 +20,14 @@ noroot | |||
19 | novideo | 20 | novideo |
20 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
21 | seccomp | 22 | seccomp |
22 | netfilter | ||
23 | shell none | 23 | shell none |
24 | tracelog | 24 | tracelog |
25 | 25 | ||
26 | disable-mnt | ||
26 | # private-bin gnome-clocks | 27 | # private-bin gnome-clocks |
27 | private-tmp | ||
28 | private-dev | 28 | private-dev |
29 | # private-etc fonts | 29 | # private-etc fonts |
30 | disable-mnt | 30 | private-tmp |
31 | 31 | ||
32 | noexec ${HOME} | 32 | noexec ${HOME} |
33 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile index 9164f6360..1be74bfd3 100644 --- a/etc/gnome-contacts.profile +++ b/etc/gnome-contacts.profile | |||
@@ -1,23 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-contacts |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-contacts.local | 4 | include /etc/firejail/gnome-contacts.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for gnome-contacts | ||
10 | # | ||
11 | 8 | ||
12 | #Blacklist Paths | ||
13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
12 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
19 | 14 | ||
20 | #Options | ||
21 | caps.drop all | 15 | caps.drop all |
22 | netfilter | 16 | netfilter |
23 | no3d | 17 | no3d |
@@ -28,9 +22,9 @@ novideo | |||
28 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
29 | seccomp | 23 | seccomp |
30 | 24 | ||
25 | disable-mnt | ||
31 | private-dev | 26 | private-dev |
32 | private-tmp | 27 | private-tmp |
33 | disable-mnt | ||
34 | 28 | ||
35 | noexec ${HOME} | 29 | noexec ${HOME} |
36 | noexec /tmp | 30 | noexec /tmp |
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 2d70bf7ef..2c77c32ae 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
@@ -1,20 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-documents |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-documents.local | 4 | include /etc/firejail/gnome-documents.local |
7 | 5 | # Persistent global definitions | |
8 | # gnome-documents profile | 6 | include /etc/firejail/globals.local |
9 | |||
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | 7 | ||
12 | noblacklist ~/.config/libreoffice | 8 | noblacklist ~/.config/libreoffice |
13 | 9 | ||
14 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
18 | 14 | ||
19 | caps.drop all | 15 | caps.drop all |
20 | netfilter | 16 | netfilter |
@@ -29,8 +25,11 @@ seccomp | |||
29 | shell none | 25 | shell none |
30 | tracelog | 26 | tracelog |
31 | 27 | ||
32 | private-tmp | ||
33 | private-dev | 28 | private-dev |
29 | private-tmp | ||
34 | 30 | ||
35 | noexec ${HOME} | 31 | noexec ${HOME} |
36 | noexec /tmp | 32 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
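Review bot: The gjs caveat now sits at the bottom of the file under a `# CLOBBERED COMMENTS` heading, where someone checking what this profile protects is unlikely to see it. It says firejail is not applied when the app is started via gnome-shell, which is the main limit of the profile, so it belongs in the header block, e.g. `# Note: when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them` right after the `# Firejail profile for gnome-documents` line. The same relocation appears in the gnome-maps, gnome-photos and gnome-weather sections.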
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile index 605dafc62..f122f066a 100644 --- a/etc/gnome-font-viewer.profile +++ b/etc/gnome-font-viewer.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-font-viewer |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-font-viewer.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-font-viewer.local | ||
7 | 8 | ||
8 | #Blacklist Paths | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | #Options | ||
15 | caps.drop all | 14 | caps.drop all |
16 | netfilter | 15 | netfilter |
17 | no3d | 16 | no3d |
@@ -22,9 +21,9 @@ novideo | |||
22 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
23 | seccomp | 22 | seccomp |
24 | 23 | ||
24 | disable-mnt | ||
25 | private-dev | 25 | private-dev |
26 | private-tmp | 26 | private-tmp |
27 | disable-mnt | ||
28 | 27 | ||
29 | noexec ${HOME} | 28 | noexec ${HOME} |
30 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 8c7310fa9..79ea783a6 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-maps |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-maps.local | 4 | include /etc/firejail/gnome-maps.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gnome-maps profile | ||
9 | |||
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | noblacklist ${HOME}/.cache/champlain | 8 | noblacklist ${HOME}/.cache/champlain |
9 | |||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
16 | netfilter | ||
18 | nogroups | 17 | nogroups |
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
@@ -22,15 +21,17 @@ nosound | |||
22 | novideo | 21 | novideo |
23 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
24 | seccomp | 23 | seccomp |
25 | netfilter | ||
26 | shell none | 24 | shell none |
27 | tracelog | 25 | tracelog |
28 | 26 | ||
27 | disable-mnt | ||
29 | # private-bin gjs gnome-maps | 28 | # private-bin gjs gnome-maps |
30 | private-tmp | ||
31 | private-dev | 29 | private-dev |
32 | # private-etc fonts | 30 | # private-etc fonts |
33 | disable-mnt | 31 | private-tmp |
34 | 32 | ||
35 | noexec ${HOME} | 33 | noexec ${HOME} |
36 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 51b3279f3..d63cc4500 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-mplayer |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-mplayer.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-mplayer.local | ||
7 | 8 | ||
8 | # GNOME MPlayer profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | nogroups | 15 | nogroups |
@@ -23,6 +23,5 @@ shell none | |||
23 | private-dev | 23 | private-dev |
24 | private-tmp | 24 | private-tmp |
25 | 25 | ||
26 | |||
27 | noexec ${HOME} | 26 | noexec ${HOME} |
28 | noexec /tmp | 27 | noexec /tmp |
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 8b569e563..9d7b878cd 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-music |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-music.local | 4 | include /etc/firejail/gnome-music.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gnome-music profile | ||
9 | noblacklist ~/.local/share/gnome-music | 8 | noblacklist ~/.local/share/gnome-music |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -26,10 +25,9 @@ shell none | |||
26 | tracelog | 25 | tracelog |
27 | 26 | ||
28 | # private-bin gnome-music,python3 | 27 | # private-bin gnome-music,python3 |
29 | private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | # private-etc fonts | 29 | # private-etc fonts |
32 | 30 | private-tmp | |
33 | 31 | ||
34 | noexec ${HOME} | 32 | noexec ${HOME} |
35 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index ed9dc0a03..bb13672f4 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -1,20 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-photos |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-photos.local | 4 | include /etc/firejail/gnome-photos.local |
7 | 5 | # Persistent global definitions | |
8 | # gnome-photos profile | 6 | include /etc/firejail/globals.local |
9 | |||
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | 7 | ||
12 | noblacklist ~/.local/share/gnome-photos | 8 | noblacklist ~/.local/share/gnome-photos |
13 | 9 | ||
14 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
18 | 14 | ||
19 | caps.drop all | 15 | caps.drop all |
20 | netfilter | 16 | netfilter |
@@ -28,9 +24,12 @@ shell none | |||
28 | tracelog | 24 | tracelog |
29 | 25 | ||
30 | # private-bin gjs gnome-photos | 26 | # private-bin gjs gnome-photos |
31 | private-tmp | ||
32 | private-dev | 27 | private-dev |
33 | # private-etc fonts | 28 | # private-etc fonts |
29 | private-tmp | ||
34 | 30 | ||
35 | noexec ${HOME} | 31 | noexec ${HOME} |
36 | noexec /tmp | 32 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile index 7c215df5d..9ef09a87b 100644 --- a/etc/gnome-twitch.profile +++ b/etc/gnome-twitch.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-twitch |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-twitch.local | 4 | include /etc/firejail/gnome-twitch.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Gnome Twitch | ||
9 | noblacklist ${HOME}/.cache/gnome-twitch | 8 | noblacklist ${HOME}/.cache/gnome-twitch |
10 | noblacklist ${HOME}/.local/share/gnome-twitch | 9 | noblacklist ${HOME}/.local/share/gnome-twitch |
11 | 10 | ||
@@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
15 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
16 | 15 | ||
17 | mkdir ${HOME}/.cache/gnome-twitch | 16 | mkdir ${HOME}/.cache/gnome-twitch |
18 | whitelist ${HOME}/.cache/gnome-twitch | ||
19 | mkdir ${HOME}/.local/share/gnome-twitch | 17 | mkdir ${HOME}/.local/share/gnome-twitch |
18 | whitelist ${HOME}/.cache/gnome-twitch | ||
20 | whitelist ${HOME}/.local/share/gnome-twitch | 19 | whitelist ${HOME}/.local/share/gnome-twitch |
21 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
22 | 21 | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 815fba7ca..77538ad6e 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
@@ -1,21 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gnome-weather |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gnome-weather.local | 4 | include /etc/firejail/gnome-weather.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gnome-weather profile | ||
9 | |||
10 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
11 | noblacklist ~/.cache/libgweather | 8 | noblacklist ~/.cache/libgweather |
12 | 9 | ||
13 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
17 | 14 | ||
18 | caps.drop all | 15 | caps.drop all |
16 | netfilter | ||
19 | no3d | 17 | no3d |
20 | nogroups | 18 | nogroups |
21 | nonewprivs | 19 | nonewprivs |
@@ -24,15 +22,17 @@ nosound | |||
24 | novideo | 22 | novideo |
25 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
26 | seccomp | 24 | seccomp |
27 | netfilter | ||
28 | shell none | 25 | shell none |
29 | tracelog | 26 | tracelog |
30 | 27 | ||
28 | disable-mnt | ||
31 | # private-bin gjs gnome-weather | 29 | # private-bin gjs gnome-weather |
32 | private-tmp | ||
33 | private-dev | 30 | private-dev |
34 | # private-etc fonts | 31 | # private-etc fonts |
35 | disable-mnt | 32 | private-tmp |
36 | 33 | ||
37 | noexec ${HOME} | 34 | noexec ${HOME} |
38 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/goobox.profile b/etc/goobox.profile index 129d17ae7..45715f9ce 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for goobox |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/goobox.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/goobox.local | ||
7 | 8 | ||
8 | # goobox profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
@@ -22,6 +22,6 @@ shell none | |||
22 | tracelog | 22 | tracelog |
23 | 23 | ||
24 | # private-bin goobox | 24 | # private-bin goobox |
25 | # private-tmp | ||
26 | # private-dev | 25 | # private-dev |
27 | # private-etc fonts | 26 | # private-etc fonts |
27 | # private-tmp | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 22a2e8f88..53220997a 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -1,39 +1,38 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome-beta |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/google-chrome-beta.local | 4 | include /etc/firejail/google-chrome-beta.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Google Chrome beta browser profile | ||
9 | noblacklist ~/.config/google-chrome-beta | ||
10 | noblacklist ~/.cache/google-chrome-beta | 8 | noblacklist ~/.cache/google-chrome-beta |
9 | noblacklist ~/.config/google-chrome-beta | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 11 | ||
15 | # chromium is distributed with a perl script on Arch | 12 | include /etc/firejail/disable-common.inc |
16 | # include /etc/firejail/disable-devel.inc | 13 | # include /etc/firejail/disable-devel.inc |
17 | # | 14 | include /etc/firejail/disable-programs.inc |
18 | 15 | ||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/google-chrome-beta | ||
21 | whitelist ~/.config/google-chrome-beta | ||
22 | mkdir ~/.cache/google-chrome-beta | 16 | mkdir ~/.cache/google-chrome-beta |
23 | whitelist ~/.cache/google-chrome-beta | 17 | mkdir ~/.config/google-chrome-beta |
24 | mkdir ~/.pki | 18 | mkdir ~/.pki |
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/google-chrome-beta | ||
21 | whitelist ~/.config/google-chrome-beta | ||
25 | whitelist ~/.pki | 22 | whitelist ~/.pki |
26 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
27 | 24 | ||
28 | caps.keep sys_chroot,sys_admin | 25 | caps.keep sys_chroot,sys_admin |
29 | #ipc-namespace | ||
30 | netfilter | 26 | netfilter |
31 | nogroups | 27 | nogroups |
32 | shell none | 28 | shell none |
33 | 29 | ||
34 | private-dev | 30 | private-dev |
35 | #private-tmp - problems with multiple browser sessions | 31 | # private-tmp - problems with multiple browser sessions |
36 | #disable-mnt | ||
37 | 32 | ||
38 | noexec ${HOME} | 33 | noexec ${HOME} |
39 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
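Review bot: The comment `# chromium is distributed with a perl script on Arch` is moved into the trailing `# CLOBBERED COMMENTS` block, which leaves `# include /etc/firejail/disable-devel.inc` commented out with no visible reason. In the old layout the comment sat directly above that line, so it is presumably the rationale. Keeping it there, e.g. `# disable-devel.inc is off: chromium is distributed with a perl script on Arch`, lets a maintainer judge whether the include can be re-enabled. The old `#ipc-namespace` line is dropped without appearing in the clobbered list, and `# disable-mnt` is now separated from the other private/mount options it was grouped with. The google-chrome-unstable and google-chrome sections show the same pattern.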
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile index 776cc06e0..df4bd001f 100644 --- a/etc/google-chrome-stable.profile +++ b/etc/google-chrome-stable.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for google-chrome |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/google-chrome-stable.local | ||
7 | 4 | ||
8 | # Google Chrome browser profile | ||
9 | include /etc/firejail/google-chrome.profile | 5 | include /etc/firejail/google-chrome.profile |
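Review bot: Turning this profile into an alias drops `include /etc/firejail/google-chrome-stable.local`, so any restrictions a user already keeps in that file would stop being read once this lands. Only `google-chrome.local` is still pulled in, through google-chrome.profile. Either keep the include above the redirect, or say in the header where overrides now belong, e.g. `# Persistent local customizations go in google-chrome.local`.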
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 0675d7b49..6f4ec9101 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -1,39 +1,38 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome-unstable |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/google-chrome-unstable.local | 4 | include /etc/firejail/google-chrome-unstable.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Google Chrome unstable browser profile | ||
9 | noblacklist ~/.config/google-chrome-unstable | ||
10 | noblacklist ~/.cache/google-chrome-unstable | 8 | noblacklist ~/.cache/google-chrome-unstable |
9 | noblacklist ~/.config/google-chrome-unstable | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 11 | ||
15 | # chromium is distributed with a perl script on Arch | 12 | include /etc/firejail/disable-common.inc |
16 | # include /etc/firejail/disable-devel.inc | 13 | # include /etc/firejail/disable-devel.inc |
17 | # | 14 | include /etc/firejail/disable-programs.inc |
18 | 15 | ||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/google-chrome-unstable | ||
21 | whitelist ~/.config/google-chrome-unstable | ||
22 | mkdir ~/.cache/google-chrome-unstable | 16 | mkdir ~/.cache/google-chrome-unstable |
23 | whitelist ~/.cache/google-chrome-unstable | 17 | mkdir ~/.config/google-chrome-unstable |
24 | mkdir ~/.pki | 18 | mkdir ~/.pki |
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/google-chrome-unstable | ||
21 | whitelist ~/.config/google-chrome-unstable | ||
25 | whitelist ~/.pki | 22 | whitelist ~/.pki |
26 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
27 | 24 | ||
28 | caps.keep sys_chroot,sys_admin | 25 | caps.keep sys_chroot,sys_admin |
29 | #ipc-namespace | ||
30 | netfilter | 26 | netfilter |
31 | nogroups | 27 | nogroups |
32 | shell none | 28 | shell none |
33 | 29 | ||
34 | private-dev | 30 | private-dev |
35 | #private-tmp - problems with multiple browser sessions | 31 | # private-tmp - problems with multiple browser sessions |
36 | #disable-mnt | ||
37 | 32 | ||
38 | noexec ${HOME} | 33 | noexec ${HOME} |
39 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index e6fceadec..84fdcdd21 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -1,39 +1,38 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for google-chrome |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/google-chrome.local | 4 | include /etc/firejail/google-chrome.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Google Chrome browser profile | ||
9 | noblacklist ~/.config/google-chrome | ||
10 | noblacklist ~/.cache/google-chrome | 8 | noblacklist ~/.cache/google-chrome |
9 | noblacklist ~/.config/google-chrome | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 11 | ||
15 | # chromium is distributed with a perl script on Arch | 12 | include /etc/firejail/disable-common.inc |
16 | # include /etc/firejail/disable-devel.inc | 13 | # include /etc/firejail/disable-devel.inc |
17 | # | 14 | include /etc/firejail/disable-programs.inc |
18 | 15 | ||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/google-chrome | ||
21 | whitelist ~/.config/google-chrome | ||
22 | mkdir ~/.cache/google-chrome | 16 | mkdir ~/.cache/google-chrome |
23 | whitelist ~/.cache/google-chrome | 17 | mkdir ~/.config/google-chrome |
24 | mkdir ~/.pki | 18 | mkdir ~/.pki |
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/google-chrome | ||
21 | whitelist ~/.config/google-chrome | ||
25 | whitelist ~/.pki | 22 | whitelist ~/.pki |
26 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
27 | 24 | ||
28 | caps.keep sys_chroot,sys_admin | 25 | caps.keep sys_chroot,sys_admin |
29 | #ipc-namespace | ||
30 | netfilter | 26 | netfilter |
31 | nogroups | 27 | nogroups |
32 | shell none | 28 | shell none |
33 | 29 | ||
34 | private-dev | 30 | private-dev |
35 | #private-tmp - problems with multiple browser sessions | 31 | # private-tmp - problems with multiple browser sessions |
36 | #disable-mnt | ||
37 | 32 | ||
38 | noexec ${HOME} | 33 | noexec ${HOME} |
39 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index c373cc34c..e326c8083 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -1,24 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for google-play-music-desktop-player |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/google-play-music-desktop-player.local | 4 | include /etc/firejail/google-play-music-desktop-player.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Google Play Music desktop player profile | ||
9 | noblacklist ~/.config/Google Play Music Desktop Player | 8 | noblacklist ~/.config/Google Play Music Desktop Player |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | #whitelist ~/.pulse | ||
17 | #whitelist ~/.config/pulse | ||
18 | whitelist ~/.config/Google Play Music Desktop Player | 15 | whitelist ~/.config/Google Play Music Desktop Player |
16 | include /etc/firejail/whitelist-common.inc | ||
19 | 17 | ||
20 | caps.drop all | 18 | caps.drop all |
21 | #ipc-namespace | ||
22 | netfilter | 19 | netfilter |
23 | no3d | 20 | no3d |
24 | nogroups | 21 | nogroups |
@@ -29,9 +26,13 @@ protocol unix,inet,inet6,netlink | |||
29 | seccomp | 26 | seccomp |
30 | shell none | 27 | shell none |
31 | 28 | ||
29 | disable-mnt | ||
32 | private-dev | 30 | private-dev |
33 | private-tmp | 31 | private-tmp |
34 | disable-mnt | ||
35 | 32 | ||
36 | noexec ${HOME} | 33 | noexec ${HOME} |
37 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # whitelist ~/.config/pulse | ||
38 | # whitelist ~/.pulse | ||
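Review bot: `whitelist ~/.config/Google Play Music Desktop Player` has no matching `mkdir`, unlike the gnome-twitch profile in this commit, which creates each directory before whitelisting it. If the directory does not exist on first run, the whitelist entry presumably has nothing to bind, and the player's settings would end up in the temporary home and be lost on exit. Adding `mkdir ~/.config/Google Play Music Desktop Player` before the whitelist line would match the pattern. This section also newly adds `include /etc/firejail/whitelist-common.inc`, a behaviour change in an otherwise cosmetic commit that deserves a line in the commit message.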
diff --git a/etc/gpa.profile b/etc/gpa.profile index 9230c8b3a..9ffb3abd3 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile | |||
@@ -1,26 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gpa |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gpa.local | 4 | include /etc/firejail/gpa.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gpa profile | ||
9 | noblacklist ~/.gnupg | 8 | noblacklist ~/.gnupg |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
16 | netfilter | ||
17 | nogroups | 17 | nogroups |
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
22 | seccomp | 22 | seccomp |
23 | netfilter | ||
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
26 | 25 | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7c1a05c6f..0592bd113 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gpg-agent |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gpg-agent.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gpg-agent.local | ||
7 | 9 | ||
8 | # gpg-agent profile | ||
9 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
10 | 11 | ||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | no3d | ||
17 | nogroups | 20 | nogroups |
18 | nonewprivs | 21 | nonewprivs |
19 | noroot | 22 | noroot |
20 | nosound | 23 | nosound |
21 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
22 | seccomp | 25 | seccomp |
23 | netfilter | ||
24 | no3d | ||
25 | shell none | 26 | shell none |
26 | tracelog | 27 | tracelog |
27 | 28 | ||
28 | blacklist /tmp/.X11-unix | ||
29 | |||
30 | # private-bin gpg-agent,gpg | 29 | # private-bin gpg-agent,gpg |
31 | private-dev | 30 | private-dev |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 9ecc0a753..2d745b435 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gpg |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gpg.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gpg.local | ||
7 | 9 | ||
8 | # gpg profile | ||
9 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
10 | 11 | ||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | no3d | ||
17 | nogroups | 20 | nogroups |
18 | nonewprivs | 21 | nonewprivs |
19 | noroot | 22 | noroot |
20 | nosound | 23 | nosound |
21 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
22 | seccomp | 25 | seccomp |
23 | netfilter | ||
24 | no3d | ||
25 | shell none | 26 | shell none |
26 | tracelog | 27 | tracelog |
27 | 28 | ||
28 | blacklist /tmp/.X11-unix | ||
29 | |||
30 | # private-bin gpg,gpg-agent | 29 | # private-bin gpg,gpg-agent |
31 | private-dev | 30 | private-dev |
diff --git a/etc/gpicview.profile b/etc/gpicview.profile index f457f0590..f9c56b7ad 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gpicview |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gpicview.local | 4 | include /etc/firejail/gpicview.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for GPicView | ||
9 | noblacklist ~/.config/gpicview | 8 | noblacklist ~/.config/gpicview |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 0abf60314..475f3deef 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -1,19 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gpredict |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gpredict.local | 4 | include /etc/firejail/gpredict.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for gpredict. | ||
9 | noblacklist ~/.config/Gpredict | 8 | noblacklist ~/.config/Gpredict |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | # Whitelist | ||
16 | whitelist ~/.config/Gpredict | 15 | whitelist ~/.config/Gpredict |
16 | include /etc/firejail/whitelist-common.inc | ||
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | netfilter | 19 | netfilter |
@@ -26,10 +26,10 @@ seccomp | |||
26 | shell none | 26 | shell none |
27 | tracelog | 27 | tracelog |
28 | 28 | ||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
31 | |||
32 | private-bin gpredict | 29 | private-bin gpredict |
33 | private-etc fonts,resolv.conf | ||
34 | private-dev | 30 | private-dev |
31 | private-etc fonts,resolv.conf | ||
35 | private-tmp | 32 | private-tmp |
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
diff --git a/etc/gtar.profile b/etc/gtar.profile index 9a4325082..9d28393bf 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile | |||
@@ -1,10 +1,5 @@ | |||
1 | quiet | 1 | # Firejail profile alias for tar |
2 | # Persistent global definitions go here | 2 | # This file is overwritten after every install/update |
3 | include /etc/firejail/globals.local | ||
4 | 3 | ||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/gtar.local | ||
8 | 4 | ||
9 | # gtar profile | ||
10 | include /etc/firejail/tar.profile | 5 | include /etc/firejail/tar.profile |
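Review bot: Turning gtar.profile into a bare alias removes `include /etc/firejail/gtar.local` (old line 7), so any restriction an administrator keeps in an existing gtar.local stops being applied after the update, with no message. The handbrake-gtk.profile section further down drops handbrake-gtk.local in the same way. `quiet` is also removed from this file; tar.profile is not visible on this page, so it should be confirmed that it still sets `quiet` and includes tar.local. If dropping the per-alias override is intended, the header should say so, for example `# Customizations go in tar.local; gtar.local is no longer read`.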
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 75d341d99..2e1503970 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gthumb |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gthumb.local | 4 | include /etc/firejail/gthumb.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # gthumb profile | ||
9 | noblacklist ${HOME}/.config/gthumb | 8 | noblacklist ${HOME}/.config/gthumb |
10 | noblacklist ~/.Steam | 9 | noblacklist ~/.Steam |
11 | noblacklist ~/.steam | 10 | noblacklist ~/.steam |
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | nogroups | 18 | nogroups |
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 86f3d7838..22adb9e65 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for guayadeque |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/guayadeque.local | 4 | include /etc/firejail/guayadeque.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.guayadeque | 8 | noblacklist ${HOME}/.guayadeque |
9 | 9 | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index 4d6237067..96bf783c4 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile | |||
@@ -1,9 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gucharmap |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gucharmap.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gucharmap.local | ||
7 | 8 | ||
8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
@@ -22,10 +23,10 @@ protocol unix | |||
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
24 | 25 | ||
26 | disable-mnt | ||
25 | private | 27 | private |
26 | private-dev | 28 | private-dev |
27 | private-tmp | 29 | private-tmp |
28 | disable-mnt | ||
29 | 30 | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index fffc3e3e9..19d83866e 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -1,23 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for gwenview |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gwenview.local | 4 | include /etc/firejail/gwenview.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # KDE gwenview profile | ||
9 | noblacklist ~/.kde4/share/apps/gwenview | ||
10 | noblacklist ~/.kde4/share/config/gwenviewrc | ||
11 | noblacklist ~/.kde/share/apps/gwenview | ||
12 | noblacklist ~/.kde/share/config/gwenviewrc | ||
13 | noblacklist ~/.config/gwenviewrc | 8 | noblacklist ~/.config/gwenviewrc |
14 | noblacklist ~/.config/org.kde.gwenviewrc | 9 | noblacklist ~/.config/org.kde.gwenviewrc |
10 | noblacklist ~/.kde/share/apps/gwenview | ||
11 | noblacklist ~/.kde/share/config/gwenviewrc | ||
12 | noblacklist ~/.kde4/share/apps/gwenview | ||
13 | noblacklist ~/.kde4/share/config/gwenviewrc | ||
15 | noblacklist ~/.local/share/gwenview | 14 | noblacklist ~/.local/share/gwenview |
16 | noblacklist ~/.local/share/org.kde.gwenview | 15 | noblacklist ~/.local/share/org.kde.gwenview |
16 | |||
17 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-devel.inc | 18 | include /etc/firejail/disable-devel.inc |
20 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
20 | include /etc/firejail/disable-programs.inc | ||
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | nogroups | 23 | nogroups |
@@ -30,9 +30,10 @@ tracelog | |||
30 | 30 | ||
31 | private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8 | 31 | private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8 |
32 | private-dev | 32 | private-dev |
33 | 33 | # private-etc X11 | |
34 | # Experimental: | ||
35 | #private-etc X11 | ||
36 | 34 | ||
37 | noexec ${HOME} | 35 | noexec ${HOME} |
38 | noexec /tmp | 36 | noexec /tmp |
37 | |||
38 | # CLOBBERED COMMENTS | ||
39 | # Experimental: | ||
diff --git a/etc/gzip.profile b/etc/gzip.profile index 5a2a5d26e..13960eda0 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,17 +1,14 @@ | |||
1 | # Firejail profile for gzip | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/gzip.local | 5 | include /etc/firejail/gzip.local |
8 | 6 | # Persistent global definitions | |
9 | # gzip profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | 8 | ||
13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
14 | 10 | ||
11 | ignore noroot | ||
15 | net none | 12 | net none |
16 | no3d | 13 | no3d |
17 | nosound | 14 | nosound |
@@ -19,3 +16,5 @@ shell none | |||
19 | tracelog | 16 | tracelog |
20 | 17 | ||
21 | private-dev | 18 | private-dev |
19 | |||
20 | include /etc/firejail/default.profile | ||
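Review bot: `ignore noroot` on new line 11 only works if it is read before the `noroot` it suppresses, which presumably comes from default.profile, and the second hunk moves that include to the last line of the file. The resulting order is still correct, but nothing in the file marks it as required, so a later re-sort of the directives could silently re-enable `noroot`. I would add a comment above the ignore line such as `# keep above the include of default.profile, otherwise noroot is applied`. default.profile is outside this page, so whether it includes globals.local a second time is not checked here.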
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile index a162352de..80291223c 100644 --- a/etc/handbrake-gtk.profile +++ b/etc/handbrake-gtk.profile | |||
@@ -1,9 +1,8 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for handbrake |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/handbrake-gtk.local | ||
7 | 4 | ||
8 | # HandBrake | ||
9 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
6 | |||
7 | # CLOBBERED COMMENTS | ||
8 | # HandBrake | ||
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index ccff63708..2b33051e2 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
@@ -1,15 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for handbrake |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/handbrake.local | 4 | include /etc/firejail/handbrake.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/ghb | 8 | noblacklist ~/.config/ghb |
9 | |||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | netfilter | 16 | netfilter |
diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 1e9540f87..662b8a06c 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile | |||
@@ -1,12 +1,11 @@ | |||
1 | # Firejail profile for hashcat | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/hashcat.local | 5 | include /etc/firejail/hashcat.local |
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | 8 | ||
9 | # Firejail profile for Hashcat | ||
10 | noblacklist ${HOME}/.hashcat | 9 | noblacklist ${HOME}/.hashcat |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index a5c23d0aa..b6dc1f945 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
@@ -1,17 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for hedgewars |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/hedgewars.local | 4 | include /etc/firejail/hedgewars.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # whitelist profile for Hedgewars (game) | ||
9 | noblacklist ${HOME}/.hedgewars | 8 | noblacklist ${HOME}/.hedgewars |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.hedgewars | ||
16 | whitelist ~/.hedgewars | ||
17 | include /etc/firejail/whitelist-common.inc | ||
15 | 18 | ||
16 | caps.drop all | 19 | caps.drop all |
17 | netfilter | 20 | netfilter |
@@ -21,10 +24,6 @@ noroot | |||
21 | seccomp | 24 | seccomp |
22 | tracelog | 25 | tracelog |
23 | 26 | ||
27 | disable-mnt | ||
24 | private-dev | 28 | private-dev |
25 | private-tmp | 29 | private-tmp |
26 | disable-mnt | ||
27 | |||
28 | mkdir ~/.hedgewars | ||
29 | whitelist ~/.hedgewars | ||
30 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 36ddb9e89..f070937ef 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -1,21 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for hexchat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/hexchat.local | 4 | include /etc/firejail/hexchat.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # HexChat instant messaging profile | ||
9 | # Currently in testing (may not work for all users) | ||
10 | noblacklist ${HOME}/.config/hexchat | 8 | noblacklist ${HOME}/.config/hexchat |
11 | #noblacklist /usr/lib/python2* | 9 | |
12 | #noblacklist /usr/lib/python3* | ||
13 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | mkdir ~/.config/hexchat | ||
15 | whitelist ~/.config/hexchat | ||
16 | include /etc/firejail/whitelist-common.inc | ||
16 | 17 | ||
17 | caps.drop all | 18 | caps.drop all |
18 | #ipc-namespace | ||
19 | netfilter | 19 | netfilter |
20 | no3d | 20 | no3d |
21 | nogroups | 21 | nogroups |
@@ -28,15 +28,16 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | tracelog | 29 | tracelog |
30 | 30 | ||
31 | mkdir ~/.config/hexchat | 31 | disable-mnt |
32 | whitelist ~/.config/hexchat | ||
33 | include /etc/firejail/whitelist-common.inc | ||
34 | |||
35 | private-bin hexchat | 32 | private-bin hexchat |
36 | #debug note: private-bin requires perl, python, etc on some systems | ||
37 | private-dev | 33 | private-dev |
38 | private-tmp | 34 | private-tmp |
39 | disable-mnt | ||
40 | 35 | ||
41 | noexec ${HOME} | 36 | noexec ${HOME} |
42 | noexec /tmp | 37 | noexec /tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # Currently in testing (may not work for all users) | ||
41 | # debug note: private-bin requires perl, python, etc on some systems | ||
42 | # noblacklist /usr/lib/python2* | ||
43 | # noblacklist /usr/lib/python3* | ||
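Review bot: The note `debug note: private-bin requires perl, python, etc on some systems` used to sit directly under `private-bin hexchat` and is now in the CLOBBERED COMMENTS block at the end (new lines 39-43), where it no longer says which directive it qualifies. A user whose scripting plugins fail inside the sandbox is then more likely to remove `private-bin` entirely than to extend its list. I would move the note back as `# private-bin may need perl, python, etc. added on some systems` above `private-bin hexchat`. The two commented `noblacklist /usr/lib/python*` lines should either go back next to the `noblacklist` block or be deleted.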
diff --git a/etc/highlight.profile b/etc/highlight.profile index fefbcc55d..c314d34cb 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for highlight |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/highlight.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/highlight.local | ||
7 | 9 | ||
8 | # highlight profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | net none | 16 | net none |
17 | no3d | ||
16 | nogroups | 18 | nogroups |
17 | nonewprivs | 19 | nonewprivs |
18 | noroot | 20 | noroot |
19 | nosound | 21 | nosound |
20 | protocol unix | 22 | protocol unix |
21 | seccomp | 23 | seccomp |
22 | no3d | ||
23 | shell none | 24 | shell none |
24 | tracelog | 25 | tracelog |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
28 | private-bin highlight | 27 | private-bin highlight |
28 | private-dev | ||
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | private-dev | ||
diff --git a/etc/hugin.profile b/etc/hugin.profile index 26e696f0d..8eb7410ff 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for hugin |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/hugin.local | 4 | include /etc/firejail/hugin.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.hugin | 8 | noblacklist ${HOME}/.hugin |
9 | 9 | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
diff --git a/etc/icecat.profile b/etc/icecat.profile index 600263a2a..b8b267dff 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
@@ -1,53 +1,49 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for icecat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/icecat.local | 4 | include /etc/firejail/icecat.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for GNU Icecat | ||
9 | noblacklist ~/.mozilla | ||
10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
9 | noblacklist ~/.mozilla | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | ||
17 | netfilter | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | protocol unix,inet,inet6,netlink | ||
21 | seccomp | ||
22 | tracelog | ||
23 | |||
24 | whitelist ${DOWNLOADS} | ||
25 | mkdir ~/.mozilla | ||
26 | whitelist ~/.mozilla | ||
27 | mkdir ~/.cache/mozilla/icecat | 16 | mkdir ~/.cache/mozilla/icecat |
17 | mkdir ~/.mozilla | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
28 | whitelist ~/.cache/mozilla/icecat | 20 | whitelist ~/.cache/mozilla/icecat |
29 | whitelist ~/dwhelper | ||
30 | whitelist ~/.zotero | ||
31 | whitelist ~/.vimperatorrc | ||
32 | whitelist ~/.vimperator | ||
33 | whitelist ~/.pentadactylrc | ||
34 | whitelist ~/.pentadactyl | ||
35 | whitelist ~/.keysnail.js | ||
36 | whitelist ~/.config/gnome-mplayer | 21 | whitelist ~/.config/gnome-mplayer |
37 | whitelist ~/.cache/gnome-mplayer/plugin | 22 | whitelist ~/.config/pipelight-silverlight5.1 |
38 | whitelist ~/.pki | 23 | whitelist ~/.config/pipelight-widevine |
24 | whitelist ~/.keysnail.js | ||
39 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
40 | 26 | whitelist ~/.mozilla | |
41 | # silverlight | 27 | whitelist ~/.pentadactyl |
28 | whitelist ~/.pentadactylrc | ||
29 | whitelist ~/.pki | ||
30 | whitelist ~/.vimperator | ||
31 | whitelist ~/.vimperatorrc | ||
42 | whitelist ~/.wine-pipelight | 32 | whitelist ~/.wine-pipelight |
43 | whitelist ~/.wine-pipelight64 | 33 | whitelist ~/.wine-pipelight64 |
44 | whitelist ~/.config/pipelight-widevine | 34 | whitelist ~/.zotero |
45 | whitelist ~/.config/pipelight-silverlight5.1 | 35 | whitelist ~/dwhelper |
46 | |||
47 | include /etc/firejail/whitelist-common.inc | 36 | include /etc/firejail/whitelist-common.inc |
48 | 37 | ||
49 | # experimental features | 38 | caps.drop all |
50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 39 | netfilter |
40 | nonewprivs | ||
41 | noroot | ||
42 | protocol unix,inet,inet6,netlink | ||
43 | seccomp | ||
44 | tracelog | ||
45 | |||
46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
51 | 47 | ||
52 | noexec ${HOME} | 48 | noexec ${HOME} |
53 | noexec /tmp | 49 | noexec /tmp |
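Review bot: Sorting the whitelist block alphabetically drops the `# silverlight` heading, so `~/.config/pipelight-*` (new lines 22-23) and `~/.wine-pipelight*` (new lines 32-33) are now separated, with nothing saying why they are exposed. The `# experimental features` label on the commented `private-etc` line is dropped as well. Unlike other profiles in this commit, there is no CLOBBERED COMMENTS block preserving either comment. A short marker next to those entries, for example `# pipelight/silverlight plugin support`, would let an administrator tightening the profile through icecat.local see which paths are optional.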
diff --git a/etc/icedove.profile b/etc/icedove.profile index a3192c491..8cb4ec1ea 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -1,27 +1,27 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for icedove |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/icedove.local | 4 | include /etc/firejail/icedove.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) | 8 | noblacklist ~/.cache/icedove |
9 | # Users have icedove set to open a browser by clicking a link in an email | ||
10 | # We are not allowed to blacklist browser-specific directories | ||
11 | |||
12 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
13 | mkdir ~/.gnupg | ||
14 | whitelist ~/.gnupg | ||
15 | |||
16 | noblacklist ~/.icedove | 10 | noblacklist ~/.icedove |
17 | mkdir ~/.icedove | ||
18 | whitelist ~/.icedove | ||
19 | 11 | ||
20 | noblacklist ~/.cache/icedove | ||
21 | mkdir ~/.cache/icedove | 12 | mkdir ~/.cache/icedove |
13 | mkdir ~/.gnupg | ||
14 | mkdir ~/.icedove | ||
22 | whitelist ~/.cache/icedove | 15 | whitelist ~/.cache/icedove |
16 | whitelist ~/.gnupg | ||
17 | whitelist ~/.icedove | ||
18 | include /etc/firejail/whitelist-common.inc | ||
23 | 19 | ||
24 | # allow browsers | ||
25 | ignore private-tmp | 20 | ignore private-tmp |
21 | |||
26 | include /etc/firejail/firefox.profile | 22 | include /etc/firejail/firefox.profile |
27 | #include /etc/firejail/chromium.profile - chromium runs as suid! | 23 | |
24 | # CLOBBERED COMMENTS | ||
25 | # Users have icedove set to open a browser by clicking a link in an email | ||
26 | # We are not allowed to blacklist browser-specific directories | ||
27 | # allow browsers | ||
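Review bot: The old line `#include /etc/firejail/chromium.profile - chromium runs as suid!` is removed and does not reappear in the CLOBBERED COMMENTS block (new lines 24-27), so the reason only firefox.profile is included is lost. The comments that explained `ignore private-tmp` and the firefox.profile include are also detached from those lines. I would restore them in place, for example `# allow browsers: links in mail open a browser inside this sandbox` above `ignore private-tmp` and `# chromium.profile is not included because chromium runs as suid` above the include. Since `~/.gnupg` is whitelisted in this profile, anyone assessing it needs to see that a browser runs in the same sandbox.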
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index 5558e317d..62671cb67 100644 --- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for iceweasel |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/iceweasel.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/iceweasel.local | ||
7 | 8 | ||
8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
9 | include /etc/firejail/firefox.profile | 9 | include /etc/firejail/firefox.profile |
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 771131262..2ca4cba69 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
@@ -1,16 +1,14 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for idea.sh |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/idea.sh.local | 4 | include /etc/firejail/idea.sh.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for IntelliJ IDEA Community Edition | 8 | noblacklist ${HOME}/.IdeaIC* |
9 | |||
10 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
11 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.gradle | 11 | noblacklist ${HOME}/.gradle |
13 | noblacklist ${HOME}/.IdeaIC* | ||
14 | noblacklist ${HOME}/.java | 12 | noblacklist ${HOME}/.java |
15 | noblacklist ${HOME}/.local/share/JetBrains | 13 | noblacklist ${HOME}/.local/share/JetBrains |
16 | noblacklist ${HOME}/.ssh | 14 | noblacklist ${HOME}/.ssh |
@@ -25,13 +23,15 @@ netfilter | |||
25 | nogroups | 23 | nogroups |
26 | nonewprivs | 24 | nonewprivs |
27 | noroot | 25 | noroot |
28 | #nosound | ||
29 | novideo | 26 | novideo |
30 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
31 | seccomp | 28 | seccomp |
32 | shell none | 29 | shell none |
33 | 30 | ||
34 | private-dev | 31 | private-dev |
35 | #private-tmp | 32 | # private-tmp |
36 | 33 | ||
37 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # nosound | ||
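Review bot: The `# CLOBBERED COMMENTS` trailer at the end of this profile parks `# nosound` away from the option list, so it no longer reads as a deliberately disabled option sitting between `noroot` and `novideo`. The same trailer is added in inkscape.profile, iridium.profile and kodi.profile; in iridium.profile it separates `# chromium/iridium is distributed with a perl script on Arch` from the commented-out `# include /etc/firejail/disable-devel.inc` it explains, which makes that relaxed blacklist look accidental. I would move each comment back beside the directive it describes (here `# nosound` directly after `noroot`) and drop the trailer. The option list in this profile starts outside the second hunk.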
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 2ea359e72..5117e887b 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for img2txt |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/img2txt.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/img2txt.local | ||
7 | 8 | ||
8 | # img2txt profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
@@ -22,7 +22,7 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | #private-bin img2txt | 25 | # private-bin img2txt |
26 | private-tmp | ||
27 | private-dev | 26 | private-dev |
28 | #private-etc none | 27 | # private-etc none |
28 | private-tmp | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index af1be565b..cde845907 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for inkscape |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/inkscape.local | 4 | include /etc/firejail/inkscape.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # inkscape | ||
9 | noblacklist ${HOME}/.inkscape | 8 | noblacklist ${HOME}/.inkscape |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
@@ -28,3 +28,6 @@ private-tmp | |||
28 | 28 | ||
29 | noexec ${HOME} | 29 | noexec ${HOME} |
30 | noexec /tmp | 30 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # inkscape | ||
diff --git a/etc/inox.profile b/etc/inox.profile index 49adf141b..98a1ea6a9 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
@@ -1,25 +1,24 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for inox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/inox.local | 4 | include /etc/firejail/inox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Inox browser profile | ||
9 | noblacklist ~/.config/inox | ||
10 | noblacklist ~/.cache/inox | 8 | noblacklist ~/.cache/inox |
9 | noblacklist ~/.config/inox | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | netfilter | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | mkdir ~/.config/inox | ||
19 | whitelist ~/.config/inox | ||
20 | mkdir ~/.cache/inox | 15 | mkdir ~/.cache/inox |
21 | whitelist ~/.cache/inox | 16 | mkdir ~/.config/inox |
22 | mkdir ~/.pki | 17 | mkdir ~/.pki |
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/inox | ||
20 | whitelist ~/.config/inox | ||
23 | whitelist ~/.pki | 21 | whitelist ~/.pki |
24 | |||
25 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | netfilter | ||
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile index 5b035dd79..9e1a4fcc2 100644 --- a/etc/iridium-browser.profile +++ b/etc/iridium-browser.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for iridium |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/iridium-browser.local | ||
7 | 4 | ||
8 | include /etc/firejail/iridium.profile | 5 | include /etc/firejail/iridium.profile |
9 | |||
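Review bot: Turning this file into a bare alias removes `include /etc/firejail/iridium-browser.local`, so any restrictions a user already keeps in that file stop being applied after the update, with no warning; keepass2.profile loses `keepass2.local` the same way. `globals.local` still arrives through iridium.profile, but the per-alias overrides do not. Either keep the line `include /etc/firejail/iridium-browser.local`, or say in the header where overrides now belong, e.g. `# Customizations go in /etc/firejail/iridium.local`.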
diff --git a/etc/iridium.profile b/etc/iridium.profile index 0dd6695bf..03fae05dc 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile | |||
@@ -1,28 +1,27 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for iridium |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/iridium.local | 4 | include /etc/firejail/iridium.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Iridium browser profile | ||
9 | noblacklist ~/.config/iridium | ||
10 | noblacklist ~/.cache/iridium | 8 | noblacklist ~/.cache/iridium |
11 | include /etc/firejail/disable-common.inc | 9 | noblacklist ~/.config/iridium |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 10 | ||
14 | # chromium/iridium is distributed with a perl script on Arch | 11 | include /etc/firejail/disable-common.inc |
15 | # include /etc/firejail/disable-devel.inc | 12 | # include /etc/firejail/disable-devel.inc |
16 | # | 13 | include /etc/firejail/disable-programs.inc |
17 | |||
18 | netfilter | ||
19 | 14 | ||
20 | whitelist ${DOWNLOADS} | ||
21 | mkdir ~/.config/iridium | ||
22 | whitelist ~/.config/iridium | ||
23 | mkdir ~/.cache/iridium | 15 | mkdir ~/.cache/iridium |
24 | whitelist ~/.cache/iridium | 16 | mkdir ~/.config/iridium |
25 | mkdir ~/.pki | 17 | mkdir ~/.pki |
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/iridium | ||
20 | whitelist ~/.config/iridium | ||
26 | whitelist ~/.pki | 21 | whitelist ~/.pki |
27 | |||
28 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | netfilter | ||
25 | |||
26 | # CLOBBERED COMMENTS | ||
27 | # chromium/iridium is distributed with a perl script on Arch | ||
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 9cb845b50..96d4a57ce 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -1,26 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for jd-gui |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/jd-gui.local | 4 | include /etc/firejail/jd-gui.local |
7 | 5 | # Persistent global definitions | |
8 | # | 6 | include /etc/firejail/globals.local |
9 | #Profile for jd-gui | ||
10 | # | ||
11 | 7 | ||
12 | noblacklist ${HOME}/.config/jd-gui.cfg | 8 | noblacklist ${HOME}/.config/jd-gui.cfg |
13 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
14 | 10 | ||
15 | #Blacklist Paths | ||
16 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | ||
19 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
20 | 15 | ||
21 | #Options | ||
22 | caps.drop all | 16 | caps.drop all |
23 | #ipc-namespace | ||
24 | net none | 17 | net none |
25 | no3d | 18 | no3d |
26 | nogroups | 19 | nogroups |
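Review bot: The commented-out `#ipc-namespace` under `caps.drop all` is deleted outright here, while other disabled options in this commit (`# nosound`, `# novideo`) are at least carried over; keepass.profile, keepassxc.profile and kodi.profile drop it the same way. Why it was disabled is not visible in the diff, but if it was tried and found to break the application, that knowledge is lost and the next hardening pass will repeat the experiment. I would keep it in place as `# ipc-namespace` after `caps.drop all`, ideally with the reason. The option list continues past the end of this hunk.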
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 59459b5e9..72f9b5f5b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for jitsi |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/jitsi.local | 4 | include /etc/firejail/jitsi.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for jitsi | ||
9 | noblacklist ~/.jitsi | 8 | noblacklist ~/.jitsi |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
@@ -21,5 +21,5 @@ seccomp | |||
21 | shell none | 21 | shell none |
22 | tracelog | 22 | tracelog |
23 | 23 | ||
24 | private-tmp | ||
25 | disable-mnt | 24 | disable-mnt |
25 | private-tmp | ||
diff --git a/etc/k3b.profile b/etc/k3b.profile index 8c2d60107..c2aed68c9 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
@@ -1,29 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for k3b |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/k3b.local | 4 | include /etc/firejail/k3b.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # k3b profile | ||
9 | noblacklist ~/.kde4/share/config/k3brc | ||
10 | noblacklist ~/.kde/share/config/k3brc | ||
11 | noblacklist ~/.config/k3brc | 8 | noblacklist ~/.config/k3brc |
9 | noblacklist ~/.kde/share/config/k3brc | ||
10 | noblacklist ~/.kde4/share/config/k3brc | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | no3d | 18 | no3d |
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | shell none | ||
23 | seccomp | ||
24 | protocol unix | 22 | protocol unix |
23 | seccomp | ||
24 | shell none | ||
25 | tracelog | 25 | tracelog |
26 | 26 | ||
27 | # private-bin | 27 | # private-bin |
28 | # private-tmp | ||
29 | # private-etc | 28 | # private-etc |
29 | # private-tmp | ||
diff --git a/etc/kate.profile b/etc/kate.profile index 97372f752..12d9127b4 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -1,22 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kate |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kate.local | 4 | include /etc/firejail/kate.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # kate profile | ||
9 | noblacklist ~/.local/share/kate | ||
10 | noblacklist ~/.config/katerc | ||
11 | noblacklist ~/.config/katepartrc | 8 | noblacklist ~/.config/katepartrc |
9 | noblacklist ~/.config/katerc | ||
12 | noblacklist ~/.config/kateschemarc | 10 | noblacklist ~/.config/kateschemarc |
13 | noblacklist ~/.config/katesyntaxhighlightingrc | 11 | noblacklist ~/.config/katesyntaxhighlightingrc |
14 | noblacklist ~/.config/katevirc | 12 | noblacklist ~/.config/katevirc |
13 | noblacklist ~/.local/share/kate | ||
15 | 14 | ||
16 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | 16 | # include /etc/firejail/disable-devel.inc |
18 | #include /etc/firejail/disable-devel.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | ||
20 | 19 | ||
21 | caps.drop all | 20 | caps.drop all |
22 | netfilter | 21 | netfilter |
@@ -30,6 +29,6 @@ shell none | |||
30 | tracelog | 29 | tracelog |
31 | 30 | ||
32 | # private-bin kate | 31 | # private-bin kate |
33 | private-tmp | ||
34 | private-dev | 32 | private-dev |
35 | # private-etc fonts | 33 | # private-etc fonts |
34 | private-tmp | ||
diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 1d425cf47..ac4e11195 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile | |||
@@ -1,9 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kcalc |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/kcalc.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kcalc.local | ||
7 | 8 | ||
8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
@@ -22,10 +23,10 @@ protocol unix | |||
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
24 | 25 | ||
26 | disable-mnt | ||
25 | private | 27 | private |
26 | private-dev | 28 | private-dev |
27 | private-tmp | 29 | private-tmp |
28 | disable-mnt | ||
29 | 30 | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/keepass.profile b/etc/keepass.profile index 48574f3dc..543bc01eb 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
@@ -1,26 +1,24 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for keepass |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/keepass.local | 4 | include /etc/firejail/keepass.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # keepass password manager profile | 8 | noblacklist ${HOME}/*.kdb |
9 | noblacklist ${HOME}/.keepass | 9 | noblacklist ${HOME}/*.kdbx |
10 | noblacklist ${HOME}/.config/keepass | ||
11 | noblacklist ${HOME}/.config/KeePass | 10 | noblacklist ${HOME}/.config/KeePass |
12 | noblacklist ${HOME}/.local/share/keepass | 11 | noblacklist ${HOME}/.config/keepass |
12 | noblacklist ${HOME}/.keepass | ||
13 | noblacklist ${HOME}/.local/share/KeePass | 13 | noblacklist ${HOME}/.local/share/KeePass |
14 | noblacklist ${HOME}/*.kdbx | 14 | noblacklist ${HOME}/.local/share/keepass |
15 | noblacklist ${HOME}/*.kdb | ||
16 | 15 | ||
17 | include /etc/firejail/disable-common.inc | 16 | include /etc/firejail/disable-common.inc |
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-devel.inc | 17 | include /etc/firejail/disable-devel.inc |
20 | include /etc/firejail/disable-passwdmgr.inc | 18 | include /etc/firejail/disable-passwdmgr.inc |
19 | include /etc/firejail/disable-programs.inc | ||
21 | 20 | ||
22 | caps.drop all | 21 | caps.drop all |
23 | #ipc-namespace | ||
24 | netfilter | 22 | netfilter |
25 | no3d | 23 | no3d |
26 | nogroups | 24 | nogroups |
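Review bot: `netfilter` on new line 22 leaves this password manager with network access, while keepassx2.profile and keepassxc.profile in the same commit use `net none`. KeePass may need the network for features the diff does not show (an assumption on my part), but nothing here records that choice. If it is not needed, `net none` would match the sibling profiles; otherwise a comment such as `# network kept for <feature>; set 'net none' in keepass.local if unused` would make the exception explicit. The option list continues past the end of this hunk.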
diff --git a/etc/keepass2.profile b/etc/keepass2.profile index 6ac601fc0..7d2881099 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for keepass |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/keepass2.local | ||
7 | 4 | ||
8 | # keepass password manager profile | ||
9 | include /etc/firejail/keepass.profile | 5 | include /etc/firejail/keepass.profile |
diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 34e260f8f..892dd7053 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassx |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/keepassx.local | 4 | include /etc/firejail/keepassx.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # keepassx password manager profile | 8 | noblacklist ${HOME}/*.kdb |
9 | noblacklist ${HOME}/*.kdbx | ||
9 | noblacklist ${HOME}/.config/keepassx | 10 | noblacklist ${HOME}/.config/keepassx |
10 | noblacklist ${HOME}/.keepassx | 11 | noblacklist ${HOME}/.keepassx |
11 | noblacklist ${HOME}/*.kdbx | ||
12 | noblacklist ${HOME}/*.kdb | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | machine-id | 19 | machine-id |
@@ -30,8 +29,8 @@ shell none | |||
30 | tracelog | 29 | tracelog |
31 | 30 | ||
32 | private-bin keepassx,keepassx2 | 31 | private-bin keepassx,keepassx2 |
33 | private-etc fonts,machine-id | ||
34 | private-dev | 32 | private-dev |
33 | private-etc fonts,machine-id | ||
35 | private-tmp | 34 | private-tmp |
36 | 35 | ||
37 | noexec ${HOME} | 36 | noexec ${HOME} |
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index 0536866fb..ab56e0317 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassx2 |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/keepassx2.local | 4 | include /etc/firejail/keepassx2.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # keepassx password manager profile | 8 | noblacklist ${HOME}/*.kdb |
9 | noblacklist ${HOME}/*.kdbx | ||
9 | noblacklist ${HOME}/.config/keepassx | 10 | noblacklist ${HOME}/.config/keepassx |
10 | noblacklist ${HOME}/.keepassx | 11 | noblacklist ${HOME}/.keepassx |
11 | noblacklist ${HOME}/*.kdbx | ||
12 | noblacklist ${HOME}/*.kdb | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | net none | 19 | net none |
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 3ab4115e6..c8a494361 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -1,23 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for keepassxc |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/keepassxc.local | 4 | include /etc/firejail/keepassxc.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for KeepassXC | 8 | noblacklist ${HOME}/*.kdb |
9 | noblacklist ${HOME}/*.kdbx | ||
9 | noblacklist ${HOME}/.config/keepassxc | 10 | noblacklist ${HOME}/.config/keepassxc |
10 | noblacklist ${HOME}/.keepassxc | 11 | noblacklist ${HOME}/.keepassxc |
11 | noblacklist ${HOME}/*.kdbx | ||
12 | noblacklist ${HOME}/*.kdb | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | #ipc-namespace | ||
21 | net none | 19 | net none |
22 | no3d | 20 | no3d |
23 | nogroups | 21 | nogroups |
diff --git a/etc/kino.profile b/etc/kino.profile index bb37d56ab..c64f2d599 100644 --- a/etc/kino.profile +++ b/etc/kino.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kino |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kino.local | 4 | include /etc/firejail/kino.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.kinorc | ||
9 | noblacklist ~/.kino-history | 8 | noblacklist ~/.kino-history |
9 | noblacklist ~/.kinorc | ||
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 38fbf6bc3..876e80cbb 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kmail |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kmail.local | 4 | include /etc/firejail/kmail.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # kmail profile | ||
9 | noblacklist ${HOME}/.gnupg | 8 | noblacklist ${HOME}/.gnupg |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/knotes.profile b/etc/knotes.profile index b1883112c..26b607257 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for knotes |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/knotes.local | 4 | include /etc/firejail/knotes.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # kate profile | ||
9 | noblacklist ~/.config/knotesrc | 8 | noblacklist ~/.config/knotesrc |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 11 | # include /etc/firejail/disable-devel.inc |
13 | #include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -25,6 +24,6 @@ shell none | |||
25 | tracelog | 24 | tracelog |
26 | 25 | ||
27 | # private-bin kate | 26 | # private-bin kate |
28 | private-tmp | ||
29 | private-dev | 27 | private-dev |
30 | # private-etc fonts | 28 | # private-etc fonts |
29 | private-tmp | ||
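Review bot: The commented-out hint `# private-bin kate` on new line 26 names the wrong program; this profile was evidently copied from kate.profile, and the commit removes the stale `# kate profile` header but leaves this line. Anyone who uncomments it to tighten the sandbox would get a `private-bin` set that does not contain the knotes binary. It should read `# private-bin knotes`.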
diff --git a/etc/kodi.profile b/etc/kodi.profile index ea4020232..f3eb6867f 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile | |||
@@ -1,25 +1,22 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kodi |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kodi.local | 4 | include /etc/firejail/kodi.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for kodi | ||
9 | noblacklist ${HOME}/.kodi | 8 | noblacklist ${HOME}/.kodi |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | include /etc/firejail/disable-devel.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | nogroups | 17 | nogroups |
20 | nonewprivs | 18 | nonewprivs |
21 | noroot | 19 | noroot |
22 | #novideo | ||
23 | protocol unix,inet,inet6,netlink | 20 | protocol unix,inet,inet6,netlink |
24 | seccomp | 21 | seccomp |
25 | shell none | 22 | shell none |
@@ -30,3 +27,6 @@ private-tmp | |||
30 | 27 | ||
31 | noexec ${HOME} | 28 | noexec ${HOME} |
32 | noexec /tmp | 29 | noexec /tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # novideo | ||
diff --git a/etc/konversation.profile b/etc/konversation.profile index 51382df28..d1c78afbe 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
@@ -1,21 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for konversation |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/konversation.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/konversation.local | ||
7 | 8 | ||
8 | # Firejail konversation profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
16 | nogroups | 16 | nogroups |
17 | noroot | 17 | noroot |
18 | seccomp | ||
19 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
19 | seccomp | ||
20 | 20 | ||
21 | private-tmp | 21 | private-tmp |
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index c19f1c5ef..8e396a464 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
@@ -1,38 +1,37 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for ktorrent |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ktorrent.local | 4 | include /etc/firejail/ktorrent.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/ktorrentrc | 8 | noblacklist ~/.config/ktorrentrc |
9 | noblacklist ~/.local/share/ktorrent | ||
10 | noblacklist ~/.kde/share/config/ktorrentrc | ||
11 | noblacklist ~/.kde4/share/config/ktorrentrc | ||
12 | noblacklist ~/.kde/share/apps/ktorrent | 9 | noblacklist ~/.kde/share/apps/ktorrent |
10 | noblacklist ~/.kde/share/config/ktorrentrc | ||
13 | noblacklist ~/.kde4/share/apps/ktorrent | 11 | noblacklist ~/.kde4/share/apps/ktorrent |
12 | noblacklist ~/.kde4/share/config/ktorrentrc | ||
13 | noblacklist ~/.local/share/ktorrent | ||
14 | 14 | ||
15 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | ||
19 | 19 | ||
20 | mkfile ~/.config/ktorrentrc | 20 | mkdir ~/.kde/share/apps/ktorrent |
21 | whitelist ~/.config/ktorrentrc | ||
22 | mkdir ~/.local/share/ktorrent | ||
23 | whitelist ~/.local/share/ktorrent | ||
24 | mkdir ~/.kde/share/config/ktorrentrc | 21 | mkdir ~/.kde/share/config/ktorrentrc |
25 | whitelist ~/.kde/share/config/ktorrentrc | 22 | mkdir ~/.kde4/share/apps/ktorrent |
26 | mkdir ~/.kde4/share/config/ktorrentrc | 23 | mkdir ~/.kde4/share/config/ktorrentrc |
27 | whitelist ~/.kde4/share/config/ktorrentrc | 24 | mkdir ~/.local/share/ktorrent |
28 | mkdir ~/.kde/share/apps/ktorrent | 25 | mkfile ~/.config/ktorrentrc |
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ~/.config/ktorrentrc | ||
29 | whitelist ~/.kde/share/apps/ktorrent | 28 | whitelist ~/.kde/share/apps/ktorrent |
30 | mkdir ~/.kde4/share/apps/ktorrent | 29 | whitelist ~/.kde/share/config/ktorrentrc |
31 | whitelist ~/.kde4/share/apps/ktorrent | 30 | whitelist ~/.kde4/share/apps/ktorrent |
32 | whitelist ${DOWNLOADS} | 31 | whitelist ~/.kde4/share/config/ktorrentrc |
32 | whitelist ~/.local/share/ktorrent | ||
33 | include /etc/firejail/whitelist-common.inc | 33 | include /etc/firejail/whitelist-common.inc |
34 | 34 | ||
35 | |||
36 | caps.drop all | 35 | caps.drop all |
37 | netfilter | 36 | netfilter |
38 | no3d | 37 | no3d |
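Review bot: `mkdir ~/.kde/share/config/ktorrentrc` and `mkdir ~/.kde4/share/config/ktorrentrc` (new lines 21 and 23) create directories at paths that the profile then whitelists as ktorrent's rc file, while the same file under `~/.config` correctly uses `mkfile`. On a home directory where these do not exist yet, this presumably leaves a directory where the application expects a regular config file. Both lines are carried over from the old profile, but the re-sort is a good moment to change them to `mkfile ~/.kde/share/config/ktorrentrc` and `mkfile ~/.kde4/share/config/ktorrentrc`. Check whether the parent `share/config` directory then needs its own `mkdir`. The profile continues past the end of this hunk.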
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 7ac881f6a..3b3045e07 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -1,35 +1,36 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for kwrite |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/kwrite.local | 4 | include /etc/firejail/kwrite.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # kate profile | ||
9 | noblacklist ~/.local/share/kwrite | ||
10 | noblacklist ~/.config/katerc | ||
11 | noblacklist ~/.config/katepartrc | 8 | noblacklist ~/.config/katepartrc |
9 | noblacklist ~/.config/katerc | ||
12 | noblacklist ~/.config/kateschemarc | 10 | noblacklist ~/.config/kateschemarc |
13 | noblacklist ~/.config/katesyntaxhighlightingrc | 11 | noblacklist ~/.config/katesyntaxhighlightingrc |
14 | noblacklist ~/.config/katevirc | 12 | noblacklist ~/.config/katevirc |
13 | noblacklist ~/.local/share/kwrite | ||
15 | 14 | ||
16 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | 16 | # include /etc/firejail/disable-devel.inc |
18 | #include /etc/firejail/disable-devel.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | ||
20 | 19 | ||
21 | caps.drop all | 20 | caps.drop all |
22 | netfilter | 21 | netfilter |
23 | nogroups | 22 | nogroups |
24 | nonewprivs | 23 | nonewprivs |
25 | noroot | 24 | noroot |
26 | #nosound - KWrite is using ALSA! | ||
27 | protocol unix | 25 | protocol unix |
28 | seccomp | 26 | seccomp |
29 | shell none | 27 | shell none |
30 | tracelog | 28 | tracelog |
31 | 29 | ||
32 | # private-bin kwrite | 30 | # private-bin kwrite |
33 | private-tmp | ||
34 | private-dev | 31 | private-dev |
35 | # private-etc fonts | 32 | # private-etc fonts |
33 | private-tmp | ||
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # nosound - KWrite is using ALSA! | ||
diff --git a/etc/leafpad.profile b/etc/leafpad.profile index fc2cc7e09..de44a6771 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for leafpad |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/leafpad.local | 4 | include /etc/firejail/leafpad.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/leafpad | 8 | noblacklist ${HOME}/.config/leafpad |
9 | 9 | ||
diff --git a/etc/less.profile b/etc/less.profile index f8c26879e..fe8a8fa24 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -1,15 +1,14 @@ | |||
1 | # Firejail profile for less | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/less.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/less.local | ||
8 | 10 | ||
9 | # less profile | ||
10 | ignore noroot | 11 | ignore noroot |
11 | include /etc/firejail/default.profile | ||
12 | |||
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
15 | nosound | 14 | nosound |
@@ -17,10 +16,10 @@ novideo | |||
17 | shell none | 16 | shell none |
18 | tracelog | 17 | tracelog |
19 | 18 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
22 | private-dev | 19 | private-dev |
23 | 20 | ||
24 | memory-deny-write-execute | 21 | memory-deny-write-execute |
25 | noexec ${HOME} | 22 | noexec ${HOME} |
26 | noexec /tmp | 23 | noexec /tmp |
24 | |||
25 | include /etc/firejail/default.profile | ||
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index fe5861e4a..e2c8d0878 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/libreoffice.local | 4 | include /etc/firejail/libreoffice.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for LibreOffice | ||
9 | noblacklist ~/.config/libreoffice | ||
10 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
11 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
10 | noblacklist ~/.config/libreoffice | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
@@ -25,7 +25,9 @@ shell none | |||
25 | tracelog | 25 | tracelog |
26 | 26 | ||
27 | private-dev | 27 | private-dev |
28 | # whitelist /tmp/.X11-unix/ | ||
29 | 28 | ||
30 | noexec ${HOME} | 29 | noexec ${HOME} |
31 | noexec /tmp | 30 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # whitelist /tmp/.X11-unix/ | ||
diff --git a/etc/liferea.profile b/etc/liferea.profile index f11137cdd..a0dd1a1ff 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
@@ -1,47 +1,44 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for liferea |
2 | include /etc/firejail/global.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/liferea.local | 4 | include /etc/firejail/liferea.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | ####################### | 8 | noblacklist ~/.cache/liferea |
9 | # profile for Liferea # | ||
10 | ####################### | ||
11 | noblacklist ~/.config/liferea | 9 | noblacklist ~/.config/liferea |
12 | mkdir ~/.config/liferea | ||
13 | whitelist ~/.config/liferea | ||
14 | |||
15 | noblacklist ~/.local/share/liferea | 10 | noblacklist ~/.local/share/liferea |
16 | mkdir ~/.local/share/liferea | ||
17 | whitelist ~/.local/share/liferea | ||
18 | |||
19 | noblacklist ~/.cache/liferea | ||
20 | mkdir ~/.cache/liferea | ||
21 | whitelist ~/.cache/liferea | ||
22 | 11 | ||
23 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
24 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
25 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
26 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
16 | |||
17 | mkdir ~/.cache/liferea | ||
18 | mkdir ~/.config/liferea | ||
19 | mkdir ~/.local/share/liferea | ||
20 | whitelist ~/.cache/liferea | ||
21 | whitelist ~/.config/liferea | ||
22 | whitelist ~/.local/share/liferea | ||
27 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
28 | 24 | ||
29 | caps.drop all | 25 | caps.drop all |
30 | #ipc-namespace | ||
31 | netfilter | 26 | netfilter |
32 | #no3d | ||
33 | nogroups | 27 | nogroups |
34 | nonewprivs | 28 | nonewprivs |
35 | noroot | 29 | noroot |
36 | #nosound | ||
37 | novideo | 30 | novideo |
38 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
39 | seccomp | 32 | seccomp |
40 | shell none | 33 | shell none |
41 | 34 | ||
35 | disable-mnt | ||
42 | private-dev | 36 | private-dev |
43 | private-tmp | 37 | private-tmp |
44 | disable-mnt | ||
45 | 38 | ||
46 | noexec ${HOME} | 39 | noexec ${HOME} |
47 | noexec /tmp | 40 | noexec /tmp |
41 | |||
42 | # CLOBBERED COMMENTS | ||
43 | # no3d | ||
44 | # nosound | ||
diff --git a/etc/localc.profile b/etc/localc.profile index 35ff153cd..c30bb5550 100644 --- a/etc/localc.profile +++ b/etc/localc.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/localc.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
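Review bot: After this change `localc.profile` no longer includes `/etc/firejail/localc.local`, so any restriction an administrator placed in that file silently stops applying after the update. `globals.local` is still reached through `libreoffice.profile`, but the per-alias override is not. If this is intended, it should be called out for users who need to move their rules to `libreoffice.local`; otherwise keep `include /etc/firejail/localc.local` above the `include /etc/firejail/libreoffice.profile` line. The same applies to the lodraw, loffice, lofromtemplate, loimpress, lomath, loweb, lowriter and mathematica sections below.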
diff --git a/etc/lodraw.profile b/etc/lodraw.profile index af8234b9b..c30bb5550 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lodraw.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loffice.profile b/etc/loffice.profile index ad6b28fb6..c30bb5550 100644 --- a/etc/loffice.profile +++ b/etc/loffice.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/loffice.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile index 4a729bd71..c30bb5550 100644 --- a/etc/lofromtemplate.profile +++ b/etc/lofromtemplate.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lofromtemplate.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loimpress.profile b/etc/loimpress.profile index f8da5da18..c30bb5550 100644 --- a/etc/loimpress.profile +++ b/etc/loimpress.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/loimpress.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 4be7721e3..22004d95e 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
@@ -1,26 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for lollypop |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lollypop.local | 4 | include /etc/firejail/lollypop.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for lollypop | ||
10 | # | ||
11 | |||
12 | #No Blacklist Paths | ||
13 | noblacklist ${HOME}/.local/share/lollypop | 8 | noblacklist ${HOME}/.local/share/lollypop |
14 | 9 | ||
15 | #Blacklist Paths | ||
16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | ||
19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
20 | 14 | ||
21 | #Options | ||
22 | caps.drop all | 15 | caps.drop all |
23 | #ipc-namespace | ||
24 | netfilter | 16 | netfilter |
25 | no3d | 17 | no3d |
26 | nogroups | 18 | nogroups |
diff --git a/etc/lomath.profile b/etc/lomath.profile index 7ebdf9fe9..c30bb5550 100644 --- a/etc/lomath.profile +++ b/etc/lomath.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lomath.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/loweb.profile b/etc/loweb.profile index b504d0a86..c30bb5550 100644 --- a/etc/loweb.profile +++ b/etc/loweb.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/loweb.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/lowriter.profile b/etc/lowriter.profile index 567cf91ec..c30bb5550 100644 --- a/etc/lowriter.profile +++ b/etc/lowriter.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lowriter.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index f73c83cbd..961fca905 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -1,20 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for luminance-hdr |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/luminance-hdr.local | 4 | include /etc/firejail/luminance-hdr.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # luminance-hdr | ||
9 | noblacklist ${HOME}/.config/Luminance | 8 | noblacklist ${HOME}/.config/Luminance |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | nogroups | 17 | nogroups |
20 | nonewprivs | 18 | nonewprivs |
@@ -26,8 +24,11 @@ seccomp | |||
26 | shell none | 24 | shell none |
27 | tracelog | 25 | tracelog |
28 | 26 | ||
29 | private-tmp | ||
30 | private-dev | 27 | private-dev |
28 | private-tmp | ||
31 | 29 | ||
32 | noexec ${HOME} | 30 | noexec ${HOME} |
33 | noexec /tmp | 31 | noexec /tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # luminance-hdr | ||
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 42996af04..f0eda6fbe 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for lximage-qt |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lximage-qt.local | 4 | include /etc/firejail/lximage-qt.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist .config/lximage-qt | 8 | noblacklist .config/lximage-qt |
9 | 9 | ||
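Review bot: `noblacklist .config/lximage-qt` on line 8 is a relative path, whereas the other profiles in this commit write `${HOME}/…` or `~/…`. As far as I can tell firejail compares noblacklist entries against the expanded absolute path, so this entry likely never exempts the directory from the blacklists pulled in by the `disable-*.inc` files; that should be confirmed against the profile parser. The line is unchanged context here, but the header rewrite touches the lines right above it, so I would fix it in the same pass: `noblacklist ${HOME}/.config/lximage-qt`. The profile continues past the end of this hunk.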
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index eac72c6db..230ceaafb 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for lxmusic |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lxmusic.local | 4 | include /etc/firejail/lxmusic.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.cache/xmms2 | 8 | noblacklist ~/.cache/xmms2 |
9 | noblacklist ~/.config/xmms2 | 9 | noblacklist ~/.config/xmms2 |
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 08293647e..22ecbaa6f 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
@@ -1,17 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for lxterminal |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/lxterminal.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lxterminal.local | ||
7 | 8 | ||
8 | # lxterminal (LXDE) profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | #noroot - somehow this breaks on Debian Jessie! | 17 | |
18 | # CLOBBERED COMMENTS | ||
19 | # noroot - somehow this breaks on Debian Jessie! | ||
diff --git a/etc/lynx.profile b/etc/lynx.profile index f7e83649a..8ff1f88b3 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for lynx |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/lynx.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/lynx.local | ||
7 | 9 | ||
8 | # lynx profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
16 | netfilter | ||
17 | no3d | ||
15 | nogroups | 18 | nogroups |
16 | nonewprivs | 19 | nonewprivs |
17 | noroot | 20 | noroot |
18 | nosound | 21 | nosound |
19 | no3d | ||
20 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
21 | seccomp | 23 | seccomp |
22 | netfilter | ||
23 | shell none | 24 | shell none |
24 | tracelog | 25 | tracelog |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
28 | # private-bin lynx | 27 | # private-bin lynx |
29 | private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | ||
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index e083e8b88..220807447 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-calc |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mate-calc.local | 4 | include /etc/firejail/mate-calc.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/mate-calc | 8 | noblacklist ${HOME}/.config/mate-calc |
9 | 9 | ||
@@ -24,9 +24,9 @@ protocol unix | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | disable-mnt | ||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile index acc687b81..155ccfe7e 100644 --- a/etc/mate-calculator.profile +++ b/etc/mate-calculator.profile | |||
@@ -1,8 +1,7 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-calculator |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mate-calculator.local | 4 | include /etc/firejail/mate-calculator.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | #include /etc/firejail/mate-calc.profile | ||
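Review bot: With the commented `#include /etc/firejail/mate-calc.profile` line dropped, the new `mate-calculator.profile` consists only of the `mate-calculator.local` and `globals.local` includes. Unless one of those files adds rules, the profile applies no restrictions of its own. The hunk header (`-1,8 +1,7`) indicates this is the whole file. If the profile is meant to be an alias like the libreoffice ones, end it with `include /etc/firejail/mate-calc.profile`. If the include was disabled for a reason, keep the comment and state that reason next to it.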
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 74fe4bd69..42456d1f6 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
@@ -1,9 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-color-select |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/mate-color-select.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mate-color-select.local | ||
7 | 8 | ||
8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
9 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
@@ -22,10 +23,10 @@ protocol unix | |||
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
24 | 25 | ||
26 | disable-mnt | ||
25 | private | 27 | private |
26 | private-dev | 28 | private-dev |
27 | private-tmp | 29 | private-tmp |
28 | disable-mnt | ||
29 | 30 | ||
30 | noexec ${HOME} | 31 | noexec ${HOME} |
31 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 4fe0795d2..bc148fba3 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mate-dictionary |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mate-dictionary.local | 4 | include /etc/firejail/mate-dictionary.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/mate/mate-dictionary | 8 | noblacklist ${HOME}/.config/mate/mate-dictionary |
9 | 9 | ||
@@ -24,9 +24,9 @@ protocol unix,inet,inet6 | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | disable-mnt | ||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/mathematica.profile b/etc/mathematica.profile index b44d0407d..64cae12dd 100644 --- a/etc/mathematica.profile +++ b/etc/mathematica.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Mathematica |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mathematica.local | ||
7 | 4 | ||
8 | # Mathematica profile | ||
9 | include /etc/firejail/Mathematica.profile | 5 | include /etc/firejail/Mathematica.profile |
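Review bot: Removing `include /etc/firejail/mathematica.local` (old line 6) means any overrides a user put in that file, as the old header told them to, stop being applied after the next update, with no warning. Presumably `Mathematica.profile` includes its own `Mathematica.local`, but that file is not shown here, so the hand-over is unverified. If the alias is meant to defer entirely to the target profile, say so in the header, for example `# Alias only: put customizations in /etc/firejail/Mathematica.local`. Otherwise keep the lowercase include so existing restrictions are not silently dropped.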
diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 603b5f5a0..8563201ac 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile | |||
@@ -1,28 +1,27 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mcabber |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mcabber.local | 4 | include /etc/firejail/mcabber.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # mcabber profile | ||
9 | noblacklist ${HOME}/.mcabber | 8 | noblacklist ${HOME}/.mcabber |
10 | noblacklist ${HOME}/.mcabberrc | 9 | noblacklist ${HOME}/.mcabberrc |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
20 | nosound | ||
21 | protocol inet,inet6 | 21 | protocol inet,inet6 |
22 | seccomp | 22 | seccomp |
23 | shell none | ||
23 | 24 | ||
24 | private-bin mcabber | 25 | private-bin mcabber |
25 | private-etc null | ||
26 | private-dev | 26 | private-dev |
27 | shell none | 27 | private-etc null |
28 | nosound | ||
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 8758d66b9..4a2e9246e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mediainfo |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/mediainfo.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mediainfo.local | ||
7 | 9 | ||
8 | # mediainfo profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | net none | 16 | net none |
16 | nonewprivs | 17 | no3d |
17 | nogroups | 18 | nogroups |
19 | nonewprivs | ||
18 | noroot | 20 | noroot |
19 | nosound | 21 | nosound |
20 | no3d | ||
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
24 | tracelog | 25 | tracelog |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
28 | private-bin mediainfo | 27 | private-bin mediainfo |
29 | private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | private-etc none | 29 | private-etc none |
30 | private-tmp | ||
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 8bf4eda13..5e980909b 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mediathekview |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mediathekview.local | 4 | include /etc/firejail/mediathekview.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # MediathekView profile | ||
9 | noblacklist ~/.mediathek3 | ||
10 | noblacklist ~/.config/vlc | 8 | noblacklist ~/.config/vlc |
9 | noblacklist ~/.mediathek3 | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | netfilter |
@@ -21,8 +21,8 @@ protocol unix,inet,inet6 | |||
21 | seccomp | 21 | seccomp |
22 | tracelog | 22 | tracelog |
23 | 23 | ||
24 | noexec ${HOME} | ||
25 | noexec /tmp | ||
26 | |||
27 | private-dev | 24 | private-dev |
28 | private-tmp | 25 | private-tmp |
26 | |||
27 | noexec ${HOME} | ||
28 | noexec /tmp | ||
diff --git a/etc/meld.profile b/etc/meld.profile index 503f6d07c..4aeca3771 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for meld |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/meld.local | 4 | include /etc/firejail/meld.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for meld | ||
9 | noblacklist ${HOME}/.local/share/meld | 8 | noblacklist ${HOME}/.local/share/meld |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
20 | nogroups | 18 | nogroups |
diff --git a/etc/midori.profile b/etc/midori.profile index 8a02fb738..f3a219f52 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -1,49 +1,44 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for midori |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/midori.local | 4 | include /etc/firejail/midori.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Midori profile | ||
9 | noblacklist ~/.config/midori | 8 | noblacklist ~/.config/midori |
10 | noblacklist ~/.local/share/midori | 9 | noblacklist ~/.local/share/midori |
11 | noblacklist ~/.local/share/webkit | 10 | noblacklist ~/.local/share/webkit |
12 | noblacklist ~/.local/share/webkitgtk | 11 | noblacklist ~/.local/share/webkitgtk |
13 | noblacklist ~/.pki | 12 | noblacklist ~/.pki |
13 | |||
14 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
17 | 16 | include /etc/firejail/disable-programs.inc | |
18 | mkdir ~/.config/midori | ||
19 | whitelist ~/.config/midori | ||
20 | 17 | ||
21 | mkdir ~/.cache/midori | 18 | mkdir ~/.cache/midori |
22 | whitelist ~/.cache/midori | 19 | mkdir ~/.config/midori |
23 | |||
24 | mkdir ~/.local/share/midori | 20 | mkdir ~/.local/share/midori |
25 | whitelist ~/.local/share/midori | ||
26 | |||
27 | mkdir ~/.local/share/webkit | 21 | mkdir ~/.local/share/webkit |
28 | whitelist ~/.local/share/webkit | ||
29 | |||
30 | mkdir ~/.local/share/webkitgtk | 22 | mkdir ~/.local/share/webkitgtk |
31 | whitelist ~/.local/share/webkitgtk | 23 | mkdir ~/.pki |
32 | |||
33 | whitelist ${DOWNLOADS} | 24 | whitelist ${DOWNLOADS} |
34 | whitelist ~/.config/gnome-mplayer | ||
35 | whitelist ~/.cache/gnome-mplayer/plugin | 25 | whitelist ~/.cache/gnome-mplayer/plugin |
36 | mkdir ~/.pki | 26 | whitelist ~/.cache/midori |
37 | whitelist ~/.pki | 27 | whitelist ~/.config/gnome-mplayer |
28 | whitelist ~/.config/midori | ||
38 | whitelist ~/.lastpass | 29 | whitelist ~/.lastpass |
39 | 30 | whitelist ~/.local/share/midori | |
31 | whitelist ~/.local/share/webkit | ||
32 | whitelist ~/.local/share/webkitgtk | ||
33 | whitelist ~/.pki | ||
34 | include /etc/firejail/whitelist-common.inc | ||
40 | 35 | ||
41 | caps.drop all | 36 | caps.drop all |
42 | netfilter | 37 | netfilter |
43 | nonewprivs | 38 | nonewprivs |
44 | # noroot - porblems on Ubuntu 14.04 | ||
45 | protocol unix,inet,inet6,netlink | 39 | protocol unix,inet,inet6,netlink |
46 | seccomp | 40 | seccomp |
47 | tracelog | 41 | tracelog |
48 | 42 | ||
49 | 43 | # CLOBBERED COMMENTS | |
44 | # noroot - porblems on Ubuntu 14.04 | ||
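Review bot: The explanation for the missing `noroot` option now sits in a trailing `# CLOBBERED COMMENTS` block (new lines 43-44) instead of the options list, so someone reading `caps.drop all` … `tracelog` cannot tell that the option was left out on purpose. Keep the annotation where the option would go, directly after `nonewprivs`, and fix the typo while moving it: `# noroot - problems on Ubuntu 14.04`. The same detachment appears in mplayer (`# nogroups`), multimc5 (`# seccomp`), mupen64plus (the ROM whitelisting hint) and nautilus (the reason `disable-programs.inc` is commented out). In each of those the comment is the only record of why a restriction is off, and belongs next to the line it qualifies.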
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index c3e85d55f..5a54afb5b 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mousepad |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mousepad.local | 4 | include /etc/firejail/mousepad.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for mousepad | ||
9 | noblacklist ~/.config/Mousepad | 8 | noblacklist ~/.config/Mousepad |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 879223e1a..25bcef47a 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile | |||
@@ -1,31 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mplayer |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mplayer.local | 4 | include /etc/firejail/mplayer.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # mplayer profile | ||
9 | noblacklist ${HOME}/.mplayer | 8 | noblacklist ${HOME}/.mplayer |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | # nogroups | ||
20 | nonewprivs | 17 | nonewprivs |
21 | noroot | 18 | noroot |
22 | protocol unix,inet,inet6,netlink | 19 | protocol unix,inet,inet6,netlink |
23 | seccomp | 20 | seccomp |
24 | shell none | 21 | shell none |
25 | 22 | ||
23 | private-bin mplayer | ||
26 | private-dev | 24 | private-dev |
27 | private-tmp | 25 | private-tmp |
28 | private-bin mplayer | ||
29 | 26 | ||
30 | noexec ${HOME} | 27 | noexec ${HOME} |
31 | noexec /tmp | 28 | noexec /tmp |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # nogroups | ||
diff --git a/etc/mpv.profile b/etc/mpv.profile index 0cda3e4e1..7c1e5ea27 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mpv |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mpv.local | 4 | include /etc/firejail/mpv.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # mpv media player profile | ||
9 | noblacklist ${HOME}/.config/mpv | 8 | noblacklist ${HOME}/.config/mpv |
10 | noblacklist ${HOME}/.netrc | 9 | noblacklist ${HOME}/.netrc |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
@@ -21,10 +20,11 @@ nonewprivs | |||
21 | noroot | 20 | noroot |
22 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
23 | seccomp | 22 | seccomp |
23 | shell none | ||
24 | tracelog | 24 | tracelog |
25 | 25 | ||
26 | # to test | ||
27 | # ipc-namespace | ||
28 | shell none | ||
29 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env | 26 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env |
30 | private-dev | 27 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # to test | ||
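Review bot: The `# to test` line kept under `# CLOBBERED COMMENTS` (new line 30) no longer refers to anything, because the `# ipc-namespace` line it introduced (old line 27) was dropped. Either restore the pair as a single line in the options block, `# ipc-namespace - to test`, or delete the orphaned comment too. As it stands, the hint that an IPC namespace was a candidate hardening option for this profile is lost.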
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 6b0696064..882f17485 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -1,47 +1,40 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for multimc5 |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/multimc5.local | 4 | include /etc/firejail/multimc5.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for multimc5 | ||
10 | # | ||
11 | |||
12 | #No Blacklist Paths | ||
13 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
14 | noblacklist ${HOME}/.local/share/multimc5 | 9 | noblacklist ${HOME}/.local/share/multimc5 |
15 | noblacklist ${HOME}/.multimc5 | 10 | noblacklist ${HOME}/.multimc5 |
16 | 11 | ||
17 | #Blacklist Paths | ||
18 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
19 | include /etc/firejail/disable-programs.inc | ||
20 | include /etc/firejail/disable-passwdmgr.inc | ||
21 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
22 | 16 | ||
23 | #Whitelist Paths | ||
24 | mkdir ${HOME}/.local/share/multimc5 | 17 | mkdir ${HOME}/.local/share/multimc5 |
25 | whitelist ${HOME}/.local/share/multimc5 | ||
26 | mkdir ${HOME}/.multimc5 | 18 | mkdir ${HOME}/.multimc5 |
19 | whitelist ${HOME}/.local/share/multimc5 | ||
27 | whitelist ${HOME}/.multimc5 | 20 | whitelist ${HOME}/.multimc5 |
28 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
29 | 22 | ||
30 | #Options | ||
31 | caps.drop all | 23 | caps.drop all |
32 | #ipc-namespace | ||
33 | netfilter | 24 | netfilter |
34 | nogroups | 25 | nogroups |
35 | nonewprivs | 26 | nonewprivs |
36 | noroot | 27 | noroot |
37 | novideo | 28 | novideo |
38 | protocol unix,inet,inet6 | 29 | protocol unix,inet,inet6 |
39 | #seccomp | ||
40 | shell none | 30 | shell none |
41 | 31 | ||
32 | disable-mnt | ||
42 | private-dev | 33 | private-dev |
43 | private-tmp | 34 | private-tmp |
44 | disable-mnt | ||
45 | 35 | ||
46 | noexec ${HOME} | 36 | noexec ${HOME} |
47 | noexec /tmp | 37 | noexec /tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # seccomp | ||
diff --git a/etc/mumble.profile b/etc/mumble.profile index a2104957d..048b31b81 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mumble |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mumble.local | 4 | include /etc/firejail/mumble.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # mumble profile | ||
9 | noblacklist ${HOME}/.config/Mumble | 8 | noblacklist ${HOME}/.config/Mumble |
10 | noblacklist ${HOME}/.local/share/data/Mumble | 9 | noblacklist ${HOME}/.local/share/data/Mumble |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | mkdir ${HOME}/.config/Mumble | 16 | mkdir ${HOME}/.config/Mumble |
17 | mkdir ${HOME}/.local/share/data/Mumble | 17 | mkdir ${HOME}/.local/share/data/Mumble |
@@ -20,20 +20,19 @@ whitelist ${HOME}/.local/share/data/Mumble | |||
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | #ipc-namespace | ||
24 | netfilter | 23 | netfilter |
25 | no3d | 24 | no3d |
26 | nonewprivs | ||
27 | nogroups | 25 | nogroups |
26 | nonewprivs | ||
28 | noroot | 27 | noroot |
29 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
30 | seccomp | 29 | seccomp |
31 | shell none | 30 | shell none |
32 | tracelog | 31 | tracelog |
33 | 32 | ||
33 | disable-mnt | ||
34 | private-bin mumble | 34 | private-bin mumble |
35 | private-tmp | 35 | private-tmp |
36 | disable-mnt | ||
37 | 36 | ||
38 | memory-deny-write-execute | 37 | memory-deny-write-execute |
39 | noexec ${HOME} | 38 | noexec ${HOME} |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index ca61edfdd..a55a01206 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mupdf |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/mupdf.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mupdf.local | ||
7 | 8 | ||
8 | # mupdf reader profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | net none | 15 | net none |
@@ -22,15 +22,13 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | private-tmp | 25 | # private-bin mupdf,sh,tempfile,rm |
26 | private-dev | 26 | private-dev |
27 | private-etc fonts | 27 | private-etc fonts |
28 | 28 | private-tmp | |
29 | # mupdf will never write anything | ||
30 | read-only ${HOME} | 29 | read-only ${HOME} |
31 | 30 | ||
32 | # | 31 | # CLOBBERED COMMENTS |
33 | # Experimental: | 32 | # Experimental: |
34 | # | 33 | # mupdf will never write anything |
35 | #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | 34 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev |
36 | # private-bin mupdf,sh,tempfile,rm | ||
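Review bot: The reordering at new lines 31-34 changes what the comments say: `# mupdf will never write anything` used to justify `read-only ${HOME}` and now sits under `# Experimental:`, which previously labelled only the `seccomp.keep` list and the `private-bin` line. Read top to bottom, the read-only rationale now looks like an experimental note, and `# private-bin mupdf,sh,tempfile,rm` at new line 25 has lost its experimental marker. Put `# mupdf will never write anything` back directly above `read-only ${HOME}`, and keep `# Experimental:` immediately before the `# seccomp.keep …` line (and before `# private-bin …` if that is still untested).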
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 5705eb645..9c3bfe658 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -1,27 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mupen64plus |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mupen64plus.local | 4 | include /etc/firejail/mupen64plus.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # mupen64plus profile | ||
9 | # manually whitelist ROM files | ||
10 | noblacklist ${HOME}/.config/mupen64plus | 8 | noblacklist ${HOME}/.config/mupen64plus |
11 | noblacklist ${HOME}/.local/share/mupen64plus | 9 | noblacklist ${HOME}/.local/share/mupen64plus |
12 | 10 | ||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
17 | 15 | ||
18 | mkdir ${HOME}/.local/share/mupen64plus | ||
19 | whitelist ${HOME}/.local/share/mupen64plus/ | ||
20 | mkdir ${HOME}/.config/mupen64plus | 16 | mkdir ${HOME}/.config/mupen64plus |
17 | mkdir ${HOME}/.local/share/mupen64plus | ||
21 | whitelist ${HOME}/.config/mupen64plus/ | 18 | whitelist ${HOME}/.config/mupen64plus/ |
19 | whitelist ${HOME}/.local/share/mupen64plus/ | ||
20 | include /etc/firejail/whitelist-common.inc | ||
22 | 21 | ||
23 | caps.drop all | 22 | caps.drop all |
24 | net none | 23 | net none |
25 | nonewprivs | 24 | nonewprivs |
26 | noroot | 25 | noroot |
27 | seccomp | 26 | seccomp |
27 | |||
28 | # CLOBBERED COMMENTS | ||
29 | # manually whitelist ROM files | ||
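Review bot: New line 20 adds `include /etc/firejail/whitelist-common.inc`, which the old profile did not have, so this is a policy change rather than the reordering that the rest of the section performs. The include file is not shown here, but by its name it whitelists additional home paths, which widens what the sandboxed process can see. The midori section gains the same include at its new line 34. If that is intended, it deserves its own commit or at least a line in the description, so the change in filesystem exposure can be reviewed separately from the formatting.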
diff --git a/etc/mutt.profile b/etc/mutt.profile index bf8323070..e2b9b38ec 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -1,50 +1,49 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for mutt |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/mutt.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mutt.local | ||
7 | 9 | ||
8 | # mutt email client profile | ||
9 | noblacklist ~/.muttrc | ||
10 | noblacklist ~/.mutt | ||
11 | noblacklist ~/.mutt/muttrc | ||
12 | noblacklist ~/.mailcap | ||
13 | noblacklist ~/.gnupg | ||
14 | noblacklist ~/.mail | ||
15 | noblacklist ~/.Mail | 10 | noblacklist ~/.Mail |
16 | noblacklist ~/mail | 11 | noblacklist ~/.bogofilter |
17 | noblacklist ~/Mail | ||
18 | noblacklist ~/sent | ||
19 | noblacklist ~/postponed | ||
20 | noblacklist ~/.cache/mutt | 12 | noblacklist ~/.cache/mutt |
21 | noblacklist ~/.w3m | ||
22 | noblacklist ~/.elinks | 13 | noblacklist ~/.elinks |
23 | noblacklist ~/.vim | ||
24 | noblacklist ~/.vimrc | ||
25 | noblacklist ~/.viminfo | ||
26 | noblacklist ~/.emacs | 14 | noblacklist ~/.emacs |
27 | noblacklist ~/.emacs.d | 15 | noblacklist ~/.emacs.d |
28 | noblacklist ~/.signature | 16 | noblacklist ~/.gnupg |
29 | noblacklist ~/.bogofilter | 17 | noblacklist ~/.mail |
18 | noblacklist ~/.mailcap | ||
30 | noblacklist ~/.msmtprc | 19 | noblacklist ~/.msmtprc |
20 | noblacklist ~/.mutt | ||
21 | noblacklist ~/.mutt/muttrc | ||
22 | noblacklist ~/.muttrc | ||
23 | noblacklist ~/.signature | ||
24 | noblacklist ~/.vim | ||
25 | noblacklist ~/.viminfo | ||
26 | noblacklist ~/.vimrc | ||
27 | noblacklist ~/.w3m | ||
28 | noblacklist ~/Mail | ||
29 | noblacklist ~/mail | ||
30 | noblacklist ~/postponed | ||
31 | noblacklist ~/sent | ||
31 | 32 | ||
32 | include /etc/firejail/disable-common.inc | 33 | include /etc/firejail/disable-common.inc |
33 | include /etc/firejail/disable-programs.inc | ||
34 | include /etc/firejail/disable-passwdmgr.inc | ||
35 | include /etc/firejail/disable-devel.inc | 34 | include /etc/firejail/disable-devel.inc |
35 | include /etc/firejail/disable-passwdmgr.inc | ||
36 | include /etc/firejail/disable-programs.inc | ||
36 | 37 | ||
37 | caps.drop all | 38 | caps.drop all |
38 | netfilter | 39 | netfilter |
40 | no3d | ||
39 | nogroups | 41 | nogroups |
40 | nonewprivs | 42 | nonewprivs |
41 | noroot | 43 | noroot |
42 | nosound | 44 | nosound |
43 | no3d | ||
44 | protocol unix,inet,inet6 | 45 | protocol unix,inet,inet6 |
45 | seccomp | 46 | seccomp |
46 | shell none | 47 | shell none |
47 | 48 | ||
48 | blacklist /tmp/.X11-unix | ||
49 | |||
50 | private-dev | 49 | private-dev |
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 4f2f50d9f..350e7f9b6 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -1,25 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for nautilus |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/nautilus.local | 4 | include /etc/firejail/nautilus.local |
7 | 5 | # Persistent global definitions | |
8 | # nautilus profile | 6 | include /etc/firejail/globals.local |
9 | |||
10 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
11 | # is already a nautilus process running on gnome desktops firejail will have no effect. | ||
12 | 7 | ||
13 | noblacklist ~/.config/nautilus | 8 | noblacklist ~/.config/nautilus |
9 | noblacklist ~/.local/share/Trash | ||
14 | noblacklist ~/.local/share/nautilus | 10 | noblacklist ~/.local/share/nautilus |
15 | noblacklist ~/.local/share/nautilus-python | 11 | noblacklist ~/.local/share/nautilus-python |
16 | noblacklist ~/.local/share/Trash | ||
17 | 12 | ||
18 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
19 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
20 | #include /etc/firejail/disable-programs.inc | ||
21 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
22 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | # include /etc/firejail/disable-programs.inc | ||
23 | 17 | ||
24 | caps.drop all | 18 | caps.drop all |
25 | netfilter | 19 | netfilter |
@@ -32,6 +26,11 @@ shell none | |||
32 | tracelog | 26 | tracelog |
33 | 27 | ||
34 | # private-bin nautilus | 28 | # private-bin nautilus |
35 | # private-tmp | ||
36 | # private-dev | 29 | # private-dev |
37 | # private-etc fonts | 30 | # private-etc fonts |
31 | # private-tmp | ||
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
35 | # is already a nautilus process running on gnome desktops firejail will have no effect. | ||
36 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
diff --git a/etc/nemo.profile b/etc/nemo.profile index 5e6f4936f..e2219825a 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for nemo |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/nemo.local | 4 | include /etc/firejail/nemo.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/nemo | 8 | noblacklist ${HOME}/.config/nemo |
9 | noblacklist ${HOME}/.local/share/Trash | ||
9 | noblacklist ${HOME}/.local/share/nemo | 10 | noblacklist ${HOME}/.local/share/nemo |
10 | noblacklist ${HOME}/.local/share/nemo-python | 11 | noblacklist ${HOME}/.local/share/nemo-python |
11 | noblacklist ${HOME}/.local/share/Trash | ||
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 82cd4d59b..68df57539 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
@@ -1,16 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for netsurf |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/netsurf.local | 4 | include /etc/firejail/netsurf.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | ||
9 | noblacklist ~/.config/netsurf | ||
10 | noblacklist ~/.cache/netsurf | 8 | noblacklist ~/.cache/netsurf |
9 | noblacklist ~/.config/netsurf | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.cache/netsurf | ||
16 | mkdir ~/.config/netsurf | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ~/.cache/netsurf | ||
19 | whitelist ~/.config/netsurf | ||
20 | include /etc/firejail/whitelist-common.inc | ||
14 | 21 | ||
15 | caps.drop all | 22 | caps.drop all |
16 | netfilter | 23 | netfilter |
@@ -19,11 +26,3 @@ noroot | |||
19 | protocol unix,inet,inet6,netlink | 26 | protocol unix,inet,inet6,netlink |
20 | seccomp | 27 | seccomp |
21 | tracelog | 28 | tracelog |
22 | |||
23 | whitelist ${DOWNLOADS} | ||
24 | mkdir ~/.config/netsurf | ||
25 | whitelist ~/.config/netsurf | ||
26 | mkdir ~/.cache/netsurf | ||
27 | whitelist ~/.cache/netsurf | ||
28 | |||
29 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/nylas.profile b/etc/nylas.profile index ac2f1120a..6b6697522 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile | |||
@@ -1,22 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for nylas |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/nylas.local | 4 | include /etc/firejail/nylas.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Nylas Mail | ||
9 | noblacklist ~/.config/Nylas Mail | 8 | noblacklist ~/.config/Nylas Mail |
10 | noblacklist ~/.nylas-mail | 9 | noblacklist ~/.nylas-mail |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ~/.config/Nylas Mail | 17 | whitelist ~/.config/Nylas Mail |
18 | whitelist ~/.nylas-mail | 18 | whitelist ~/.nylas-mail |
19 | whitelist ${DOWNLOADS} | ||
20 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
21 | 20 | ||
22 | caps.drop all | 21 | caps.drop all |
diff --git a/etc/obs.profile b/etc/obs.profile index 8316551f9..3dbacbf57 100644 --- a/etc/obs.profile +++ b/etc/obs.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for obs |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/obs.local | 4 | include /etc/firejail/obs.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for OBS Studio | ||
9 | noblacklist ${HOME}/.config/obs-studio | 8 | noblacklist ${HOME}/.config/obs-studio |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 8cfadd9ac..06b4c16e0 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -1,33 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for odt2txt |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/odt2txt.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/odt2txt.local | ||
7 | 9 | ||
8 | # odt2txt profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | net none | 16 | net none |
17 | no3d | ||
16 | nogroups | 18 | nogroups |
17 | nonewprivs | 19 | nonewprivs |
18 | noroot | 20 | noroot |
19 | nosound | 21 | nosound |
20 | protocol unix | 22 | protocol unix |
21 | seccomp | 23 | seccomp |
22 | no3d | ||
23 | shell none | 24 | shell none |
24 | tracelog | 25 | tracelog |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
28 | private-bin odt2txt | 27 | private-bin odt2txt |
29 | private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | private-etc none | 29 | private-etc none |
32 | 30 | private-tmp | |
33 | read-only ${HOME} | 31 | read-only ${HOME} |
diff --git a/etc/okular.profile b/etc/okular.profile index 578f01915..331b625b8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -1,29 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for okular |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/okular.local | 4 | include /etc/firejail/okular.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # KDE okular profile | 8 | noblacklist ~/.config/okularpartrc |
9 | noblacklist ~/.kde4/share/apps/okular | 9 | noblacklist ~/.config/okularrc |
10 | noblacklist ~/.kde4/share/config/okularrc | ||
11 | noblacklist ~/.kde4/share/config/okularpartrc | ||
12 | noblacklist ~/.kde/share/apps/okular | 10 | noblacklist ~/.kde/share/apps/okular |
13 | noblacklist ~/.kde/share/config/okularrc | ||
14 | noblacklist ~/.kde/share/config/okularpartrc | 11 | noblacklist ~/.kde/share/config/okularpartrc |
12 | noblacklist ~/.kde/share/config/okularrc | ||
13 | noblacklist ~/.kde4/share/apps/okular | ||
14 | noblacklist ~/.kde4/share/config/okularpartrc | ||
15 | noblacklist ~/.kde4/share/config/okularrc | ||
15 | noblacklist ~/.local/share/okular | 16 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.config/okularrc | 17 | |
17 | noblacklist ~/.config/okularpartrc | ||
18 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
19 | include /etc/firejail/disable-programs.inc | ||
20 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
21 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | netfilter | 24 | netfilter |
25 | nonewprivs | ||
26 | nogroups | 25 | nogroups |
26 | nonewprivs | ||
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | protocol unix | 29 | protocol unix |
@@ -32,8 +32,8 @@ shell none | |||
32 | tracelog | 32 | tracelog |
33 | 33 | ||
34 | # private-bin okular,kbuildsycoca4,lpr | 34 | # private-bin okular,kbuildsycoca4,lpr |
35 | # private-etc fonts,X11 | ||
36 | private-dev | 35 | private-dev |
36 | # private-etc fonts,X11 | ||
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
39 | noexec ${HOME} | 39 | noexec ${HOME} |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index f95b0f5a2..e4c87e5b9 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -1,41 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for open-invaders |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/open-invaders.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.openinvaders |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/open-invaders.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # open-invaders profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.openinvaders | ||
13 | mkdir ~/.openinvaders | 14 | mkdir ~/.openinvaders |
14 | whitelist ~/.openinvaders | 15 | whitelist ~/.openinvaders |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix,netlink | 23 | protocol unix,netlink |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin open-invaders | 26 | |
34 | # private-etc none | 27 | # private-bin open-invaders |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | |||
39 | |||
40 | |||
41 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
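Review bot: The comment kept at new lines 32-34 of etc/open-invaders.profile no longer describes anything. `# depending on your usage, you can enable some of the commands below:` used to introduce `net none`, `nogroups`, `shell none`, `private-dev` and `private-tmp`, which now sit unannotated in the main option block, and the only line left under it is `# nosound`. The `# CLOBBERED COMMENTS` heading also reads like a marker left by the reordering step rather than profile documentation. I would drop the heading and the stale sentence, and keep the optional setting in the option block as `# nosound` with a short note such as `# optional: uncomment to disable sound`.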
diff --git a/etc/openshot.profile b/etc/openshot.profile index 25c803512..b5ace455e 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for openshot |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/openshot.local | 4 | include /etc/firejail/openshot.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # OpenShot profile | ||
9 | noblacklist ${HOME}/.openshot | 8 | noblacklist ${HOME}/.openshot |
10 | noblacklist ${HOME}/.openshot_qt | 9 | noblacklist ${HOME}/.openshot_qt |
11 | 10 | ||
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 4fc2235c1..078f5a0dd 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -1,24 +1,24 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for opera-beta |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/opera-beta.local | 4 | include /etc/firejail/opera-beta.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Opera-beta browser profile | ||
9 | noblacklist ~/.config/opera-beta | 8 | noblacklist ~/.config/opera-beta |
10 | noblacklist ~/.pki | 9 | noblacklist ~/.pki |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | 14 | ||
15 | netfilter | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | mkdir ~/.config/opera-beta | ||
19 | whitelist ~/.config/opera-beta | ||
20 | mkdir ~/.cache/opera | 15 | mkdir ~/.cache/opera |
21 | whitelist ~/.cache/opera | 16 | mkdir ~/.config/opera-beta |
22 | mkdir ~/.pki | 17 | mkdir ~/.pki |
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/opera | ||
20 | whitelist ~/.config/opera-beta | ||
23 | whitelist ~/.pki | 21 | whitelist ~/.pki |
24 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | netfilter | ||
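Review bot: Nothing in the new etc/opera-beta.profile explains why `netfilter` (new line 24) is the only restriction after the whitelist block. The hunk, which appears to cover the whole 24-line file, has no `caps.drop all` or `seccomp`, both of which the netsurf and palemoon browser profiles in this commit do set. If the omission is deliberate, presumably so the browser's own sandbox keeps working (an assumption, the page does not say), a comment would stop a later cleanup from adding them blindly or from reading the gap as an oversight, e.g. `# caps.drop and seccomp are left out on purpose: <reason>`. etc/opera.profile has the same shape and needs the same comment.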
diff --git a/etc/opera.profile b/etc/opera.profile index b6c4ab7bd..7802a124a 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -1,28 +1,28 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for opera |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/opera.local | 4 | include /etc/firejail/opera.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Opera browser profile | 8 | noblacklist ~/.cache/opera |
9 | noblacklist ~/.config/opera | 9 | noblacklist ~/.config/opera |
10 | noblacklist ~/.opera | 10 | noblacklist ~/.opera |
11 | noblacklist ~/.cache/opera | ||
12 | noblacklist ~/.pki | 11 | noblacklist ~/.pki |
12 | |||
13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | netfilter | 17 | mkdir ~/.cache/opera |
18 | |||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/opera | 18 | mkdir ~/.config/opera |
21 | whitelist ~/.config/opera | ||
22 | mkdir ~/.opera | 19 | mkdir ~/.opera |
23 | mkdir ~/.cache/opera | 20 | mkdir ~/.pki |
21 | whitelist ${DOWNLOADS} | ||
24 | whitelist ~/.cache/opera | 22 | whitelist ~/.cache/opera |
23 | whitelist ~/.config/opera | ||
25 | whitelist ~/.opera | 24 | whitelist ~/.opera |
26 | mkdir ~/.pki | ||
27 | whitelist ~/.pki | 25 | whitelist ~/.pki |
28 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
27 | |||
28 | netfilter | ||
diff --git a/etc/orage.profile b/etc/orage.profile index c9977d002..132b526b4 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for orage |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/orage.local | 4 | include /etc/firejail/orage.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/orage | 8 | noblacklist ${HOME}/.config/orage |
9 | noblacklist ${HOME}/.local/share/orage | 9 | noblacklist ${HOME}/.local/share/orage |
@@ -25,9 +25,9 @@ protocol unix | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | disable-mnt | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
30 | disable-mnt | ||
31 | 31 | ||
32 | noexec ${HOME} | 32 | noexec ${HOME} |
33 | noexec /tmp | 33 | noexec /tmp |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index b3b57f931..ab72497c0 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -1,23 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for palemoon |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/palemoon.local | 4 | include /etc/firejail/palemoon.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Pale Moon | ||
9 | noblacklist ~/.moonchild productions/pale moon | ||
10 | noblacklist ~/.cache/moonchild productions/pale moon | 8 | noblacklist ~/.cache/moonchild productions/pale moon |
9 | noblacklist ~/.moonchild productions/pale moon | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/disable-programs.inc |
15 | 14 | ||
16 | whitelist ${DOWNLOADS} | ||
17 | mkdir ~/.moonchild productions | ||
18 | whitelist ~/.moonchild productions | ||
19 | mkdir ~/.cache/moonchild productions/pale moon | 15 | mkdir ~/.cache/moonchild productions/pale moon |
16 | mkdir ~/.moonchild productions | ||
17 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.cache/moonchild productions/pale moon | 18 | whitelist ~/.cache/moonchild productions/pale moon |
19 | whitelist ~/.moonchild productions | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
@@ -29,30 +29,27 @@ seccomp | |||
29 | shell none | 29 | shell none |
30 | tracelog | 30 | tracelog |
31 | 31 | ||
32 | #private-bin palemoon | 32 | # private-bin palemoon |
33 | #private-opt palemoon | 33 | # private-dev (disabled for now as it will interfere with webcam use in palemoon) |
34 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
35 | # private-opt palemoon | ||
34 | private-tmp | 36 | private-tmp |
35 | 37 | ||
36 | # These are uncommented in the Firefox profile. If you run into trouble you may | 38 | # CLOBBERED COMMENTS |
37 | # want to uncomment (some of) them. | ||
38 | #whitelist ~/dwhelper | ||
39 | #whitelist ~/.zotero | ||
40 | #whitelist ~/.vimperatorrc | ||
41 | #whitelist ~/.vimperator | ||
42 | #whitelist ~/.pentadactylrc | ||
43 | #whitelist ~/.pentadactyl | ||
44 | #whitelist ~/.keysnail.js | ||
45 | #whitelist ~/.config/gnome-mplayer | ||
46 | #whitelist ~/.cache/gnome-mplayer/plugin | ||
47 | #whitelist ~/.pki | ||
48 | #whitelist ~/.lastpass | ||
49 | |||
50 | # For silverlight | 39 | # For silverlight |
51 | #whitelist ~/.wine-pipelight | 40 | # want to uncomment (some of) them. |
52 | #whitelist ~/.wine-pipelight64 | 41 | # whitelist ~/.cache/gnome-mplayer/plugin |
53 | #whitelist ~/.config/pipelight-widevine | 42 | # whitelist ~/.config/gnome-mplayer |
54 | #whitelist ~/.config/pipelight-silverlight5.1 | 43 | # whitelist ~/.config/pipelight-silverlight5.1 |
55 | 44 | # whitelist ~/.config/pipelight-widevine | |
56 | # experimental features | 45 | # whitelist ~/.keysnail.js |
57 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 46 | # whitelist ~/.lastpass |
58 | #private-dev (disabled for now as it will interfere with webcam use in palemoon) | 47 | # whitelist ~/.pentadactyl |
48 | # whitelist ~/.pentadactylrc | ||
49 | # whitelist ~/.pki | ||
50 | # whitelist ~/.vimperator | ||
51 | # whitelist ~/.vimperatorrc | ||
52 | # whitelist ~/.wine-pipelight | ||
53 | # whitelist ~/.wine-pipelight64 | ||
54 | # whitelist ~/.zotero | ||
55 | # whitelist ~/dwhelper | ||
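Review bot: Sorting the trailing comments alphabetically destroyed their meaning in the second hunk of etc/palemoon.profile. The old two-line sentence `These are uncommented in the Firefox profile. If you run into trouble you may` / `want to uncomment (some of) them.` survives only as its second half at new line 40, and `# For silverlight` (new line 39) no longer precedes the four pipelight entries it labelled. Someone deciding whether to expose `~/.lastpass` or `~/.pki` to the browser now gets no hint of what the list is for. Restore the grouping: put the full sentence above the general `# whitelist` entries and `# For silverlight` directly above `~/.wine-pipelight`, `~/.wine-pipelight64`, `~/.config/pipelight-widevine` and `~/.config/pipelight-silverlight5.1`, then drop the `# CLOBBERED COMMENTS` heading.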
diff --git a/etc/parole.profile b/etc/parole.profile index e6a9d4ef5..00a12afd9 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -1,18 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for parole |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/parole.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/parole.local | ||
7 | 8 | ||
8 | # Profile for Parole, the default XFCE4 media player | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
13 | 12 | include /etc/firejail/disable-programs.inc | |
14 | private-etc passwd,group,fonts | ||
15 | private-bin parole,dbus-launch | ||
16 | 13 | ||
17 | caps.drop all | 14 | caps.drop all |
18 | netfilter | 15 | netfilter |
@@ -21,3 +18,6 @@ noroot | |||
21 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
22 | seccomp | 19 | seccomp |
23 | shell none | 20 | shell none |
21 | |||
22 | private-bin parole,dbus-launch | ||
23 | private-etc passwd,group,fonts | ||
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 654904f17..f2bc908df 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pcmanfm |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pcmanfm.local | 4 | include /etc/firejail/pcmanfm.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ~/.config/pcmanfm | ||
9 | noblacklist ~/.config/libfm | ||
10 | noblacklist ${HOME}/.local/share/Trash | 8 | noblacklist ${HOME}/.local/share/Trash |
9 | noblacklist ~/.config/libfm | ||
10 | noblacklist ~/.config/pcmanfm | ||
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | #include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | # include /etc/firejail/disable-programs.inc | ||
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | net none | 18 | net none |
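Review bot: The commented-out `# include /etc/firejail/disable-programs.inc` at new line 15 of etc/pcmanfm.profile carries no reason, so a reader cannot tell a deliberate exception from a leftover. The nautilus profile earlier in this commit keeps a note that a file manager must be able to start arbitrary applications and therefore cannot blacklist their files. If the same reasoning applies here (an assumption, the hunk does not say), state it next to the line, e.g. `# disable-programs.inc is not included: pcmanfm must be able to start other applications`. The profile appears to continue after `net none`, outside this hunk.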
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 2465be252..0f25f1fa5 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -1,24 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pdfsam |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pdfsam.local | 4 | include /etc/firejail/pdfsam.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for pdfsam | ||
10 | # | ||
11 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
12 | 9 | ||
13 | #Blacklist Paths | ||
14 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | ||
17 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
18 | 14 | ||
19 | #Options | ||
20 | caps.drop all | 15 | caps.drop all |
21 | #ipc-namespace | ||
22 | net none | 16 | net none |
23 | no3d | 17 | no3d |
24 | nogroups | 18 | nogroups |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index e5dab840f..89fb295dd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pdftotext |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/pdftotext.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pdftotext.local | ||
7 | 9 | ||
8 | # pdftotext profile | ||
9 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
13 | 14 | ||
14 | caps.drop all | 15 | caps.drop all |
15 | net none | 16 | net none |
17 | no3d | ||
16 | nogroups | 18 | nogroups |
17 | nonewprivs | 19 | nonewprivs |
18 | noroot | 20 | noroot |
19 | nosound | 21 | nosound |
20 | protocol unix | 22 | protocol unix |
21 | seccomp | 23 | seccomp |
22 | no3d | ||
23 | shell none | 24 | shell none |
24 | tracelog | 25 | tracelog |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
28 | private-bin pdftotext | 27 | private-bin pdftotext |
29 | private-tmp | ||
30 | private-dev | 28 | private-dev |
31 | private-etc none | 29 | private-etc none |
30 | private-tmp | ||
diff --git a/etc/peek.profile b/etc/peek.profile index 811eb701b..2860d3663 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for peek |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/peek.local | 4 | include /etc/firejail/peek.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Peek | ||
9 | noblacklist ${HOME}/.cache/peek | 8 | noblacklist ${HOME}/.cache/peek |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -25,7 +24,7 @@ protocol unix | |||
25 | seccomp | 24 | seccomp |
26 | shell none | 25 | shell none |
27 | 26 | ||
28 | #private-bin peek,convert,ffmpeg | 27 | # private-bin peek,convert,ffmpeg |
29 | private-dev | 28 | private-dev |
30 | private-tmp | 29 | private-tmp |
31 | 30 | ||
diff --git a/etc/picard.profile b/etc/picard.profile index 0c99e6b3e..ccdbc5116 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for picard |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/picard.local | 4 | include /etc/firejail/picard.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for MusicBrainz Picard | ||
9 | noblacklist ${HOME}/.cache/MusicBrainz | 8 | noblacklist ${HOME}/.cache/MusicBrainz |
10 | noblacklist ${HOME}/.config/MusicBrainz | 9 | noblacklist ${HOME}/.config/MusicBrainz |
11 | 10 | ||
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 5c0b5de04..7bc88a814 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pidgin |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pidgin.local | 4 | include /etc/firejail/pidgin.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Pidgin profile | ||
9 | noblacklist ${HOME}/.purple | 8 | noblacklist ${HOME}/.purple |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/pingus.profile b/etc/pingus.profile index b3b479046..6699b7944 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -1,41 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pingus |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/pingus.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.pingus |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pingus.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # Pinugs profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.pingus | ||
13 | mkdir ~/.pingus | 14 | mkdir ~/.pingus |
14 | whitelist ~/.pingus | 15 | whitelist ~/.pingus |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix,netlink | 23 | protocol unix,netlink |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin pingus | 26 | |
34 | # private-etc none | 27 | # private-bin pingus |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | |||
39 | |||
40 | |||
41 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
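Review bot: The `# CLOBBERED COMMENTS` block at new lines 32-34 of etc/pingus.profile reads as leftover output from the reformatting script. Its sentence "depending on your usage, you can enable some of the commands below" now sits above a single `# nosound`, while `net none` and `nogroups`, which it used to introduce, have moved into the always-on options. I would drop the marker and keep each disabled option in its sorted position with its own reason, for example `# nosound - optional, disables sound`. The same marker is added in etc/qbittorrent.profile, where the explanation for the disabled `shell none` now follows the option and `bug #536` became `bug # 536`, and in etc/rambox.profile for `# tracelog`. A one-line form such as `# shell none - breaks "Open destination folder", see bug #536` keeps the hardening trade-off next to the option it explains.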
diff --git a/etc/pithos.profile b/etc/pithos.profile index c08f27f17..7eea5d8c2 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
@@ -1,25 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pithos |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pithos.local | 4 | include /etc/firejail/pithos.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for pithos | ||
10 | # | ||
11 | 8 | ||
12 | #Blacklist Paths | ||
13 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
17 | 11 | include /etc/firejail/disable-passwdmgr.inc | |
12 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
19 | 14 | ||
20 | #Options | ||
21 | caps.drop all | 15 | caps.drop all |
22 | #ipc-namespace | ||
23 | netfilter | 16 | netfilter |
24 | no3d | 17 | no3d |
25 | nogroups | 18 | nogroups |
@@ -30,9 +23,9 @@ protocol unix,inet,inet6 | |||
30 | seccomp | 23 | seccomp |
31 | shell none | 24 | shell none |
32 | 25 | ||
26 | disable-mnt | ||
33 | private-dev | 27 | private-dev |
34 | private-tmp | 28 | private-tmp |
35 | disable-mnt | ||
36 | 29 | ||
37 | noexec ${HOME} | 30 | noexec ${HOME} |
38 | noexec /tmp | 31 | noexec /tmp |
diff --git a/etc/pix.profile b/etc/pix.profile index f6e3d4ae3..0d1d46fd6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pix |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pix.local | 4 | include /etc/firejail/pix.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for pix | ||
9 | noblacklist ${HOME}/.config/pix | 8 | noblacklist ${HOME}/.config/pix |
10 | noblacklist ${HOME}/.local/share/pix | 9 | noblacklist ${HOME}/.local/share/pix |
11 | noblacklist ~/.Steam | 10 | noblacklist ~/.Steam |
12 | noblacklist ~/.steam | 11 | noblacklist ~/.steam |
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | nogroups | 19 | nogroups |
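Review bot: The `noblacklist ~/.Steam` and `noblacklist ~/.steam` lines kept at new lines 10-11 of etc/pix.profile look like a leftover from another profile. Nothing in this hunk suggests the pix image viewer needs the Steam directories, and each `noblacklist` exempts its path from any blacklist in the disable-*.inc files included just below. Since the commit is already normalising this profile, I would remove both lines, or, if pix does need them, say why with a comment such as `# pix reads ~/.steam for <reason>`. The profile continues past new line 19, outside this hunk.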
diff --git a/etc/pluma.profile b/etc/pluma.profile index c2a30b2c3..75bdeadc4 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for pluma |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/pluma.local | 4 | include /etc/firejail/pluma.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Xed | ||
9 | noblacklist ${HOME}/.config/pluma | 8 | noblacklist ${HOME}/.config/pluma |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
diff --git a/etc/polari.profile b/etc/polari.profile index 657139b6b..e2788b7d0 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -1,26 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for polari |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/polari.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/polari.local | ||
7 | 8 | ||
8 | # Polari IRC profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | 12 | ||
13 | mkdir ${HOME}/.cache/telepathy | ||
14 | mkdir ${HOME}/.config/telepathy-account-widgets | ||
13 | mkdir ${HOME}/.local/share/Empathy | 15 | mkdir ${HOME}/.local/share/Empathy |
14 | whitelist ${HOME}/.local/share/Empathy | ||
15 | mkdir ${HOME}/.local/share/telepathy | ||
16 | whitelist ${HOME}/.local/share/telepathy | ||
17 | mkdir ${HOME}/.local/share/TpLogger | 16 | mkdir ${HOME}/.local/share/TpLogger |
18 | whitelist ${HOME}/.local/share/TpLogger | 17 | mkdir ${HOME}/.local/share/telepathy |
19 | mkdir ${HOME}/.config/telepathy-account-widgets | ||
20 | whitelist ${HOME}/.config/telepathy-account-widgets | ||
21 | mkdir ${HOME}/.cache/telepathy | ||
22 | whitelist ${HOME}/.cache/telepathy | ||
23 | mkdir ${HOME}/.purple | 18 | mkdir ${HOME}/.purple |
19 | whitelist ${HOME}/.cache/telepathy | ||
20 | whitelist ${HOME}/.config/telepathy-account-widgets | ||
21 | whitelist ${HOME}/.local/share/Empathy | ||
22 | whitelist ${HOME}/.local/share/TpLogger | ||
23 | whitelist ${HOME}/.local/share/telepathy | ||
24 | whitelist ${HOME}/.purple | 24 | whitelist ${HOME}/.purple |
25 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
26 | 26 | ||
@@ -36,9 +36,9 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | disable-mnt | ||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | disable-mnt | ||
42 | 42 | ||
43 | noexec ${HOME} | 43 | noexec ${HOME} |
44 | noexec /tmp | 44 | noexec /tmp |
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9500731fe..27ee2500c 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -1,27 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for psi-plus |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/psi-plus.local | 4 | include /etc/firejail/psi-plus.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Psi+ | ||
9 | noblacklist ${HOME}/.config/psi+ | 8 | noblacklist ${HOME}/.config/psi+ |
10 | noblacklist ${HOME}/.local/share/psi+ | 9 | noblacklist ${HOME}/.local/share/psi+ |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | whitelist ${DOWNLOADS} | 16 | mkdir ~/.cache/psi+ |
18 | mkdir ~/.config/psi+ | 17 | mkdir ~/.config/psi+ |
19 | whitelist ~/.config/psi+ | ||
20 | mkdir ~/.local/share/psi+ | 18 | mkdir ~/.local/share/psi+ |
21 | whitelist ~/.local/share/psi+ | 19 | whitelist ${DOWNLOADS} |
22 | mkdir ~/.cache/psi+ | ||
23 | whitelist ~/.cache/psi+ | 20 | whitelist ~/.cache/psi+ |
24 | 21 | whitelist ~/.config/psi+ | |
22 | whitelist ~/.local/share/psi+ | ||
25 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
26 | 24 | ||
27 | caps.drop all | 25 | caps.drop all |
@@ -35,9 +33,9 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 33 | seccomp |
36 | shell none | 34 | shell none |
37 | 35 | ||
36 | disable-mnt | ||
38 | private-dev | 37 | private-dev |
39 | private-tmp | 38 | private-tmp |
40 | disable-mnt | ||
41 | 39 | ||
42 | noexec ${HOME} | 40 | noexec ${HOME} |
43 | noexec /tmp | 41 | noexec /tmp |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 7ae8a22d4..5dcba0825 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -1,30 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qbittorrent |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qbittorrent.local | 4 | include /etc/firejail/qbittorrent.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # qbittorrent bittorrent profile | 8 | noblacklist ~/.cache/qBittorrent |
9 | noblacklist ~/.config/qt5ct | ||
10 | noblacklist ~/.config/qBittorrent | 9 | noblacklist ~/.config/qBittorrent |
11 | noblacklist ~/.config/qBittorrentrc | 10 | noblacklist ~/.config/qBittorrentrc |
12 | noblacklist ~/.cache/qBittorrent | 11 | noblacklist ~/.config/qt5ct |
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | mkdir ~/.local/share/data/qBittorrent | 18 | mkdir ~/.cache/qBittorrent |
20 | whitelist ~/.local/share/data/qBittorrent | ||
21 | whitelist ~/.config/qt5ct | ||
22 | mkdir ~/.config/qBittorrent | 19 | mkdir ~/.config/qBittorrent |
20 | mkdir ~/.local/share/data/qBittorrent | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ~/.cache/qBittorrent | ||
23 | whitelist ~/.config/qBittorrent | 23 | whitelist ~/.config/qBittorrent |
24 | whitelist ~/.config/qBittorrentrc | 24 | whitelist ~/.config/qBittorrentrc |
25 | mkdir ~/.cache/qBittorrent | 25 | whitelist ~/.config/qt5ct |
26 | whitelist ~/.cache/qBittorrent | 26 | whitelist ~/.local/share/data/qBittorrent |
27 | whitelist ${DOWNLOADS} | ||
28 | include /etc/firejail/whitelist-common.inc | 27 | include /etc/firejail/whitelist-common.inc |
29 | 28 | ||
30 | caps.drop all | 29 | caps.drop all |
@@ -37,9 +36,11 @@ nosound | |||
37 | protocol unix,inet,inet6,netlink | 36 | protocol unix,inet,inet6,netlink |
38 | seccomp | 37 | seccomp |
39 | 38 | ||
40 | # there are some problems with "Open destination folder", see bug #536 | 39 | # private-bin qbittorrent |
41 | #shell none | ||
42 | #private-bin qbittorrent | ||
43 | private-dev | 40 | private-dev |
44 | # private-etc X11,fonts,xdg,resolv.conf | 41 | # private-etc X11,fonts,xdg,resolv.conf |
45 | private-tmp | 42 | private-tmp |
43 | |||
44 | # CLOBBERED COMMENTS | ||
45 | # shell none | ||
46 | # there are some problems with "Open destination folder", see bug # 536 | ||
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index f6458de86..0f3235266 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
@@ -1,16 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qemu-launcher |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qemu-launcher.local | 4 | include /etc/firejail/qemu-launcher.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # qemu-launcher profile | ||
9 | noblacklist ~/.qemu-launcher | 8 | noblacklist ~/.qemu-launcher |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
14 | 13 | ||
15 | caps.drop all | 14 | caps.drop all |
16 | netfilter | 15 | netfilter |
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index fdfd7ab72..b1b8e9319 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
@@ -1,14 +1,14 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qemu-system-x86_64 |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/qemu-system-x86_64.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qemu-system-x86_64.local | ||
7 | 8 | ||
8 | # qemu profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
diff --git a/etc/qlipper.profile b/etc/qlipper.profile index d57856c1a..98c794624 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qlipper |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qlipper.local | 4 | include /etc/firejail/qlipper.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Qlipper | 8 | noblacklist ${HOME}/.config/Qlipper |
9 | 9 | ||
@@ -24,9 +24,9 @@ protocol unix | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | disable-mnt | ||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 97bd2b0b1..596171420 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qpdfview |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qpdfview.local | 4 | include /etc/firejail/qpdfview.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # qpdfview profile | ||
9 | noblacklist ${HOME}/.config/qt5ct | ||
10 | noblacklist ${HOME}/.config/qpdfview | 8 | noblacklist ${HOME}/.config/qpdfview |
9 | noblacklist ${HOME}/.config/qt5ct | ||
11 | noblacklist ${HOME}/.local/share/qpdfview | 10 | noblacklist ${HOME}/.local/share/qpdfview |
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | nogroups | 18 | nogroups |
diff --git a/etc/qtox.profile b/etc/qtox.profile index cc2a45bb2..08cbcd332 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -1,23 +1,24 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qtox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qtox.local | 4 | include /etc/firejail/qtox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # qTox instant messaging profile | ||
9 | noblacklist ~/.config/tox | ||
10 | noblacklist ~/.config/qt5ct | 8 | noblacklist ~/.config/qt5ct |
9 | noblacklist ~/.config/tox | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | mkdir ${HOME}/.config/tox | ||
17 | whitelist ${HOME}/.config/tox | ||
18 | mkdir ${HOME}/.config/qt5ct | 16 | mkdir ${HOME}/.config/qt5ct |
19 | whitelist ${HOME}/.config/qt5ct | 17 | mkdir ${HOME}/.config/tox |
20 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.config/qt5ct | ||
20 | whitelist ${HOME}/.config/tox | ||
21 | include /etc/firejail/whitelist-common.inc | ||
21 | 22 | ||
22 | caps.drop all | 23 | caps.drop all |
23 | netfilter | 24 | netfilter |
@@ -29,9 +30,9 @@ seccomp | |||
29 | shell none | 30 | shell none |
30 | tracelog | 31 | tracelog |
31 | 32 | ||
32 | noexec ${HOME} | 33 | disable-mnt |
33 | noexec /tmp | ||
34 | |||
35 | private-bin qtox | 34 | private-bin qtox |
36 | private-tmp | 35 | private-tmp |
37 | disable-mnt | 36 | |
37 | noexec ${HOME} | ||
38 | noexec /tmp | ||
diff --git a/etc/quassel.profile b/etc/quassel.profile index 6a8988941..9e9ecfce9 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for quassel |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/quassel.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/quassel.local | ||
7 | 8 | ||
8 | # Quassel IRC profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | ||
14 | nonewprivs | 15 | nonewprivs |
15 | noroot | 16 | noroot |
16 | netfilter | ||
17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
18 | seccomp | 18 | seccomp |
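Review bot: The include block at new lines 9-11 of etc/quassel.profile still omits `include /etc/firejail/disable-passwdmgr.inc`, which most other profiles normalised in this commit carry between disable-devel.inc and disable-programs.inc. No `whitelist` lines appear between the includes and `caps.drop all`, so as far as this hunk shows the home directory is restricted only by these blacklists, while the profile allows `protocol unix,inet,inet6`. For a networked IRC client I would add the include, or record why it is left out with a comment such as `# disable-passwdmgr.inc omitted: <reason>`. The options may continue past line 18, outside the hunk.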
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index aa17693cd..934763a25 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for quiterss |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/quiterss.local | 4 | include /etc/firejail/quiterss.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/QuiteRss | 8 | noblacklist ${HOME}/.cache/QuiteRss |
9 | noblacklist ${HOME}/.config/QuiteRss | 9 | noblacklist ${HOME}/.config/QuiteRss |
@@ -11,19 +11,20 @@ noblacklist ${HOME}/.config/QuiteRssrc | |||
11 | noblacklist ${HOME}/.local/share/QuiteRss | 11 | noblacklist ${HOME}/.local/share/QuiteRss |
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-programs.inc | ||
17 | 17 | ||
18 | whitelist ${HOME}/quiterssfeeds.opml | 18 | mkdir ~/.cache/QuiteRss |
19 | mkdir ~/.config/QuiteRss | 19 | mkdir ~/.config/QuiteRss |
20 | whitelist ${HOME}/.config/QuiteRss/ | ||
21 | whitelist ${HOME}/.config/QuiteRssrc | ||
22 | mkdir ~/.local/share/data | 20 | mkdir ~/.local/share/data |
23 | mkdir ~/.local/share/data/QuiteRss | 21 | mkdir ~/.local/share/data/QuiteRss |
24 | whitelist ${HOME}/.local/share/data/QuiteRss | ||
25 | mkdir ~/.cache/QuiteRss | ||
26 | whitelist ${HOME}/.cache/QuiteRss | 22 | whitelist ${HOME}/.cache/QuiteRss |
23 | whitelist ${HOME}/.config/QuiteRss/ | ||
24 | whitelist ${HOME}/.config/QuiteRssrc | ||
25 | whitelist ${HOME}/.local/share/data/QuiteRss | ||
26 | whitelist ${HOME}/quiterssfeeds.opml | ||
27 | include /etc/firejail/whitelist-common.inc | ||
27 | 28 | ||
28 | caps.drop all | 29 | caps.drop all |
29 | netfilter | 30 | netfilter |
@@ -36,12 +37,10 @@ seccomp | |||
36 | shell none | 37 | shell none |
37 | tracelog | 38 | tracelog |
38 | 39 | ||
40 | disable-mnt | ||
39 | private-bin quiterss | 41 | private-bin quiterss |
40 | private-dev | 42 | private-dev |
41 | #private-etc X11,ssl | 43 | # private-etc X11,ssl |
42 | disable-mnt | ||
43 | |||
44 | include /etc/firejail/whitelist-common.inc | ||
45 | 44 | ||
46 | noexec ${HOME} | 45 | noexec ${HOME} |
47 | noexec /tmp | 46 | noexec /tmp |
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 5dfeeb281..6d0c16785 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
@@ -1,27 +1,28 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qupzilla |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qupzilla.local | 4 | include /etc/firejail/qupzilla.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Qupzilla web browser | ||
9 | noblacklist ${HOME}/.config/qupzilla | ||
10 | noblacklist ${HOME}/.cache/qupzilla | 8 | noblacklist ${HOME}/.cache/qupzilla |
9 | noblacklist ${HOME}/.config/qupzilla | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | caps.drop all | 15 | |
16 | seccomp | ||
17 | protocol unix,inet,inet6,netlink | ||
18 | netfilter | ||
19 | tracelog | ||
20 | noroot | ||
21 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
22 | whitelist ~/.config/qupzilla | ||
23 | whitelist ~/.cache/qupzilla | 17 | whitelist ~/.cache/qupzilla |
18 | whitelist ~/.config/qupzilla | ||
24 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
25 | 20 | ||
26 | # experimental features | 21 | caps.drop all |
27 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 22 | netfilter |
23 | noroot | ||
24 | protocol unix,inet,inet6,netlink | ||
25 | seccomp | ||
26 | tracelog | ||
27 | |||
28 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
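Review bot: The options block at new lines 21-26 of etc/qupzilla.profile has `noroot` and `seccomp` but no `nonewprivs`, unlike etc/pingus.profile elsewhere in this commit, which lists all three. If the omission is deliberate for this browser, a comment such as `# nonewprivs - not set: <reason>` would record it; otherwise add `nonewprivs` after `netfilter`. The `whitelist ~/.cache/qupzilla` and `whitelist ~/.config/qupzilla` lines also have no matching `mkdir`, where the qutebrowser and rambox profiles create the directories first; on a fresh account the whitelist entries may not apply, which is worth confirming.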
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index aec5e4ad4..9eb0c9075 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -1,16 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for qutebrowser |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/qutebrowser.local | 4 | include /etc/firejail/qutebrowser.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser | ||
9 | noblacklist ~/.config/qutebrowser | ||
10 | noblacklist ~/.cache/qutebrowser | 8 | noblacklist ~/.cache/qutebrowser |
9 | noblacklist ~/.config/qutebrowser | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.cache/qutebrowser | ||
16 | mkdir ~/.config/qutebrowser | ||
17 | mkdir ~/.local/share/qutebrowser | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/qutebrowser | ||
20 | whitelist ~/.config/qutebrowser | ||
21 | whitelist ~/.local/share/qutebrowser | ||
22 | include /etc/firejail/whitelist-common.inc | ||
14 | 23 | ||
15 | caps.drop all | 24 | caps.drop all |
16 | netfilter | 25 | netfilter |
@@ -19,12 +28,3 @@ noroot | |||
19 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
20 | seccomp | 29 | seccomp |
21 | tracelog | 30 | tracelog |
22 | |||
23 | whitelist ${DOWNLOADS} | ||
24 | mkdir ~/.config/qutebrowser | ||
25 | whitelist ~/.config/qutebrowser | ||
26 | mkdir ~/.cache/qutebrowser | ||
27 | whitelist ~/.cache/qutebrowser | ||
28 | mkdir ~/.local/share/qutebrowser | ||
29 | whitelist ~/.local/share/qutebrowser | ||
30 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/rambox.profile b/etc/rambox.profile index 2c70fbd13..ea88b472c 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile | |||
@@ -1,16 +1,23 @@ | |||
1 | #Persistent global definitions go here | 1 | # Firejail profile for rambox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | #This file is overwritten during software install. | ||
5 | #Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/rambox.local | 4 | include /etc/firejail/rambox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Rambox profile for firejail | ||
9 | noblacklist ~/.config/Rambox | 8 | noblacklist ~/.config/Rambox |
10 | noblacklist ~/.pki | 9 | noblacklist ~/.pki |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.config/Rambox | ||
16 | mkdir ~/.pki | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ~/.config/Rambox | ||
19 | whitelist ~/.pki | ||
20 | include /etc/firejail/whitelist-common.inc | ||
14 | 21 | ||
15 | caps.drop all | 22 | caps.drop all |
16 | netfilter | 23 | netfilter |
@@ -19,13 +26,6 @@ nonewprivs | |||
19 | noroot | 26 | noroot |
20 | protocol unix,inet,inet6,netlink | 27 | protocol unix,inet,inet6,netlink |
21 | seccomp | 28 | seccomp |
22 | #tracelog | ||
23 | |||
24 | whitelist ${DOWNLOADS} | ||
25 | mkdir ~/.config/Rambox | ||
26 | whitelist ~/.config/Rambox | ||
27 | mkdir ~/.pki | ||
28 | whitelist ~/.pki | ||
29 | |||
30 | include /etc/firejail/whitelist-common.inc | ||
31 | 29 | ||
30 | # CLOBBERED COMMENTS | ||
31 | # tracelog | ||
diff --git a/etc/ranger.profile b/etc/ranger.profile index ab0545aaf..3915cffb6 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -1,29 +1,30 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for ranger |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ranger.local | 4 | include /etc/firejail/ranger.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # ranger file manager profile | ||
9 | noblacklist /usr/bin/perl | 8 | noblacklist /usr/bin/perl |
10 | #noblacklist /usr/bin/cpan* | ||
11 | noblacklist /usr/share/perl* | ||
12 | noblacklist /usr/lib/perl* | 9 | noblacklist /usr/lib/perl* |
10 | noblacklist /usr/share/perl* | ||
13 | noblacklist ~/.config/ranger | 11 | noblacklist ~/.config/ranger |
14 | 12 | ||
15 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
18 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
19 | 17 | ||
20 | caps.drop all | 18 | caps.drop all |
21 | net none | 19 | net none |
22 | nogroups | 20 | nogroups |
23 | nonewprivs | 21 | nonewprivs |
24 | noroot | 22 | noroot |
23 | nosound | ||
25 | protocol unix | 24 | protocol unix |
26 | seccomp | 25 | seccomp |
27 | nosound | ||
28 | 26 | ||
29 | private-dev | 27 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # noblacklist /usr/bin/cpan* | ||
diff --git a/etc/remmina.profile b/etc/remmina.profile index 5aff10fe3..39b5b2acd 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
@@ -1,14 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for remmina |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/remmina.local | 4 | include /etc/firejail/remmina.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Remmina | ||
9 | noblacklist ${HOME}/.ssh | ||
10 | noblacklist ${HOME}/.config/remmina | 8 | noblacklist ${HOME}/.config/remmina |
11 | noblacklist ${HOME}/.local/share/remmina | 9 | noblacklist ${HOME}/.local/share/remmina |
10 | noblacklist ${HOME}/.ssh | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 930a8fed5..9f8e8fb1a 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for rhythmbox |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/rhythmbox.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/rhythmbox.local | ||
7 | 8 | ||
8 | # Rhythmbox media player profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
16 | #no3d | ||
17 | nogroups | 16 | nogroups |
18 | nonewprivs | 17 | nonewprivs |
19 | noroot | 18 | noroot |
@@ -29,3 +28,6 @@ private-tmp | |||
29 | 28 | ||
30 | noexec ${HOME} | 29 | noexec ${HOME} |
31 | noexec /tmp | 30 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # no3d | ||
diff --git a/etc/riot-web.profile b/etc/riot-web.profile index 4814dadf7..93f389bbc 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile | |||
@@ -1,5 +1,13 @@ | |||
1 | # Firejail profile for Riot. | 1 | # Firejail profile for riot-web |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/riot-web.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
2 | noblacklist ~/.config/Riot | 8 | noblacklist ~/.config/Riot |
9 | |||
3 | whitelist ~/.config/Riot | 10 | whitelist ~/.config/Riot |
11 | include /etc/firejail/whitelist-common.inc | ||
4 | 12 | ||
5 | include /etc/firejail/electron.profile | 13 | include /etc/firejail/electron.profile |
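Review bot: `whitelist ~/.config/Riot` (new line 10) has no matching `mkdir ~/.config/Riot`, unlike the other whitelisting profiles in this commit, where rambox pairs `mkdir ~/.config/Rambox` with its whitelist. On a first run the directory may not exist yet, so the whitelist would have nothing to expose and the application's data could end up in the temporary home and be discarded at exit. Add `mkdir ~/.config/Riot` ahead of the whitelist line. It is also worth confirming that electron.profile does not pull in globals.local a second time, now that this profile includes it on line 6.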
diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 3d3491658..8070254ac 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile | |||
@@ -1,10 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for ristretto |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/ristretto.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/risretto.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/ristretto | 8 | noblacklist ${HOME}/.config/ristretto |
9 | noblacklist ~/.Steam | 9 | noblacklist ~/.Steam |
10 | noblacklist ~/.steam | 10 | noblacklist ~/.steam |
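Review bot: `noblacklist ~/.Steam` and `noblacklist ~/.steam` (new lines 9-10) stay in the ristretto profile, which exempts the Steam directories from blacklisting for an image viewer; this looks like a leftover copied from another profile. If ristretto has no need for them, drop both lines so the paths remain covered by whichever disable-*.inc file lists them. The commit also corrects the `risretto.local` include to `ristretto.local`, so overrides in that file presumably take effect for the first time, which deserves a mention in the release notes. The profile continues past this hunk.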
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 93416c248..b9f9960f4 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for rtorrent |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/rtorrent.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/rtorrent.local | ||
7 | 8 | ||
8 | # rtorrent bittorrent profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
@@ -18,8 +18,8 @@ noroot | |||
18 | nosound | 18 | nosound |
19 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
20 | seccomp | 20 | seccomp |
21 | |||
22 | shell none | 21 | shell none |
22 | |||
23 | private-bin rtorrent | 23 | private-bin rtorrent |
24 | private-dev | 24 | private-dev |
25 | private-tmp | 25 | private-tmp |
diff --git a/etc/scribus.profile b/etc/scribus.profile index 5cd1768a0..73343f5da 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -1,32 +1,29 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for scribus |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/scribus.local | 4 | include /etc/firejail/scribus.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Scribus | 8 | noblacklist ~/.config/okularpartrc |
9 | noblacklist ~/.scribus | 9 | noblacklist ~/.config/okularrc |
10 | noblacklist ~/.config/scribus | 10 | noblacklist ~/.config/scribus |
11 | noblacklist ~/.config/scribusrc | 11 | noblacklist ~/.config/scribusrc |
12 | noblacklist ~/.local/share/scribus | ||
13 | noblacklist ~/.gimp* | 12 | noblacklist ~/.gimp* |
14 | |||
15 | # Support for PDF readers (Scribus 1.5 and higher) | ||
16 | noblacklist ~/.kde4/share/apps/okular | ||
17 | noblacklist ~/.kde4/share/config/okularrc | ||
18 | noblacklist ~/.kde4/share/config/okularpartrc | ||
19 | noblacklist ~/.kde/share/apps/okular | 13 | noblacklist ~/.kde/share/apps/okular |
20 | noblacklist ~/.kde/share/config/okularrc | ||
21 | noblacklist ~/.kde/share/config/okularpartrc | 14 | noblacklist ~/.kde/share/config/okularpartrc |
15 | noblacklist ~/.kde/share/config/okularrc | ||
16 | noblacklist ~/.kde4/share/apps/okular | ||
17 | noblacklist ~/.kde4/share/config/okularpartrc | ||
18 | noblacklist ~/.kde4/share/config/okularrc | ||
22 | noblacklist ~/.local/share/okular | 19 | noblacklist ~/.local/share/okular |
23 | noblacklist ~/.config/okularrc | 20 | noblacklist ~/.local/share/scribus |
24 | noblacklist ~/.config/okularpartrc | 21 | noblacklist ~/.scribus |
25 | 22 | ||
26 | include /etc/firejail/disable-common.inc | 23 | include /etc/firejail/disable-common.inc |
27 | include /etc/firejail/disable-programs.inc | ||
28 | include /etc/firejail/disable-devel.inc | 24 | include /etc/firejail/disable-devel.inc |
29 | include /etc/firejail/disable-passwdmgr.inc | 25 | include /etc/firejail/disable-passwdmgr.inc |
26 | include /etc/firejail/disable-programs.inc | ||
30 | 27 | ||
31 | caps.drop all | 28 | caps.drop all |
32 | nonewprivs | 29 | nonewprivs |
@@ -37,4 +34,7 @@ seccomp | |||
37 | tracelog | 34 | tracelog |
38 | 35 | ||
39 | private-dev | 36 | private-dev |
40 | #private-tmp | 37 | # private-tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # Support for PDF readers (Scribus 1.5 and higher) | ||
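Review bot: The comment `# Support for PDF readers (Scribus 1.5 and higher)` is moved to CLOBBERED COMMENTS at the end of the file, while the okular `noblacklist` entries it explained are now sorted in among the scribus ones (new lines 8-9 and 13-19). A reader of the exemption list can no longer tell why a desktop-publishing profile is granted access to okular's configuration. Keep the reason next to the entries, for example `# okular paths: PDF reader support (Scribus 1.5 and higher)` directly above the noblacklist block.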
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 855eae5b1..7311594c0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -1,20 +1,20 @@ | |||
1 | # Firejail profile for sdat2img | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/sdat2img.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/sdat2img.local | ||
8 | 9 | ||
9 | # Firejail profile for sdat2img | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | no3d | ||
17 | net none | 16 | net none |
17 | no3d | ||
18 | nogroups | 18 | nogroups |
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile index f01810671..25e882b32 100644 --- a/etc/seamonkey-bin.profile +++ b/etc/seamonkey-bin.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for seamonkey |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/seamonkey-bin.local | ||
7 | 4 | ||
8 | # Firejail profile for Seamonkey based off Mozilla Firefox | ||
9 | include /etc/firejail/seamonkey.profile | 5 | include /etc/firejail/seamonkey.profile |
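Review bot: The alias profile no longer includes `/etc/firejail/seamonkey-bin.local` (old line 6), so any restrictions an administrator placed in that file silently stop applying after the update; soffice.profile drops `soffice.local` in the same way. Either keep the per-alias include ahead of the redirect, `include /etc/firejail/seamonkey-bin.local`, or say in the header where overrides must now live, e.g. `# Persistent local customizations go in seamonkey.local`. Without one of the two, a hardened setup can lose its overrides with no warning.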
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b674897a8..072a9fef5 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -1,17 +1,39 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for seamonkey |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/seamonkey.local | 4 | include /etc/firejail/seamonkey.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Seamoneky based off Mozilla Firefox | ||
9 | noblacklist ~/.mozilla | ||
10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
9 | noblacklist ~/.mozilla | ||
11 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | |||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkdir ~/.cache/mozilla | ||
17 | mkdir ~/.mozilla | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ~/.cache/gnome-mplayer/plugin | ||
20 | whitelist ~/.cache/mozilla | ||
21 | whitelist ~/.config/gnome-mplayer | ||
22 | whitelist ~/.config/pipelight-silverlight5.1 | ||
23 | whitelist ~/.config/pipelight-widevine | ||
24 | whitelist ~/.keysnail.js | ||
25 | whitelist ~/.lastpass | ||
26 | whitelist ~/.mozilla | ||
27 | whitelist ~/.pentadactyl | ||
28 | whitelist ~/.pentadactylrc | ||
29 | whitelist ~/.pki | ||
30 | whitelist ~/.vimperator | ||
31 | whitelist ~/.vimperatorrc | ||
32 | whitelist ~/.wine-pipelight | ||
33 | whitelist ~/.wine-pipelight64 | ||
34 | whitelist ~/.zotero | ||
35 | whitelist ~/dwhelper | ||
36 | include /etc/firejail/whitelist-common.inc | ||
15 | 37 | ||
16 | caps.drop all | 38 | caps.drop all |
17 | netfilter | 39 | netfilter |
@@ -21,29 +43,4 @@ protocol unix,inet,inet6,netlink | |||
21 | seccomp | 43 | seccomp |
22 | tracelog | 44 | tracelog |
23 | 45 | ||
24 | whitelist ${DOWNLOADS} | 46 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
25 | mkdir ~/.mozilla | ||
26 | whitelist ~/.mozilla | ||
27 | mkdir ~/.cache/mozilla | ||
28 | whitelist ~/.cache/mozilla | ||
29 | whitelist ~/dwhelper | ||
30 | whitelist ~/.zotero | ||
31 | whitelist ~/.vimperatorrc | ||
32 | whitelist ~/.vimperator | ||
33 | whitelist ~/.pentadactylrc | ||
34 | whitelist ~/.pentadactyl | ||
35 | whitelist ~/.keysnail.js | ||
36 | whitelist ~/.config/gnome-mplayer | ||
37 | whitelist ~/.cache/gnome-mplayer/plugin | ||
38 | whitelist ~/.pki | ||
39 | whitelist ~/.lastpass | ||
40 | include /etc/firejail/whitelist-common.inc | ||
41 | |||
42 | # silverlight | ||
43 | whitelist ~/.wine-pipelight | ||
44 | whitelist ~/.wine-pipelight64 | ||
45 | whitelist ~/.config/pipelight-widevine | ||
46 | whitelist ~/.config/pipelight-silverlight5.1 | ||
47 | |||
48 | # experimental features | ||
49 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index bcad82b5d..d5d92670b 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile | |||
@@ -1,14 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for silentarmy |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/silentarmy.local | 4 | include /etc/firejail/silentarmy.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for SILENTARMY | ||
9 | 8 | ||
10 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
11 | #include /etc/firejail/disable-devel.inc | 10 | # include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
14 | 13 | ||
@@ -25,7 +24,7 @@ shell none | |||
25 | 24 | ||
26 | disable-mnt | 25 | disable-mnt |
27 | private | 26 | private |
28 | #private-bin silentarmy,sa-solver,python3 | 27 | # private-bin silentarmy,sa-solver,python3 |
29 | private-dev | 28 | private-dev |
30 | private-tmp | 29 | private-tmp |
31 | 30 | ||
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 19e400d4f..d6c6886c7 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -1,30 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for simple-scan |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/simple-scan.local | 4 | include /etc/firejail/simple-scan.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # simple-scan profile | ||
9 | noblacklist ~/.cache/simple-scan | 8 | noblacklist ~/.cache/simple-scan |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
16 | netfilter | ||
17 | nogroups | 17 | nogroups |
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
22 | #seccomp | ||
23 | netfilter | ||
24 | shell none | 22 | shell none |
25 | tracelog | 23 | tracelog |
26 | 24 | ||
27 | # private-bin simple-scan | 25 | # private-bin simple-scan |
28 | # private-tmp | ||
29 | # private-dev | 26 | # private-dev |
30 | # private-etc fonts | 27 | # private-etc fonts |
28 | # private-tmp | ||
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # seccomp | ||
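Review bot: `# seccomp` now sits under CLOBBERED COMMENTS at the end of the file (new line 31), so the option block no longer shows that the syscall filter is switched off in this profile, and nothing says why. Keep the disabled option in its sorted position with a reason, e.g. `# seccomp - disabled: <reason, to be filled in by the maintainer>`, so a reviewer can tell a deliberate exception from an omission. The same applies to `# protocol unix,inet,inet6` in skanlite.profile, `# nogroups` in smplayer.profile and `# tracelog` in rambox.profile. In smplayer.profile the old `#ipc-namespace` line is dropped without being carried over at all.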
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index b1df0ba28..32c0436f8 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -1,41 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for simutrans |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/simutrans.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.simutrans |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/simutrans.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # simutrans profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.simutrans | ||
13 | mkdir ~/.simutrans | 14 | mkdir ~/.simutrans |
14 | whitelist ~/.simutrans | 15 | whitelist ~/.simutrans |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix | 23 | protocol unix |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin simutrans | 26 | |
34 | # private-etc none | 27 | # private-bin simutrans |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | |||
39 | |||
40 | |||
41 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 87698f575..f6e27a474 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for skanlite |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/skanlite.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/skanlite.local | ||
7 | 8 | ||
8 | # skanlite profile | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
@@ -17,11 +17,13 @@ nogroups | |||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | nosound | 19 | nosound |
20 | shell none | ||
21 | seccomp | 20 | seccomp |
22 | # protocol unix,inet,inet6 | 21 | shell none |
23 | 22 | ||
24 | # private-bin skanlite | 23 | # private-bin skanlite |
25 | # private-dev | 24 | # private-dev |
26 | # private-tmp | ||
27 | # private-etc | 25 | # private-etc |
26 | # private-tmp | ||
27 | |||
28 | # CLOBBERED COMMENTS | ||
29 | # protocol unix,inet,inet6 | ||
diff --git a/etc/skype.profile b/etc/skype.profile index 7c7a4eb17..396563f0c 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for skype |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/skype.local | 4 | include /etc/firejail/skype.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Skype profile | ||
9 | noblacklist ${HOME}/.Skype | 8 | noblacklist ${HOME}/.Skype |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -22,9 +21,9 @@ protocol unix,inet,inet6 | |||
22 | seccomp | 21 | seccomp |
23 | shell none | 22 | shell none |
24 | 23 | ||
24 | disable-mnt | ||
25 | private-dev | 25 | private-dev |
26 | private-tmp | 26 | private-tmp |
27 | disable-mnt | ||
28 | 27 | ||
29 | noexec ${HOME} | 28 | noexec ${HOME} |
30 | noexec /tmp | 29 | noexec /tmp |
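Review bot: The new side of skype.profile includes `disable-devel.inc` twice (new lines 11 and 12) and never includes `disable-passwdmgr.inc`, so the password-manager paths are not blacklisted by this profile unless another include happens to cover them. The neighbouring skypeforlinux.profile in this commit has `include /etc/firejail/disable-passwdmgr.inc` in that slot, which suggests the duplicate was meant to be that line. Replace the second occurrence with `include /etc/firejail/disable-passwdmgr.inc`. The duplicate predates this commit, but the reordering carries it forward.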
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index a2f693945..7037961f8 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for skypeforlinux |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/skypeforlinux.local | 4 | include /etc/firejail/skypeforlinux.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # skypeforlinux profile | ||
9 | noblacklist ${HOME}/.config/skypeforlinux | 8 | noblacklist ${HOME}/.config/skypeforlinux |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -22,9 +21,9 @@ protocol unix,inet,inet6,netlink | |||
22 | seccomp | 21 | seccomp |
23 | shell none | 22 | shell none |
24 | 23 | ||
24 | disable-mnt | ||
25 | private-dev | 25 | private-dev |
26 | private-tmp | 26 | private-tmp |
27 | disable-mnt | ||
28 | 27 | ||
29 | noexec ${HOME} | 28 | noexec ${HOME} |
30 | noexec /tmp | 29 | noexec /tmp |
diff --git a/etc/slack.profile b/etc/slack.profile index a68717ea3..d2fb74af8 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -1,20 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for slack |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/slack.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /var |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/slack.local | ||
7 | 9 | ||
8 | # Firejail profile for Slack | ||
9 | noblacklist ${HOME}/.config/Slack | 10 | noblacklist ${HOME}/.config/Slack |
10 | noblacklist ${HOME}/Downloads | 11 | noblacklist ${HOME}/Downloads |
11 | 12 | ||
12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
16 | 17 | ||
17 | blacklist /var | 18 | mkdir ${HOME}/.config |
19 | mkdir ${HOME}/.config/Slack | ||
20 | whitelist ${HOME}/.config/Slack | ||
21 | whitelist ${HOME}/Downloads | ||
22 | include /etc/firejail/whitelist-common.inc | ||
18 | 23 | ||
19 | caps.drop all | 24 | caps.drop all |
20 | name slack | 25 | name slack |
@@ -26,14 +31,8 @@ protocol unix,inet,inet6,netlink | |||
26 | seccomp | 31 | seccomp |
27 | shell none | 32 | shell none |
28 | 33 | ||
34 | disable-mnt | ||
29 | private-bin slack | 35 | private-bin slack |
30 | private-dev | 36 | private-dev |
31 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | 37 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime |
32 | private-tmp | 38 | private-tmp |
33 | disable-mnt | ||
34 | |||
35 | mkdir ${HOME}/.config | ||
36 | mkdir ${HOME}/.config/Slack | ||
37 | whitelist ${HOME}/.config/Slack | ||
38 | whitelist ${HOME}/Downloads | ||
39 | include /etc/firejail/whitelist-common.inc | ||
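Review bot: `noblacklist ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` (new lines 11 and 21) hard-code the directory name, while rambox.profile and seamonkey.profile in this commit use `whitelist ${DOWNLOADS}`. On a system whose download directory has a different name, the literal path would not match the directory the user actually downloads to. Use `whitelist ${DOWNLOADS}` here as well, and check whether the `noblacklist` line is still needed once the macro is used.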
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 6a5c115b7..d3ff02ddf 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -1,32 +1,32 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for smplayer |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/smplayer.local | 4 | include /etc/firejail/smplayer.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # smplayer profile | ||
9 | noblacklist ${HOME}/.config/smplayer | 8 | noblacklist ${HOME}/.config/smplayer |
10 | noblacklist ${HOME}/.mplayer | 9 | noblacklist ${HOME}/.mplayer |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | #ipc-namespace | ||
19 | netfilter | 17 | netfilter |
20 | # nogroups | ||
21 | nonewprivs | 18 | nonewprivs |
22 | noroot | 19 | noroot |
23 | protocol unix,inet,inet6,netlink | 20 | protocol unix,inet,inet6,netlink |
24 | seccomp | 21 | seccomp |
25 | shell none | 22 | shell none |
26 | 23 | ||
24 | private-bin smplayer,mplayer | ||
27 | private-dev | 25 | private-dev |
28 | private-tmp | 26 | private-tmp |
29 | private-bin smplayer,mplayer | ||
30 | 27 | ||
31 | noexec ${HOME} | 28 | noexec ${HOME} |
32 | noexec /tmp | 29 | noexec /tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # nogroups | ||
diff --git a/etc/soffice.profile b/etc/soffice.profile index 9fca8e4c9..c30bb5550 100644 --- a/etc/soffice.profile +++ b/etc/soffice.profile | |||
@@ -1,11 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for libreoffice |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/soffice.local | ||
7 | 4 | ||
8 | ################################ | ||
9 | # LibreOffice profile | ||
10 | ################################ | ||
11 | include /etc/firejail/libreoffice.profile | 5 | include /etc/firejail/libreoffice.profile |
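Review bot: The new alias no longer loads `/etc/firejail/soffice.local` (old line 6), so any restriction a user placed there stops applying after the update, with no message. Whether `libreoffice.profile` reads a `.local` file of its own is not visible in this section, and even if it does, existing overrides in `soffice.local` are not carried over. I would keep `include /etc/firejail/soffice.local` ahead of `include /etc/firejail/libreoffice.profile`, or state in the header comment that the file is no longer read. The telegram-desktop.profile and thunar.profile sections drop their `.local` include in the same way.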
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 642612a52..12ae63cf9 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -1,11 +1,11 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for soundconverter |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/soundconverter.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/soundconverter.local | ||
7 | 8 | ||
8 | # Firejail profile for Sound Converter | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 07103b112..64805153c 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -1,26 +1,35 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for spotify |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/spotify.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist ${HOME}/.bashrc |
5 | # Persistent customizations should go in a .local file. | 9 | blacklist /boot |
6 | include /etc/firejail/spotify.local | 10 | blacklist /lost+found |
11 | blacklist /opt | ||
12 | blacklist /root | ||
13 | blacklist /sbin | ||
14 | blacklist /srv | ||
15 | blacklist /sys | ||
7 | 16 | ||
8 | # Spotify media player profile | ||
9 | noblacklist ${HOME}/.config/spotify | ||
10 | noblacklist ${HOME}/.cache/spotify | 17 | noblacklist ${HOME}/.cache/spotify |
18 | noblacklist ${HOME}/.config/spotify | ||
11 | noblacklist ${HOME}/.local/share/spotify | 19 | noblacklist ${HOME}/.local/share/spotify |
20 | |||
12 | include /etc/firejail/disable-common.inc | 21 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 22 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 23 | include /etc/firejail/disable-passwdmgr.inc |
24 | include /etc/firejail/disable-programs.inc | ||
16 | 25 | ||
17 | # Whitelist the folders needed by Spotify | 26 | mkdir ${HOME}/.cache/spotify |
18 | mkdir ${HOME}/.config/spotify | 27 | mkdir ${HOME}/.config/spotify |
19 | whitelist ${HOME}/.config/spotify | ||
20 | mkdir ${HOME}/.local/share/spotify | 28 | mkdir ${HOME}/.local/share/spotify |
21 | whitelist ${HOME}/.local/share/spotify | ||
22 | mkdir ${HOME}/.cache/spotify | ||
23 | whitelist ${HOME}/.cache/spotify | 29 | whitelist ${HOME}/.cache/spotify |
30 | whitelist ${HOME}/.config/spotify | ||
31 | whitelist ${HOME}/.local/share/spotify | ||
32 | include /etc/firejail/whitelist-common.inc | ||
24 | 33 | ||
25 | caps.drop all | 34 | caps.drop all |
26 | netfilter | 35 | netfilter |
@@ -31,20 +40,11 @@ protocol unix,inet,inet6,netlink | |||
31 | seccomp | 40 | seccomp |
32 | shell none | 41 | shell none |
33 | 42 | ||
34 | noexec ${HOME} | 43 | disable-mnt |
35 | noexec /tmp | ||
36 | |||
37 | private-bin spotify,bash,sh,dash | 44 | private-bin spotify,bash,sh,dash |
38 | private-etc fonts,machine-id,pulse,resolv.conf | ||
39 | private-dev | 45 | private-dev |
46 | private-etc fonts,machine-id,pulse,resolv.conf | ||
40 | private-tmp | 47 | private-tmp |
41 | disable-mnt | ||
42 | 48 | ||
43 | blacklist ${HOME}/.bashrc | 49 | noexec ${HOME} |
44 | blacklist /boot | 50 | noexec /tmp |
45 | blacklist /lost+found | ||
46 | blacklist /opt | ||
47 | blacklist /root | ||
48 | blacklist /sbin | ||
49 | blacklist /srv | ||
50 | blacklist /sys | ||
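Review bot: New line 32 adds `include /etc/firejail/whitelist-common.inc`, which the old profile did not have, so this section changes sandbox policy rather than only reordering directives. The contents of that include are not shown here; presumably it whitelists further home-directory paths beyond the three spotify directories. That should be called out in the commit description or split into its own commit so it can be reviewed as a policy change. stellarium.profile (new line 20) and thunderbird.profile (new line 23) gain the same include.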
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index a08064d8c..ac7daa873 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for sqlitebrowser |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/sqlitebrowser.local | 4 | include /etc/firejail/sqlitebrowser.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for SQLiteBrowser | ||
9 | noblacklist ${HOME}/.config/sqlitebrowser | 8 | noblacklist ${HOME}/.config/sqlitebrowser |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index ab47067f1..520524192 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -1,26 +1,28 @@ | |||
1 | # Firejail profile for ssh-agent | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/ssh-agent.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/ssh-agent.local | ||
8 | 10 | ||
9 | # ssh-agent | ||
10 | noblacklist ~/.ssh | ||
11 | noblacklist /tmp/ssh-* | ||
12 | noblacklist /etc/ssh | 11 | noblacklist /etc/ssh |
12 | noblacklist /tmp/ssh-* | ||
13 | noblacklist ~/.ssh | ||
13 | 14 | ||
14 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | ||
17 | 18 | ||
18 | caps.drop all | 19 | caps.drop all |
19 | netfilter | 20 | netfilter |
21 | no3d | ||
20 | nonewprivs | 22 | nonewprivs |
21 | noroot | 23 | noroot |
22 | no3d | ||
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
24 | seccomp | 25 | seccomp |
25 | 26 | ||
26 | blacklist /tmp/.X11-unix | 27 | # CLOBBERED COMMENTS |
28 | # ssh-agent | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index 466abdc88..0f9950a81 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Firejail profile for ssh | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/ssh.local | 5 | include /etc/firejail/ssh.local |
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | 8 | ||
9 | # ssh client | ||
10 | noblacklist ~/.ssh | ||
11 | noblacklist /tmp/ssh-* | ||
12 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
10 | noblacklist /tmp/ssh-* | ||
11 | noblacklist ~/.ssh | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | ipc-namespace | 18 | ipc-namespace |
@@ -29,8 +28,11 @@ shell none | |||
29 | tracelog | 28 | tracelog |
30 | 29 | ||
31 | private-dev | 30 | private-dev |
32 | #private-tmp #Breaks when exiting | 31 | # private-tmp # Breaks when exiting |
33 | 32 | ||
34 | memory-deny-write-execute | 33 | memory-deny-write-execute |
35 | noexec ${HOME} | 34 | noexec ${HOME} |
36 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # ssh client | ||
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index f15e5d8ac..26154508a 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile | |||
@@ -1,11 +1,11 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for start-tor-browser |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/start-tor-browser.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/start-tor-browser.local | ||
7 | 8 | ||
8 | # Firejail profile for the Tor Brower Bundle | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
@@ -22,6 +22,6 @@ shell none | |||
22 | tracelog | 22 | tracelog |
23 | 23 | ||
24 | private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 24 | private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf |
25 | private-etc fonts | ||
26 | private-dev | 25 | private-dev |
26 | private-etc fonts | ||
27 | private-tmp | 27 | private-tmp |
diff --git a/etc/steam.profile b/etc/steam.profile index 856824b5d..b3b62471d 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -1,41 +1,40 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for steam |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/steam.local | 4 | include /etc/firejail/steam.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # with >=llvm-4 mesa drivers need llvm stuff | ||
9 | noblacklist /usr/lib/llvm* | ||
10 | |||
11 | # Steam profile (applies to games/apps launched from Steam as well) | ||
12 | noblacklist ${HOME}/.java | ||
13 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
14 | noblacklist ${HOME}/.steam | ||
15 | noblacklist ${HOME}/.Steampath | 9 | noblacklist ${HOME}/.Steampath |
16 | noblacklist ${HOME}/.steampath | ||
17 | noblacklist ${HOME}/.Steampid | 10 | noblacklist ${HOME}/.Steampid |
18 | noblacklist ${HOME}/.steampid | 11 | noblacklist ${HOME}/.java |
19 | noblacklist ${HOME}/.local/share/Steam | 12 | noblacklist ${HOME}/.local/share/Steam |
20 | noblacklist ${HOME}/.local/share/steam | 13 | noblacklist ${HOME}/.local/share/steam |
14 | noblacklist ${HOME}/.steam | ||
15 | noblacklist ${HOME}/.steampath | ||
16 | noblacklist ${HOME}/.steampid | ||
17 | noblacklist /usr/lib/llvm* | ||
18 | |||
21 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
22 | include /etc/firejail/disable-programs.inc | ||
23 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
24 | include /etc/firejail/disable-passwdmgr.inc | 21 | include /etc/firejail/disable-passwdmgr.inc |
22 | include /etc/firejail/disable-programs.inc | ||
25 | 23 | ||
26 | caps.drop all | 24 | caps.drop all |
27 | #ipc-namespace | ||
28 | netfilter | 25 | netfilter |
29 | nogroups | 26 | nogroups |
30 | nonewprivs | 27 | nonewprivs |
31 | noroot | 28 | noroot |
32 | #novideo | ||
33 | protocol unix,inet,inet6,netlink | 29 | protocol unix,inet,inet6,netlink |
34 | seccomp | 30 | seccomp |
35 | shell none | 31 | shell none |
36 | 32 | ||
37 | # tracelog disabled as it breaks integrated browser | ||
38 | #tracelog | ||
39 | |||
40 | private-dev | 33 | private-dev |
41 | private-tmp | 34 | private-tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # novideo | ||
38 | # tracelog | ||
39 | # tracelog disabled as it breaks integrated browser | ||
40 | # with >=llvm-4 mesa drivers need llvm stuff | ||
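Review bot: The rationale for two deliberate relaxations is detached from the lines it explains. `# with >=llvm-4 mesa drivers need llvm stuff` now sits in the trailing block at new line 40 instead of above `noblacklist /usr/lib/llvm*` (new line 17), and `# tracelog disabled as it breaks integrated browser` is listed after a bare `# tracelog`, so the two no longer read as one statement. Someone auditing the profile cannot tell from this layout why the llvm path is exempted or that tracelog is omitted on purpose. I would put each comment back beside its directive, e.g. `# tracelog disabled as it breaks integrated browser` followed by `# tracelog` after `shell none`.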
diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 00579f8fd..768fbd082 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile | |||
@@ -1,23 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for stellarium |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/stellarium.local | 4 | include /etc/firejail/stellarium.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Stellarium. | ||
9 | noblacklist ~/.stellarium | ||
10 | noblacklist ~/.config/stellarium | 8 | noblacklist ~/.config/stellarium |
9 | noblacklist ~/.stellarium | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | # Whitelist | ||
17 | mkdir ~/.stellarium | ||
18 | whitelist ~/.stellarium | ||
19 | mkdir ~/.config/stellarium | 16 | mkdir ~/.config/stellarium |
17 | mkdir ~/.stellarium | ||
20 | whitelist ~/.config/stellarium | 18 | whitelist ~/.config/stellarium |
19 | whitelist ~/.stellarium | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
@@ -30,7 +30,7 @@ seccomp | |||
30 | shell none | 30 | shell none |
31 | tracelog | 31 | tracelog |
32 | 32 | ||
33 | disable-mnt | ||
33 | private-bin stellarium | 34 | private-bin stellarium |
34 | private-dev | 35 | private-dev |
35 | private-tmp | 36 | private-tmp |
36 | disable-mnt | ||
diff --git a/etc/strings.profile b/etc/strings.profile index a83e3a801..09957ae09 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -1,22 +1,23 @@ | |||
1 | # Firejail profile for strings | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/strings.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/strings.local | ||
8 | 10 | ||
9 | # strings profile | ||
10 | ignore noroot | 11 | ignore noroot |
11 | include /etc/firejail/default.profile | ||
12 | |||
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
15 | nosound | 14 | nosound |
16 | novideo | 15 | novideo |
17 | shell none | 16 | shell none |
18 | tracelog | 17 | tracelog |
18 | |||
19 | private-dev | 19 | private-dev |
20 | blacklist /tmp/.X11-unix | ||
21 | 20 | ||
22 | memory-deny-write-execute | 21 | memory-deny-write-execute |
22 | |||
23 | include /etc/firejail/default.profile | ||
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 276e91b05..87ad8da7f 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -1,41 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for supertux2 |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/supertux2.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.local/share/supertux2 |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/supertux2.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # SuperTux profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.local/share/supertux2 | ||
13 | mkdir ~/.local/share/supertux2 | 14 | mkdir ~/.local/share/supertux2 |
14 | whitelist ~/.local/share/supertux2 | 15 | whitelist ~/.local/share/supertux2 |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | net none | ||
20 | nogroups | ||
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
24 | protocol unix,netlink | 23 | protocol unix,netlink |
25 | seccomp | 24 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | net none | ||
31 | nogroups | ||
32 | shell none | 25 | shell none |
33 | #private-bin supertux2 | 26 | |
34 | # private-etc none | 27 | # private-bin supertux2 |
35 | private-dev | 28 | private-dev |
29 | # private-etc none | ||
36 | private-tmp | 30 | private-tmp |
37 | # nosound | ||
38 | |||
39 | |||
40 | |||
41 | 31 | ||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index bcb42f624..02db74df3 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for synfigstudio |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/synfigstudio.local | 4 | include /etc/firejail/synfigstudio.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # synfigstudio | ||
9 | noblacklist ${HOME}/.config/synfig | 8 | noblacklist ${HOME}/.config/synfig |
10 | noblacklist ${HOME}/.synfig | 9 | noblacklist ${HOME}/.synfig |
11 | 10 | ||
@@ -30,3 +29,6 @@ private-tmp | |||
30 | 29 | ||
31 | noexec ${HOME} | 30 | noexec ${HOME} |
32 | noexec /tmp | 31 | noexec /tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # synfigstudio | ||
diff --git a/etc/tar.profile b/etc/tar.profile index c2d089e71..c3b5aa0e6 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -1,25 +1,26 @@ | |||
1 | # Firejail profile for tar | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/tar.local | 5 | include /etc/firejail/tar.local |
8 | 6 | # Persistent global definitions | |
9 | # tar profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | 8 | ||
13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
14 | 10 | ||
15 | hostname tar | 11 | hostname tar |
12 | ignore noroot | ||
16 | net none | 13 | net none |
17 | no3d | 14 | no3d |
18 | nosound | 15 | nosound |
19 | shell none | 16 | shell none |
20 | tracelog | 17 | tracelog |
21 | 18 | ||
22 | # support compressed archives | ||
23 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 19 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
24 | private-dev | 20 | private-dev |
25 | private-etc passwd,group,localtime | 21 | private-etc passwd,group,localtime |
22 | |||
23 | include /etc/firejail/default.profile | ||
24 | |||
25 | # CLOBBERED COMMENTS | ||
26 | # support compressed archives | ||
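Review bot: `# support compressed archives` is stranded under `# CLOBBERED COMMENTS` at new line 26, away from the `private-bin` line at new line 19 whose compressor entries (`compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop`) it explained. That list defines which executables are visible inside the sandbox, so the justification for its length should stay directly above it. I would restore `# support compressed archives` immediately before `private-bin sh,bash,dash,tar,gtar,...` and remove the trailing block.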
diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile index db5c2bdbb..844595b3f 100644 --- a/etc/telegram-desktop.profile +++ b/etc/telegram-desktop.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for telegram |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/telegram-desktop.local | ||
7 | 4 | ||
8 | # Telegram profile | ||
9 | include /etc/firejail/telegram.profile | 5 | include /etc/firejail/telegram.profile |
diff --git a/etc/telegram.profile b/etc/telegram.profile index db00e8082..e40233c35 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for telegram |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/telegram.local | 4 | include /etc/firejail/telegram.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Telegram profile | ||
9 | noblacklist ${HOME}/.TelegramDesktop | 8 | noblacklist ${HOME}/.TelegramDesktop |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
@@ -18,8 +18,8 @@ noroot | |||
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
19 | seccomp | 19 | seccomp |
20 | 20 | ||
21 | private-tmp | ||
22 | disable-mnt | 21 | disable-mnt |
22 | private-tmp | ||
23 | 23 | ||
24 | noexec ${HOME} | 24 | noexec ${HOME} |
25 | noexec /tmp | 25 | noexec /tmp |
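Review bot: The include list at new lines 10-12 has `disable-common.inc`, `disable-devel.inc` and `disable-programs.inc` but not `disable-passwdmgr.inc`, which most other profiles in this commit carry. The omission predates this change, but the list is being normalized here and the profile allows network access (`protocol unix,inet,inet6`). I would add `include /etc/firejail/disable-passwdmgr.inc` between the devel and programs lines, unless Telegram is known to need those paths. Lines 16-17 of the file fall between the two hunks and are not shown.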
diff --git a/etc/thunar.profile b/etc/thunar.profile index d8389ebc8..044f22d29 100644 --- a/etc/thunar.profile +++ b/etc/thunar.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for Thunar |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/thunar.local | ||
7 | 4 | ||
8 | include /etc/firejail/Thunar.profile | 5 | include /etc/firejail/Thunar.profile |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index c693a53b3..c80f76aa8 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -1,36 +1,35 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for thunderbird |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/thunderbird.local | 4 | include /etc/firejail/thunderbird.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Mozilla Thunderbird | 8 | noblacklist ~/.cache/thunderbird |
9 | # Users have thunderbird set to open a browser by clicking a link in an email | ||
10 | # We are not allowed to blacklist browser-specific directories | ||
11 | |||
12 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
13 | mkdir ~/.gnupg | 10 | noblacklist ~/.icedove |
14 | whitelist ~/.gnupg | ||
15 | |||
16 | noblacklist ~/.thunderbird | 11 | noblacklist ~/.thunderbird |
17 | mkdir ~/.thunderbird | ||
18 | whitelist ~/.thunderbird | ||
19 | 12 | ||
20 | noblacklist ~/.icedove | 13 | mkdir ~/.cache/thunderbird |
14 | mkdir ~/.gnupg | ||
21 | mkdir ~/.icedove | 15 | mkdir ~/.icedove |
16 | mkdir ~/.thunderbird | ||
17 | whitelist ~/.cache/thunderbird | ||
18 | whitelist ~/.config/mimeapps.list | ||
19 | whitelist ~/.gnupg | ||
22 | whitelist ~/.icedove | 20 | whitelist ~/.icedove |
21 | whitelist ~/.local/share/applications | ||
22 | whitelist ~/.thunderbird | ||
23 | include /etc/firejail/whitelist-common.inc | ||
23 | 24 | ||
24 | noblacklist ~/.cache/thunderbird | 25 | ignore private-tmp |
25 | mkdir ~/.cache/thunderbird | ||
26 | whitelist ~/.cache/thunderbird | ||
27 | 26 | ||
28 | whitelist ~/.config/mimeapps.list | ||
29 | read-only ~/.config/mimeapps.list | 27 | read-only ~/.config/mimeapps.list |
30 | whitelist ~/.local/share/applications | ||
31 | read-only ~/.local/share/applications | 28 | read-only ~/.local/share/applications |
32 | 29 | ||
33 | # allow browsers | ||
34 | ignore private-tmp | ||
35 | include /etc/firejail/firefox.profile | 30 | include /etc/firejail/firefox.profile |
36 | #include /etc/firejail/chromium.profile - chromium runs as suid! | 31 | |
32 | # CLOBBERED COMMENTS | ||
33 | # Users have thunderbird set to open a browser by clicking a link in an email | ||
34 | # We are not allowed to blacklist browser-specific directories | ||
35 | # allow browsers | ||
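Review bot: The old line 36 warning `#include /etc/firejail/chromium.profile - chromium runs as suid!` is dropped entirely on the new side. The three comments that justified `ignore private-tmp` and `include /etc/firejail/firefox.profile` are moved to the trailing block at new lines 33-35. Those two directives are where this profile is loosened to let a browser start from a mail link, so the reasoning should stay beside them. I would keep `# allow browsers` and the two sentences about not blacklisting browser directories directly above `ignore private-tmp`, and keep a one-line note that chromium.profile is not included because chromium runs as suid.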
diff --git a/etc/totem.profile b/etc/totem.profile index 7ae082760..a364e4c02 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -1,21 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for totem |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/totem.local | 4 | include /etc/firejail/totem.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Totem media player profile | ||
9 | noblacklist ~/.config/totem | 8 | noblacklist ~/.config/totem |
10 | noblacklist ~/.local/share/totem | 9 | noblacklist ~/.local/share/totem |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | #ipc-namespace | ||
19 | netfilter | 17 | netfilter |
20 | nogroups | 18 | nogroups |
21 | nonewprivs | 19 | nonewprivs |
@@ -26,7 +24,7 @@ shell none | |||
26 | 24 | ||
27 | private-bin totem | 25 | private-bin totem |
28 | private-dev | 26 | private-dev |
29 | #private-etc fonts | 27 | # private-etc fonts |
30 | private-tmp | 28 | private-tmp |
31 | 29 | ||
32 | noexec ${HOME} | 30 | noexec ${HOME} |
diff --git a/etc/tracker.profile b/etc/tracker.profile index b87bebf43..98040133c 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -1,34 +1,33 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for tracker |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/tracker.local | 4 | include /etc/firejail/tracker.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # tracker profile | 8 | blacklist /tmp/.X11-unix |
9 | |||
10 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | ||
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
18 | netfilter | 16 | netfilter |
17 | no3d | ||
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
21 | noroot | 20 | noroot |
22 | nosound | 21 | nosound |
23 | no3d | ||
24 | protocol unix | 22 | protocol unix |
25 | seccomp | 23 | seccomp |
26 | shell none | 24 | shell none |
27 | tracelog | 25 | tracelog |
28 | 26 | ||
29 | blacklist /tmp/.X11-unix | ||
30 | |||
31 | # private-bin tracker | 27 | # private-bin tracker |
32 | # private-tmp | ||
33 | # private-dev | 28 | # private-dev |
34 | # private-etc fonts | 29 | # private-etc fonts |
30 | # private-tmp | ||
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | ||
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 5b7e6e7c8..e8fdd81d7 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-cli |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/transmission-cli.local | 4 | include /etc/firejail/transmission-cli.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # transmission-cli bittorrent profile | ||
9 | noblacklist ${HOME}/.config/transmission | ||
10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
9 | noblacklist ${HOME}/.config/transmission | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
@@ -24,9 +23,9 @@ seccomp | |||
24 | shell none | 23 | shell none |
25 | tracelog | 24 | tracelog |
26 | 25 | ||
27 | #private-bin transmission-cli | 26 | # private-bin transmission-cli |
28 | private-tmp | ||
29 | private-dev | 27 | private-dev |
30 | private-etc none | 28 | private-etc none |
29 | private-tmp | ||
31 | 30 | ||
32 | memory-deny-write-execute | 31 | memory-deny-write-execute |
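Review bot: `private-etc none` (new line 28) is kept in a profile that also enables networking via `netfilter`, and as far as I can tell `none` is read as a file name that does not exist rather than as a keyword, so the sandbox gets an empty /etc. If that reading is right, resolv.conf and the CA certificate store are absent inside the sandbox, which would affect name resolution and TLS verification for trackers. I would either list the files the client needs or add a comment such as `# empty /etc on purpose; tested with DNS and HTTPS trackers` so the choice is visibly deliberate. The options between the two hunks are not shown here.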
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 7f85aa69c..b3cf5213a 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -1,24 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-gtk |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/transmission-gtk.local | 4 | include /etc/firejail/transmission-gtk.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # transmission-gtk bittorrent profile | ||
9 | noblacklist ${HOME}/.config/transmission | ||
10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
9 | noblacklist ${HOME}/.config/transmission | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | mkdir ~/.config/transmission | ||
18 | whitelist ~/.config/transmission | ||
19 | mkdir ~/.cache/transmission | 16 | mkdir ~/.cache/transmission |
20 | whitelist ~/.cache/transmission | 17 | mkdir ~/.config/transmission |
21 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ~/.cache/transmission | ||
20 | whitelist ~/.config/transmission | ||
22 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
23 | 22 | ||
24 | caps.drop all | 23 | caps.drop all |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 70a5af575..433fb716e 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -1,24 +1,23 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-qt |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/transmission-qt.local | 4 | include /etc/firejail/transmission-qt.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # transmission-qt bittorrent profile | ||
9 | noblacklist ${HOME}/.config/transmission | ||
10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
9 | noblacklist ${HOME}/.config/transmission | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | mkdir ~/.config/transmission | ||
18 | whitelist ~/.config/transmission | ||
19 | mkdir ~/.cache/transmission | 16 | mkdir ~/.cache/transmission |
20 | whitelist ~/.cache/transmission | 17 | mkdir ~/.config/transmission |
21 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ~/.cache/transmission | ||
20 | whitelist ~/.config/transmission | ||
22 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
23 | 22 | ||
24 | caps.drop all | 23 | caps.drop all |
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 743f9ff4f..e87ab51df 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for transmission-show |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/transmission-show.local | 4 | include /etc/firejail/transmission-show.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # transmission-show profile | ||
9 | noblacklist ${HOME}/.config/transmission | ||
10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
9 | noblacklist ${HOME}/.config/transmission | ||
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | net none | 17 | net none |
@@ -25,6 +24,6 @@ shell none | |||
25 | tracelog | 24 | tracelog |
26 | 25 | ||
27 | # private-bin | 26 | # private-bin |
28 | private-tmp | ||
29 | private-dev | 27 | private-dev |
30 | private-etc none | 28 | private-etc none |
29 | private-tmp | ||
diff --git a/etc/truecraft.profile b/etc/truecraft.profile index 20435c30f..850845c95 100644 --- a/etc/truecraft.profile +++ b/etc/truecraft.profile | |||
@@ -1,11 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for truecraft |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/truecraft.local | 4 | include /etc/firejail/truecraft.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for TrueCraft | ||
9 | noblacklist ${HOME}/.config/mono | 8 | noblacklist ${HOME}/.config/mono |
10 | noblacklist ${HOME}/.config/truecraft | 9 | noblacklist ${HOME}/.config/truecraft |
11 | 10 | ||
@@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
15 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
16 | 15 | ||
17 | mkdir ${HOME}/.config/mono | 16 | mkdir ${HOME}/.config/mono |
18 | whitelist ${HOME}/.config/mono | ||
19 | mkdir ${HOME}/.config/truecraft | 17 | mkdir ${HOME}/.config/truecraft |
18 | whitelist ${HOME}/.config/mono | ||
20 | whitelist ${HOME}/.config/truecraft | 19 | whitelist ${HOME}/.config/truecraft |
21 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
22 | 21 | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 5b65b8c41..775ac8a96 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -1,16 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for uget-gtk |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/uget-gtk.local | 4 | include /etc/firejail/uget-gtk.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # uGet profile | ||
9 | noblacklist ${HOME}/.config/uGet | 8 | noblacklist ${HOME}/.config/uGet |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | mkdir ~/.config/uGet | ||
15 | whitelist ${DOWNLOADS} | ||
16 | whitelist ~/.config/uGet | ||
17 | include /etc/firejail/whitelist-common.inc | ||
14 | 18 | ||
15 | caps.drop all | 19 | caps.drop all |
16 | netfilter | 20 | netfilter |
@@ -24,8 +28,3 @@ shell none | |||
24 | private-bin uget-gtk | 28 | private-bin uget-gtk |
25 | private-dev | 29 | private-dev |
26 | private-tmp | 30 | private-tmp |
27 | |||
28 | whitelist ${DOWNLOADS} | ||
29 | mkdir ~/.config/uGet | ||
30 | whitelist ~/.config/uGet | ||
31 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/unbound.profile b/etc/unbound.profile index 7431ee27a..091d59c1a 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -1,20 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for unbound |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/unbound.local | 4 | include /etc/firejail/unbound.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # security profile for unbound (https://unbound.net) | ||
9 | noblacklist /sbin | 8 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | private | ||
17 | private-dev | ||
18 | nosound | ||
19 | no3d | 16 | no3d |
17 | nosound | ||
20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 18 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
19 | |||
20 | private | ||
21 | private-dev | ||
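Review bot: `perf_event_open` is listed twice in the `seccomp.drop` line (new line 18), once in the middle and again as the last entry; the trailing duplicate can be removed. The list is a hand-maintained denylist, and the profile as shown has no `caps.drop`/`caps.keep`, `nonewprivs` or `protocol` line. A comment above it, e.g. `# custom denylist instead of the default seccomp filter: <reason>`, would let the next reviewer tell whether those gaps are intentional for a daemon or just not yet done.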
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index c4e535070..fc24fc04d 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
@@ -1,40 +1,33 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for unknown-horizons |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/unknown-horizons.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | noblacklist ~/.unknown-horizons |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/unknown-horizons.local | ||
7 | 9 | ||
8 | ################################ | 10 | include /etc/firejail/disable-common.inc |
9 | # Extreme Tux Racer profile | 11 | include /etc/firejail/disable-passwdmgr.inc |
10 | ################################ | 12 | include /etc/firejail/disable-programs.inc |
11 | 13 | ||
12 | noblacklist ~/.unknown-horizons | ||
13 | mkdir ~/.unknown-horizons | 14 | mkdir ~/.unknown-horizons |
14 | whitelist ~/.unknown-horizons | 15 | whitelist ~/.unknown-horizons |
15 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
16 | 17 | ||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | include /etc/firejail/disable-passwdmgr.inc | ||
20 | |||
21 | caps.drop all | 18 | caps.drop all |
19 | nogroups | ||
22 | nonewprivs | 20 | nonewprivs |
23 | noroot | 21 | noroot |
24 | protocol unix,netlink,inet,inet6 | 22 | protocol unix,netlink,inet,inet6 |
25 | seccomp | 23 | seccomp |
26 | |||
27 | # | ||
28 | # depending on your usage, you can enable some of the commands below: | ||
29 | # | ||
30 | nogroups | ||
31 | shell none | 24 | shell none |
32 | #private-bin unknown-horizons | 25 | |
33 | # private-etc none | 26 | # private-bin unknown-horizons |
34 | private-dev | 27 | private-dev |
28 | # private-etc none | ||
35 | private-tmp | 29 | private-tmp |
36 | # nosound | ||
37 | |||
38 | |||
39 | |||
40 | 30 | ||
31 | # CLOBBERED COMMENTS | ||
32 | # depending on your usage, you can enable some of the commands below: | ||
33 | # nosound | ||
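Review bot: The `# CLOBBERED COMMENTS` block at new lines 31-33 ships a tooling placeholder in the installed profile and separates `# nosound` from the option list it belongs to; the sentence 'you can enable some of the commands below' now points at a single line. I would move `# nosound` back next to `nogroups`/`nonewprivs` as a commented-out option and drop the heading. The same block appears in the virtualbox, vivaldi and vlc sections of this commit. In vlc it holds the only explanation of why `memory-deny-write-execute` is disabled, which reads better beside the `noexec` lines it relates to.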
diff --git a/etc/unrar.profile b/etc/unrar.profile index 62d6665ec..8d8fda952 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -1,18 +1,15 @@ | |||
1 | # Firejail profile for unrar | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/unrar.local | 5 | include /etc/firejail/unrar.local |
8 | 6 | # Persistent global definitions | |
9 | # unrar profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | 8 | ||
13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
14 | 10 | ||
15 | hostname unrar | 11 | hostname unrar |
12 | ignore noroot | ||
16 | net none | 13 | net none |
17 | no3d | 14 | no3d |
18 | nosound | 15 | nosound |
@@ -23,3 +20,5 @@ private-bin unrar | |||
23 | private-dev | 20 | private-dev |
24 | private-etc passwd,group,localtime | 21 | private-etc passwd,group,localtime |
25 | private-tmp | 22 | private-tmp |
23 | |||
24 | include /etc/firejail/default.profile | ||
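Review bot: `ignore noroot` (new line 12) now sits inside an alphabetically sorted option list, a dozen lines above the `include /etc/firejail/default.profile` that it presumably targets. As far as I know an `ignore` only affects lines read after it, so a later re-sort or a move of the include back to the top would silently change whether `noroot` applies. A comment on that line, e.g. `# must stay above the include of default.profile`, would protect the ordering. The unzip and uudeview sections have the same layout, and the options between the two hunks are not shown here.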
diff --git a/etc/unzip.profile b/etc/unzip.profile index 130e57ae9..6556b4f56 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -1,17 +1,15 @@ | |||
1 | # Firejail profile for unzip | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/unzip.local | 5 | include /etc/firejail/unzip.local |
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | 8 | ||
9 | # unzip profile | ||
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
13 | 10 | ||
14 | hostname unzip | 11 | hostname unzip |
12 | ignore noroot | ||
15 | net none | 13 | net none |
16 | no3d | 14 | no3d |
17 | nosound | 15 | nosound |
@@ -21,3 +19,5 @@ tracelog | |||
21 | private-bin unzip | 19 | private-bin unzip |
22 | private-dev | 20 | private-dev |
23 | private-etc passwd,group,localtime | 21 | private-etc passwd,group,localtime |
22 | |||
23 | include /etc/firejail/default.profile | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 46f28179b..22457bf2c 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -1,17 +1,14 @@ | |||
1 | # Firejail profile for uudeview | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/uudeview.local | 5 | include /etc/firejail/uudeview.local |
8 | 6 | # Persistent global definitions | |
9 | # uudeview profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | 8 | ||
13 | 9 | ||
14 | hostname uudeview | 10 | hostname uudeview |
11 | ignore noroot | ||
15 | net none | 12 | net none |
16 | nosound | 13 | nosound |
17 | shell none | 14 | shell none |
@@ -20,3 +17,5 @@ tracelog | |||
20 | private-bin uudeview | 17 | private-bin uudeview |
21 | private-dev | 18 | private-dev |
22 | private-etc ld.so.preload | 19 | private-etc ld.so.preload |
20 | |||
21 | include /etc/firejail/default.profile | ||
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 4ab4ce0f4..caae3659e 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile | |||
@@ -1,17 +1,27 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/uzbl-browser.local | ||
7 | |||
8 | # Firejail profile for uzbl-browser | 1 | # Firejail profile for uzbl-browser |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/uzbl-browser.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
9 | 7 | ||
10 | noblacklist ~/.config/uzbl | 8 | noblacklist ~/.config/uzbl |
11 | noblacklist ~/.gnupg | 9 | noblacklist ~/.gnupg |
10 | |||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.config/uzbl | ||
16 | mkdir ~/.gnupg | ||
17 | mkdir ~/.local/share/uzbl | ||
18 | mkdir ~/.password-store | ||
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ~/.config/uzbl | ||
21 | whitelist ~/.gnupg | ||
22 | whitelist ~/.local/share/uzbl | ||
23 | whitelist ~/.password-store | ||
24 | include /etc/firejail/whitelist-common.inc | ||
15 | 25 | ||
16 | caps.drop all | 26 | caps.drop all |
17 | netfilter | 27 | netfilter |
@@ -20,17 +30,3 @@ noroot | |||
20 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
21 | seccomp | 31 | seccomp |
22 | tracelog | 32 | tracelog |
23 | |||
24 | mkdir ~/.config/uzbl | ||
25 | whitelist ~/.config/uzbl | ||
26 | mkdir ~/.local/share/uzbl | ||
27 | whitelist ~/.local/share/uzbl | ||
28 | |||
29 | whitelist ${DOWNLOADS} | ||
30 | |||
31 | mkdir ~/.gnupg | ||
32 | whitelist ~/.gnupg | ||
33 | mkdir ~/.password-store | ||
34 | whitelist ~/.password-store | ||
35 | |||
36 | include /etc/firejail/whitelist-common.inc | ||
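Review bot: The whitelist block (new lines 15-24) gives a web browser access to `~/.gnupg` and `~/.password-store`, and the include list has no `disable-passwdmgr.inc`. The commit only reorders these lines, so the exposure is carried over without a stated reason. A comment above the two `whitelist` lines, such as `# ~/.gnupg and ~/.password-store are needed by <feature>; remove if unused`, would make the trade-off reviewable. There is a `noblacklist ~/.gnupg` but none for `~/.password-store`, which may matter depending on what the included disable-*.inc files blacklist.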
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 20f738d42..9235d149c 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -1,22 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for viewnior |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/viewnior.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
6 | include /etc/firejail/viewnior.local | ||
7 | 10 | ||
8 | # Firejail profile for viewnior | ||
9 | noblacklist ~/.config/viewnior | ||
10 | noblacklist ~/.Steam | 11 | noblacklist ~/.Steam |
12 | noblacklist ~/.config/viewnior | ||
11 | noblacklist ~/.steam | 13 | noblacklist ~/.steam |
12 | 14 | ||
13 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
17 | 18 | include /etc/firejail/disable-programs.inc | |
18 | blacklist ~/.bashrc | ||
19 | blacklist ~/.Xauthority | ||
20 | 19 | ||
21 | caps.drop all | 20 | caps.drop all |
22 | net none | 21 | net none |
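Review bot: `noblacklist ~/.Steam` and `noblacklist ~/.steam` (new lines 11 and 13) are kept in an image viewer's profile, where they look like a leftover from another profile. If viewnior has no need for those directories, dropping the two lines lets the included disable-*.inc files blacklist them again, assuming they do so, which is not visible here. If the entries are intentional, a one-line comment saying why would help. The rest of the profile continues outside the hunk.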
diff --git a/etc/viking.profile b/etc/viking.profile index e34bdc3f7..aa26388f8 100644 --- a/etc/viking.profile +++ b/etc/viking.profile | |||
@@ -1,22 +1,19 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/viking.local | ||
7 | |||
8 | # Firejail profile for viking | 1 | # Firejail profile for viking |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/viking.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
9 | 7 | ||
10 | noblacklist ${HOME}/.viking | 8 | noblacklist ${HOME}/.viking |
11 | noblacklist ${HOME}/.viking-maps | 9 | noblacklist ${HOME}/.viking-maps |
12 | 10 | ||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
17 | 15 | ||
18 | caps.drop all | 16 | caps.drop all |
19 | #ipc-namespace | ||
20 | netfilter | 17 | netfilter |
21 | no3d | 18 | no3d |
22 | nogroups | 19 | nogroups |
diff --git a/etc/vim.profile b/etc/vim.profile index abe86e375..815676da8 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for vim |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vim.local | 4 | include /etc/firejail/vim.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # vim profile | ||
9 | noblacklist ~/.vim | 8 | noblacklist ~/.vim |
10 | noblacklist ~/.vimrc | ||
11 | noblacklist ~/.viminfo | 9 | noblacklist ~/.viminfo |
10 | noblacklist ~/.vimrc | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 374c73da2..ca7987932 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile | |||
@@ -1,27 +1,28 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for virtualbox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/virtualbox.local | 4 | include /etc/firejail/virtualbox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # virtualbox profile | ||
9 | noblacklist ${HOME}/.VirtualBox | 8 | noblacklist ${HOME}/.VirtualBox |
10 | noblacklist ${HOME}/VirtualBox VMs | ||
11 | noblacklist ${HOME}/.config/VirtualBox | 9 | noblacklist ${HOME}/.config/VirtualBox |
12 | 10 | noblacklist ${HOME}/VirtualBox VMs | |
13 | mkdir ~/VirtualBox VMs | ||
14 | whitelist ~/VirtualBox VMs | ||
15 | mkdir ~/.config/VirtualBox | ||
16 | whitelist ~/.config/VirtualBox | ||
17 | |||
18 | # noblacklist /usr/bin/virtualbox | ||
19 | noblacklist /usr/lib/virtualbox | 11 | noblacklist /usr/lib/virtualbox |
20 | noblacklist /usr/lib64/virtualbox | 12 | noblacklist /usr/lib64/virtualbox |
13 | |||
21 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
22 | include /etc/firejail/disable-programs.inc | ||
23 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | |||
18 | mkdir ~/.config/VirtualBox | ||
19 | mkdir ~/VirtualBox VMs | ||
20 | whitelist ~/.config/VirtualBox | ||
21 | whitelist ~/VirtualBox VMs | ||
24 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
25 | 23 | ||
26 | caps.drop all | 24 | caps.drop all |
27 | netfilter | 25 | netfilter |
26 | |||
27 | # CLOBBERED COMMENTS | ||
28 | # noblacklist /usr/bin/virtualbox | ||
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile index f2c2f4cc0..4fa8a877c 100644 --- a/etc/vivaldi-beta.profile +++ b/etc/vivaldi-beta.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for vivaldi |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vivaldi-beta.local | ||
7 | 4 | ||
8 | # Vivaldi Beta browser profile | ||
9 | include /etc/firejail/vivaldi.profile | 5 | include /etc/firejail/vivaldi.profile |
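Review bot: The alias no longer reads `/etc/firejail/vivaldi-beta.local`, so any restriction a user placed in that file stops applying after the update, with no message. If this is intended, the header should say where customizations now belong, e.g. `# Persistent local customizations go in vivaldi.local`. Otherwise keep `include /etc/firejail/vivaldi-beta.local` above the include of vivaldi.profile. `globals.local` is still reached through vivaldi.profile, as its section in this commit shows.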
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile index 9b2ccd4f3..4fa8a877c 100644 --- a/etc/vivaldi-stable.profile +++ b/etc/vivaldi-stable.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for vivaldi |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vivaldi.local | ||
7 | 4 | ||
8 | include /etc/firejail/vivaldi.profile | 5 | include /etc/firejail/vivaldi.profile |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index fab620499..1b63f1573 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -1,36 +1,34 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for vivaldi |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vivaldi.local | 4 | include /etc/firejail/vivaldi.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Vivaldi browser profile | ||
9 | noblacklist ~/.cache/vivaldi | 8 | noblacklist ~/.cache/vivaldi |
10 | |||
11 | # Vivaldi browser profile | ||
12 | noblacklist ~/.config/vivaldi | 9 | noblacklist ~/.config/vivaldi |
10 | |||
13 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | ||
16 | 14 | ||
17 | |||
18 | whitelist ${DOWNLOADS} | ||
19 | mkdir ~/.config/vivaldi | ||
20 | whitelist ~/.config/vivaldi | ||
21 | mkdir ~/.cache/vivaldi | 15 | mkdir ~/.cache/vivaldi |
16 | mkdir ~/.config/vivaldi | ||
17 | whitelist ${DOWNLOADS} | ||
22 | whitelist ~/.cache/vivaldi | 18 | whitelist ~/.cache/vivaldi |
19 | whitelist ~/.config/vivaldi | ||
23 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
24 | 21 | ||
25 | caps.keep sys_chroot,sys_admin | 22 | caps.keep sys_chroot,sys_admin |
26 | #ipc-namespace | ||
27 | netfilter | 23 | netfilter |
28 | nogroups | 24 | nogroups |
29 | shell none | 25 | shell none |
30 | 26 | ||
31 | private-dev | 27 | private-dev |
32 | #private-tmp - problems with multiple browser sessions | 28 | # private-tmp - problems with multiple browser sessions |
33 | #disable-mnt | ||
34 | 29 | ||
35 | noexec ${HOME} | 30 | noexec ${HOME} |
36 | noexec /tmp | 31 | noexec /tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # disable-mnt | ||
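Review bot: `caps.keep sys_chroot,sys_admin` (new line 22) retains CAP_SYS_ADMIN, and the profile sets none of `seccomp`, `nonewprivs` or `noroot`, yet nothing in the file says why. Presumably this is for the browser's own sandbox, but that is an inference. A comment such as `# sys_admin and sys_chroot are kept for the browser's internal sandbox` would record the reason next to the line. Dropping `#ipc-namespace` and moving `# disable-mnt` to the end also removes the only hints about which further restrictions had been considered.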
diff --git a/etc/vlc.profile b/etc/vlc.profile index 6ae8b0d15..c95f6f048 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -1,22 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for vlc |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vlc.local | 4 | include /etc/firejail/vlc.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # VLC media player profile | ||
9 | noblacklist ${HOME}/.config/vlc | 8 | noblacklist ${HOME}/.config/vlc |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | #ipc-namespace | ||
18 | netfilter | 16 | netfilter |
19 | # nogroups | ||
20 | nonewprivs | 17 | nonewprivs |
21 | noroot | 18 | noroot |
22 | protocol unix,inet,inet6,netlink | 19 | protocol unix,inet,inet6,netlink |
@@ -27,6 +24,9 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | |||
27 | private-dev | 24 | private-dev |
28 | private-tmp | 25 | private-tmp |
29 | 26 | ||
30 | # memory-deny-write-execute - breaks playing videos | ||
31 | noexec ${HOME} | 27 | noexec ${HOME} |
32 | noexec /tmp | 28 | noexec /tmp |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # memory-deny-write-execute - breaks playing videos | ||
32 | # nogroups | ||
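Review bot: The rewritten header swaps the two override includes, so `include /etc/firejail/vlc.local` is now read before `include /etc/firejail/globals.local`, which is a behaviour change inside what otherwise reads as a formatting pass. Directives in these profiles look order-sensitive (the `noblacklist` lines are kept ahead of the `disable-*.inc` includes), so a `noblacklist` or `ignore` placed in a .local file may now take effect against globals.local where it did not before. If that is the intent, say so in the header, e.g. `# Persistent local customizations (read before globals.local)`. The same swap appears in every non-alias profile section that follows, vym through xiphos.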
diff --git a/etc/vym.profile b/etc/vym.profile index d3058fa64..f769dda16 100644 --- a/etc/vym.profile +++ b/etc/vym.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for vym |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/vym.local | 4 | include /etc/firejail/vym.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ./.config/InSilmaril | 8 | noblacklist ./.config/InSilmaril |
9 | 9 | ||
@@ -24,9 +24,9 @@ protocol unix | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | disable-mnt | ||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 6f7957992..fc5ee2bad 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -1,33 +1,32 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for w3m |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/w3m.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist /tmp/.X11-unix |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/w3m.local | ||
7 | 9 | ||
8 | # w3m profile | ||
9 | noblacklist ~/.w3m | 10 | noblacklist ~/.w3m |
10 | 11 | ||
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | no3d | ||
17 | nogroups | 20 | nogroups |
18 | nonewprivs | 21 | nonewprivs |
19 | noroot | 22 | noroot |
20 | nosound | 23 | nosound |
21 | no3d | ||
22 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
23 | seccomp | 25 | seccomp |
24 | netfilter | ||
25 | shell none | 26 | shell none |
26 | tracelog | 27 | tracelog |
27 | 28 | ||
28 | blacklist /tmp/.X11-unix | ||
29 | |||
30 | # private-bin w3m | 29 | # private-bin w3m |
31 | private-tmp | ||
32 | private-dev | 30 | private-dev |
33 | private-etc none | 31 | private-etc none |
32 | private-tmp | ||
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 767824d8d..157fe3e81 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile | |||
@@ -1,24 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for warzone2100 |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/warzone2100.local | 4 | include /etc/firejail/warzone2100.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for warzone2100 | ||
9 | noblacklist ~/.warzone2100-3.* | 8 | noblacklist ~/.warzone2100-3.* |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | # Whitelist | ||
16 | #mkdir ~/.warzone2100-3.1 | ||
17 | whitelist ~/.warzone2100-3.1 | 15 | whitelist ~/.warzone2100-3.1 |
18 | #mkdir ~/.warzone2100-3.2 | ||
19 | whitelist ~/.warzone2100-3.2 | 16 | whitelist ~/.warzone2100-3.2 |
17 | include /etc/firejail/whitelist-common.inc | ||
20 | 18 | ||
21 | # Call these options | ||
22 | caps.drop all | 19 | caps.drop all |
23 | netfilter | 20 | netfilter |
24 | nogroups | 21 | nogroups |
@@ -29,7 +26,12 @@ seccomp | |||
29 | shell none | 26 | shell none |
30 | tracelog | 27 | tracelog |
31 | 28 | ||
29 | disable-mnt | ||
32 | private-bin warzone2100 | 30 | private-bin warzone2100 |
33 | private-dev | 31 | private-dev |
34 | private-tmp | 32 | private-tmp |
35 | disable-mnt | 33 | |
34 | # CLOBBERED COMMENTS | ||
35 | # Call these options | ||
36 | # mkdir ~/.warzone2100-3.1 | ||
37 | # mkdir ~/.warzone2100-3.2 | ||
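Review bot: The commented-out `# mkdir ~/.warzone2100-3.1` and `# mkdir ~/.warzone2100-3.2` lines used to sit directly above their `whitelist` lines, and moving them under `# CLOBBERED COMMENTS` at the end of the file hides that the whitelist entries are, apparently on purpose, left without a `mkdir`. Other profiles in this commit place `mkdir` right before `whitelist` (wesnoth, waterfox), so keep the two commented lines above `whitelist ~/.warzone2100-3.1` to match, and drop `# Call these options`, which says nothing once detached. Separately, the new side adds `include /etc/firejail/whitelist-common.inc`, which changes what the sandbox can see rather than reordering it and should be called out as such.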
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index ff2ede8f9..893d45719 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
@@ -1,75 +1,69 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for waterfox |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/waterfox.local | 4 | include /etc/firejail/waterfox.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Waterfox (based on Mozilla Firefox) | ||
9 | noblacklist ~/.mozilla | ||
10 | noblacklist ~/.cache/mozilla | 8 | noblacklist ~/.cache/mozilla |
9 | noblacklist ~/.config/okularpartrc | ||
10 | noblacklist ~/.config/okularrc | ||
11 | noblacklist ~/.config/qpdfview | 11 | noblacklist ~/.config/qpdfview |
12 | noblacklist ~/.local/share/qpdfview | ||
13 | noblacklist ~/.kde4/share/apps/okular | ||
14 | noblacklist ~/.kde/share/apps/okular | 12 | noblacklist ~/.kde/share/apps/okular |
13 | noblacklist ~/.kde4/share/apps/okular | ||
15 | noblacklist ~/.local/share/okular | 14 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.config/okularpartrc | 15 | noblacklist ~/.local/share/qpdfview |
17 | noblacklist ~/.config/okularrc | 16 | noblacklist ~/.mozilla |
18 | noblacklist ~/.pki | 17 | noblacklist ~/.pki |
19 | 18 | ||
20 | include /etc/firejail/disable-common.inc | 19 | include /etc/firejail/disable-common.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | include /etc/firejail/disable-devel.inc | 20 | include /etc/firejail/disable-devel.inc |
21 | include /etc/firejail/disable-programs.inc | ||
23 | 22 | ||
24 | caps.drop all | ||
25 | # ipc-namespace crashes waterfox on some setups | ||
26 | netfilter | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp | ||
32 | shell none | ||
33 | tracelog | ||
34 | |||
35 | whitelist ${DOWNLOADS} | ||
36 | mkdir ~/.mozilla | ||
37 | whitelist ~/.mozilla | ||
38 | mkdir ~/.cache/mozilla/firefox | 23 | mkdir ~/.cache/mozilla/firefox |
24 | mkdir ~/.mozilla | ||
25 | mkdir ~/.pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ~/.cache/gnome-mplayer/plugin | ||
39 | whitelist ~/.cache/mozilla/firefox | 28 | whitelist ~/.cache/mozilla/firefox |
40 | whitelist ~/dwhelper | ||
41 | whitelist ~/.zotero | ||
42 | whitelist ~/.vimperatorrc | ||
43 | whitelist ~/.vimperator | ||
44 | whitelist ~/.pentadactylrc | ||
45 | whitelist ~/.pentadactyl | ||
46 | whitelist ~/.keysnail.js | ||
47 | whitelist ~/.config/gnome-mplayer | 29 | whitelist ~/.config/gnome-mplayer |
48 | whitelist ~/.cache/gnome-mplayer/plugin | ||
49 | mkdir ~/.pki | ||
50 | whitelist ~/.pki | ||
51 | whitelist ~/.lastpass | ||
52 | whitelist ~/.config/qpdfview | ||
53 | whitelist ~/.local/share/qpdfview | ||
54 | whitelist ~/.config/okularrc | ||
55 | whitelist ~/.config/okularpartrc | 30 | whitelist ~/.config/okularpartrc |
56 | whitelist ~/.kde4/share/apps/okular | 31 | whitelist ~/.config/okularrc |
32 | whitelist ~/.config/pipelight-silverlight5.1 | ||
33 | whitelist ~/.config/pipelight-widevine | ||
34 | whitelist ~/.config/qpdfview | ||
57 | whitelist ~/.kde/share/apps/okular | 35 | whitelist ~/.kde/share/apps/okular |
36 | whitelist ~/.kde4/share/apps/okular | ||
37 | whitelist ~/.keysnail.js | ||
38 | whitelist ~/.lastpass | ||
58 | whitelist ~/.local/share/okular | 39 | whitelist ~/.local/share/okular |
59 | 40 | whitelist ~/.local/share/qpdfview | |
60 | # silverlight | 41 | whitelist ~/.mozilla |
42 | whitelist ~/.pentadactyl | ||
43 | whitelist ~/.pentadactylrc | ||
44 | whitelist ~/.pki | ||
45 | whitelist ~/.vimperator | ||
46 | whitelist ~/.vimperatorrc | ||
61 | whitelist ~/.wine-pipelight | 47 | whitelist ~/.wine-pipelight |
62 | whitelist ~/.wine-pipelight64 | 48 | whitelist ~/.wine-pipelight64 |
63 | whitelist ~/.config/pipelight-widevine | 49 | whitelist ~/.zotero |
64 | whitelist ~/.config/pipelight-silverlight5.1 | 50 | whitelist ~/dwhelper |
65 | |||
66 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
67 | 52 | ||
68 | # experimental features | 53 | caps.drop all |
69 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env | 54 | netfilter |
70 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | 55 | nogroups |
71 | # private-dev might prevent video calls going out | 56 | nonewprivs |
57 | noroot | ||
58 | protocol unix,inet,inet6,netlink | ||
59 | seccomp | ||
60 | shell none | ||
61 | tracelog | ||
62 | |||
63 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env | ||
72 | private-dev | 64 | private-dev |
65 | # private-dev might prevent video calls going out | ||
66 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | ||
73 | private-tmp | 67 | private-tmp |
74 | 68 | ||
75 | noexec ${HOME} | 69 | noexec ${HOME} |
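Review bot: The old line `# ipc-namespace crashes waterfox on some setups` has no counterpart on the new side, so the reason this profile leaves `ipc-namespace` off is no longer recorded anywhere in the file. The option is a hardening measure that a later maintainer may add back without knowing it was already tried, so keep the comment in the option block, for example `# ipc-namespace - crashes waterfox on some setups` after `caps.drop all`.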
diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile index 32038f99f..2d3f6c963 100644 --- a/etc/weechat-curses.profile +++ b/etc/weechat-curses.profile | |||
@@ -1,9 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for weechat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/weechat-curses.local | ||
7 | 4 | ||
8 | # Weechat IRC profile (Debian) | ||
9 | include /etc/firejail/weechat.profile | 5 | include /etc/firejail/weechat.profile |
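Review bot: The alias no longer includes `/etc/firejail/weechat-curses.local`, so any restriction an administrator placed in that file stops applying after the update, with nothing to signal it. If the drop is intended, the header should say where overrides now belong, e.g. `# Customizations go in /etc/firejail/weechat.local`; otherwise keep `include /etc/firejail/weechat-curses.local` ahead of the weechat.profile include. The wireshark-gtk and wireshark-qt alias sections drop their own .local includes the same way.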
diff --git a/etc/weechat.profile b/etc/weechat.profile index 452823681..75a4dc4a7 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for weechat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/weechat.local | 4 | include /etc/firejail/weechat.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Weechat IRC profile | ||
9 | noblacklist ${HOME}/.weechat | 8 | noblacklist ${HOME}/.weechat |
9 | |||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
12 | 12 | ||
@@ -17,6 +17,7 @@ noroot | |||
17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
18 | seccomp | 18 | seccomp |
19 | 19 | ||
20 | # no private-bin support for various reasons: | 20 | # CLOBBERED COMMENTS |
21 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, | 21 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, |
22 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins | 22 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins |
23 | # no private-bin support for various reasons: | ||
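Review bot: Sorting the trailing comment block has put its lead sentence last: `# no private-bin support for various reasons:` now follows the two plugin-list lines it introduces, under a `# CLOBBERED COMMENTS` heading. That block is the only record in this profile of why private-bin is not used, so it should stay readable. Restore the original order, with `# no private-bin support for various reasons:` first and the `# Plugins loaded: ...` lines after it, and drop the heading.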
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a13f80bb6..9798e0ace 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
@@ -1,19 +1,26 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for wesnoth |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wesnoth.local | 4 | include /etc/firejail/wesnoth.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Whitelist-based profile for "Battle for Wesnoth" (game). | ||
9 | noblacklist ${HOME}/.config/wesnoth | ||
10 | noblacklist ${HOME}/.cache/wesnoth | 8 | noblacklist ${HOME}/.cache/wesnoth |
9 | noblacklist ${HOME}/.config/wesnoth | ||
11 | noblacklist ${HOME}/.local/share/wesnoth | 10 | noblacklist ${HOME}/.local/share/wesnoth |
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | |||
17 | mkdir ${HOME}/.cache/wesnoth | ||
18 | mkdir ${HOME}/.config/wesnoth | ||
19 | mkdir ${HOME}/.local/share/wesnoth | ||
20 | whitelist ${HOME}/.cache/wesnoth | ||
21 | whitelist ${HOME}/.config/wesnoth | ||
22 | whitelist ${HOME}/.local/share/wesnoth | ||
23 | include /etc/firejail/whitelist-common.inc | ||
17 | 24 | ||
18 | caps.drop all | 25 | caps.drop all |
19 | nonewprivs | 26 | nonewprivs |
@@ -23,11 +30,3 @@ seccomp | |||
23 | 30 | ||
24 | private-dev | 31 | private-dev |
25 | private-tmp | 32 | private-tmp |
26 | |||
27 | mkdir ${HOME}/.local/share/wesnoth | ||
28 | mkdir ${HOME}/.config/wesnoth | ||
29 | mkdir ${HOME}/.cache/wesnoth | ||
30 | whitelist ${HOME}/.local/share/wesnoth | ||
31 | whitelist ${HOME}/.config/wesnoth | ||
32 | whitelist ${HOME}/.cache/wesnoth | ||
33 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/wget.profile b/etc/wget.profile index 1b09eac26..7ab24aa8f 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -1,19 +1,20 @@ | |||
1 | # Firejail profile for wget | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
5 | include /etc/firejail/wget.local | ||
6 | # Persistent global definitions | ||
3 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
4 | 8 | ||
5 | # This file is overwritten during software install. | 9 | blacklist /tmp/.X11-unix |
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/wget.local | ||
8 | 10 | ||
9 | # wget profile | ||
10 | noblacklist ~/.wgetrc | 11 | noblacklist ~/.wgetrc |
12 | |||
11 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
14 | 16 | ||
15 | caps.drop all | 17 | caps.drop all |
16 | #ipc-namespace | ||
17 | netfilter | 18 | netfilter |
18 | no3d | 19 | no3d |
19 | nogroups | 20 | nogroups |
@@ -25,8 +26,6 @@ protocol unix,inet,inet6 | |||
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
27 | 28 | ||
28 | blacklist /tmp/.X11-unix | ||
29 | |||
30 | # private-bin wget | 29 | # private-bin wget |
31 | private-dev | 30 | private-dev |
32 | # private-etc resolv.conf | 31 | # private-etc resolv.conf |
diff --git a/etc/wine.profile b/etc/wine.profile index 5ee8bae38..00eea2b7c 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for wine |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wine.local | 4 | include /etc/firejail/wine.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # wine profile | ||
9 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
10 | noblacklist ${HOME}/.steam | ||
11 | noblacklist ${HOME}/.local/share/Steam | 9 | noblacklist ${HOME}/.local/share/Steam |
12 | noblacklist ${HOME}/.local/share/steam | 10 | noblacklist ${HOME}/.local/share/steam |
11 | noblacklist ${HOME}/.steam | ||
13 | noblacklist ${HOME}/.wine | 12 | noblacklist ${HOME}/.wine |
14 | 13 | ||
15 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | include /etc/firejail/disable-devel.inc | 15 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | netfilter | 19 | netfilter |
diff --git a/etc/wire.profile b/etc/wire.profile index 71147ebc1..f20dfe8e2 100644 --- a/etc/wire.profile +++ b/etc/wire.profile | |||
@@ -1,31 +1,31 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for wire |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wire.local | 4 | include /etc/firejail/wire.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # wire messenger profile | ||
9 | noblacklist ~/.config/Wire | 8 | noblacklist ~/.config/Wire |
10 | noblacklist ~/.config/wire | 9 | noblacklist ~/.config/wire |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
19 | nonewprivs | ||
20 | nogroups | 18 | nogroups |
19 | nonewprivs | ||
21 | noroot | 20 | noroot |
22 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
23 | seccomp | 22 | seccomp |
24 | shell none | 23 | shell none |
25 | 24 | ||
26 | private-tmp | ||
27 | private-dev | ||
28 | disable-mnt | 25 | disable-mnt |
26 | private-dev | ||
27 | private-tmp | ||
29 | 28 | ||
29 | # CLOBBERED COMMENTS | ||
30 | # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. | 30 | # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. |
31 | # To use wire with firejail run "firejail /opt/Wire/wire" | 31 | # To use wire with firejail run "firejail /opt/Wire/wire" |
diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile index 5cc2ae2a1..35a76a978 100644 --- a/etc/wireshark-gtk.profile +++ b/etc/wireshark-gtk.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wireshark |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wireshark-gtk.local | ||
7 | 4 | ||
8 | include /etc/firejail/wireshark.profile | 5 | include /etc/firejail/wireshark.profile |
diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile index f6f26a6b3..35a76a978 100644 --- a/etc/wireshark-qt.profile +++ b/etc/wireshark-qt.profile | |||
@@ -1,8 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for wireshark |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wireshark-qt.local | ||
7 | 4 | ||
8 | include /etc/firejail/wireshark.profile | 5 | include /etc/firejail/wireshark.profile |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index d5f3b8c4b..0c4bc8029 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -1,39 +1,35 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for wireshark |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/wireshark.local | 4 | include /etc/firejail/wireshark.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for | ||
9 | noblacklist ${HOME}/.config/wireshark | 8 | noblacklist ${HOME}/.config/wireshark |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | # | ||
17 | # The profile allows users to run wireshark as root | ||
18 | # | ||
19 | #caps.drop all | ||
20 | #noroot | ||
21 | #protocol unix,inet,inet6,netlink | ||
22 | |||
23 | #ipc-namespace | ||
24 | netfilter | 15 | netfilter |
25 | no3d | 16 | no3d |
26 | # nogroups - breaks unprivileged wireshark usage | ||
27 | # nonewprivs - breaks unprivileged wireshark usage | ||
28 | nosound | 17 | nosound |
29 | # seccomp - breaks unprivileged wireshark usage | ||
30 | shell none | 18 | shell none |
31 | tracelog | 19 | tracelog |
32 | 20 | ||
33 | #private-bin wireshark | 21 | # private-bin wireshark |
34 | # private-etc fonts,group,hosts,machine-id,passwd | ||
35 | private-dev | 22 | private-dev |
23 | # private-etc fonts,group,hosts,machine-id,passwd | ||
36 | private-tmp | 24 | private-tmp |
37 | 25 | ||
38 | noexec ${HOME} | 26 | noexec ${HOME} |
39 | noexec /tmp | 27 | noexec /tmp |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # caps.drop all | ||
31 | # nogroups - breaks unprivileged wireshark usage | ||
32 | # nonewprivs - breaks unprivileged wireshark usage | ||
33 | # noroot | ||
34 | # protocol unix,inet,inet6,netlink | ||
35 | # seccomp - breaks unprivileged wireshark usage | ||
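Review bot: The removed comment `# The profile allows users to run wireshark as root` was the explanation for why `caps.drop all`, `noroot` and `protocol` are commented out, and the new side keeps those options only as bare entries under `# CLOBBERED COMMENTS` at the end of the file. As written, the active profile has no caps.drop, nonewprivs, noroot, seccomp or protocol line, and nothing near the option block says this is deliberate, which matters for a program that parses captured traffic. Keep the rationale where the options would sit, e.g. `# caps.drop all, noroot and protocol are left out so wireshark can be run as root` after `include /etc/firejail/disable-programs.inc`. The three `- breaks unprivileged wireshark usage` notes belong beside it.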
diff --git a/etc/xchat.profile b/etc/xchat.profile index efed5c995..795e7ecd6 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
@@ -1,16 +1,15 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xchat |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xchat.local | 4 | include /etc/firejail/xchat.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # XChat IRC profile | ||
9 | noblacklist ${HOME}/.config/xchat | 8 | noblacklist ${HOME}/.config/xchat |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-programs.inc | ||
14 | 13 | ||
15 | caps.drop all | 14 | caps.drop all |
16 | nonewprivs | 15 | nonewprivs |
diff --git a/etc/xed.profile b/etc/xed.profile index 1b5fdd57a..17d0ad9d9 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xed |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xed.local | 4 | include /etc/firejail/xed.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for Xed | ||
9 | noblacklist ${HOME}/.config/xed | 8 | noblacklist ${HOME}/.config/xed |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 7bfeba2b1..dbacf6462 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xfburn |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xfburn.local | 4 | include /etc/firejail/xfburn.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # xfburn profile | ||
9 | noblacklist ~/.config/xfburn | 8 | noblacklist ~/.config/xfburn |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
@@ -25,6 +24,6 @@ shell none | |||
25 | tracelog | 24 | tracelog |
26 | 25 | ||
27 | # private-bin xfburn | 26 | # private-bin xfburn |
28 | # private-tmp | ||
29 | # private-dev | 27 | # private-dev |
30 | # private-etc fonts | 28 | # private-etc fonts |
29 | # private-tmp | ||
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 08ae17a55..26f65ee1c 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xfce4-dict |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xfce4-dict.local | 4 | include /etc/firejail/xfce4-dict.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/xfce4-dict | 8 | noblacklist ${HOME}/.config/xfce4-dict |
9 | 9 | ||
@@ -24,9 +24,9 @@ protocol unix,inet,inet6 | |||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
27 | disable-mnt | ||
27 | private-dev | 28 | private-dev |
28 | private-tmp | 29 | private-tmp |
29 | disable-mnt | ||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index e3215d6ea..6f026c2e7 100644 --- a/etc/xfce4-notes.profile +++ b/etc/xfce4-notes.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xfce4-notes |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xfce4-notes.local | 4 | include /etc/firejail/xfce4-notes.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc | ||
9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc | 8 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc |
9 | noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc | ||
10 | noblacklist ${HOME}/.local/share/notes | 10 | noblacklist ${HOME}/.local/share/notes |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -26,9 +26,9 @@ protocol unix | |||
26 | seccomp | 26 | seccomp |
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | disable-mnt | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
31 | disable-mnt | ||
32 | 32 | ||
33 | noexec ${HOME} | 33 | noexec ${HOME} |
34 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index f3171cd8d..eb894d8b5 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -1,11 +1,13 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xiphos |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xiphos.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | blacklist ~/.Xauthority |
5 | # Persistent customizations should go in a .local file. | 9 | blacklist ~/.bashrc |
6 | include /etc/firejail/xiphos.local | ||
7 | 10 | ||
8 | # Firejail profile for xiphos | ||
9 | noblacklist ~/.sword | 11 | noblacklist ~/.sword |
10 | noblacklist ~/.xiphos | 12 | noblacklist ~/.xiphos |
11 | 13 | ||
@@ -14,8 +16,9 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
16 | 18 | ||
17 | blacklist ~/.bashrc | 19 | whitelist ${HOME}/.sword |
18 | blacklist ~/.Xauthority | 20 | whitelist ${HOME}/.xiphos |
21 | include /etc/firejail/whitelist-common.inc | ||
19 | 22 | ||
20 | caps.drop all | 23 | caps.drop all |
21 | netfilter | 24 | netfilter |
@@ -29,9 +32,6 @@ shell none | |||
29 | tracelog | 32 | tracelog |
30 | 33 | ||
31 | private-bin xiphos | 34 | private-bin xiphos |
32 | private-etc fonts,resolv.conf,sword | ||
33 | private-dev | 35 | private-dev |
36 | private-etc fonts,resolv.conf,sword | ||
34 | private-tmp | 37 | private-tmp |
35 | |||
36 | whitelist ${HOME}/.sword | ||
37 | whitelist ${HOME}/.xiphos | ||
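Review bot: The relocated `whitelist ${HOME}/.sword` and `whitelist ${HOME}/.xiphos` lines (new lines 19-20) have no matching `mkdir`, unlike xonotic.profile in this same commit, which pairs `mkdir ${HOME}/.xonotic` with its whitelist. If either directory is missing when the sandbox starts, the whitelist entry has nothing to bind, so on a first run the application's data would presumably land in the temporary home and be lost on exit. Adding `mkdir ${HOME}/.sword` and `mkdir ${HOME}/.xiphos` just above the whitelist lines would close that gap; `whitelist ~/.cache/zoom` in zoom.profile has the same gap. The profile also mixes `~/` and `${HOME}` for the same directories, which is worth unifying while the lines are being moved.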
diff --git a/etc/xmms.profile b/etc/xmms.profile index 5b99924bc..d2cf00a36 100644 --- a/etc/xmms.profile +++ b/etc/xmms.profile | |||
@@ -1,26 +1,25 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xmms |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xmms.local | 4 | include /etc/firejail/xmms.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for XMMS | ||
9 | noblacklist ${HOME}/.xmms | 8 | noblacklist ${HOME}/.xmms |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | ||
15 | 14 | ||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
17 | no3d | ||
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
21 | seccomp | 21 | seccomp |
22 | shell none | 22 | shell none |
23 | no3d | ||
24 | 23 | ||
25 | private-bin xmms | 24 | private-bin xmms |
26 | private-dev | 25 | private-dev |
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile index f5f802158..8be8b2d7b 100644 --- a/etc/xonotic-glx.profile +++ b/etc/xonotic-glx.profile | |||
@@ -1,12 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for xonotic |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xonotic-glx.local | ||
7 | |||
8 | # | ||
9 | #Profile for xonotic:xonotic-glx | ||
10 | # | ||
11 | 4 | ||
12 | include /etc/firejail/xonotic.profile | 5 | include /etc/firejail/xonotic.profile |
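Review bot: Dropping `include /etc/firejail/xonotic-glx.local` from this alias means an existing xonotic-glx.local is no longer read, so any hardening an administrator placed there stops applying without warning. The same removal happens in xonotic-sdl.profile and xz.profile (xonotic-sdl.local, xz.local). If the intent is that aliases share the parent's .local file, the header should say so, e.g. `# Customizations go in xonotic.local; xonotic-glx.local is not read`, and the change deserves a line in the release notes.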
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile index 85c48151b..8be8b2d7b 100644 --- a/etc/xonotic-sdl.profile +++ b/etc/xonotic-sdl.profile | |||
@@ -1,12 +1,5 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile alias for xonotic |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xonotic-sdl.local | ||
7 | |||
8 | # | ||
9 | #Profile for xonotic:xonotic-sdl | ||
10 | # | ||
11 | 4 | ||
12 | include /etc/firejail/xonotic.profile | 5 | include /etc/firejail/xonotic.profile |
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 957636124..95a2a2dbd 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
@@ -1,31 +1,22 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xonotic |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xonotic.local | 4 | include /etc/firejail/xonotic.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | ||
9 | #Profile for xonotic | ||
10 | # | ||
11 | |||
12 | #No Blacklist Paths | ||
13 | noblacklist ${HOME}/.xonotic | 8 | noblacklist ${HOME}/.xonotic |
14 | 9 | ||
15 | #Blacklist Paths | ||
16 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
17 | include /etc/firejail/disable-programs.inc | ||
18 | include /etc/firejail/disable-passwdmgr.inc | ||
19 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
20 | 14 | ||
21 | #Whitelist Paths | ||
22 | mkdir ${HOME}/.xonotic | 15 | mkdir ${HOME}/.xonotic |
23 | whitelist ${HOME}/.xonotic | 16 | whitelist ${HOME}/.xonotic |
24 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
25 | 18 | ||
26 | #Options | ||
27 | caps.drop all | 19 | caps.drop all |
28 | #ipc-namespace | ||
29 | netfilter | 20 | netfilter |
30 | nogroups | 21 | nogroups |
31 | nonewprivs | 22 | nonewprivs |
@@ -35,10 +26,10 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 26 | seccomp |
36 | shell none | 27 | shell none |
37 | 28 | ||
29 | disable-mnt | ||
38 | private-bin xonotic-sdl,xonotic-glx,blind-id | 30 | private-bin xonotic-sdl,xonotic-glx,blind-id |
39 | private-dev | 31 | private-dev |
40 | private-tmp | 32 | private-tmp |
41 | disable-mnt | ||
42 | 33 | ||
43 | noexec ${HOME} | 34 | noexec ${HOME} |
44 | noexec /tmp | 35 | noexec /tmp |
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index ce8cd2459..be69ebe1a 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
@@ -1,13 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xpdf |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xpdf.local | 4 | include /etc/firejail/xpdf.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | ################################ | ||
9 | # xpdf application profile | ||
10 | ################################ | ||
11 | noblacklist ${HOME}/.xpdfrc | 8 | noblacklist ${HOME}/.xpdfrc |
12 | 9 | ||
13 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 0b6acf9d2..afa3deac6 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xplayer |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xplayer.local | 4 | include /etc/firejail/xplayer.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Xplayer profile | ||
9 | noblacklist ~/.config/xplayer | 8 | noblacklist ~/.config/xplayer |
10 | noblacklist ~/.local/share/xplayer | 9 | noblacklist ~/.local/share/xplayer |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
diff --git a/etc/xreader.profile b/etc/xreader.profile index ec7488ed8..2abe569c5 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -1,19 +1,18 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xreader |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xreader.local | 4 | include /etc/firejail/xreader.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Xreader profile | 8 | noblacklist ~/.cache/xreader |
9 | noblacklist ~/.config/xreader | 9 | noblacklist ~/.config/xreader |
10 | noblacklist ~/.local/share | 10 | noblacklist ~/.local/share |
11 | noblacklist ~/.cache/xreader | ||
12 | 11 | ||
13 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | ||
17 | 16 | ||
18 | caps.drop all | 17 | caps.drop all |
19 | nogroups | 18 | nogroups |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 906bcb814..7c9886b29 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -1,20 +1,19 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xviewer |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xviewer.local | 4 | include /etc/firejail/xviewer.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # xviewer profile | ||
9 | noblacklist ~/.config/xviewer | ||
10 | noblacklist ~/.Steam | 8 | noblacklist ~/.Steam |
11 | noblacklist ~/.steam | 9 | noblacklist ~/.config/xviewer |
12 | noblacklist ~/.local/share/Trash | 10 | noblacklist ~/.local/share/Trash |
11 | noblacklist ~/.steam | ||
13 | 12 | ||
14 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-programs.inc | ||
16 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | ||
18 | 17 | ||
19 | caps.drop all | 18 | caps.drop all |
20 | nogroups | 19 | nogroups |
@@ -26,8 +25,8 @@ seccomp | |||
26 | shell none | 25 | shell none |
27 | tracelog | 26 | tracelog |
28 | 27 | ||
29 | private-dev | ||
30 | private-bin xviewer | 28 | private-bin xviewer |
29 | private-dev | ||
31 | private-tmp | 30 | private-tmp |
32 | 31 | ||
33 | noexec ${HOME} | 32 | noexec ${HOME} |
diff --git a/etc/xz.profile b/etc/xz.profile index a3c1ab3ca..b552f59c0 100644 --- a/etc/xz.profile +++ b/etc/xz.profile | |||
@@ -1,10 +1,5 @@ | |||
1 | quiet | 1 | # Firejail profile alias for cpio |
2 | # Persistent global definitions go here | 2 | # This file is overwritten after every install/update |
3 | include /etc/firejail/globals.local | ||
4 | 3 | ||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/xz.local | ||
8 | 4 | ||
9 | # xz profile | ||
10 | include /etc/firejail/cpio.profile | 5 | include /etc/firejail/cpio.profile |
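Review bot: The old profile set `quiet` on its first line, and the alias now relies on cpio.profile to do so; cpio.profile is not visible in this part of the page, so that is worth confirming. xz is commonly run inside pipelines, where sandbox start-up messages mixed into the output would be unwelcome. If cpio.profile does not set `quiet`, keep `quiet` as the first directive here, as xzdec.profile and youtube-dl.profile do.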
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 2a84bf0ee..0d5b8dda6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -1,17 +1,14 @@ | |||
1 | # Firejail profile for xzdec | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/xzdec.local | 5 | include /etc/firejail/xzdec.local |
8 | 6 | # Persistent global definitions | |
9 | # xzdec profile | 7 | include /etc/firejail/globals.local |
10 | ignore noroot | ||
11 | include /etc/firejail/default.profile | ||
12 | 8 | ||
13 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
14 | 10 | ||
11 | ignore noroot | ||
15 | net none | 12 | net none |
16 | no3d | 13 | no3d |
17 | nosound | 14 | nosound |
@@ -19,3 +16,5 @@ shell none | |||
19 | tracelog | 16 | tracelog |
20 | 17 | ||
21 | private-dev | 18 | private-dev |
19 | |||
20 | include /etc/firejail/default.profile | ||
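Review bot: `ignore noroot` (new line 11) now sits nine lines above the `include /etc/firejail/default.profile` it modifies (new line 20), and nothing in the file says that the order matters. An `ignore` only affects directives read after it, so a later tidy-up that moves the include back to the top would silently change whether `noroot` is applied. A comment such as `# ignore must precede the default.profile include below` would protect the ordering. A second comment stating why xzdec needs `noroot` disabled would also help, since the reason is not given here.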
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index a58617ddf..fea7284c8 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -1,18 +1,17 @@ | |||
1 | # Firejail profile for youtube-dl | ||
2 | # This file is overwritten after every install/update | ||
1 | quiet | 3 | quiet |
2 | # Persistent global definitions go here | 4 | # Persistent local customizations |
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/youtube-dl.local | 5 | include /etc/firejail/youtube-dl.local |
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | 8 | ||
9 | # Firejail profile for youtube-dl | ||
10 | noblacklist ${HOME}/.netrc | 9 | noblacklist ${HOME}/.netrc |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | ipc-namespace | 17 | ipc-namespace |
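Review bot: `noblacklist ${HOME}/.netrc` (new line 9) exposes every credential stored in .netrc to a tool whose job is parsing remote content, and the profile gives no reason for it. youtube-dl reads that file only when run with its `--netrc` option, so the exemption could live in youtube-dl.local for the users who need it. If it stays in the shipped profile, a comment such as `# needed for youtube-dl --netrc` would make the trade-off visible. The rest of the profile lies outside this hunk.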
diff --git a/etc/zathura.profile b/etc/zathura.profile index 502e066c8..0552f85a9 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for zathura |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/zathura.local | 4 | include /etc/firejail/zathura.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # zathura document viewer profile | ||
9 | noblacklist ~/.config/zathura | 8 | noblacklist ~/.config/zathura |
10 | noblacklist ~/.local/share/zathura | 9 | noblacklist ~/.local/share/zathura |
10 | |||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | net none | 17 | net none |
@@ -19,14 +19,13 @@ nogroups | |||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | shell none | ||
23 | seccomp | ||
24 | protocol unix | 22 | protocol unix |
23 | seccomp | ||
24 | shell none | ||
25 | 25 | ||
26 | private-bin zathura | 26 | private-bin zathura |
27 | private-dev | 27 | private-dev |
28 | private-etc fonts | 28 | private-etc fonts |
29 | private-tmp | 29 | private-tmp |
30 | |||
31 | read-only ~/ | 30 | read-only ~/ |
32 | read-write ~/.local/share/zathura/ | 31 | read-write ~/.local/share/zathura/ |
diff --git a/etc/zoom.profile b/etc/zoom.profile index bf71aa5ce..4ef756d9f 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -1,23 +1,20 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for zoom |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/zoom.local | 4 | include /etc/firejail/zoom.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Firejail profile for zoom.us | ||
9 | noblacklist ~/.config/zoomus.conf | 8 | noblacklist ~/.config/zoomus.conf |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
14 | 12 | include /etc/firejail/disable-programs.inc | |
15 | |||
16 | # Whitelists | ||
17 | 13 | ||
18 | mkdir ~/.zoom | 14 | mkdir ~/.zoom |
19 | whitelist ~/.zoom | ||
20 | whitelist ~/.cache/zoom | 15 | whitelist ~/.cache/zoom |
16 | whitelist ~/.zoom | ||
17 | include /etc/firejail/whitelist-common.inc | ||
21 | 18 | ||
22 | caps.drop all | 19 | caps.drop all |
23 | netfilter | 20 | netfilter |