diff options
365 files changed, 1806 insertions, 1332 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b53b69f75..737003874 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -26,3 +26,10 @@ firejail-profiles was not installed when installing firejail. | |||
26 | 26 | ||
27 | We take security bugs very seriously. If you believe you have found one, please report it by | 27 | We take security bugs very seriously. If you believe you have found one, please report it by |
28 | emailing us at netblue30@yahoo.com | 28 | emailing us at netblue30@yahoo.com |
29 | |||
30 | # Opening an pull request: | ||
31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. | ||
32 | |||
33 | If you want to write a new profile, the easiest way to do this is to use the | ||
34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | ||
35 | If you have already written a profile, please make sure it follows the rules described in the template. | ||
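Review bot: typo in the new heading on line 30, `# Opening an pull request:` should read `# Opening a pull request:`. It would also help a first-time contributor to say where a finished profile goes (the `etc/` directory, next to the profiles changed in this same commit) and that the existing profiles there are a second reference besides the template link.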
diff --git a/Makefile.in b/Makefile.in index 0cbbb374c..af57f7d2c 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -121,6 +121,7 @@ endif | |||
121 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. | 121 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. |
122 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. | 122 | install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. |
123 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. | 123 | install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. |
124 | install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/. | ||
124 | # etc files | 125 | # etc files |
125 | ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) | 126 | ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) |
126 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail | 127 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail |
@@ -97,7 +97,7 @@ announ (https://github.com/announ) | |||
97 | Antonio Russo (https://github.com/aerusso) | 97 | Antonio Russo (https://github.com/aerusso) |
98 | - enumerate root directories in apparmor profile | 98 | - enumerate root directories in apparmor profile |
99 | - fix join-or-start | 99 | - fix join-or-start |
100 | Austin Morton | 100 | Austin Morton (https://github.com/apmorton) |
101 | - deterministic-exit-code option | 101 | - deterministic-exit-code option |
102 | - private-cwd options | 102 | - private-cwd options |
103 | Austin S. Hemmelgarn (https://github.com/Ferroin) | 103 | Austin S. Hemmelgarn (https://github.com/Ferroin) |
@@ -193,6 +193,8 @@ Danil Semelenov (https://github.com/sgtpep) | |||
193 | Dara Adib (https://github.com/daradib) | 193 | Dara Adib (https://github.com/daradib) |
194 | - ssh profile fix | 194 | - ssh profile fix |
195 | - evince profile fix | 195 | - evince profile fix |
196 | David Thole (https://github.com/TheDarkTrumpet) | ||
197 | - added profile for teams-for-linux | ||
196 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 198 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
197 | - added xpdf profile | 199 | - added xpdf profile |
198 | dewbasaur (https://github.com/dewbasaur) | 200 | dewbasaur (https://github.com/dewbasaur) |
@@ -378,6 +380,9 @@ Jonas Heinrich (https://github.com/onny) | |||
378 | - fixed franz profile | 380 | - fixed franz profile |
379 | Jose Riha (https://github.com/jose1711) | 381 | Jose Riha (https://github.com/jose1711) |
380 | - added meteo-qt profile | 382 | - added meteo-qt profile |
383 | - created qgis, links, xlinks profiles | ||
384 | - extended profile.template with comments | ||
385 | - some typo and comment fixes in profile.template | ||
381 | jrabe (https://github.com/jrabe) | 386 | jrabe (https://github.com/jrabe) |
382 | - disallow access to kdbx files | 387 | - disallow access to kdbx files |
383 | - Epiphany profile | 388 | - Epiphany profile |
@@ -565,7 +570,9 @@ rusty-snake (https://github.com/rusty-snake) | |||
565 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 | 570 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
566 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap | 571 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap |
567 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk | 572 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk |
568 | - added profiles: ktouch, yelp | 573 | - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl |
574 | - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter | ||
575 | - added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client | ||
569 | - many profile fixing and hardening | 576 | - many profile fixing and hardening |
570 | - some typo fixes | 577 | - some typo fixes |
571 | - added profile templates | 578 | - added profile templates |
@@ -703,6 +710,7 @@ Topi Miettinen (https://github.com/topimiettinen) | |||
703 | - seccomp default list update | 710 | - seccomp default list update |
704 | - improve loading of seccomp filter and memory-deny-write-execute feature | 711 | - improve loading of seccomp filter and memory-deny-write-execute feature |
705 | - private-lib feature | 712 | - private-lib feature |
713 | - make --nodbus block also system D-Bus socket | ||
706 | user1024 (user1024@tut.by) | 714 | user1024 (user1024@tut.by) |
707 | - electron profile whitelisting | 715 | - electron profile whitelisting |
708 | - fixed Rocket.Chat profile | 716 | - fixed Rocket.Chat profile |
@@ -30,6 +30,8 @@ Documentation: https://firejail.wordpress.com/documentation-2/ | |||
30 | 30 | ||
31 | FAQ: https://firejail.wordpress.com/support/ | 31 | FAQ: https://firejail.wordpress.com/support/ |
32 | 32 | ||
33 | Wiki: https://github.com/netblue30/firejail/wiki | ||
34 | |||
33 | Travis-CI status: https://travis-ci.org/netblue30/firejail | 35 | Travis-CI status: https://travis-ci.org/netblue30/firejail |
34 | 36 | ||
35 | 37 | ||
@@ -99,7 +101,7 @@ If you keep additional Firejail security profiles in a public repository, please | |||
99 | 101 | ||
100 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 102 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) |
101 | 103 | ||
102 | You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls). | 104 | You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh). |
103 | 105 | ||
104 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 106 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
105 | ````` | 107 | ````` |
@@ -110,3 +112,5 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
110 | ## Current development version: 0.9.61 | 112 | ## Current development version: 0.9.61 |
111 | 113 | ||
112 | ## New profiles: | 114 | ## New profiles: |
115 | |||
116 | klatexformula, klatexformula_cmdl, links, pandoc, qgis, teams-for-linux, xlinks, OpenArena, gnome-sound-recorder, godot, tcpdump, tshark, keepassxc-cli, keepassxc-proxy, newsbeuter, rhythmbox-client | ||
@@ -1,7 +1,11 @@ | |||
1 | firejail (0.9.60) baseline; urgency=low | 1 | firejail (0.9.61) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * profile templates | 3 | * profile templates |
4 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 | 4 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks |
5 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder | ||
6 | * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli | ||
7 | * new profiles: keepassxc-proxy, rhythmbox-client | ||
8 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 | ||
5 | 9 | ||
6 | firejail (0.9.60) baseline; urgency=low | 10 | firejail (0.9.60) baseline; urgency=low |
7 | * security bug reported by Austin Morton: | 11 | * security bug reported by Austin Morton: |
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh new file mode 100755 index 000000000..9ab6acf5b --- /dev/null +++ b/contrib/syscalls.sh | |||
@@ -0,0 +1,30 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt" | ||
4 | SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt" | ||
5 | |||
6 | if [ $# -eq 0 ] | ||
7 | then | ||
8 | echo | ||
9 | echo " *** No program specified!!! ***" | ||
10 | echo | ||
11 | echo -e "Make this file executable and execute it as:\\n" | ||
12 | echo -e "\\e[96m syscalls.sh /full/path/to/program\\n" | ||
13 | echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n" | ||
14 | echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n" | ||
15 | echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls." | ||
16 | echo | ||
17 | exit 0 | ||
18 | |||
19 | else | ||
20 | |||
21 | strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE" | ||
22 | echo | ||
23 | echo -e "\e[39mThese are the sorted syscalls:\n\e[93m" | ||
24 | cat "$SYSCALLS_OUTPUT_FILE" | ||
25 | echo | ||
26 | echo -e "\e[39mThe sorted syscalls were saved to:\n\n\e[96m$SYSCALLS_OUTPUT_FILE" | ||
27 | echo | ||
28 | exit 0 | ||
29 | |||
30 | fi | ||
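Review bot: line 21 chains the post-processing to strace with `&&`, but strace exits with the traced program's status, so any run that ends non-zero (a GUI program closed from its window manager, a tool that reports an error) leaves strace_output.txt written and syscalls.txt never produced, with no message; run the awk/sed pipeline unconditionally, or test that the strace output file exists, instead of keying on strace's exit code. Two smaller points: the no-argument branch prints usage and then `exit 0` on line 17, which should be a non-zero status so a caller can tell a usage error from success, and "already exits" on line 15 should read "already exists". Worth adding to the help text (and to the README line that now points here) that `strace -c` only records syscalls on the code paths actually exercised during that run, so the list is a lower bound and a profile built from it with `seccomp.keep` still needs testing against the program's other features.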
diff --git a/etc/7z.profile b/etc/7z.profile index 44ab377b3..15e99e936 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -4,23 +4,33 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include 7z.local | 5 | include 7z.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | include disable-common.inc |
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
11 | 15 | ||
12 | ignore noroot | 16 | caps.drop all |
17 | ipc-namespace | ||
18 | machine-id | ||
13 | net none | 19 | net none |
14 | no3d | 20 | no3d |
15 | nodbus | 21 | nodbus |
16 | nodvd | 22 | nodvd |
23 | #nogroups | ||
24 | nonewprivs | ||
25 | #noroot | ||
17 | nosound | 26 | nosound |
18 | notv | 27 | notv |
19 | nou2f | 28 | nou2f |
20 | novideo | 29 | novideo |
30 | protocol unix | ||
31 | seccomp | ||
21 | shell none | 32 | shell none |
22 | tracelog | 33 | tracelog |
34 | x11 none | ||
23 | 35 | ||
24 | private-dev | 36 | private-dev |
25 | |||
26 | include default.profile | ||
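Review bot: `#nogroups` and `#noroot` (lines 23 and 25) are left commented out with no reason given, while the old profile spelled out `ignore noroot` as a deliberate choice; a short comment stating why these are off for 7z keeps the next editor from "fixing" them. Otherwise the move from `include default.profile` to an explicit list reads fine: `x11 none` covers what `blacklist /tmp/.X11-unix` did (and also hides the Xauthority file), and `protocol unix` is consistent with `net none`.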
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile index d1bd5c9b2..1435f3422 100644 --- a/etc/JDownloader.profile +++ b/etc/JDownloader.profile | |||
@@ -5,14 +5,10 @@ include JDownloader.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.jd | 8 | noblacklist ${HOME}/.jd |
10 | 9 | ||
11 | # Allow access to java | 10 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 11 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
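Review bot: `include allow-java.inc` on line 11 is not a pure refactor of the four removed lines: the include also carries `noblacklist ${HOME}/.java`, which this profile did not allow before, so JDownloader now gets that directory (where the Java runtime keeps its per-user preferences) on top of the runtime paths. If that is intended, say so in the commit message; otherwise keep the four explicit `noblacklist` lines here.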
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 6aba2678b..c2734b1c1 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -16,6 +16,7 @@ include disable-programs.inc | |||
16 | 16 | ||
17 | mkdir ${HOME}/.Mathematica | 17 | mkdir ${HOME}/.Mathematica |
18 | mkdir ${HOME}/.Wolfram Research | 18 | mkdir ${HOME}/.Wolfram Research |
19 | mkdir ${HOME}/Documents/Wolfram Mathematica | ||
19 | whitelist ${HOME}/.Mathematica | 20 | whitelist ${HOME}/.Mathematica |
20 | whitelist ${HOME}/.Wolfram Research | 21 | whitelist ${HOME}/.Wolfram Research |
21 | whitelist ${HOME}/Documents/Wolfram Mathematica | 22 | whitelist ${HOME}/Documents/Wolfram Mathematica |
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile index 7cc50da15..ece681c35 100644 --- a/etc/QMediathekView.profile +++ b/etc/QMediathekView.profile | |||
@@ -45,11 +45,9 @@ shell none | |||
45 | tracelog | 45 | tracelog |
46 | 46 | ||
47 | disable-mnt | 47 | disable-mnt |
48 | private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer | 48 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | # private-etc alternatives | ||
52 | # private-lib | ||
53 | private-tmp | 51 | private-tmp |
54 | 52 | ||
55 | # memory-deny-write-execute - breaks on Arch | 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile index 27ba00857..c774f3a60 100644 --- a/etc/QOwnNotes.profile +++ b/etc/QOwnNotes.profile | |||
@@ -47,8 +47,8 @@ shell none | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | private-bin QOwnNotes,gio | 50 | private-bin gio,QOwnNotes |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies | 52 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,nsswitch.conf,pki,pulse,resolv.conf,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/Viber.profile b/etc/Viber.profile index 3f3ee8590..ecc500769 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -5,7 +5,6 @@ include Viber.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.ViberPC | 8 | noblacklist ${HOME}/.ViberPC |
10 | 9 | ||
11 | include disable-common.inc | 10 | include disable-common.inc |
@@ -15,6 +14,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 15 | include disable-programs.inc |
17 | 16 | ||
17 | mkdir ${HOME}/.ViberPC | ||
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.ViberPC | 19 | whitelist ${HOME}/.ViberPC |
20 | include whitelist-common.inc | 20 | include whitelist-common.inc |
@@ -32,9 +32,8 @@ seccomp | |||
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin sh,bash,dig,awk,Viber | 35 | private-bin awk,bash,dig,sh,Viber |
36 | private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
39 | |||
40 | env QTWEBENGINE_DISABLE_SANDBOX=1 | 39 | env QTWEBENGINE_DISABLE_SANDBOX=1 |
diff --git a/etc/XMind.profile b/etc/XMind.profile index a5b0a864e..7e7c0c3cd 100644 --- a/etc/XMind.profile +++ b/etc/XMind.profile | |||
@@ -32,7 +32,7 @@ seccomp | |||
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin XMind,sh,cp | 35 | private-bin cp,sh,XMind |
36 | private-tmp | 36 | private-tmp |
37 | private-dev | 37 | private-dev |
38 | 38 | ||
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index bce6dc6e6..5ef75022b 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -7,16 +7,13 @@ include globals.local | |||
7 | 7 | ||
8 | # | 8 | # |
9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: | 10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: |
11 | # | 11 | # |
12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr | 12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr |
13 | # | 13 | # |
14 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
15 | # | 15 | # |
16 | 16 | ||
17 | |||
18 | blacklist /media | ||
19 | |||
20 | whitelist /var/lib/xkb | 17 | whitelist /var/lib/xkb |
21 | include whitelist-common.inc | 18 | include whitelist-common.inc |
22 | 19 | ||
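Review bot: the header comment on line 10 still says "create a firejail-Xephyr symlink" while the command on line 12 creates a symlink named `Xephyr`; since these lines are already in the hunk's context, drop "firejail-" from the prose so the comment matches the command (the same wording appears in Xvfb.profile). The removal of `blacklist /media` here is only safe because of the `disable-mnt` added in the next hunk of this file, which is worth one sentence in the commit message.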
@@ -34,10 +31,11 @@ protocol unix | |||
34 | seccomp | 31 | seccomp |
35 | shell none | 32 | shell none |
36 | 33 | ||
34 | disable-mnt | ||
37 | # using a private home directory | 35 | # using a private home directory |
38 | private | 36 | private |
39 | # private-bin Xephyr,sh,xkbcomp | 37 | # private-bin sh,Xephyr,xkbcomp |
40 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | 38 | # private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp |
41 | private-dev | 39 | private-dev |
42 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
43 | #private-tmp | 41 | #private-tmp |
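Review bot: `disable-mnt` on line 34 blacklists /mnt, /media, /run/mount and /run/media, so it is a strict superset of the `blacklist /media` removed from the top of this file and there is no regression. The reordering of the commented `private-bin` and `private-etc` lists (lines 37, 38 and 40) is cosmetic while they stay commented out; fine, just nothing to test.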
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index ed07485d6..3ecda698e 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | # | 9 | # |
10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
11 | # The target program is sandboxed with its own profile. By default the this functionality | 11 | # The target program is sandboxed with its own profile. By default the this functionality |
12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: | 12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: |
13 | # | 13 | # |
14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb | 14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb |
15 | # | 15 | # |
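Review bot: unchanged context, but since the comment block is being touched in this file anyway, line 11 has "By default the this functionality is disabled", which should read "By default this functionality is disabled"; the same block also says "firejail-Xvfb symlink" while line 14 creates a symlink named `Xvfb`.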
@@ -17,8 +17,6 @@ include globals.local | |||
17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
18 | # | 18 | # |
19 | 19 | ||
20 | blacklist /media | ||
21 | |||
22 | whitelist /var/lib/xkb | 20 | whitelist /var/lib/xkb |
23 | include whitelist-common.inc | 21 | include whitelist-common.inc |
24 | 22 | ||
@@ -36,10 +34,11 @@ protocol unix | |||
36 | seccomp | 34 | seccomp |
37 | shell none | 35 | shell none |
38 | 36 | ||
37 | disable-mnt | ||
39 | # using a private home directory | 38 | # using a private home directory |
40 | private | 39 | private |
41 | # private-bin Xvfb,sh,xkbcomp | 40 | # private-bin sh,xkbcomp,Xvfb |
42 | # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | 41 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb |
43 | private-dev | 42 | private-dev |
44 | private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 43 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
45 | private-tmp | 44 | private-tmp |
diff --git a/etc/akregator.profile b/etc/akregator.profile index 2f35c55c0..466eff22d 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -40,7 +40,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res | |||
40 | shell none | 40 | shell none |
41 | 41 | ||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper | 43 | private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5 |
44 | private-dev | 44 | private-dev |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
diff --git a/etc/allow-java.inc b/etc/allow-java.inc new file mode 100644 index 000000000..5204d2dea --- /dev/null +++ b/etc/allow-java.inc | |||
@@ -0,0 +1,6 @@ | |||
1 | noblacklist ${HOME}/.java | ||
2 | |||
3 | noblacklist ${PATH}/java | ||
4 | noblacklist /usr/lib/java | ||
5 | noblacklist /etc/java | ||
6 | noblacklist /usr/share/java | ||
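Review bot: the new allow-*.inc files have no header comment, and unlike the disable-*.inc files their effect depends on placement: `noblacklist` only protects a path from `blacklist` lines processed after it, so the include has to sit above `include disable-devel.inc` / `include disable-interpreters.inc` in the consuming profile (as JDownloader.profile and anki.profile do in this commit). A one-line comment at the top of each allow-*.inc file saying that it must be included before the disable-*.inc lines would prevent a silently ineffective include later on.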
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc new file mode 100644 index 000000000..51d76f9b1 --- /dev/null +++ b/etc/allow-lua.inc | |||
@@ -0,0 +1,4 @@ | |||
1 | noblacklist ${PATH}/lua* | ||
2 | noblacklist /usr/include/lua* | ||
3 | noblacklist /usr/lib/lua | ||
4 | noblacklist /usr/share/lua | ||
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc new file mode 100644 index 000000000..d37328936 --- /dev/null +++ b/etc/allow-perl.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | noblacklist ${PATH}/cpan* | ||
2 | noblacklist ${PATH}/core_perl | ||
3 | noblacklist ${PATH}/perl | ||
4 | noblacklist ${PATH}/site_perl | ||
5 | noblacklist ${PATH}/vendor_perl | ||
6 | noblacklist /usr/lib/perl* | ||
7 | noblacklist /usr/share/perl* | ||
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc new file mode 100644 index 000000000..8ea61648b --- /dev/null +++ b/etc/allow-python2.inc | |||
@@ -0,0 +1,5 @@ | |||
1 | noblacklist ${PATH}/python2* | ||
2 | noblacklist /usr/include/python2* | ||
3 | noblacklist /usr/lib/python2* | ||
4 | noblacklist /usr/local/lib/python2* | ||
5 | noblacklist /usr/share/python2* | ||
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc new file mode 100644 index 000000000..91c7ffca4 --- /dev/null +++ b/etc/allow-python3.inc | |||
@@ -0,0 +1,5 @@ | |||
1 | noblacklist ${PATH}/python3* | ||
2 | noblacklist /usr/include/python3* | ||
3 | noblacklist /usr/lib/python3* | ||
4 | noblacklist /usr/local/lib/python3* | ||
5 | noblacklist /usr/share/python3* | ||
diff --git a/etc/amarok.profile b/etc/amarok.profile index 6cec3befc..0b974e9ac 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
@@ -31,5 +31,5 @@ shell none | |||
31 | 31 | ||
32 | # private-bin amarok | 32 | # private-bin amarok |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 34 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl |
35 | private-tmp | 35 | private-tmp |
diff --git a/etc/amule.profile b/etc/amule.profile index 7cb2130bb..feb4a5e7e 100644 --- a/etc/amule.profile +++ b/etc/amule.profile | |||
@@ -6,7 +6,6 @@ include amule.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.aMule | 9 | noblacklist ${HOME}/.aMule |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
@@ -16,6 +15,7 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | 17 | ||
18 | mkdir ${HOME}/.aMule | ||
19 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
20 | whitelist ${HOME}/.aMule | 20 | whitelist ${HOME}/.aMule |
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
diff --git a/etc/anki.profile b/etc/anki.profile index 6ab95dd52..c349376ff 100644 --- a/etc/anki.profile +++ b/etc/anki.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS} | |||
10 | noblacklist ${HOME}/.local/share/Anki2 | 10 | noblacklist ${HOME}/.local/share/Anki2 |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 21 | include disable-programs.inc |
26 | include disable-xdg.inc | 22 | include disable-xdg.inc |
27 | 23 | ||
24 | mkdir ${HOME}/.local/share/Anki2 | ||
28 | whitelist ${DOCUMENTS} | 25 | whitelist ${DOCUMENTS} |
29 | whitelist ${HOME}/.local/share/Anki2 | 26 | whitelist ${HOME}/.local/share/Anki2 |
30 | include whitelist-common.inc | 27 | include whitelist-common.inc |
@@ -53,5 +50,5 @@ disable-mnt | |||
53 | private-bin anki,python* | 50 | private-bin anki,python* |
54 | private-cache | 51 | private-cache |
55 | private-dev | 52 | private-dev |
56 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl | 53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf |
57 | private-tmp | 54 | private-tmp |
diff --git a/etc/aosp.profile b/etc/aosp.profile index bdfefa923..701bf4733 100644 --- a/etc/aosp.profile +++ b/etc/aosp.profile | |||
@@ -5,7 +5,6 @@ include aosp.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.android | 8 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.bash_history | 9 | noblacklist ${HOME}/.bash_history |
11 | noblacklist ${HOME}/.config/git | 10 | noblacklist ${HOME}/.config/git |
diff --git a/etc/apktool.profile b/etc/apktool.profile index acddf010b..aeeb845ea 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
@@ -31,6 +31,6 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-bin apktool,bash,java,dirname,basename,expr,sh | 34 | private-bin apktool,basename,bash,dirname,expr,java,sh |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index e353326df..2f08fa169 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile | |||
@@ -7,7 +7,6 @@ include arch-audit.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | |||
11 | noblacklist /var/lib/pacman | 10 | noblacklist /var/lib/pacman |
12 | 11 | ||
13 | include disable-common.inc | 12 | include disable-common.inc |
diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile index 2f1715da1..19c37f90e 100644 --- a/etc/archaudit-report.profile +++ b/etc/archaudit-report.profile | |||
@@ -6,7 +6,6 @@ include archaudit-report.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/lib/pacman | 9 | noblacklist /var/lib/pacman |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | include disable-xdg.inc | 17 | include disable-xdg.inc |
19 | 18 | ||
20 | include whitelist-common.inc | ||
21 | |||
22 | caps.drop all | 19 | caps.drop all |
23 | ipc-namespace | 20 | ipc-namespace |
24 | netfilter | 21 | netfilter |
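Review bot: dropping `include whitelist-common.inc` (old line 20) is correct and deserves a sentence in the commit message: with no `whitelist` lines of its own, that include alone would have switched ${HOME} into whitelist mode with only the common dotfiles visible, and since this profile runs with `private` (line 35 of the next hunk) the home directory is an empty tmpfs anyway, so the line never did anything useful.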
@@ -36,7 +33,7 @@ shell none | |||
36 | 33 | ||
37 | disable-mnt | 34 | disable-mnt |
38 | private | 35 | private |
39 | private-bin archaudit-report,arch-audit,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds | 36 | private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds |
40 | #private-dev | 37 | #private-dev |
41 | private-tmp | 38 | private-tmp |
42 | 39 | ||
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 211a32e22..5ebeafa76 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -34,9 +34,9 @@ protocol unix | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm | 37 | #private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | #private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf | 40 | #private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11 |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/arduino.profile b/etc/arduino.profile index 2ea8445fe..fd1ca9a09 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -7,15 +7,11 @@ include arduino.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.arduino15 | 9 | noblacklist ${HOME}/.arduino15 |
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/Arduino | 10 | noblacklist ${HOME}/Arduino |
12 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
13 | 12 | ||
14 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
15 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
16 | noblacklist /usr/lib/java | ||
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 68c83e573..3b9dfc365 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -35,9 +35,10 @@ shell none | |||
35 | 35 | ||
36 | # disable-mnt | 36 | # disable-mnt |
37 | private-bin aria2c,gzip | 37 | private-bin aria2c,gzip |
38 | private-cache | 38 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) |
39 | #private-cache | ||
39 | private-dev | 40 | private-dev |
40 | private-etc alternatives,ca-certificates,ssl,resolv.conf | 41 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl |
41 | private-lib libreadline.so.* | 42 | private-lib libreadline.so.* |
42 | private-tmp | 43 | private-tmp |
43 | 44 | ||
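Review bot: commenting out `private-cache` (line 39) changes the shipped default for every user to fix a Lutris/winetricks interaction, so a downloader that fetches untrusted content now sees all of `${HOME}/.cache`. The profile already includes aria2c.local for per-user overrides, and `ignore private-cache` placed there would let Lutris users opt out while the default stays hardened; that keeps the secure setting as the default and turns the new comment on line 38 around to explain the opt-out. The `private-etc` additions on line 41 (crypto-policies, nsswitch.conf, pki) are right for TLS and resolver configuration; note that `hosts` is still absent, so names that only resolve through /etc/hosts will fail inside the sandbox, which may be intended.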
diff --git a/etc/ark.profile b/etc/ark.profile index 9214e96ff..7f74a4d49 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -34,8 +34,8 @@ protocol unix | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh | 37 | private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo |
38 | #private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg | 38 | #private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg |
39 | 39 | ||
40 | private-dev | 40 | private-dev |
41 | private-tmp | 41 | private-tmp |
diff --git a/etc/arm.profile b/etc/arm.profile index ae93e9665..51dad94d1 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.arm | 9 | noblacklist ${HOME}/.arm |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -45,8 +41,8 @@ shell none | |||
45 | tracelog | 41 | tracelog |
46 | 42 | ||
47 | disable-mnt | 43 | disable-mnt |
48 | private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig | 44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor |
49 | private-dev | 45 | private-dev |
50 | private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies | 46 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor |
51 | private-tmp | 47 | private-tmp |
52 | 48 | ||
diff --git a/etc/artha.profile b/etc/artha.profile index 8ef5124de..f886921cb 100644 --- a/etc/artha.profile +++ b/etc/artha.profile | |||
@@ -16,6 +16,13 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.config/artha.conf | ||
20 | mkdir ${HOME}/.config/enchant | ||
21 | whitelist ${HOME}/.config/artha.conf | ||
22 | whitelist ${HOME}/.config/enchant | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
19 | apparmor | 26 | apparmor |
20 | caps.drop all | 27 | caps.drop all |
21 | ipc-namespace | 28 | ipc-namespace |
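Review bot: `mkdir ${HOME}/.config/artha.conf` (line 19) looks wrong for a path whose name says it is a file: `mkdir` creates a directory when the path is absent, so a first-time user ends up with a directory called artha.conf and the application cannot write its configuration into it. If artha.conf is a regular file, `mkfile ${HOME}/.config/artha.conf` is the directive to use; the `whitelist` on line 21 works either way.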
@@ -38,7 +45,7 @@ disable-mnt | |||
38 | private-bin artha,enchant,notify-send | 45 | private-bin artha,enchant,notify-send |
39 | private-cache | 46 | private-cache |
40 | private-dev | 47 | private-dev |
41 | private-etc alternatives,machine-id,fonts | 48 | private-etc alternatives,fonts,machine-id |
42 | private-lib libnotify.so.* | 49 | private-lib libnotify.so.* |
43 | private-tmp | 50 | private-tmp |
44 | 51 | ||
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 6a9848e83..074d82955 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -7,7 +7,6 @@ include assogiate.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PICTURES} | 9 | noblacklist ${PICTURES} |
10 | whitelist ${PICTURES} | ||
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
13 | include disable-devel.inc | 12 | include disable-devel.inc |
@@ -16,6 +15,8 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | |||
19 | whitelist ${PICTURES} | ||
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
@@ -42,7 +43,7 @@ disable-mnt | |||
42 | private-bin assogiate,gtk-update-icon-cache,update-mime-database | 43 | private-bin assogiate,gtk-update-icon-cache,update-mime-database |
43 | private-cache | 44 | private-cache |
44 | private-dev | 45 | private-dev |
45 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* | 46 | private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.* |
46 | private-tmp | 47 | private-tmp |
47 | 48 | ||
48 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/asunder.profile b/etc/asunder.profile index fa2479051..fc10739aa 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -34,7 +34,6 @@ protocol unix,inet,inet6 | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
38 | private-dev | 37 | private-dev |
39 | private-tmp | 38 | private-tmp |
40 | 39 | ||
diff --git a/etc/atom.profile b/etc/atom.profile index a3c62284c..8928baf5d 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -8,11 +8,17 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.atom | 9 | noblacklist ${HOME}/.atom |
10 | noblacklist ${HOME}/.config/Atom | 10 | noblacklist ${HOME}/.config/Atom |
11 | noblacklist ${HOME}/.config/git | 11 | # allow rust |
12 | noblacklist ${HOME}/.cargo/config | 12 | noblacklist ${HOME}/.cargo/config |
13 | noblacklist ${HOME}/.cargo/registry | 13 | noblacklist ${HOME}/.cargo/registry |
14 | # allow git config files | ||
15 | noblacklist ${HOME}/.config/git | ||
14 | noblacklist ${HOME}/.gitconfig | 16 | noblacklist ${HOME}/.gitconfig |
15 | noblacklist ${HOME}/.git-credentials | 17 | noblacklist ${HOME}/.git-credentials |
18 | # allow python dev files | ||
19 | noblacklist ${HOME}/.python-history | ||
20 | noblacklist ${HOME}/.python_history | ||
21 | noblacklist ${HOME}/.pythonhist | ||
16 | noblacklist ${HOME}/.pythonrc.py | 22 | noblacklist ${HOME}/.pythonrc.py |
17 | 23 | ||
18 | include disable-common.inc | 24 | include disable-common.inc |
diff --git a/etc/atool.profile b/etc/atool.profile index b17498e9d..c9d950259 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -7,14 +7,8 @@ include atool.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 10 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/cpan* | 11 | include allow-perl.inc |
14 | noblacklist ${PATH}/core_perl | ||
15 | noblacklist ${PATH}/perl | ||
16 | noblacklist /usr/lib/perl* | ||
17 | noblacklist /usr/share/perl* | ||
18 | 12 | ||
19 | include disable-common.inc | 13 | include disable-common.inc |
20 | # include disable-devel.inc | 14 | # include disable-devel.inc |
@@ -44,12 +38,13 @@ protocol unix | |||
44 | seccomp | 38 | seccomp |
45 | shell none | 39 | shell none |
46 | tracelog | 40 | tracelog |
41 | x11 none | ||
47 | 42 | ||
48 | # private-bin atool,perl | 43 | # private-bin atool,perl |
49 | private-cache | 44 | private-cache |
50 | private-dev | 45 | private-dev |
51 | # without login.defs atool complains and uses UID/GID 1000 by default | 46 | # without login.defs atool complains and uses UID/GID 1000 by default |
52 | private-etc alternatives,passwd,group,login.defs | 47 | private-etc alternatives,group,login.defs,passwd |
53 | private-tmp | 48 | private-tmp |
54 | 49 | ||
55 | memory-deny-write-execute | 50 | memory-deny-write-execute |
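Review bot: `x11 none` (line 41) is a better replacement for the removed `blacklist /tmp/.X11-unix` because it also drops DISPLAY, XAUTHORITY and ~/.Xauthority, but it only takes care of the filesystem socket; the X server's abstract-namespace socket stays reachable unless the sandbox has its own network namespace (`net none`), and firejail refuses to start in that case. Confirm atool.profile already carries `net none` (it is not visible in this hunk); for a command-line archiver that is the right setting anyway.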
diff --git a/etc/atril.profile b/etc/atril.profile index 2f39af823..adca38cb5 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -40,7 +40,7 @@ seccomp | |||
40 | shell none | 40 | shell none |
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | private-bin atril, atril-previewer, atril-thumbnailer | 43 | private-bin atril,atril-previewer,atril-thumbnailer |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,ld.so.cache | 45 | private-etc alternatives,fonts,ld.so.cache |
46 | # atril uses webkit gtk to display epub files | 46 | # atril uses webkit gtk to display epub files |
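Review bot: the spaces in the old `private-bin atril, atril-previewer, atril-thumbnailer` most likely meant the second and third names were looked up with a leading space and never copied into the sandbox, so this is a functional fix rather than a cosmetic one; since this commit touches most profiles, a grep for `, ` inside `private-bin`, `private-etc` and `private-lib` lists would catch any remaining instances in one go.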
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index e08dc12eb..4887299ec 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator | |||
10 | noblacklist ${HOME}/.config/Authenticator | 10 | noblacklist ${HOME}/.config/Authenticator |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | #noblacklist ${PATH}/python2* | 13 | #include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | #noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | #noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -47,4 +43,4 @@ private-dev | |||
47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl |
48 | private-tmp | 44 | private-tmp |
49 | 45 | ||
50 | # memory-deny-write-execute - breaks on Arch | 46 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile index 44c0a3c15..bd50a2dfb 100644 --- a/etc/autokey-common.profile +++ b/etc/autokey-common.profile | |||
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey | |||
10 | noblacklist ${HOME}/.local/share/autokey | 10 | noblacklist ${HOME}/.local/share/autokey |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | noblacklist /usr/share/python2* | ||
20 | noblacklist /usr/share/python3* | ||
21 | 15 | ||
22 | include disable-common.inc | 16 | include disable-common.inc |
23 | include disable-devel.inc | 17 | include disable-devel.inc |
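Review bot: the list removed here was wider than in the other profiles on this page: it also un-blacklisted `/usr/share/python2*` and `/usr/share/python3*` (old lines 19-20). Unless `allow-python2.inc` and `allow-python3.inc` cover /usr/share, this hunk is a regression specific to autokey; either confirm the includes contain those paths or keep the two `noblacklist /usr/share/python*` lines after the new includes.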
@@ -44,4 +38,4 @@ private-cache | |||
44 | private-dev | 38 | private-dev |
45 | private-tmp | 39 | private-tmp |
46 | 40 | ||
47 | # memory-deny-write-execute - Breaks on Arch | 41 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/baobab.profile b/etc/baobab.profile index fc4e7f268..d2980f75c 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -33,4 +33,4 @@ private-bin baobab | |||
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
36 | #memory-deny-write-execute - breaks on Arch | 36 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/basilisk.profile b/etc/basilisk.profile index 5f9fc8ef7..5bc91dc74 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile | |||
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk | |||
10 | 10 | ||
11 | mkdir ${HOME}/.cache/moonchild productions/basilisk | 11 | mkdir ${HOME}/.cache/moonchild productions/basilisk |
12 | mkdir ${HOME}/.moonchild productions | 12 | mkdir ${HOME}/.moonchild productions |
13 | whitelist ${DOWNLOADS} | ||
14 | whitelist ${HOME}/.cache/moonchild productions/basilisk | 13 | whitelist ${HOME}/.cache/moonchild productions/basilisk |
15 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
16 | 15 | ||
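Review bot: dropping `whitelist ${DOWNLOADS}` (old line 13) is only safe if the common browser profile this one presumably redirects to whitelists it already; the remaining `whitelist ${HOME}/...` lines make the home whitelist-only, so without it the save dialog would write into a sandbox-private directory that vanishes on exit. The hunk gives no hint where ${DOWNLOADS} is handled now, so please state it in the commit or add a comment.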
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index c41aafd47..4f1b05c88 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -6,12 +6,12 @@ include bibletime.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.bibletime | 9 | noblacklist ${HOME}/.bibletime |
12 | noblacklist ${HOME}/.sword | 10 | noblacklist ${HOME}/.sword |
13 | noblacklist ${HOME}/.local/share/bibletime | 11 | noblacklist ${HOME}/.local/share/bibletime |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile index 8aae5d668..ac1e21ba7 100644 --- a/etc/bitcoin-qt.profile +++ b/etc/bitcoin-qt.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin bitcoin-qt | 43 | private-bin bitcoin-qt |
44 | private-dev | 44 | private-dev |
45 | # Causes problem with loading of libGL.so | 45 | # Causes problem with loading of libGL.so |
46 | #private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 46 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 287e5f52e..62eeb88f3 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -6,12 +6,15 @@ include bitlbee.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | ||
10 | |||
9 | noblacklist /sbin | 11 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 12 | noblacklist /usr/sbin |
11 | # noblacklist /var/log | 13 | # noblacklist /var/log |
12 | 14 | ||
13 | include disable-common.inc | 15 | include disable-common.inc |
14 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 20 | include disable-programs.inc |
@@ -34,5 +37,4 @@ private-cache | |||
34 | private-dev | 37 | private-dev |
35 | private-tmp | 38 | private-tmp |
36 | 39 | ||
37 | noexec /tmp | ||
38 | read-write /var/lib/bitlbee | 40 | read-write /var/lib/bitlbee |
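Review bot: `ignore noexec ${HOME}` (line 9) deserves a comment saying why bitlbee must execute from the home directory. `include disable-exec.inc` (line 17) presumably subsumes the `noexec /tmp` removed at the bottom, so the only real change in this hunk is that exemption, and with no rationale it reads like an oversight; if the reason is user-installed plugins, name the path so a later reader can narrow the exception instead of removing it.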
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile index 2a6fe9d42..a5538bacc 100644 --- a/etc/bitwarden.profile +++ b/etc/bitwarden.profile | |||
@@ -6,9 +6,10 @@ include bitwarden.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/Bitwarden | ||
10 | ignore noexec /tmp | 9 | ignore noexec /tmp |
11 | 10 | ||
11 | noblacklist ${HOME}/.config/Bitwarden | ||
12 | |||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
14 | include disable-exec.inc | 15 | include disable-exec.inc |
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 18 | include disable-programs.inc |
18 | include disable-xdg.inc | 19 | include disable-xdg.inc |
19 | 20 | ||
20 | include whitelist-common.inc | 21 | mkdir ${HOME}/.config/Bitwarden |
21 | include whitelist-var-common.inc | ||
22 | |||
23 | whitelist ${HOME}/.config/Bitwarden | 22 | whitelist ${HOME}/.config/Bitwarden |
24 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
25 | 26 | ||
26 | apparmor | 27 | apparmor |
27 | caps.drop all | 28 | caps.drop all |
@@ -46,8 +47,8 @@ private-bin bitwarden | |||
46 | private-cache | 47 | private-cache |
47 | ?HAS_APPIMAGE: ignore private-dev | 48 | ?HAS_APPIMAGE: ignore private-dev |
48 | private-dev | 49 | private-dev |
49 | private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,fonts,pki,resolv.conf,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl |
50 | private-opt Bitwarden | 51 | private-opt Bitwarden |
51 | private-tmp | 52 | private-tmp |
52 | 53 | ||
53 | #memory-deny-write-execute - breaks on Arch | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index cbc8c25d6..47c0cfa48 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -7,12 +7,8 @@ include bleachbit.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/blender.profile b/etc/blender.profile index bfe906408..6a72fb602 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/blender | 9 | noblacklist ${HOME}/.config/blender |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/bless.profile b/etc/bless.profile index d4ac80db1..35235962e 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -33,7 +33,7 @@ protocol unix | |||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | # private-bin bless,sh,bash,mono | 36 | # private-bin bash,bless,mono,sh |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts,mono | 39 | private-etc alternatives,fonts,mono |
diff --git a/etc/brackets.profile b/etc/brackets.profile index fa0d7e592..3e157d841 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -8,7 +8,7 @@ include globals.local | |||
8 | noblacklist ${HOME}/.config/Brackets | 8 | noblacklist ${HOME}/.config/Brackets |
9 | #noblacklist /opt/brackets/ | 9 | #noblacklist /opt/brackets/ |
10 | #noblacklist /opt/google/ | 10 | #noblacklist /opt/google/ |
11 | # Uncomment the the next two lines if you are developing rust. | 11 | # Uncomment the next two lines if you are developing rust. |
12 | # or put it in your brackets.local | 12 | # or put it in your brackets.local |
13 | #noblacklist ${HOME}/.cargo/config | 13 | #noblacklist ${HOME}/.cargo/config |
14 | #noblacklist ${HOME}/.cargo/registry | 14 | #noblacklist ${HOME}/.cargo/registry |
diff --git a/etc/brasero.profile b/etc/brasero.profile index aa838380a..058253308 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -31,7 +31,6 @@ tracelog | |||
31 | # private-bin brasero | 31 | # private-bin brasero |
32 | private-cache | 32 | private-cache |
33 | # private-dev | 33 | # private-dev |
34 | # private-etc alternatives,fonts | ||
35 | # private-tmp | 34 | # private-tmp |
36 | 35 | ||
37 | memory-deny-write-execute | 36 | memory-deny-write-execute |
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile index 6d9d162fd..e223ecf87 100644 --- a/etc/brave-browser.profile +++ b/etc/brave-browser.profile | |||
@@ -1,6 +1,5 @@ | |||
1 | # Firejail profile alias for brave | 1 | # Firejail profile alias for brave |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | |||
5 | # Redirect | 4 | # Redirect |
6 | include brave.profile | 5 | include brave.profile |
diff --git a/etc/brave.profile b/etc/brave.profile index cc003d49a..984fab5a8 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -6,6 +6,9 @@ include brave.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # noexec /tmp is included in chromium-common.profile and breaks Brave | ||
10 | ignore noexec /tmp | ||
11 | |||
9 | noblacklist ${HOME}/.config/brave | 12 | noblacklist ${HOME}/.config/brave |
10 | noblacklist ${HOME}/.config/BraveSoftware | 13 | noblacklist ${HOME}/.config/BraveSoftware |
11 | # brave uses gpg for built-in password manager | 14 | # brave uses gpg for built-in password manager |
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave | |||
17 | whitelist ${HOME}/.config/BraveSoftware | 20 | whitelist ${HOME}/.config/BraveSoftware |
18 | whitelist ${HOME}/.gnupg | 21 | whitelist ${HOME}/.gnupg |
19 | 22 | ||
20 | # noexec /tmp is included in chromium-common.profile and breaks Brave | ||
21 | ignore noexec /tmp | ||
22 | |||
23 | # Redirect | 23 | # Redirect |
24 | include chromium-common.profile | 24 | include chromium-common.profile |
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index f964438bc..1f7a02c2b 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -37,9 +37,9 @@ shell none | |||
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # support compressed archives | 39 | # support compressed archives |
40 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive | 40 | private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,passwd,group,localtime | 43 | private-etc alternatives,group,localtime,passwd |
44 | 44 | ||
45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
diff --git a/etc/bzflag.profile b/etc/bzflag.profile index 94cd40899..86ab73e0b 100644 --- a/etc/bzflag.profile +++ b/etc/bzflag.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | tracelog | 38 | tracelog |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin bzflag,bzflag-wrapper,bzfs,bzadmin | 41 | private-bin bzadmin,bzflag,bzflag-wrapper,bzfs |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/caja.profile b/etc/caja.profile index f38110dc9..c5cef7b27 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash | |||
14 | # noblacklist ${HOME}/.local/share/caja-python | 14 | # noblacklist ${HOME}/.local/share/caja-python |
15 | 15 | ||
16 | # Allow python (blacklisted by disable-interpreters.inc) | 16 | # Allow python (blacklisted by disable-interpreters.inc) |
17 | noblacklist ${PATH}/python2* | 17 | include allow-python2.inc |
18 | noblacklist ${PATH}/python3* | 18 | include allow-python3.inc |
19 | noblacklist /usr/lib/python2* | ||
20 | noblacklist /usr/lib/python3* | ||
21 | noblacklist /usr/local/lib/python2* | ||
22 | noblacklist /usr/local/lib/python3* | ||
23 | 19 | ||
24 | include disable-common.inc | 20 | include disable-common.inc |
25 | include disable-devel.inc | 21 | include disable-devel.inc |
@@ -43,5 +39,4 @@ tracelog | |||
43 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | 39 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files |
44 | # private-bin caja | 40 | # private-bin caja |
45 | # private-dev | 41 | # private-dev |
46 | # private-etc alternatives,fonts | ||
47 | # private-tmp | 42 | # private-tmp |
diff --git a/etc/cantata.profile b/etc/cantata.profile index e4a4de9c1..c44d56b90 100644 --- a/etc/cantata.profile +++ b/etc/cantata.profile | |||
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata | |||
11 | noblacklist ${HOME}/.local/share/cantata | 11 | noblacklist ${HOME}/.local/share/cantata |
12 | noblacklist ${MUSIC} | 12 | noblacklist ${MUSIC} |
13 | 13 | ||
14 | noblacklist ${PATH}/perl | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
15 | noblacklist /usr/lib/perl* | 15 | include allow-perl.inc |
16 | noblacklist /usr/share/perl* | ||
17 | 16 | ||
18 | include disable-common.inc | 17 | include disable-common.inc |
19 | include disable-devel.inc | 18 | include disable-devel.inc |
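Review bot: `include allow-perl.inc` (line 15) is broader than the three entries it replaces: judging by the lists removed from atool and checkbashisms on this page, it also un-blacklists `${PATH}/cpan*` and `${PATH}/core_perl`. That is harmless here only because the profile's `private-bin cantata,mpd,perl` leaves no cpan binary inside the sandbox; the same substitution in a profile without `private-bin` widens what the program can run.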
@@ -35,6 +34,6 @@ protocol unix,inet,inet6,netlink | |||
35 | seccomp | 34 | seccomp |
36 | shell none | 35 | shell none |
37 | 36 | ||
38 | # private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl | 37 | # private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg |
39 | private-bin cantata,mpd,perl | 38 | private-bin cantata,mpd,perl |
40 | private-dev | 39 | private-dev |
diff --git a/etc/catfish.profile b/etc/catfish.profile index 341348ff9..c6c2d7e8a 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -12,18 +12,14 @@ include globals.local | |||
12 | noblacklist ${HOME}/.config/catfish | 12 | noblacklist ${HOME}/.config/catfish |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | # include disable-common.inc |
23 | # include disable-devel.inc | 19 | # include disable-devel.inc |
24 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
25 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
26 | include disable-programs.inc | 22 | # include disable-programs.inc |
27 | 23 | ||
28 | whitelist /var/lib/mlocate | 24 | whitelist /var/lib/mlocate |
29 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
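Review bot: commenting out `include disable-common.inc` and `include disable-programs.inc` (lines 18 and 22) is a large loosening with no explanation in the hunk: disable-common.inc is what keeps ~/.ssh, ~/.gnupg, shell rc files and similar out of the sandbox, and disable-programs.inc hides other applications' configuration and profile data, while catfish is a file search tool that sits in front of all of it. If the intent is that search results must cover the whole home, say so in a comment and prefer targeted `noblacklist` lines for the paths users actually missed rather than dropping both includes wholesale; keeping `disable-passwdmgr.inc` suggests full exposure was not the goal.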
diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 5604a16b9..89543d6cc 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${MUSIC} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
@@ -42,9 +38,9 @@ seccomp | |||
42 | shell none | 38 | shell none |
43 | tracelog | 39 | tracelog |
44 | 40 | ||
45 | private-bin celluloid,gnome-mpv,youtube-dl,python*,env | 41 | private-bin celluloid,env,gnome-mpv,python*,youtube-dl |
46 | private-cache | 42 | private-cache |
47 | private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localtime,libva.conf,drirc,fonts,gtk-3.0,dconf,crypto-policies,xdg,selinux,resolv.conf | 43 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg |
48 | private-dev | 44 | private-dev |
49 | private-tmp | 45 | private-tmp |
50 | 46 | ||
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile index 5afbf2d56..fe3202cea 100644 --- a/etc/checkbashisms.profile +++ b/etc/checkbashisms.profile | |||
@@ -10,11 +10,7 @@ include globals.local | |||
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 12 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/cpan* | 13 | include allow-perl.inc |
14 | noblacklist ${PATH}/core_perl | ||
15 | noblacklist ${PATH}/perl | ||
16 | noblacklist /usr/lib/perl* | ||
17 | noblacklist /usr/share/perl* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -44,6 +40,7 @@ novideo | |||
44 | protocol unix | 40 | protocol unix |
45 | seccomp | 41 | seccomp |
46 | shell none | 42 | shell none |
43 | x11 none | ||
47 | 44 | ||
48 | private-cache | 45 | private-cache |
49 | private-dev | 46 | private-dev |
diff --git a/etc/cheese.profile b/etc/cheese.profile index b6cb0c9ce..633928260 100644 --- a/etc/cheese.profile +++ b/etc/cheese.profile | |||
@@ -7,6 +7,7 @@ include cheese.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${VIDEOS} | 9 | noblacklist ${VIDEOS} |
10 | noblacklist ${PICTURES} | ||
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
@@ -17,6 +18,7 @@ include disable-programs.inc | |||
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
18 | 19 | ||
19 | whitelist ${VIDEOS} | 20 | whitelist ${VIDEOS} |
21 | whitelist ${PICTURES} | ||
20 | include whitelist-common.inc | 22 | include whitelist-common.inc |
21 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
22 | 24 | ||
@@ -39,5 +41,5 @@ tracelog | |||
39 | disable-mnt | 41 | disable-mnt |
40 | private-bin cheese | 42 | private-bin cheese |
41 | private-cache | 43 | private-cache |
42 | private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf | 44 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 |
43 | private-tmp | 45 | private-tmp |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 44ef12aa2..70dea5bd9 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree | |||
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 63983d93b..ba6f9d88c 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -27,10 +27,9 @@ include whitelist-common.inc | |||
27 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
28 | 28 | ||
29 | apparmor | 29 | apparmor |
30 | caps.keep sys_chroot,sys_admin | 30 | caps.keep sys_admin,sys_chroot |
31 | netfilter | 31 | netfilter |
32 | # Breaks Gnome connector - disable if you use that | 32 | # nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector |
33 | nodbus | ||
34 | nodvd | 33 | nodvd |
35 | nogroups | 34 | nogroups |
36 | notv | 35 | notv |
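Review bot: removing `nodbus` (old line 33) gives every Chromium-based profile that redirects here (brave on this page, among others) unrestricted access to the session bus, with nothing limiting what a compromised browser process may call on it; the GNOME Keyring/KWallet convenience the new comment cites is real, but it should be the opt-in rather than the default. Suggest keeping the directive and documenting the escape hatch instead, e.g. `# Put 'ignore nodbus' in your .local if you need GNOME Keyring, KWallet or Gnome connector`; as written, line 32 still talks about nodbus as if it were active, which will mislead anyone reading the installed profile.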
@@ -42,4 +41,4 @@ private-dev | |||
42 | # private-tmp - problems with multiple browser sessions | 41 | # private-tmp - problems with multiple browser sessions |
43 | 42 | ||
44 | # the file dialog needs to work without d-bus | 43 | # the file dialog needs to work without d-bus |
45 | env NO_CHROME_KDE_FILE_DIALOG=1 | 44 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 |
diff --git a/etc/clawsker.profile b/etc/clawsker.profile index c519ecedb..f8c05a55b 100644 --- a/etc/clawsker.profile +++ b/etc/clawsker.profile | |||
@@ -9,11 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.claws-mail | 9 | noblacklist ${HOME}/.claws-mail |
10 | 10 | ||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | 11 | # Allow perl (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/cpan* | 12 | include allow-perl.inc |
13 | noblacklist ${PATH}/core_perl | ||
14 | noblacklist ${PATH}/perl | ||
15 | noblacklist /usr/lib/perl* | ||
16 | noblacklist /usr/share/perl* | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
@@ -51,4 +47,4 @@ private-etc alternatives,fonts | |||
51 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* | 47 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* |
52 | private-tmp | 48 | private-tmp |
53 | 49 | ||
54 | # memory-deny-write-execute - breaks on Arch | 50 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/clipit.profile b/etc/clipit.profile index 6e4d3fbaf..44cda0665 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -17,6 +17,13 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | mkdir ${HOME}/.config/clipit | ||
21 | mkdir ${HOME}/.local/share/clipit | ||
22 | whitelist ${HOME}/.config/clipit | ||
23 | whitelist ${HOME}/.local/share/clipit | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
20 | apparmor | 27 | apparmor |
21 | caps.drop all | 28 | caps.drop all |
22 | ipc-namespace | 29 | ipc-namespace |
diff --git a/etc/cmus.profile b/etc/cmus.profile index e602c4e2a..7e12a06de 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
@@ -27,4 +27,4 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin cmus | 29 | private-bin cmus |
30 | private-etc alternatives,group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl |
diff --git a/etc/code.profile b/etc/code.profile index 16678459e..6faf429e1 100644 --- a/etc/code.profile +++ b/etc/code.profile | |||
@@ -12,6 +12,9 @@ noblacklist ${HOME}/.config/Code - OSS | |||
12 | noblacklist ${HOME}/.config/git | 12 | noblacklist ${HOME}/.config/git |
13 | noblacklist ${HOME}/.gitconfig | 13 | noblacklist ${HOME}/.gitconfig |
14 | noblacklist ${HOME}/.git-credentials | 14 | noblacklist ${HOME}/.git-credentials |
15 | noblacklist ${HOME}/.python-history | ||
16 | noblacklist ${HOME}/.python_history | ||
17 | noblacklist ${HOME}/.pythonhist | ||
15 | noblacklist ${HOME}/.pythonrc.py | 18 | noblacklist ${HOME}/.pythonrc.py |
16 | noblacklist ${HOME}/.vscode | 19 | noblacklist ${HOME}/.vscode |
17 | noblacklist ${HOME}/.vscode-oss | 20 | noblacklist ${HOME}/.vscode-oss |
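Review bot: new lines 15-17 re-expose the Python REPL history files that disable-common.inc hides with `blacklist-nolog` (this commit even adds `.python_history` to that list). Interpreter history routinely contains pasted tokens and connection strings, so a one-line comment explaining why the editor needs them (for example an integrated Python console) would help the next reviewer judge the trade-off.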
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 21bef48a4..38edf0d21 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org | |||
10 | include disable-common.inc | 10 | include disable-common.inc |
11 | include disable-programs.inc | 11 | include disable-programs.inc |
12 | 12 | ||
13 | mkdir ${HOME}/.conkeror.mozdev.org | ||
14 | mkfile ${HOME}/.conkerorrc | ||
13 | whitelist ${HOME}/.conkeror.mozdev.org | 15 | whitelist ${HOME}/.conkeror.mozdev.org |
14 | whitelist ${HOME}/.conkerorrc | 16 | whitelist ${HOME}/.conkerorrc |
15 | whitelist ${HOME}/.gtkrc-2.0 | ||
16 | whitelist ${HOME}/.lastpass | 17 | whitelist ${HOME}/.lastpass |
17 | whitelist ${HOME}/.pentadactyl | 18 | whitelist ${HOME}/.pentadactyl |
18 | whitelist ${HOME}/.pentadactylrc | 19 | whitelist ${HOME}/.pentadactylrc |
diff --git a/etc/cower.profile b/etc/cower.profile index bc1eeedc0..69575cea4 100644 --- a/etc/cower.profile +++ b/etc/cower.profile | |||
@@ -1,20 +1,13 @@ | |||
1 | # Firejail profile for cower | 1 | # Firejail profile for cower |
2 | # Description: a simple AUR agent with a pretentious name | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | |||
4 | # This profile could be significantly strengthened by adding the following to cower.local | ||
5 | # whitelist ${HOME}/<Your Build Folder> | ||
6 | # whitelist ${HOME}/.config/cower/ | ||
7 | |||
8 | quiet | 4 | quiet |
9 | |||
10 | # Persistent local customizations | 5 | # Persistent local customizations |
11 | include cower.local | 6 | include cower.local |
12 | # Persistent global definitions | 7 | # Persistent global definitions |
13 | include globals.local | 8 | include globals.local |
14 | 9 | ||
15 | noblacklist ${HOME}/.config/cower/config | 10 | noblacklist ${HOME}/.config/cower |
16 | read-only ${HOME}/.config/cower/config | ||
17 | |||
18 | noblacklist /var/lib/pacman | 11 | noblacklist /var/lib/pacman |
19 | 12 | ||
20 | include disable-common.inc | 13 | include disable-common.inc |
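Review bot: new line 10 widens `noblacklist` from the single file `${HOME}/.config/cower/config` to the whole `${HOME}/.config/cower` directory. That is needed because this commit adds `blacklist ${HOME}/.config/cower` to disable-programs.inc, but it also exposes anything else stored there; the `read-only ${HOME}/.config/cower/config` removed here reappears at the end of the file (new line 48 in the last hunk), so the config file itself stays protected. A short comment beside the noblacklist would keep the two from drifting apart again.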
@@ -23,6 +16,11 @@ include disable-exec.inc | |||
23 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
25 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | ||
20 | |||
21 | # This profile could be significantly strengthened by adding the following to cower.local | ||
22 | # whitelist ${HOME}/<Your Build Folder> | ||
23 | # whitelist ${HOME}/.config/cower | ||
26 | 24 | ||
27 | caps.drop all | 25 | caps.drop all |
28 | ipc-namespace | 26 | ipc-namespace |
@@ -42,7 +40,9 @@ shell none | |||
42 | 40 | ||
43 | disable-mnt | 41 | disable-mnt |
44 | private-bin cower | 42 | private-bin cower |
43 | private-cache | ||
45 | private-dev | 44 | private-dev |
46 | private-tmp | 45 | private-tmp |
47 | 46 | ||
48 | memory-deny-write-execute | 47 | memory-deny-write-execute |
48 | read-only ${HOME}/.config/cower/config | ||
diff --git a/etc/cpio.profile b/etc/cpio.profile index b6f7e7f9f..17a765700 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -7,8 +7,6 @@ include cpio.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist /sbin | 10 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
14 | 12 | ||
@@ -36,6 +34,7 @@ novideo | |||
36 | seccomp | 34 | seccomp |
37 | shell none | 35 | shell none |
38 | tracelog | 36 | tracelog |
37 | x11 none | ||
39 | 38 | ||
40 | private-cache | 39 | private-cache |
41 | private-dev | 40 | private-dev |
diff --git a/etc/crow.profile b/etc/crow.profile index 8aa70a09c..755b6e9f8 100644 --- a/etc/crow.profile +++ b/etc/crow.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin crow | 39 | private-bin crow |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies | 41 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
42 | private-opt none | 42 | private-opt none |
43 | private-tmp | 43 | private-tmp |
44 | private-srv none | 44 | private-srv none |
diff --git a/etc/curl.profile b/etc/curl.profile index 2703c6fe8..76beee46a 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -7,10 +7,10 @@ include curl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.curlrc | 10 | noblacklist ${HOME}/.curlrc |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-exec.inc | 15 | include disable-exec.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
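Review bot: new lines 12-13 only move `blacklist /tmp/.X11-unix` below the `noblacklist`; cpio.profile and dconf.profile in this same commit replace that blacklist with `x11 none`, which also drops the DISPLAY and XAUTHORITY variables and refuses to start if the abstract X11 socket is reachable from the jail. curl has no use for X, so switch to `x11 none` here as well for consistency.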
@@ -34,5 +34,5 @@ shell none | |||
34 | # private-bin curl | 34 | # private-bin curl |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index fcb448b30..d1fff0004 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios | |||
13 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
14 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
15 | 15 | ||
16 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 16 | # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which |
17 | # private-etc must first be enabled in firefox-common.profile | 17 | # private-etc must first be enabled in firefox-common.profile |
18 | #private-etc cyberfox | 18 | #private-etc cyberfox |
19 | 19 | ||
diff --git a/etc/d-feet.profile b/etc/d-feet.profile index 9475bdd2a..e06769601 100644 --- a/etc/d-feet.profile +++ b/etc/d-feet.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/d-feet | 9 | noblacklist ${HOME}/.config/d-feet |
10 | 10 | ||
11 | # Allow python (disabled by disable-interpreters.inc) | 11 | # Allow python (disabled by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -53,4 +49,4 @@ private-dev | |||
53 | private-etc alternatives,dbus-1,fonts,machine-id | 49 | private-etc alternatives,dbus-1,fonts,machine-id |
54 | private-tmp | 50 | private-tmp |
55 | 51 | ||
56 | # memory-deny-write-execute - Breaks on Arch | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile index 6b7f8f112..7cd39ca6a 100644 --- a/etc/dconf-editor.profile +++ b/etc/dconf-editor.profile | |||
@@ -6,8 +6,6 @@ include dconf-editor.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | whitelist ${HOME}/.local/share/glib-2.0 | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 14 | include disable-programs.inc |
17 | include disable-xdg.inc | 15 | include disable-xdg.inc |
18 | 16 | ||
17 | whitelist ${HOME}/.local/share/glib-2.0 | ||
19 | include whitelist-common.inc | 18 | include whitelist-common.inc |
20 | 19 | ||
21 | apparmor | 20 | apparmor |
@@ -39,7 +38,7 @@ disable-mnt | |||
39 | private-bin dconf-editor | 38 | private-bin dconf-editor |
40 | private-cache | 39 | private-cache |
41 | private-dev | 40 | private-dev |
42 | private-etc alternatives,fonts,machine-id | 41 | private-etc alternatives,dconf,fonts,gtk-3.0,machine-id |
43 | private-lib | 42 | private-lib |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/dconf.profile b/etc/dconf.profile index 6ffcddaf5..81763bd94 100644 --- a/etc/dconf.profile +++ b/etc/dconf.profile | |||
@@ -6,8 +6,6 @@ include dconf.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | whitelist ${HOME}/.local/share/glib-2.0 | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 14 | include disable-programs.inc |
17 | include disable-xdg.inc | 15 | include disable-xdg.inc |
18 | 16 | ||
17 | whitelist ${HOME}/.local/share/glib-2.0 | ||
19 | # dconf paths are whitelisted by the following | 18 | # dconf paths are whitelisted by the following |
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
21 | 20 | ||
@@ -37,6 +36,7 @@ protocol unix | |||
37 | seccomp | 36 | seccomp |
38 | shell none | 37 | shell none |
39 | tracelog | 38 | tracelog |
39 | x11 none | ||
40 | 40 | ||
41 | disable-mnt | 41 | disable-mnt |
42 | private-bin dconf,gsettings | 42 | private-bin dconf,gsettings |
diff --git a/etc/deluge.profile b/etc/deluge.profile index e86c84272..8f4f9fbe9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/deluge | 9 | noblacklist ${HOME}/.config/deluge |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | # include disable-devel.inc | 16 | # include disable-devel.inc |
@@ -43,6 +39,6 @@ seccomp | |||
43 | shell none | 39 | shell none |
44 | 40 | ||
45 | # deluge is using python on Debian | 41 | # deluge is using python on Debian |
46 | private-bin deluge,deluge-console,deluged,deluge-gtk,deluge-web,sh,python*,uname | 42 | private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname |
47 | private-dev | 43 | private-dev |
48 | private-tmp | 44 | private-tmp |
diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 4e618b7ea..60bebb0c9 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile | |||
@@ -41,6 +41,6 @@ private-dev | |||
41 | private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl | 41 | private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | # memory-deny-write-execute - Breaks on Arch | 44 | #memory-deny-write-execute - breaks on Arch (see issue 1803) |
45 | 45 | ||
46 | read-only ${HOME} | 46 | read-only ${HOME} |
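Review bot: line 44 cites the issue as `issue 1803` while clawsker.profile and d-feet.profile in this commit write `issue #1803`; use one form so the reference is greppable.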
diff --git a/etc/devilspie.profile b/etc/devilspie.profile index 2d100c4b0..ca617983d 100644 --- a/etc/devilspie.profile +++ b/etc/devilspie.profile | |||
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.devilspie | ||
20 | whitelist ${HOME}/.devilspie | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
19 | apparmor | 24 | apparmor |
20 | caps.drop all | 25 | caps.drop all |
21 | ipc-namespace | 26 | ipc-namespace |
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile index 2f599366b..74b0dc939 100644 --- a/etc/devilspie2.profile +++ b/etc/devilspie2.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/devilspie2 | 9 | noblacklist ${HOME}/.config/devilspie2 |
10 | 10 | ||
11 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
12 | include allow-lua.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -16,6 +19,11 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 19 | include disable-programs.inc |
17 | include disable-xdg.inc | 20 | include disable-xdg.inc |
18 | 21 | ||
22 | mkdir ${HOME}/.config/devilspie2 | ||
23 | whitelist ${HOME}/.config/devilspie2 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
19 | apparmor | 27 | apparmor |
20 | caps.drop all | 28 | caps.drop all |
21 | ipc-namespace | 29 | ipc-namespace |
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 06a6be3aa..e5f37b06a 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
@@ -6,11 +6,8 @@ include dex2jar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow access to java | 9 | # Allow java (blacklisted by disable-devel.inc) |
10 | noblacklist ${PATH}/java | 10 | include allow-java.inc |
11 | noblacklist /usr/lib/java | ||
12 | noblacklist /etc/java | ||
13 | noblacklist /usr/share/java | ||
14 | 11 | ||
15 | include disable-common.inc | 12 | include disable-common.inc |
16 | include disable-devel.inc | 13 | include disable-devel.inc |
@@ -38,7 +35,7 @@ protocol unix | |||
38 | seccomp | 35 | seccomp |
39 | shell none | 36 | shell none |
40 | 37 | ||
41 | private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep | 38 | private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname |
42 | private-cache | 39 | private-cache |
43 | private-dev | 40 | private-dev |
44 | 41 | ||
diff --git a/etc/dig.profile b/etc/dig.profile index 1843f6e46..6f2c1f755 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | mkfile ${HOME}/.digrc | 20 | #mkfile ${HOME}/.digrc -- see #903 |
21 | whitelist ${HOME}/.digrc | 21 | whitelist ${HOME}/.digrc |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
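Review bot: commenting out `mkfile ${HOME}/.digrc` on line 20 leaves `whitelist ${HOME}/.digrc` on line 21 pointing at a file that may not exist, and firejail skips whitelist entries for paths that do not exist, so users who rely on ~/.digrc must now create it before running dig under this profile. The `-- see #903` pointer alone does not convey that; add a sentence to the comment.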
@@ -42,10 +42,9 @@ shell none | |||
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private | 44 | private |
45 | private-bin sh,bash,dig | 45 | private-bin bash,dig,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | # private-etc alternatives,resolv.conf | ||
49 | private-lib | 48 | private-lib |
50 | private-tmp | 49 | private-tmp |
51 | 50 | ||
diff --git a/etc/digikam.profile b/etc/digikam.profile index e9c89a1b9..1b80981f7 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -33,11 +33,8 @@ noroot | |||
33 | notv | 33 | notv |
34 | protocol unix,inet,inet6,netlink | 34 | protocol unix,inet,inet6,netlink |
35 | seccomp | 35 | seccomp |
36 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
37 | shell none | 36 | shell none |
38 | 37 | ||
39 | # private-bin program | ||
40 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 38 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
41 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
42 | private-tmp | 40 | private-tmp |
43 | |||
diff --git a/etc/dino.profile b/etc/dino.profile index 2db395e02..f7b220936 100644 --- a/etc/dino.profile +++ b/etc/dino.profile | |||
@@ -37,6 +37,6 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin dino | 38 | private-bin dino |
39 | private-dev | 39 | private-dev |
40 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection | 40 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 9d7a34bc5..ae82d72b5 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -19,7 +19,10 @@ blacklist-nolog ${HOME}/.local/share/fish/fish_history | |||
19 | blacklist-nolog ${HOME}/.local/share/klipper | 19 | blacklist-nolog ${HOME}/.local/share/klipper |
20 | blacklist-nolog ${HOME}/.macromedia | 20 | blacklist-nolog ${HOME}/.macromedia |
21 | blacklist-nolog ${HOME}/.python-history | 21 | blacklist-nolog ${HOME}/.python-history |
22 | blacklist-nolog ${HOME}/.python_history | ||
22 | blacklist-nolog ${HOME}/.pythonhist | 23 | blacklist-nolog ${HOME}/.pythonhist |
24 | blacklist-nolog ${HOME}/.lesshst | ||
25 | blacklist-nolog ${HOME}/.viminfo | ||
23 | blacklist-nolog /tmp/clipmenu* | 26 | blacklist-nolog /tmp/clipmenu* |
24 | 27 | ||
25 | # X11 session autostart | 28 | # X11 session autostart |
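Review bot: new line 24 `blacklist-nolog ${HOME}/.lesshst` is appended after the Python history entries, breaking the alphabetical order of this block; it belongs before the `.local/share/...` entries. Both additions are justified for the block's purpose: `.viminfo` records command-line history and register contents, which can hold secrets pasted into the editor.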
@@ -242,6 +245,7 @@ read-only ${HOME}/.ssh/authorized_keys | |||
242 | 245 | ||
243 | # Initialization files that allow arbitrary command execution | 246 | # Initialization files that allow arbitrary command execution |
244 | read-only ${HOME}/.caffrc | 247 | read-only ${HOME}/.caffrc |
248 | read-only ${HOME}/.cargo/env | ||
245 | read-only ${HOME}/.dotfiles | 249 | read-only ${HOME}/.dotfiles |
246 | read-only ${HOME}/.emacs | 250 | read-only ${HOME}/.emacs |
247 | read-only ${HOME}/.emacs.d | 251 | read-only ${HOME}/.emacs.d |
@@ -275,7 +279,6 @@ read-only ${HOME}/bin | |||
275 | read-only ${HOME}/.bin | 279 | read-only ${HOME}/.bin |
276 | read-only ${HOME}/.local/bin | 280 | read-only ${HOME}/.local/bin |
277 | read-only ${HOME}/.cargo/bin | 281 | read-only ${HOME}/.cargo/bin |
278 | read-only ${HOME}/.cargo/env | ||
279 | blacklist ${HOME}/.cargo/registry | 282 | blacklist ${HOME}/.cargo/registry |
280 | blacklist ${HOME}/.cargo/config | 283 | blacklist ${HOME}/.cargo/config |
281 | 284 | ||
@@ -294,10 +297,12 @@ blacklist ${HOME}/.Private | |||
294 | blacklist ${HOME}/.caff | 297 | blacklist ${HOME}/.caff |
295 | blacklist ${HOME}/.cert | 298 | blacklist ${HOME}/.cert |
296 | blacklist ${HOME}/.config/keybase | 299 | blacklist ${HOME}/.config/keybase |
300 | blacklist ${HOME}/.davfs2/secrets | ||
297 | blacklist ${HOME}/.ecryptfs | 301 | blacklist ${HOME}/.ecryptfs |
298 | blacklist ${HOME}/.fetchmailrc | 302 | blacklist ${HOME}/.fetchmailrc |
299 | blacklist ${HOME}/.gnome2/keyrings | 303 | blacklist ${HOME}/.gnome2/keyrings |
300 | blacklist ${HOME}/.gnupg | 304 | blacklist ${HOME}/.gnupg |
305 | blacklist ${HOME}/.config/hub | ||
301 | blacklist ${HOME}/.kde/share/apps/kwallet | 306 | blacklist ${HOME}/.kde/share/apps/kwallet |
302 | blacklist ${HOME}/.kde4/share/apps/kwallet | 307 | blacklist ${HOME}/.kde4/share/apps/kwallet |
303 | blacklist ${HOME}/.local/share/keyrings | 308 | blacklist ${HOME}/.local/share/keyrings |
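Review bot: new line 305 `blacklist ${HOME}/.config/hub` is out of order; it should precede `.config/keybase`. The entry itself is a good catch, since hub stores its GitHub OAuth token in that file.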
@@ -313,6 +318,7 @@ blacklist ${HOME}/.local/share/pki | |||
313 | blacklist ${HOME}/.smbcredentials | 318 | blacklist ${HOME}/.smbcredentials |
314 | blacklist ${HOME}/.ssh | 319 | blacklist ${HOME}/.ssh |
315 | blacklist ${HOME}/.vaults | 320 | blacklist ${HOME}/.vaults |
321 | blacklist /etc/davfs2/secrets | ||
316 | blacklist /etc/group+ | 322 | blacklist /etc/group+ |
317 | blacklist /etc/group- | 323 | blacklist /etc/group- |
318 | blacklist /etc/gshadow | 324 | blacklist /etc/gshadow |
@@ -414,3 +420,12 @@ blacklist /usr/share/flatpak | |||
414 | blacklist /var/lib/flatpak | 420 | blacklist /var/lib/flatpak |
415 | # most of the time bwrap is SUID binary | 421 | # most of the time bwrap is SUID binary |
416 | blacklist ${PATH}/bwrap | 422 | blacklist ${PATH}/bwrap |
423 | |||
424 | # mail directories used by mutt | ||
425 | blacklist ${HOME}/.Mail | ||
426 | blacklist ${HOME}/.mail | ||
427 | blacklist ${HOME}/.signature | ||
428 | blacklist ${HOME}/Mail | ||
429 | blacklist ${HOME}/mail | ||
430 | blacklist ${HOME}/postponed | ||
431 | blacklist ${HOME}/sent | ||
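Review bot: the comment on new line 424 says "mail directories used by mutt", but `${HOME}/.signature` on line 427 is a signature file, not a directory, and `Mail`, `mail`, `postponed` and `sent` are generic names that other clients use too. Reword it to something like "mail directories and files (mutt defaults)" so nobody later removes the entries as mutt-specific.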
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc index 22f58bb85..4c4eed25d 100644 --- a/etc/disable-interpreters.inc +++ b/etc/disable-interpreters.inc | |||
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm | |||
19 | blacklist ${PATH}/cpan* | 19 | blacklist ${PATH}/cpan* |
20 | blacklist ${PATH}/core_perl | 20 | blacklist ${PATH}/core_perl |
21 | blacklist ${PATH}/perl | 21 | blacklist ${PATH}/perl |
22 | blacklist ${PATH}/site_perl | ||
23 | blacklist ${PATH}/vendor_perl | ||
22 | blacklist /usr/lib/perl* | 24 | blacklist /usr/lib/perl* |
23 | blacklist /usr/share/perl* | 25 | blacklist /usr/share/perl* |
24 | 26 | ||
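Review bot: the two new entries `${PATH}/site_perl` and `${PATH}/vendor_perl` (lines 22-23) tighten the blacklist for Arch-style perl layouts, but allow-perl.inc, which clawsker.profile now includes instead of its own noblacklist lines (earlier in this diff), is not in the visible diff; it must noblacklist the same two paths or vendor-packaged perl modules will stop resolving in every profile that relies on it.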
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 5481f976f..fb7e02d0b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets | |||
7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/SoftMaker | 8 | blacklist ${HOME}/SoftMaker |
9 | blacklist ${HOME}/Standard Notes Backups | 9 | blacklist ${HOME}/Standard Notes Backups |
10 | blacklist ${HOME}/mps | ||
10 | blacklist ${HOME}/wallet.dat | 11 | blacklist ${HOME}/wallet.dat |
11 | blacklist ${HOME}/.*coin | 12 | blacklist ${HOME}/.*coin |
12 | blacklist ${HOME}/.8pecxstudios | 13 | blacklist ${HOME}/.8pecxstudios |
@@ -118,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf | |||
118 | blacklist ${HOME}/.config/asunder | 119 | blacklist ${HOME}/.config/asunder |
119 | blacklist ${HOME}/.config/atril | 120 | blacklist ${HOME}/.config/atril |
120 | blacklist ${HOME}/.config/audacious | 121 | blacklist ${HOME}/.config/audacious |
122 | blacklist ${HOME}/.config/autokey | ||
121 | blacklist ${HOME}/.config/aweather | 123 | blacklist ${HOME}/.config/aweather |
122 | blacklist ${HOME}/.config/baloofilerc | 124 | blacklist ${HOME}/.config/baloofilerc |
123 | blacklist ${HOME}/.config/baloorc | 125 | blacklist ${HOME}/.config/baloorc |
@@ -140,6 +142,7 @@ blacklist ${HOME}/.config/clipit | |||
140 | blacklist ${HOME}/.config/cliqz | 142 | blacklist ${HOME}/.config/cliqz |
141 | blacklist ${HOME}/.config/cmus | 143 | blacklist ${HOME}/.config/cmus |
142 | blacklist ${HOME}/.config/corebird | 144 | blacklist ${HOME}/.config/corebird |
145 | blacklist ${HOME}/.config/cower | ||
143 | blacklist ${HOME}/.config/darktable | 146 | blacklist ${HOME}/.config/darktable |
144 | blacklist ${HOME}/.config/deadbeef | 147 | blacklist ${HOME}/.config/deadbeef |
145 | blacklist ${HOME}/.config/deluge | 148 | blacklist ${HOME}/.config/deluge |
@@ -176,6 +179,7 @@ blacklist ${HOME}/.config/git | |||
176 | blacklist ${HOME}/.config/globaltime | 179 | blacklist ${HOME}/.config/globaltime |
177 | blacklist ${HOME}/.config/gnome-mplayer | 180 | blacklist ${HOME}/.config/gnome-mplayer |
178 | blacklist ${HOME}/.config/gnome-mpv | 181 | blacklist ${HOME}/.config/gnome-mpv |
182 | blacklist ${HOME}/.config/godot | ||
179 | blacklist ${HOME}/.config/gnome-pie | 183 | blacklist ${HOME}/.config/gnome-pie |
180 | blacklist ${HOME}/.config/google-chrome | 184 | blacklist ${HOME}/.config/google-chrome |
181 | blacklist ${HOME}/.config/google-chrome-beta | 185 | blacklist ${HOME}/.config/google-chrome-beta |
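Review bot: new line 182 `blacklist ${HOME}/.config/godot` is inserted between `gnome-mpv` and `gnome-pie`, which breaks the alphabetical order the rest of this commit is restoring (see the kdeconnect/kritarc/kwriterc and supertuxkart/truecraft hunks); it belongs after `gnome-pie` and before `google-chrome`.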
@@ -197,6 +201,7 @@ blacklist ${HOME}/.config/katerc | |||
197 | blacklist ${HOME}/.config/kateschemarc | 201 | blacklist ${HOME}/.config/kateschemarc |
198 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 202 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
199 | blacklist ${HOME}/.config/katevirc | 203 | blacklist ${HOME}/.config/katevirc |
204 | blacklist ${HOME}/.config/kdeconnect | ||
200 | blacklist ${HOME}/.config/kdenliverc | 205 | blacklist ${HOME}/.config/kdenliverc |
201 | blacklist ${HOME}/.config/kgetrc | 206 | blacklist ${HOME}/.config/kgetrc |
202 | blacklist ${HOME}/.config/kid3rc | 207 | blacklist ${HOME}/.config/kid3rc |
@@ -204,13 +209,12 @@ blacklist ${HOME}/.config/klavaro | |||
204 | blacklist ${HOME}/.config/klipperrc | 209 | blacklist ${HOME}/.config/klipperrc |
205 | blacklist ${HOME}/.config/kmail2rc | 210 | blacklist ${HOME}/.config/kmail2rc |
206 | blacklist ${HOME}/.config/kmailsearchindexingrc | 211 | blacklist ${HOME}/.config/kmailsearchindexingrc |
207 | blacklist ${HOME}/.config/kritarc | ||
208 | blacklist ${HOME}/.config/kwriterc | ||
209 | blacklist ${HOME}/.config/kdeconnect | ||
210 | blacklist ${HOME}/.config/knotesrc | 212 | blacklist ${HOME}/.config/knotesrc |
211 | blacklist ${HOME}/.config/konversationrc | 213 | blacklist ${HOME}/.config/konversationrc |
214 | blacklist ${HOME}/.config/kritarc | ||
212 | blacklist ${HOME}/.config/ktorrentrc | 215 | blacklist ${HOME}/.config/ktorrentrc |
213 | blacklist ${HOME}/.config/ktouch2rc | 216 | blacklist ${HOME}/.config/ktouch2rc |
217 | blacklist ${HOME}/.config/kwriterc | ||
214 | blacklist ${HOME}/.config/leafpad | 218 | blacklist ${HOME}/.config/leafpad |
215 | blacklist ${HOME}/.config/libreoffice | 219 | blacklist ${HOME}/.config/libreoffice |
216 | blacklist ${HOME}/.config/liferea | 220 | blacklist ${HOME}/.config/liferea |
@@ -235,6 +239,7 @@ blacklist ${HOME}/.config/nano | |||
235 | blacklist ${HOME}/.config/nautilus | 239 | blacklist ${HOME}/.config/nautilus |
236 | blacklist ${HOME}/.config/nemo | 240 | blacklist ${HOME}/.config/nemo |
237 | blacklist ${HOME}/.config/netsurf | 241 | blacklist ${HOME}/.config/netsurf |
242 | blacklist ${HOME}/.config/newsbeuter | ||
238 | blacklist ${HOME}/.config/nheko | 243 | blacklist ${HOME}/.config/nheko |
239 | blacklist ${HOME}/.config/NitroShare | 244 | blacklist ${HOME}/.config/NitroShare |
240 | blacklist ${HOME}/.config/nomacs | 245 | blacklist ${HOME}/.config/nomacs |
@@ -267,6 +272,7 @@ blacklist ${HOME}/.config/redshift.conf | |||
267 | blacklist ${HOME}/.config/remmina | 272 | blacklist ${HOME}/.config/remmina |
268 | blacklist ${HOME}/.config/ristretto | 273 | blacklist ${HOME}/.config/ristretto |
269 | blacklist ${HOME}/.config/scribus | 274 | blacklist ${HOME}/.config/scribus |
275 | blacklist ${HOME}/.config/scribusrc | ||
270 | blacklist ${HOME}/.config/sinew.in | 276 | blacklist ${HOME}/.config/sinew.in |
271 | blacklist ${HOME}/.config/skypeforlinux | 277 | blacklist ${HOME}/.config/skypeforlinux |
272 | blacklist ${HOME}/.config/slimjet | 278 | blacklist ${HOME}/.config/slimjet |
@@ -275,17 +281,17 @@ blacklist ${HOME}/.config/smtube | |||
275 | blacklist ${HOME}/.config/snox | 281 | blacklist ${HOME}/.config/snox |
276 | blacklist ${HOME}/.config/specialmailcollectionsrc | 282 | blacklist ${HOME}/.config/specialmailcollectionsrc |
277 | blacklist ${HOME}/.config/spotify | 283 | blacklist ${HOME}/.config/spotify |
278 | blacklist ${HOME}/.config/supertuxkart | ||
279 | blacklist ${HOME}/.config/sqlitebrowser | 284 | blacklist ${HOME}/.config/sqlitebrowser |
280 | blacklist ${HOME}/.config/stellarium | 285 | blacklist ${HOME}/.config/stellarium |
286 | blacklist ${HOME}/.config/supertuxkart | ||
281 | blacklist ${HOME}/.config/synfig | 287 | blacklist ${HOME}/.config/synfig |
282 | blacklist ${HOME}/.config/telepathy-account-widgets | 288 | blacklist ${HOME}/.config/telepathy-account-widgets |
283 | blacklist ${HOME}/.config/torbrowser | 289 | blacklist ${HOME}/.config/torbrowser |
284 | blacklist ${HOME}/.config/totem | 290 | blacklist ${HOME}/.config/totem |
285 | blacklist ${HOME}/.config/tox | 291 | blacklist ${HOME}/.config/tox |
286 | blacklist ${HOME}/.config/transgui | 292 | blacklist ${HOME}/.config/transgui |
287 | blacklist ${HOME}/.config/truecraft | ||
288 | blacklist ${HOME}/.config/transmission | 293 | blacklist ${HOME}/.config/transmission |
294 | blacklist ${HOME}/.config/truecraft | ||
289 | blacklist ${HOME}/.config/uGet | 295 | blacklist ${HOME}/.config/uGet |
290 | blacklist ${HOME}/.config/uzbl | 296 | blacklist ${HOME}/.config/uzbl |
291 | blacklist ${HOME}/.config/viewnior | 297 | blacklist ${HOME}/.config/viewnior |
@@ -328,7 +334,6 @@ blacklist ${HOME}/.electron-cache | |||
328 | blacklist ${HOME}/.electrum* | 334 | blacklist ${HOME}/.electrum* |
329 | blacklist ${HOME}/.elinks | 335 | blacklist ${HOME}/.elinks |
330 | blacklist ${HOME}/.emacs | 336 | blacklist ${HOME}/.emacs |
331 | blacklist ${HOME}/.emacs | ||
332 | blacklist ${HOME}/.emacs.d | 337 | blacklist ${HOME}/.emacs.d |
333 | blacklist ${HOME}/.ethereum | 338 | blacklist ${HOME}/.ethereum |
334 | blacklist ${HOME}/.etr | 339 | blacklist ${HOME}/.etr |
@@ -370,10 +375,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine | |||
370 | blacklist ${HOME}/.kde/share/apps/kcookiejar | 375 | blacklist ${HOME}/.kde/share/apps/kcookiejar |
371 | blacklist ${HOME}/.kde/share/apps/kget | 376 | blacklist ${HOME}/.kde/share/apps/kget |
372 | blacklist ${HOME}/.kde/share/apps/khtml | 377 | blacklist ${HOME}/.kde/share/apps/khtml |
378 | blacklist ${HOME}/.kde/share/apps/klatexformula | ||
373 | blacklist ${HOME}/.kde/share/apps/konqsidebartng | 379 | blacklist ${HOME}/.kde/share/apps/konqsidebartng |
374 | blacklist ${HOME}/.kde/share/apps/konqueror | 380 | blacklist ${HOME}/.kde/share/apps/konqueror |
375 | blacklist ${HOME}/.kde/share/apps/kopete | 381 | blacklist ${HOME}/.kde/share/apps/kopete |
376 | blacklist ${HOME}/.kde/share/apps/khtml | ||
377 | blacklist ${HOME}/.kde/share/apps/ktorrent | 382 | blacklist ${HOME}/.kde/share/apps/ktorrent |
378 | blacklist ${HOME}/.kde/share/apps/okular | 383 | blacklist ${HOME}/.kde/share/apps/okular |
379 | blacklist ${HOME}/.kde/share/config/baloofilerc | 384 | blacklist ${HOME}/.kde/share/config/baloofilerc |
@@ -426,10 +431,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc | |||
426 | blacklist ${HOME}/.killingfloor | 431 | blacklist ${HOME}/.killingfloor |
427 | blacklist ${HOME}/.kino-history | 432 | blacklist ${HOME}/.kino-history |
428 | blacklist ${HOME}/.kinorc | 433 | blacklist ${HOME}/.kinorc |
434 | blacklist ${HOME}/.klatexformula | ||
429 | blacklist ${HOME}/.kodi | 435 | blacklist ${HOME}/.kodi |
430 | blacklist ${HOME}/.lincity-ng | 436 | blacklist ${HOME}/.lincity-ng |
431 | blacklist ${HOME}/.linphone-history.db | 437 | blacklist ${HOME}/.linphone-history.db |
432 | blacklist ${HOME}/.linphonerc | 438 | blacklist ${HOME}/.linphonerc |
439 | blacklist ${HOME}/.links | ||
433 | blacklist ${HOME}/.lmmsrc.xml | 440 | blacklist ${HOME}/.lmmsrc.xml |
434 | blacklist ${HOME}/.local/lib/vivaldi | 441 | blacklist ${HOME}/.local/lib/vivaldi |
435 | blacklist ${HOME}/.local/share/0ad | 442 | blacklist ${HOME}/.local/share/0ad |
@@ -454,6 +461,7 @@ blacklist ${HOME}/.local/share/akonadi* | |||
454 | blacklist ${HOME}/.local/share/akregator | 461 | blacklist ${HOME}/.local/share/akregator |
455 | blacklist ${HOME}/.local/share/apps/korganizer | 462 | blacklist ${HOME}/.local/share/apps/korganizer |
456 | blacklist ${HOME}/.local/share/aspyr-media | 463 | blacklist ${HOME}/.local/share/aspyr-media |
464 | blacklist ${HOME}/.local/share/autokey | ||
457 | blacklist ${HOME}/.local/share/baloo | 465 | blacklist ${HOME}/.local/share/baloo |
458 | blacklist ${HOME}/.local/share/bibletime | 466 | blacklist ${HOME}/.local/share/bibletime |
459 | blacklist ${HOME}/.local/share/caja-python | 467 | blacklist ${HOME}/.local/share/caja-python |
@@ -486,6 +494,7 @@ blacklist ${HOME}/.local/share/gnome-photos | |||
486 | blacklist ${HOME}/.local/share/gnome-recipes | 494 | blacklist ${HOME}/.local/share/gnome-recipes |
487 | blacklist ${HOME}/.local/share/gnome-ring | 495 | blacklist ${HOME}/.local/share/gnome-ring |
488 | blacklist ${HOME}/.local/share/gnome-twitch | 496 | blacklist ${HOME}/.local/share/gnome-twitch |
497 | blacklist ${HOME}/.local/share/godot | ||
489 | blacklist ${HOME}/.local/share/gradio | 498 | blacklist ${HOME}/.local/share/gradio |
490 | blacklist ${HOME}/.local/share/gwenview | 499 | blacklist ${HOME}/.local/share/gwenview |
491 | blacklist ${HOME}/.local/share/kaffeine | 500 | blacklist ${HOME}/.local/share/kaffeine |
@@ -496,8 +505,8 @@ blacklist ${HOME}/.local/share/klavaro | |||
496 | blacklist ${HOME}/.local/share/kmail2 | 505 | blacklist ${HOME}/.local/share/kmail2 |
497 | blacklist ${HOME}/.local/share/knotes | 506 | blacklist ${HOME}/.local/share/knotes |
498 | blacklist ${HOME}/.local/share/krita | 507 | blacklist ${HOME}/.local/share/krita |
499 | blacklist ${HOME}/.local/share/ktorrentrc | ||
500 | blacklist ${HOME}/.local/share/ktorrent | 508 | blacklist ${HOME}/.local/share/ktorrent |
509 | blacklist ${HOME}/.local/share/ktorrentrc | ||
501 | blacklist ${HOME}/.local/share/ktouch | 510 | blacklist ${HOME}/.local/share/ktouch |
502 | blacklist ${HOME}/.local/share/kwrite | 511 | blacklist ${HOME}/.local/share/kwrite |
503 | blacklist ${HOME}/.local/share/liferea | 512 | blacklist ${HOME}/.local/share/liferea |
@@ -522,13 +531,13 @@ blacklist ${HOME}/.local/share/ocenaudio | |||
522 | blacklist ${HOME}/.local/share/okular | 531 | blacklist ${HOME}/.local/share/okular |
523 | blacklist ${HOME}/.local/share/orage | 532 | blacklist ${HOME}/.local/share/orage |
524 | blacklist ${HOME}/.local/share/org.kde.gwenview | 533 | blacklist ${HOME}/.local/share/org.kde.gwenview |
525 | blacklist ${HOME}/.local/share/rhythmbox | ||
526 | blacklist ${HOME}/.local/share/pix | 534 | blacklist ${HOME}/.local/share/pix |
527 | blacklist ${HOME}/.local/share/plasma_notes | 535 | blacklist ${HOME}/.local/share/plasma_notes |
528 | blacklist ${HOME}/.local/share/psi+ | 536 | blacklist ${HOME}/.local/share/psi+ |
529 | blacklist ${HOME}/.local/share/qpdfview | 537 | blacklist ${HOME}/.local/share/qpdfview |
530 | blacklist ${HOME}/.local/share/qutebrowser | 538 | blacklist ${HOME}/.local/share/qutebrowser |
531 | blacklist ${HOME}/.local/share/remmina | 539 | blacklist ${HOME}/.local/share/remmina |
540 | blacklist ${HOME}/.local/share/rhythmbox | ||
532 | blacklist ${HOME}/.local/share/scribus | 541 | blacklist ${HOME}/.local/share/scribus |
533 | blacklist ${HOME}/.local/share/spotify | 542 | blacklist ${HOME}/.local/share/spotify |
534 | blacklist ${HOME}/.local/share/steam | 543 | blacklist ${HOME}/.local/share/steam |
@@ -566,9 +575,11 @@ blacklist ${HOME}/.multimc5 | |||
566 | blacklist ${HOME}/.nanorc | 575 | blacklist ${HOME}/.nanorc |
567 | blacklist ${HOME}/.netactview | 576 | blacklist ${HOME}/.netactview |
568 | blacklist ${HOME}/.neverball | 577 | blacklist ${HOME}/.neverball |
578 | blacklist ${HOME}/.newsbeuter | ||
569 | blacklist ${HOME}/.newsboat | 579 | blacklist ${HOME}/.newsboat |
570 | blacklist ${HOME}/.nv | 580 | blacklist ${HOME}/.nv |
571 | blacklist ${HOME}/.nylas-mail | 581 | blacklist ${HOME}/.nylas-mail |
582 | blacklist ${HOME}/.openarena | ||
572 | blacklist ${HOME}/.opencity | 583 | blacklist ${HOME}/.opencity |
573 | blacklist ${HOME}/.openinvaders | 584 | blacklist ${HOME}/.openinvaders |
574 | blacklist ${HOME}/.openshot | 585 | blacklist ${HOME}/.openshot |
@@ -603,6 +614,7 @@ blacklist ${HOME}/.surf | |||
603 | blacklist ${HOME}/.sword | 614 | blacklist ${HOME}/.sword |
604 | blacklist ${HOME}/.sylpheed-2.0 | 615 | blacklist ${HOME}/.sylpheed-2.0 |
605 | blacklist ${HOME}/.synfig | 616 | blacklist ${HOME}/.synfig |
617 | blacklist ${HOME}/.config/teams-for-linux | ||
606 | blacklist ${HOME}/.tconn | 618 | blacklist ${HOME}/.tconn |
607 | blacklist ${HOME}/.teeworlds | 619 | blacklist ${HOME}/.teeworlds |
608 | blacklist ${HOME}/.thunderbird | 620 | blacklist ${HOME}/.thunderbird |
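Review bot: `blacklist ${HOME}/.config/teams-for-linux` is inserted into the run of plain dotfiles (`.synfig`, `.tconn`, `.teeworlds`) rather than into the `${HOME}/.config/*` block earlier in this file, where the other `.config` paths are kept sorted (it would go right after `blacklist ${HOME}/.config/telepathy-account-widgets`). Since the rest of this commit is re-sorting these lists, move the line there so the next sort pass does not have to.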
@@ -629,8 +641,8 @@ blacklist ${HOME}/.wget-hsts | |||
629 | blacklist ${HOME}/.wgetrc | 641 | blacklist ${HOME}/.wgetrc |
630 | blacklist ${HOME}/.widelands | 642 | blacklist ${HOME}/.widelands |
631 | blacklist ${HOME}/.wine | 643 | blacklist ${HOME}/.wine |
632 | blacklist ${HOME}/.wireshark | ||
633 | blacklist ${HOME}/.wine64 | 644 | blacklist ${HOME}/.wine64 |
645 | blacklist ${HOME}/.wireshark | ||
634 | blacklist ${HOME}/.xiphos | 646 | blacklist ${HOME}/.xiphos |
635 | blacklist ${HOME}/.xmind | 647 | blacklist ${HOME}/.xmind |
636 | blacklist ${HOME}/.xmms | 648 | blacklist ${HOME}/.xmms |
@@ -676,6 +688,7 @@ blacklist ${HOME}/.cache/fossamail | |||
676 | blacklist ${HOME}/.cache/freecol | 688 | blacklist ${HOME}/.cache/freecol |
677 | blacklist ${HOME}/.cache/gajim | 689 | blacklist ${HOME}/.cache/gajim |
678 | blacklist ${HOME}/.cache/geeqie | 690 | blacklist ${HOME}/.cache/geeqie |
691 | blacklist ${HOME}/.cache/godot | ||
679 | blacklist ${HOME}/.cache/google-chrome | 692 | blacklist ${HOME}/.cache/google-chrome |
680 | blacklist ${HOME}/.cache/google-chrome-beta | 693 | blacklist ${HOME}/.cache/google-chrome-beta |
681 | blacklist ${HOME}/.cache/google-chrome-unstable | 694 | blacklist ${HOME}/.cache/google-chrome-unstable |
diff --git a/etc/discord-common.profile b/etc/discord-common.profile index a791c7a06..82dd0475c 100644 --- a/etc/discord-common.profile +++ b/etc/discord-common.profile | |||
@@ -27,9 +27,9 @@ novideo | |||
27 | protocol unix,inet,inet6,netlink | 27 | protocol unix,inet,inet6,netlink |
28 | seccomp | 28 | seccomp |
29 | 29 | ||
30 | private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh | 30 | private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh |
31 | private-dev | 31 | private-dev |
32 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,ld.so.cache,localtime,login.defs,password,pki,resolv.conf,ssl | 32 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
33 | private-tmp | 33 | private-tmp |
34 | 34 | ||
35 | noexec /tmp | 35 | noexec /tmp |
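Review bot: the re-sorted `private-etc` line still carries `password`; the system file is `/etc/passwd` (compare the evince hunk in this same commit, `private-etc alternatives,fonts,group,machine-id,passwd`). Unless a distribution ships a file literally named `/etc/password`, this entry copies nothing into the private /etc and user/group lookups inside the sandbox see `group` but no `passwd`. Suggest `...,login.defs,machine-id,passwd,pki,resolv.conf,ssl`.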
diff --git a/etc/display.profile b/etc/display.profile index 0bab32db1..0b9d685e8 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -8,12 +8,8 @@ include globals.local | |||
8 | noblacklist ${PICTURES} | 8 | noblacklist ${PICTURES} |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python2* | 11 | include allow-python2.inc |
12 | noblacklist ${PATH}/python3* | 12 | include allow-python3.inc |
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
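Review bot: `include allow-python2.inc` / `include allow-python3.inc` (and `allow-perl.inc` in the exiftool hunk further down) replace explicit `noblacklist` lines, but the new include files themselves are not visible in this part of the diff. Please confirm they are added in this commit and picked up by the etc install step, since every profile switched here (display, electrum, exfalso, exiftool, filezilla, firefox-common-addons) now depends on them being present at run time; a profile that includes a missing file fails to load rather than silently losing the interpreter access.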
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0dc0cc793..ae248f2e8 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
@@ -26,7 +26,7 @@ nosound | |||
26 | notv | 26 | notv |
27 | nou2f | 27 | nou2f |
28 | novideo | 28 | novideo |
29 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 29 | seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice |
30 | 30 | ||
31 | disable-mnt | 31 | disable-mnt |
32 | private | 32 | private |
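Review bot: `perf_event_open` appears twice in the `seccomp.drop` list (`...,perf_event_open,perf_event_open,pivot_root,...`). The duplicate was already in the unsorted original, but sorting now places the two copies side by side, so this is the moment to drop one; harmless for the filter, just noise for the next person diffing the profile.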
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index bb41b71d1..daf4795c3 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -6,11 +6,11 @@ include dnsmasq.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/dooble.profile b/etc/dooble.profile index 80bcce463..bc197b223 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile | |||
@@ -1,11 +1,12 @@ | |||
1 | # Firejail profile for dooble | 1 | # Firejail profile for dooble |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include dooble.local | ||
5 | # Backward compatibility | ||
4 | include dooble-qt4.local | 6 | include dooble-qt4.local |
5 | # Persistent global definitions | 7 | # Persistent global definitions |
6 | include globals.local | 8 | include globals.local |
7 | 9 | ||
8 | |||
9 | noblacklist ${HOME}/.dooble | 10 | noblacklist ${HOME}/.dooble |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
diff --git a/etc/electrum.profile b/etc/electrum.profile index ffa0fb5f6..42438977f 100644 --- a/etc/electrum.profile +++ b/etc/electrum.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.electrum | 9 | noblacklist ${HOME}/.electrum |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -50,6 +46,6 @@ disable-mnt | |||
50 | private-bin electrum,python* | 46 | private-bin electrum,python* |
51 | private-cache | 47 | private-cache |
52 | private-dev | 48 | private-dev |
53 | private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf | 49 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl |
54 | private-tmp | 50 | private-tmp |
55 | 51 | ||
diff --git a/etc/elinks.profile b/etc/elinks.profile index 842a0db04..94f4179c7 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -6,10 +6,10 @@ include elinks.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.elinks | 9 | noblacklist ${HOME}/.elinks |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
@@ -36,5 +36,5 @@ tracelog | |||
36 | # private-bin elinks | 36 | # private-bin elinks |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/emacs.profile b/etc/emacs.profile index 24e800b5e..f8b451f02 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
@@ -12,6 +12,9 @@ noblacklist ${HOME}/.emacs.d | |||
12 | # or put it into your emacs.local | 12 | # or put it into your emacs.local |
13 | #noblacklist ${HOME}/.gnupg | 13 | #noblacklist ${HOME}/.gnupg |
14 | noblacklist ${HOME}/.python-history | 14 | noblacklist ${HOME}/.python-history |
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
17 | noblacklist ${HOME}/.pythonrc.py | ||
15 | 18 | ||
16 | include disable-common.inc | 19 | include disable-common.inc |
17 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
diff --git a/etc/enchant.profile b/etc/enchant.profile index 288d8799c..d30fb8232 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -35,6 +35,7 @@ protocol unix | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | x11 none | ||
38 | 39 | ||
39 | private-bin enchant,enchant-* | 40 | private-bin enchant,enchant-* |
40 | private-cache | 41 | private-cache |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 562e8f542..aaf3e3382 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -35,7 +35,6 @@ tracelog | |||
35 | 35 | ||
36 | # private-bin engrampa | 36 | # private-bin engrampa |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts | ||
39 | # private-tmp | 38 | # private-tmp |
40 | 39 | ||
41 | memory-deny-write-execute | 40 | memory-deny-write-execute |
diff --git a/etc/enpass.profile b/etc/enpass.profile index b337c721d..68113e294 100644 --- a/etc/enpass.profile +++ b/etc/enpass.profile | |||
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | mkdir ${HOME}/.cache/Enpass | ||
24 | mkfile ${HOME}/.config/sinew.in | ||
25 | mkdir ${HOME}/.config/Sinew Software Systems | ||
26 | mkdir ${HOME}/.local/share/Enpass | ||
23 | whitelist ${HOME}/.cache/Enpass | 27 | whitelist ${HOME}/.cache/Enpass |
24 | whitelist ${HOME}/.config/sinew.in | 28 | whitelist ${HOME}/.config/sinew.in |
25 | whitelist ${HOME}/.config/Sinew Software Systems | 29 | whitelist ${HOME}/.config/Sinew Software Systems |
26 | whitelist ${HOME}/.local/share/Enpass | 30 | whitelist ${HOME}/.local/share/Enpass |
27 | whitelist ${DOCUMENTS} | 31 | whitelist ${DOCUMENTS} |
28 | 32 | include whitelist-common.inc | |
29 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
30 | 34 | ||
31 | # machine-id and nosound break audio notification functionality | 35 | # machine-id and nosound break audio notification functionality |
@@ -49,10 +53,10 @@ seccomp | |||
49 | shell none | 53 | shell none |
50 | tracelog | 54 | tracelog |
51 | 55 | ||
52 | private-bin dirname,Enpass,importer_enpass,sh,readlink | 56 | private-bin dirname,Enpass,importer_enpass,readlink,sh |
53 | ?HAS_APPIMAGE: ignore private-dev | 57 | ?HAS_APPIMAGE: ignore private-dev |
54 | private-dev | 58 | private-dev |
55 | private-opt Enpass | 59 | private-opt Enpass |
56 | private-tmp | 60 | private-tmp |
57 | 61 | ||
58 | #memory-deny-write-execute - breaks on Arch | 62 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/eo-common.profile b/etc/eo-common.profile index ad18e10c4..2a65de5e1 100644 --- a/etc/eo-common.profile +++ b/etc/eo-common.profile | |||
@@ -44,4 +44,4 @@ private-etc alternatives,dconf,fonts,gtk-3.0 | |||
44 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 44 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | #memory-deny-write-execute - breaks on Arch | 47 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/evince.profile b/etc/evince.profile index 1a429d673..c1fbc7a4f 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer | |||
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,group,machine-id,passwd | 45 | private-etc alternatives,fonts,group,machine-id,passwd |
46 | private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv | 46 | private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) | 49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) |
diff --git a/etc/exfalso.profile b/etc/exfalso.profile index 6146a8952..b5eda059f 100644 --- a/etc/exfalso.profile +++ b/etc/exfalso.profile | |||
@@ -10,12 +10,11 @@ noblacklist ${HOME}/.quodlibet | |||
10 | noblacklist ${MUSIC} | 10 | noblacklist ${MUSIC} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | 15 | |
16 | noblacklist /usr/lib/python3* | 16 | whitelist ${DOWNLOADS} |
17 | noblacklist /usr/local/lib/python2* | 17 | whitelist ${MUSIC} |
18 | noblacklist /usr/local/lib/python3* | ||
19 | 18 | ||
20 | include disable-common.inc | 19 | include disable-common.inc |
21 | include disable-devel.inc | 20 | include disable-devel.inc |
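Review bot: `whitelist ${DOWNLOADS}` and `whitelist ${MUSIC}` are placed in the noblacklist section above the `include disable-*.inc` block, while the rest of the new whitelist block (`mkdir ${HOME}/.quodlibet`, `whitelist ${HOME}/.quodlibet`, `include whitelist-common.inc`) sits below it in the next hunk. Move the two lines down so all whitelist directives are together, which is the layout the enpass and falkon hunks in this commit use.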
@@ -25,6 +24,11 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 24 | include disable-programs.inc |
26 | include disable-xdg.inc | 25 | include disable-xdg.inc |
27 | 26 | ||
27 | mkdir ${HOME}/.quodlibet | ||
28 | whitelist ${HOME}/.quodlibet | ||
29 | include whitelist-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
28 | caps.drop all | 32 | caps.drop all |
29 | machine-id | 33 | machine-id |
30 | netfilter | 34 | netfilter |
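Review bot: this hunk is the one behaviour change in the exfalso profile, and the commit does not call it out: the first `whitelist` entry under ${HOME} switches the sandbox to a whitelisted home, so a music library kept anywhere other than ${MUSIC}, ${DOWNLOADS} or ${HOME}/.quodlibet is no longer visible to Ex Falso. A short comment above the block pointing users at `exfalso.local` for additional `whitelist` lines would save the inevitable "my files disappeared" report.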
@@ -49,4 +53,4 @@ private-etc alternatives,fonts,group,passwd | |||
49 | private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* | 53 | private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* |
50 | private-tmp | 54 | private-tmp |
51 | 55 | ||
52 | # memory-deny-write-execute - Breaks on Arch | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index f694ea212..e76a4ca4c 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -6,12 +6,8 @@ include exiftool.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | 9 | # Allow perl (blacklisted by disable-interpreters.inc) |
10 | 10 | include allow-perl.inc | |
11 | # Allow access to perl | ||
12 | noblacklist ${PATH}/perl | ||
13 | noblacklist /usr/lib/perl* | ||
14 | noblacklist /usr/share/perl* | ||
15 | 11 | ||
16 | include disable-common.inc | 12 | include disable-common.inc |
17 | include disable-devel.inc | 13 | include disable-devel.inc |
@@ -39,6 +35,7 @@ protocol unix | |||
39 | seccomp | 35 | seccomp |
40 | shell none | 36 | shell none |
41 | tracelog | 37 | tracelog |
38 | x11 none | ||
42 | 39 | ||
43 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. | 40 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. |
44 | # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. | 41 | # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. |
diff --git a/etc/falkon.profile b/etc/falkon.profile index af6aaa1a7..cabf5aeba 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile | |||
@@ -16,6 +16,8 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.cache/falkon | ||
20 | mkdir ${HOME}/.config/falkon | ||
19 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
20 | whitelist ${HOME}/.cache/falkon | 22 | whitelist ${HOME}/.cache/falkon |
21 | whitelist ${HOME}/.config/falkon | 23 | whitelist ${HOME}/.config/falkon |
diff --git a/etc/feh-network.inc b/etc/feh-network.inc index f3876475e..e94e7205c 100644 --- a/etc/feh-network.inc +++ b/etc/feh-network.inc | |||
@@ -1,4 +1,4 @@ | |||
1 | ignore net none | 1 | ignore net none |
2 | netfilter | 2 | netfilter |
3 | protocol unix,inet,inet6 | 3 | protocol unix,inet,inet6 |
4 | private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies | 4 | private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 46d0bd08e..d64fe830f 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile | |||
@@ -30,5 +30,5 @@ protocol unix,inet,inet6 | |||
30 | seccomp | 30 | seccomp |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | #private-bin fetchmail,procmail,bash,chmod | 33 | #private-bin bash,chmod,fetchmail,procmail |
34 | private-dev | 34 | private-dev |
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index ee722bc54..0771bf6a5 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -36,14 +36,13 @@ nou2f | |||
36 | novideo | 36 | novideo |
37 | protocol inet,inet6 | 37 | protocol inet,inet6 |
38 | seccomp | 38 | seccomp |
39 | # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom | ||
40 | shell none | 39 | shell none |
41 | tracelog | 40 | tracelog |
42 | 41 | ||
43 | private-bin ffmpeg | 42 | private-bin ffmpeg |
44 | private-cache | 43 | private-cache |
45 | private-dev | 44 | private-dev |
46 | private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf | 45 | private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl |
47 | private-tmp | 46 | private-tmp |
48 | 47 | ||
49 | # memory-deny-write-execute - it breaks old versions of ffmpeg | 48 | # memory-deny-write-execute - it breaks old versions of ffmpeg |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 95accdd36..59d2f3ec8 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | # private-bin file-roller | 40 | # private-bin file-roller |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts | ||
43 | # private-tmp | 42 | # private-tmp |
44 | 43 | ||
45 | # memory-deny-write-execute | 44 | # memory-deny-write-execute |
diff --git a/etc/file.profile b/etc/file.profile index c304b4efe..69fa7d8cd 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -7,8 +7,6 @@ include file.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | include disable-common.inc | 10 | include disable-common.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
14 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
@@ -38,7 +36,7 @@ x11 none | |||
38 | #private-bin file | 36 | #private-bin file |
39 | private-cache | 37 | private-cache |
40 | private-dev | 38 | private-dev |
41 | private-etc alternatives,magic.mgc,magic,localtime | 39 | private-etc alternatives,localtime,magic,magic.mgc |
42 | private-lib libarchive.so.*,libfakeroot,libmagic.so.* | 40 | private-lib libarchive.so.*,libfakeroot,libmagic.so.* |
43 | 41 | ||
44 | memory-deny-write-execute | 42 | memory-deny-write-execute |
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index d1bebafb5..d8d4c1746 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla | |||
10 | noblacklist ${HOME}/.filezilla | 10 | noblacklist ${HOME}/.filezilla |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -37,6 +33,6 @@ seccomp | |||
37 | shell none | 33 | shell none |
38 | 34 | ||
39 | # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin | 35 | # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin |
40 | private-bin filezilla,uname,sh,bash,zsh,python*,lsb_release,fzputtygen,fzsftp | 36 | private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh |
41 | private-dev | 37 | private-dev |
42 | private-tmp | 38 | private-tmp |
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc index 7a0c3e99f..0b95c555b 100644 --- a/etc/firefox-common-addons.inc +++ b/etc/firefox-common-addons.inc | |||
@@ -43,8 +43,10 @@ whitelist ${HOME}/.lastpass | |||
43 | whitelist ${HOME}/.local/share/kget | 43 | whitelist ${HOME}/.local/share/kget |
44 | whitelist ${HOME}/.local/share/okular | 44 | whitelist ${HOME}/.local/share/okular |
45 | whitelist ${HOME}/.local/share/qpdfview | 45 | whitelist ${HOME}/.local/share/qpdfview |
46 | whitelist ${HOME}/.local/share/tridactyl | ||
46 | whitelist ${HOME}/.pentadactyl | 47 | whitelist ${HOME}/.pentadactyl |
47 | whitelist ${HOME}/.pentadactylrc | 48 | whitelist ${HOME}/.pentadactylrc |
49 | whitelist ${HOME}/.tridactylrc | ||
48 | whitelist ${HOME}/.vimperator | 50 | whitelist ${HOME}/.vimperator |
49 | whitelist ${HOME}/.vimperatorrc | 51 | whitelist ${HOME}/.vimperatorrc |
50 | whitelist ${HOME}/.wine-pipelight | 52 | whitelist ${HOME}/.wine-pipelight |
@@ -56,8 +58,7 @@ whitelist ${HOME}/dwhelper | |||
56 | noblacklist ${HOME}/.local/share/gnome-shell | 58 | noblacklist ${HOME}/.local/share/gnome-shell |
57 | whitelist ${HOME}/.local/share/gnome-shell | 59 | whitelist ${HOME}/.local/share/gnome-shell |
58 | ignore nodbus | 60 | ignore nodbus |
59 | noblacklist ${PATH}/python3* | 61 | include allow-python3.inc |
60 | noblacklist /usr/lib/python3* | ||
61 | 62 | ||
62 | # Flash plugin | 63 | # Flash plugin |
63 | # private-etc must first be enabled in firefox-common.profile and in profiles including it. | 64 | # private-etc must first be enabled in firefox-common.profile and in profiles including it. |
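Review bot: line 61 replaces only two patterns (`${PATH}/python3*` and `/usr/lib/python3*`) with `include allow-python3.inc`, whereas elsewhere in this patch the same include stands in for three patterns including `/usr/local/lib/python3*`; if the .inc file carries that third pattern, this hunk quietly widens what Firefox add-ons may execute compared with the lines it removes. Acceptable if intended, but it deserves a sentence in the commit message rather than being folded into a cleanup.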
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index bccbb3412..961b338e7 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -34,11 +34,8 @@ caps.drop all | |||
34 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | 34 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. |
35 | #machine-id | 35 | #machine-id |
36 | netfilter | 36 | netfilter |
37 | # Breaks Gnome connector and KDE Connect. | 37 | # nodbus breaks various desktop integration features |
38 | # Also seems to break Ubuntu titlebar menu. | 38 | # among other things global menus, Gnome connector, KDE connect and power management on KDE Plasma |
39 | # Also breaks enigmail apparently? | ||
40 | # During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on. | ||
41 | # Therefore disable if you use that. | ||
42 | nodbus | 39 | nodbus |
43 | nodvd | 40 | nodvd |
44 | nogroups | 41 | nogroups |
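Review bot: the rewritten comment on lines 37-38 drops the one actionable piece of guidance the old one had (users who rely on those desktop features should disable `nodbus`); since firefox-common-addons.inc already uses `ignore nodbus` for exactly this purpose, consider ending the new comment with a pointer such as `# to re-enable, put 'ignore nodbus' in your .local override`, so the shorter text does not leave users guessing how to get KDE Connect or power management back.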
@@ -57,5 +54,5 @@ shell none | |||
57 | disable-mnt | 54 | disable-mnt |
58 | private-dev | 55 | private-dev |
59 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 56 | # private-etc below works fine on most distributions. There are some problems on CentOS. |
60 | #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache | 57 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
61 | private-tmp | 58 | private-tmp |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 830bbc6a7..84c647cb9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox | |||
15 | whitelist ${HOME}/.mozilla | 15 | whitelist ${HOME}/.mozilla |
16 | 16 | ||
17 | # firefox requires a shell to launch on Arch. | 17 | # firefox requires a shell to launch on Arch. |
18 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash | 18 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which |
19 | # private-etc must first be enabled in firefox-common.profile | 19 | # private-etc must first be enabled in firefox-common.profile |
20 | #private-etc firefox | 20 | #private-etc firefox |
21 | 21 | ||
diff --git a/etc/flameshot.profile b/etc/flameshot.profile index cd3e07455..3aad9723b 100644 --- a/etc/flameshot.profile +++ b/etc/flameshot.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin flameshot | 38 | private-bin flameshot |
39 | private-cache | 39 | private-cache |
40 | private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl |
41 | private-dev | 41 | private-dev |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index 1e84d4ca6..40472ab93 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade | |||
10 | noblacklist ${HOME}/.flowblade | 10 | noblacklist ${HOME}/.flowblade |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/font-manager.profile b/etc/font-manager.profile index 98952e1cc..1699e5cfc 100644 --- a/etc/font-manager.profile +++ b/etc/font-manager.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager | |||
10 | noblacklist ${HOME}/.config/font-manager | 10 | noblacklist ${HOME}/.config/font-manager |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -54,4 +50,4 @@ private-bin font-manager,python*,yelp | |||
54 | private-dev | 50 | private-dev |
55 | private-tmp | 51 | private-tmp |
56 | 52 | ||
57 | #memory-deny-write-execute - Breaks on Arch | 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index f98ad9983..6d305e2af 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge | |||
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/franz.profile b/etc/franz.profile index d6445ff8e..e917e5517 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -5,6 +5,8 @@ include franz.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.cache/Franz | 10 | noblacklist ${HOME}/.cache/Franz |
9 | noblacklist ${HOME}/.config/Franz | 11 | noblacklist ${HOME}/.config/Franz |
10 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
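Review bot: `ignore noexec /tmp` (line 8) carries no comment explaining why Franz needs an executable /tmp; exempting a world-writable directory from noexec is the kind of relaxation later maintainers will want to see justified (and, if possible, narrowed) right where it is set, so add a one-line reason above it, in the same way the gimp profile documents its `ignore noexec ${HOME}` further down in this patch.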
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki | |||
12 | 14 | ||
13 | include disable-common.inc | 15 | include disable-common.inc |
14 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
16 | include disable-programs.inc | 19 | include disable-programs.inc |
17 | 20 | ||
@@ -41,5 +44,3 @@ shell none | |||
41 | disable-mnt | 44 | disable-mnt |
42 | private-dev | 45 | private-dev |
43 | private-tmp | 46 | private-tmp |
44 | |||
45 | noexec ${HOME} | ||
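Review bot: removing `noexec ${HOME}` (line 45) is only a no-op if `disable-exec.inc`, which the earlier hunk in this file adds, still applies noexec to `${HOME}`; that .inc is not part of this section, so the commit message should say the directive moved into the include rather than disappeared, otherwise anyone reading this hunk in isolation sees a loosening of the Franz sandbox.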
diff --git a/etc/freeciv.profile b/etc/freeciv.profile index 4813379a7..fa115d325 100644 --- a/etc/freeciv.profile +++ b/etc/freeciv.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | tracelog | 38 | tracelog |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual | 41 | private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/freecol.profile b/etc/freecol.profile index 7987cc076..baeb4c528 100644 --- a/etc/freecol.profile +++ b/etc/freecol.profile | |||
@@ -7,16 +7,12 @@ include freecol.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.freecol | 9 | noblacklist ${HOME}/.freecol |
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/.cache/freecol | 10 | noblacklist ${HOME}/.cache/freecol |
12 | noblacklist ${HOME}/.config/freecol | 11 | noblacklist ${HOME}/.config/freecol |
13 | noblacklist ${HOME}/.local/share/freecol | 12 | noblacklist ${HOME}/.local/share/freecol |
14 | 13 | ||
15 | # Allow access to java | 14 | # Allow java (blacklisted by disable-devel.inc) |
16 | noblacklist ${PATH}/java | 15 | include allow-java.inc |
17 | noblacklist /usr/lib/java | ||
18 | noblacklist /etc/java | ||
19 | noblacklist /usr/share/java | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
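Review bot: `noblacklist ${HOME}/.java` (old line 10) is deleted together with the java path lines, but the replacement `include allow-java.inc` (line 15) is described by its own comment as lifting the disable-devel.inc blacklist, not home-directory entries; `${HOME}/.java` is where the JVM keeps its java.util.prefs data, so if disable-programs.inc blacklists that directory and allow-java.inc does not cover it, FreeCol loses its preferences store. Either keep the home noblacklist here or confirm that allow-java.inc handles it.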
diff --git a/etc/freemind.profile b/etc/freemind.profile index 507bd564d..ba945c0fb 100644 --- a/etc/freemind.profile +++ b/etc/freemind.profile | |||
@@ -7,12 +7,11 @@ include freemind.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
10 | noblacklist ${PATH}/java | ||
11 | noblacklist /etc/java | ||
12 | noblacklist /usr/lib/java | ||
13 | noblacklist /usr/share/java | ||
14 | noblacklist ${HOME}/.freemind | 10 | noblacklist ${HOME}/.freemind |
15 | 11 | ||
12 | # Allow java (blacklisted by disable-devel.inc) | ||
13 | include allow-java.inc | ||
14 | |||
16 | include disable-common.inc | 15 | include disable-common.inc |
17 | include disable-devel.inc | 16 | include disable-devel.inc |
18 | include disable-exec.inc | 17 | include disable-exec.inc |
@@ -43,7 +42,7 @@ shell none | |||
43 | tracelog | 42 | tracelog |
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink | 45 | private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which |
47 | private-cache | 46 | private-cache |
48 | private-dev | 47 | private-dev |
49 | #private-etc alternatives,fonts,java | 48 | #private-etc alternatives,fonts,java |
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 6de61840c..3931aa64a 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -9,11 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.frozen-bubble | 9 | noblacklist ${HOME}/.frozen-bubble |
10 | 10 | ||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | 11 | # Allow perl (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/cpan* | 12 | include allow-perl.inc |
13 | noblacklist ${PATH}/core_perl | ||
14 | noblacklist ${PATH}/perl | ||
15 | noblacklist /usr/lib/perl* | ||
16 | noblacklist /usr/share/perl* | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
@@ -42,5 +38,4 @@ shell none | |||
42 | disable-mnt | 38 | disable-mnt |
43 | # private-bin frozen-bubble | 39 | # private-bin frozen-bubble |
44 | private-dev | 40 | private-dev |
45 | # private-etc alternatives | ||
46 | private-tmp | 41 | private-tmp |
diff --git a/etc/gajim.profile b/etc/gajim.profile index 238b4fca9..74ab9f8b7 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim | |||
11 | noblacklist ${HOME}/.local/share/gajim | 11 | noblacklist ${HOME}/.local/share/gajim |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | #noblacklist ${PATH}/python2* | 14 | #include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | #noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | #noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
@@ -50,7 +46,7 @@ shell none | |||
50 | tracelog | 46 | tracelog |
51 | 47 | ||
52 | disable-mnt | 48 | disable-mnt |
53 | private-bin python,python3,sh,gpg,gpg2,gajim,bash,zsh,paplay,gajim-history-manager | 49 | private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh |
54 | private-dev | 50 | private-dev |
55 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl | 51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl |
56 | private-tmp | 52 | private-tmp |
diff --git a/etc/gcloud.profile b/etc/gcloud.profile index a08aebf2c..7ca99f420 100644 --- a/etc/gcloud.profile +++ b/etc/gcloud.profile | |||
@@ -36,5 +36,5 @@ tracelog | |||
36 | 36 | ||
37 | disable-mnt | 37 | disable-mnt |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache | 39 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/gconf.profile b/etc/gconf.profile index 5cc6b87a0..4baf8c957 100644 --- a/etc/gconf.profile +++ b/etc/gconf.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/gconf | 9 | noblacklist ${HOME}/.config/gconf |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | #noblacklist ${PATH}/python3* | 13 | #include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | #noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | #noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -46,6 +42,7 @@ protocol unix | |||
46 | seccomp | 42 | seccomp |
47 | shell none | 43 | shell none |
48 | tracelog | 44 | tracelog |
45 | x11 none | ||
49 | 46 | ||
50 | disable-mnt | 47 | disable-mnt |
51 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* | 48 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* |
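Review bot: `x11 none` (line 45) is added to a profile whose `private-bin` on line 48 still lists gconf-editor, a GTK desktop application; with the X11 sockets blocked it cannot open a display, so either gconf-editor should be dropped from private-bin (making this an explicitly command-line-only profile, which the rest of the list suggests) or the X11 restriction needs a comment explaining how the GUI tool is expected to run under it.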
diff --git a/etc/geany.profile b/etc/geany.profile index b9c0da12e..2cffb8777 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/git | |||
11 | noblacklist ${HOME}/.gitconfig | 11 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.python-history | 13 | noblacklist ${HOME}/.python-history |
14 | noblacklist ${HOME}/.python_history | ||
15 | noblacklist ${HOME}/.pythonhist | ||
14 | noblacklist ${HOME}/.pythonrc.py | 16 | noblacklist ${HOME}/.pythonrc.py |
15 | 17 | ||
16 | include disable-common.inc | 18 | include disable-common.inc |
diff --git a/etc/geary.profile b/etc/geary.profile index a21eed9f1..a446c81d0 100644 --- a/etc/geary.profile +++ b/etc/geary.profile | |||
@@ -4,27 +4,25 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include geary.local | 5 | include geary.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | # added by included profile |
8 | #include globals.local | ||
8 | 9 | ||
9 | # Users have Geary set to open a browser by clicking a link in an email | 10 | # Users have Geary set to open a browser by clicking a link in an email |
10 | # We are not allowed to blacklist browser-specific directories | 11 | # We are not allowed to blacklist browser-specific directories |
11 | 12 | ||
13 | ignore nodbus | ||
14 | ignore private-tmp | ||
15 | |||
12 | noblacklist ${HOME}/.gnupg | 16 | noblacklist ${HOME}/.gnupg |
13 | noblacklist ${HOME}/.local/share/geary | 17 | noblacklist ${HOME}/.local/share/geary |
14 | 18 | ||
15 | mkdir ${HOME}/.gnupg | 19 | mkdir ${HOME}/.gnupg |
16 | mkdir ${HOME}/.config/geary | 20 | mkdir ${HOME}/.config/geary |
17 | mkdir ${HOME}/.local/share/geary | 21 | mkdir ${HOME}/.local/share/geary |
18 | |||
19 | whitelist ${HOME}/.gnupg | 22 | whitelist ${HOME}/.gnupg |
20 | whitelist ${HOME}/.config/geary | 23 | whitelist ${HOME}/.config/geary |
21 | whitelist ${HOME}/.local/share/geary | 24 | whitelist ${HOME}/.local/share/geary |
22 | 25 | ||
23 | include whitelist-common.inc | ||
24 | |||
25 | ignore nodbus | ||
26 | ignore private-tmp | ||
27 | |||
28 | read-only ${HOME}/.config/mimeapps.list | 26 | read-only ${HOME}/.config/mimeapps.list |
29 | 27 | ||
30 | # allow browsers | 28 | # allow browsers |
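Review bot: lines 7-8 comment out `include globals.local` and the hunk also deletes `include whitelist-common.inc` (old line 23), both on the assumption that the browser profile included in the "allow browsers" section further down supplies them. That dependency is invisible here: if the included profile ever stops pulling in globals.local or whitelist-common.inc, geary silently loses its global overrides and the common dotfile whitelist. Naming the providing profile in the comment next to the commented-out include (instead of the generic "added by included profile") would make the coupling explicit and easy to check.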
diff --git a/etc/gedit.profile b/etc/gedit.profile index ca2cf6e92..ed6efc3b6 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -12,6 +12,8 @@ noblacklist ${HOME}/.config/git | |||
12 | noblacklist ${HOME}/.gitconfig | 12 | noblacklist ${HOME}/.gitconfig |
13 | noblacklist ${HOME}/.git-credentials | 13 | noblacklist ${HOME}/.git-credentials |
14 | noblacklist ${HOME}/.python-history | 14 | noblacklist ${HOME}/.python-history |
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
15 | noblacklist ${HOME}/.pythonrc.py | 17 | noblacklist ${HOME}/.pythonrc.py |
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
@@ -44,7 +46,6 @@ tracelog | |||
44 | 46 | ||
45 | # private-bin gedit | 47 | # private-bin gedit |
46 | private-dev | 48 | private-dev |
47 | # private-etc alternatives,fonts | 49 | private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.* |
48 | private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell | ||
49 | private-tmp | 50 | private-tmp |
50 | 51 | ||
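Review bot: line 49 drops `/usr/bin/gedit` from the private-lib list (and removes the commented `# private-etc alternatives,fonts`) without any note; if the binary was listed so that its own linked libraries get picked up, the trimmed and alphabetised list (`aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*`) needs a launch test with private-lib active before merging, and the removal deserves a word in the commit message since the rest of this patch is presented as reordering only.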
diff --git a/etc/geekbench.profile b/etc/geekbench.profile index 764c68131..8d7dbd48e 100644 --- a/etc/geekbench.profile +++ b/etc/geekbench.profile | |||
@@ -41,11 +41,11 @@ disable-mnt | |||
41 | private-bin bash,geekbenc*,sh | 41 | private-bin bash,geekbenc*,sh |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,group,passwd,lsb-release | 44 | private-etc alternatives,group,lsb-release,passwd |
45 | private-lib libstdc++.so.* | 45 | private-lib libstdc++.so.* |
46 | private-opt none | 46 | private-opt none |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | # memory-deny-write-execute - Breaks on Arch | 49 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
50 | 50 | ||
51 | read-only ${HOME} | 51 | read-only ${HOME} |
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index adfc3ef1c..8810ca161 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
@@ -31,4 +31,3 @@ shell none | |||
31 | 31 | ||
32 | # private-bin geeqie | 32 | # private-bin geeqie |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,X11 | ||
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile index 76011df19..48c02f195 100644 --- a/etc/ghostwriter.profile +++ b/etc/ghostwriter.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | #private-bin ghostwriter,pandoc | 49 | #private-bin ghostwriter,pandoc |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id | 52 | private-etc alternatives,crypto-policies,cups,dconf,drirc,fonts,gtk-3.0,localtime,machine-id |
53 | # Breaks Translation | 53 | # Breaks Translation |
54 | #private-lib | 54 | #private-lib |
55 | private-tmp | 55 | private-tmp |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 91001cd30..762e743c8 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -7,7 +7,8 @@ include gimp.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
10 | # if you are not using external plugins, you can disable ignore noexec statement below | 10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below |
11 | # or put 'ignore ignore noexec ${HOME}' in your gimp.local | ||
11 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
12 | 13 | ||
13 | noblacklist ${HOME}/.config/GIMP | 14 | noblacklist ${HOME}/.config/GIMP |
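Review bot: the new comment text on lines 10-11 has two problems: "you can comment 'ignore noexec' statement below" should read "comment out", and `ignore ignore noexec ${HOME}` relies on an `ignore` being able to suppress another `ignore` line; verify that firejail actually honours a nested ignore placed in gimp.local before documenting it, because a user who follows the comment and gets no effect ends up with an executable home directory while believing it is locked down.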
diff --git a/etc/git.profile b/etc/git.profile index 0eb69faed..f7c812e65 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -7,8 +7,6 @@ include git.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.config/git | 10 | noblacklist ${HOME}/.config/git |
13 | noblacklist ${HOME}/.config/nano | 11 | noblacklist ${HOME}/.config/nano |
14 | noblacklist ${HOME}/.emacs | 12 | noblacklist ${HOME}/.emacs |
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh | |||
22 | noblacklist ${HOME}/.vim | 20 | noblacklist ${HOME}/.vim |
23 | noblacklist ${HOME}/.viminfo | 21 | noblacklist ${HOME}/.viminfo |
24 | 22 | ||
23 | blacklist /tmp/.X11-unix | ||
24 | |||
25 | include disable-common.inc | 25 | include disable-common.inc |
26 | include disable-exec.inc | 26 | include disable-exec.inc |
27 | include disable-passwdmgr.inc | 27 | include disable-passwdmgr.inc |
diff --git a/etc/gitg.profile b/etc/gitg.profile index 656d5cfd8..f6f51ef6f 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
@@ -35,7 +35,7 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | 37 | ||
38 | private-bin gitg,git,ssh | 38 | private-bin git,gitg,ssh |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-tmp | 41 | private-tmp |
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile index 4a969f9ad..b25b138ad 100644 --- a/etc/github-desktop.profile +++ b/etc/github-desktop.profile | |||
@@ -42,7 +42,6 @@ disable-mnt | |||
42 | private-cache | 42 | private-cache |
43 | ?HAS_APPIMAGE: ignore private-dev | 43 | ?HAS_APPIMAGE: ignore private-dev |
44 | private-dev | 44 | private-dev |
45 | # private-etc alternatives | ||
46 | # private-lib | 45 | # private-lib |
47 | private-tmp | 46 | private-tmp |
48 | 47 | ||
diff --git a/etc/gitter.profile b/etc/gitter.profile index 7d0831bc4..017b1765a 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin bash,env,gitter | 39 | private-bin bash,env,gitter |
40 | private-etc alternatives,fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl |
41 | private-opt Gitter | 41 | private-opt Gitter |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/gjs.profile b/etc/gjs.profile index f119e5b34..17b0aa5cf 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
@@ -32,7 +32,7 @@ seccomp | |||
32 | shell none | 32 | shell none |
33 | tracelog | 33 | tracelog |
34 | 34 | ||
35 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | 35 | # private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 184751132..25cd94f0c 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -36,8 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-bin gjs gnome-books | 39 | # private-bin gjs,gnome-books |
40 | private-dev | 40 | private-dev |
41 | # private-etc alternatives,fonts | ||
42 | private-tmp | 41 | private-tmp |
43 | 42 | ||
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index c2459e6ee..dfa1a5da8 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile | |||
@@ -12,6 +12,8 @@ noblacklist ${HOME}/.config/git | |||
12 | noblacklist ${HOME}/.gitconfig | 12 | noblacklist ${HOME}/.gitconfig |
13 | noblacklist ${HOME}/.git-credentials | 13 | noblacklist ${HOME}/.git-credentials |
14 | noblacklist ${HOME}/.python-history | 14 | noblacklist ${HOME}/.python-history |
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
15 | noblacklist ${HOME}/.pythonrc.py | 17 | noblacklist ${HOME}/.pythonrc.py |
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 04409a5e4..e657293ac 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
40 | private-bin fairymax,gnome-chess,hoichess,gnuchess | 40 | private-bin fairymax,gnome-chess,gnuchess,hoichess |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 | 43 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 |
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index cb73a9477..2beee83e0 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile | |||
@@ -37,6 +37,6 @@ disable-mnt | |||
37 | private-bin gnome-clocks,gsound-play | 37 | private-bin gnome-clocks,gsound-play |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf | 40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 97de9c2be..be8e809ce 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
@@ -10,6 +10,7 @@ include globals.local | |||
10 | 10 | ||
11 | noblacklist ${HOME}/.cache/champlain | 11 | noblacklist ${HOME}/.cache/champlain |
12 | noblacklist ${HOME}/.local/share/flatpak | 12 | noblacklist ${HOME}/.local/share/flatpak |
13 | noblacklist ${HOME}/.local/share/maps-places.json | ||
13 | 14 | ||
14 | include disable-common.inc | 15 | include disable-common.inc |
15 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -19,6 +20,13 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 20 | include disable-programs.inc |
20 | include disable-xdg.inc | 21 | include disable-xdg.inc |
21 | 22 | ||
23 | mkdir ${HOME}/.cache/champlain | ||
24 | mkfile ${HOME}/.local/share/maps-places.json | ||
25 | whitelist ${HOME}/.cache/champlain | ||
26 | whitelist ${HOME}/.local/share/maps-places.json | ||
27 | whitelist ${DOWNLOADS} | ||
28 | whitelist ${PICTURES} | ||
29 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
23 | 31 | ||
24 | apparmor | 32 | apparmor |
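Review bot: lines 23-29 switch gnome-maps to a whitelisted home (mkdir/mkfile plus `include whitelist-common.inc`), which is the most consequential change in this file and is not mentioned anywhere visible beyond the directives themselves; the commit message should call it out. In addition, `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` (lines 27-28) need a comment saying which feature of a map viewer requires them, since every whitelisted user directory is data the sandboxed process can read and modify.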
@@ -39,8 +47,9 @@ shell none | |||
39 | tracelog | 47 | tracelog |
40 | 48 | ||
41 | disable-mnt | 49 | disable-mnt |
42 | # private-bin gjs gnome-maps | 50 | private-bin gjs,gnome-maps |
51 | # private-cache -- gnome-maps cache all maps/satelite-images | ||
43 | private-dev | 52 | private-dev |
44 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 53 | private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg |
45 | private-tmp | 54 | private-tmp |
46 | 55 | ||
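Review bot: the `private-etc` list on line 53 is very long and includes entries such as `ld.so.preload`, `gcrypt`, `rpc`, `protocols` and `services` whose necessity for gnome-maps is not obvious; a private /etc that mirrors most of the real one gives little confinement benefit, so trim it to what a launch actually needs or add a short justification for the unusual entries. Also, the comment on line 51 should read "gnome-maps caches all maps/satellite images" (typo "satelite", and "cache" should be "caches").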
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 6bebeb526..ad3fa1753 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music | |||
10 | noblacklist ${MUSIC} | 10 | noblacklist ${MUSIC} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -41,8 +37,8 @@ seccomp | |||
41 | shell none | 37 | shell none |
42 | tracelog | 38 | tracelog |
43 | 39 | ||
44 | private-bin gnome-music,python*,env,gio-launch-desktop,yelp | 40 | private-bin env,gio-launch-desktop,gnome-music,python*,yelp |
45 | private-dev | 41 | private-dev |
46 | private-etc alternatives,fonts,machine-id,pulse,asound.conf | 42 | private-etc alternatives,asound.conf,fonts,machine-id,pulse |
47 | private-tmp | 43 | private-tmp |
48 | 44 | ||
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile index 3f28b7efe..001274372 100644 --- a/etc/gnome-nettool.profile +++ b/etc/gnome-nettool.profile | |||
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc | |||
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | 16 | ||
17 | include whitelist-common.inc | 17 | #include whitelist-common.inc -- see #903 |
18 | include whitelist-var-common.inc | 18 | include whitelist-var-common.inc |
19 | 19 | ||
20 | caps.keep net_raw | 20 | caps.keep net_raw |
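Review bot: commenting out `include whitelist-common.inc` with only `-- see #903` keeps the reason out of the profile; a short note on what broke (which path the tool needed) would let a maintainer re-enable the whitelist later, or replace it with a narrower `whitelist` for that one path. Without the include, what the sandbox sees of ${HOME} is governed solely by the `private` directive further down this profile, so that line is now doing the work and should not be removed independently, especially for a tool that also keeps `caps.keep net_raw`.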
@@ -39,6 +39,6 @@ disable-mnt | |||
39 | private | 39 | private |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* | 42 | private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 4e5a3b109..3bbad67bb 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -33,8 +33,7 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | # private-bin gjs gnome-photos | 36 | # private-bin gjs,gnome-photos |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts | ||
39 | private-tmp | 38 | private-tmp |
40 | 39 | ||
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile index 1a897a5d8..567fa262c 100644 --- a/etc/gnome-recipes.profile +++ b/etc/gnome-recipes.profile | |||
@@ -43,7 +43,7 @@ shell none | |||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin gnome-recipes,tar | 44 | private-bin gnome-recipes,tar |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
47 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* | 47 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index 931efbbab..0fca08505 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile | |||
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal | |||
36 | noblacklist ${PATH}/xfce4-terminal.wrapper | 36 | noblacklist ${PATH}/xfce4-terminal.wrapper |
37 | 37 | ||
38 | # Allow python (blacklisted by disable-interpreters.inc) | 38 | # Allow python (blacklisted by disable-interpreters.inc) |
39 | noblacklist ${PATH}/python2* | 39 | include allow-python2.inc |
40 | noblacklist ${PATH}/python3* | 40 | include allow-python3.inc |
41 | noblacklist /usr/lib/python2* | ||
42 | noblacklist /usr/lib/python3* | ||
43 | noblacklist /usr/local/lib/python2* | ||
44 | noblacklist /usr/local/lib/python3* | ||
45 | 41 | ||
46 | include disable-common.inc | 42 | include disable-common.inc |
47 | include disable-devel.inc | 43 | include disable-devel.inc |
@@ -73,6 +69,5 @@ tracelog | |||
73 | disable-mnt | 69 | disable-mnt |
74 | private-cache | 70 | private-cache |
75 | private-dev | 71 | private-dev |
76 | # private-etc alternatives | ||
77 | writable-var | 72 | writable-var |
78 | 73 | ||
diff --git a/etc/gnome-sound-recorder.profile b/etc/gnome-sound-recorder.profile new file mode 100644 index 000000000..135106c1e --- /dev/null +++ b/etc/gnome-sound-recorder.profile | |||
@@ -0,0 +1,41 @@ | |||
1 | # Firejail profile for gnome-sound-recorder | ||
2 | # Description: simple sound recordings for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-sound-recorder.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${MUSIC} | ||
10 | noblacklist ${HOME}/.local/share/flatpak | ||
11 | noblacklist ${HOME}/.local/share/Trash | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | net none | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | seccomp | ||
34 | shell none | ||
35 | tracelog | ||
36 | |||
37 | disable-mnt | ||
38 | private-cache | ||
39 | private-dev | ||
40 | private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg | ||
41 | private-tmp | ||
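Review bot: the profile does not whitelist ${HOME}: with only `include whitelist-var-common.inc` at line 21, everything under the home directory that the disable-*.inc files do not blacklist stays visible and writable. The only home paths the recorder is explicitly given are ${MUSIC}, the flatpak data directory and Trash (lines 9-11), so `whitelist ${MUSIC}` (plus Trash if needed) together with `include whitelist-common.inc` would confine it to what it records into; if a whitelist was tried and broke something, a comment saying so would spare the next contributor the experiment. `net none` with `protocol unix` is a good fit for a local recorder.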
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index ef7255130..a43db7e2f 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
@@ -37,8 +37,8 @@ shell none | |||
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
40 | # private-bin gjs gnome-weather | 40 | # private-bin gjs,gnome-weather |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 42 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/godot.profile b/etc/godot.profile new file mode 100644 index 000000000..2baf09b1d --- /dev/null +++ b/etc/godot.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for godot | ||
2 | # Description: multi-platform 2D and 3D game engine with a feature-rich editor | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include godot.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/godot | ||
10 | noblacklist ${HOME}/.config/godot | ||
11 | noblacklist ${HOME}/.local/share/godot | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodbus | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | |||
39 | # private-bin godot | ||
40 | private-cache | ||
41 | private-dev | ||
42 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl | ||
43 | private-tmp | ||
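Review bot: lines 37-38 leave a double blank line before `# private-bin godot`; the other profiles in this series use a single one. Otherwise the permissions match the editor's needs: the network is kept (`netfilter`, `protocol unix,inet,inet6,netlink`) with `nodbus`, `novideo` and `caps.drop all` applied, and the `private-etc` list at line 42 carries the resolver and TLS trust files that networked use requires.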
diff --git a/etc/goobox.profile b/etc/goobox.profile index be332665e..c932ad528 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
@@ -31,5 +31,5 @@ tracelog | |||
31 | 31 | ||
32 | # private-bin goobox | 32 | # private-bin goobox |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 34 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
35 | # private-tmp | 35 | # private-tmp |
diff --git a/etc/google-earth.profile b/etc/google-earth.profile index a29e0d563..447a895d7 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile | |||
@@ -45,7 +45,7 @@ seccomp | |||
45 | shell none | 45 | shell none |
46 | 46 | ||
47 | disable-mnt | 47 | disable-mnt |
48 | private-bin google-earth,sh,bash,grep,sed,ls,dirname | 48 | private-bin bash,dirname,google-earth,grep,ls,sed,sh |
49 | private-dev | 49 | private-dev |
50 | private-opt google | 50 | private-opt google |
51 | 51 | ||
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 4932c9e42..daa385234 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # noexec /tmp breaks mpris support | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/Google Play Music Desktop Player | 11 | noblacklist ${HOME}/.config/Google Play Music Desktop Player |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
15 | 19 | ||
20 | mkdir ${HOME}/.config/Google Play Music Desktop Player | ||
16 | # whitelist ${HOME}/.config/pulse | 21 | # whitelist ${HOME}/.config/pulse |
17 | # whitelist ${HOME}/.pulse | 22 | # whitelist ${HOME}/.pulse |
18 | whitelist ${HOME}/.config/Google Play Music Desktop Player | 23 | whitelist ${HOME}/.config/Google Play Music Desktop Player |
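Review bot: `ignore noexec /tmp` on line 9 has to precede `include disable-exec.inc` on line 15 to take effect, and it does; the comment on line 8 explains why. The trade-off is that /tmp stays executable inside the sandbox while the other `noexec` paths from disable-exec.inc still apply; `private-tmp` later in this profile at least keeps that /tmp empty apart from what the app itself writes. The new `mkdir` on line 20 ahead of the `whitelist` on line 23 is the right order, so the whitelist is not silently skipped on a fresh account where the config directory does not exist yet.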
@@ -35,7 +40,3 @@ shell none | |||
35 | disable-mnt | 40 | disable-mnt |
36 | private-dev | 41 | private-dev |
37 | private-tmp | 42 | private-tmp |
38 | |||
39 | noexec ${HOME} | ||
40 | # noexec /tmp breaks mpris support | ||
41 | #noexec /tmp | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7181837d5..61b485df5 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -6,10 +6,10 @@ include gpg-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 51662b59c..99ad1b888 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -6,10 +6,10 @@ include gpg.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index be3742fe3..c1f1b53a0 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -15,6 +15,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.config/Gpredict | ||
18 | whitelist ${HOME}/.config/Gpredict | 19 | whitelist ${HOME}/.config/Gpredict |
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | 21 | ||
@@ -34,6 +35,6 @@ tracelog | |||
34 | 35 | ||
35 | private-bin gpredict | 36 | private-bin gpredict |
36 | private-dev | 37 | private-dev |
37 | private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 38 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl |
38 | private-tmp | 39 | private-tmp |
39 | 40 | ||
diff --git a/etc/gradio.profile b/etc/gradio.profile index 75c793f61..82e2504b9 100644 --- a/etc/gradio.profile +++ b/etc/gradio.profile | |||
@@ -35,6 +35,6 @@ protocol unix,inet,inet6 | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | 37 | ||
38 | private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id | 38 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/gramps.profile b/etc/gramps.profile index 764c14b60..54b154964 100644 --- a/etc/gramps.profile +++ b/etc/gramps.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.gramps | 9 | noblacklist ${HOME}/.gramps |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | #noblacklist ${PATH}/python2* | 12 | #include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | #noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | #noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index d4af3ed1a..489be3931 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -43,7 +43,7 @@ seccomp | |||
43 | shell none | 43 | shell none |
44 | # tracelog | 44 | # tracelog |
45 | 45 | ||
46 | private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4 | 46 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg |
49 | 49 | ||
diff --git a/etc/gzip.profile b/etc/gzip.profile index 27e262f87..38f6ee65e 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -7,14 +7,15 @@ include gzip.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | 10 | include disable-common.inc |
11 | 11 | include disable-devel.inc | |
12 | include disable-exec.inc | 12 | include disable-exec.inc |
13 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | 14 | include disable-passwdmgr.inc | |
15 | ignore noroot | 15 | include disable-programs.inc |
16 | 16 | ||
17 | apparmor | 17 | apparmor |
18 | caps.drop all | ||
18 | hostname gzip | 19 | hostname gzip |
19 | ipc-namespace | 20 | ipc-namespace |
20 | machine-id | 21 | machine-id |
@@ -23,16 +24,19 @@ no3d | |||
23 | nodbus | 24 | nodbus |
24 | nodvd | 25 | nodvd |
25 | nogroups | 26 | nogroups |
27 | nonewprivs | ||
28 | #noroot | ||
26 | nosound | 29 | nosound |
27 | notv | 30 | notv |
28 | nou2f | 31 | nou2f |
29 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
30 | shell none | 35 | shell none |
31 | tracelog | 36 | tracelog |
37 | x11 none | ||
32 | 38 | ||
33 | private-cache | 39 | private-cache |
34 | private-dev | 40 | private-dev |
35 | 41 | ||
36 | memory-deny-write-execute | 42 | memory-deny-write-execute |
37 | |||
38 | include default.profile | ||
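Review bot: `#noroot` on line 28 replaces the old `ignore noroot` but still gives no reason why gzip keeps the user namespace off; a trailing comment with the breakage belongs here, otherwise the next cleanup pass will enable it. Dropping `include default.profile` (line 38) means every hardening it used to bring must now be spelled out; `caps.drop all`, `nonewprivs`, `seccomp` and `protocol unix` are present, so check the list against default.profile once more before merging, since anything missed is a silent regression. `x11 none` on line 37 supersedes the `blacklist /tmp/.X11-unix` removed in the first hunk and is the stronger form, as it also clears DISPLAY.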
diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 4ed099fae..da59984d7 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile | |||
@@ -33,6 +33,7 @@ novideo | |||
33 | protocol unix | 33 | protocol unix |
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | x11 none | ||
36 | 37 | ||
37 | disable-mnt | 38 | disable-mnt |
38 | private-bin hashcat | 39 | private-bin hashcat |
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index ee70e6655..d032c93e6 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat | |||
10 | noblacklist /usr/share/perl* | 10 | noblacklist /usr/share/perl* |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/highlight.profile b/etc/highlight.profile index 243643aea..249d5cd17 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -6,8 +6,6 @@ include highlight.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-interpreters.inc | 11 | include disable-interpreters.inc |
@@ -30,9 +28,9 @@ protocol unix | |||
30 | seccomp | 28 | seccomp |
31 | shell none | 29 | shell none |
32 | tracelog | 30 | tracelog |
31 | x11 none | ||
33 | 32 | ||
34 | private-bin highlight | 33 | private-bin highlight |
35 | private-cache | 34 | private-cache |
36 | private-dev | 35 | private-dev |
37 | # private-etc alternatives | ||
38 | private-tmp | 36 | private-tmp |
diff --git a/etc/hugin.profile b/etc/hugin.profile index 3d8921120..07a697c05 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -33,7 +33,7 @@ protocol unix | |||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend | 36 | private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
diff --git a/etc/imagej.profile b/etc/imagej.profile index 9d0ab43a0..00ee115ed 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile | |||
@@ -8,11 +8,8 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.imagej | 9 | noblacklist ${HOME}/.imagej |
10 | 10 | ||
11 | # Allow access to java | 11 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 12 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 13 | ||
17 | include disable-common.inc | 14 | include disable-common.inc |
18 | include disable-devel.inc | 15 | include disable-devel.inc |
@@ -37,7 +34,7 @@ protocol unix | |||
37 | seccomp | 34 | seccomp |
38 | shell none | 35 | shell none |
39 | 36 | ||
40 | private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln | 37 | private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop |
41 | private-dev | 38 | private-dev |
42 | private-tmp | 39 | private-tmp |
43 | 40 | ||
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index ade50048e..19b4e1ed7 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -34,11 +34,11 @@ protocol unix | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | tracelog | 36 | tracelog |
37 | x11 none | ||
37 | 38 | ||
38 | # private-bin img2txt | 39 | # private-bin img2txt |
39 | private-cache | 40 | private-cache |
40 | private-dev | 41 | private-dev |
41 | # private-etc alternatives | ||
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index ecc5e5d35..a1b3bce23 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS} | |||
13 | noblacklist ${PICTURES} | 13 | noblacklist ${PICTURES} |
14 | 14 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | noblacklist ${PATH}/python2* | 16 | include allow-python2.inc |
17 | noblacklist ${PATH}/python3* | 17 | include allow-python3.inc |
18 | noblacklist /usr/lib/python2* | ||
19 | noblacklist /usr/lib/python3* | ||
20 | noblacklist /usr/local/lib/python2* | ||
21 | noblacklist /usr/local/lib/python3* | ||
22 | 18 | ||
23 | include disable-common.inc | 19 | include disable-common.inc |
24 | include disable-devel.inc | 20 | include disable-devel.inc |
@@ -47,8 +43,10 @@ novideo | |||
47 | protocol unix | 43 | protocol unix |
48 | seccomp | 44 | seccomp |
49 | shell none | 45 | shell none |
46 | tracelog | ||
50 | 47 | ||
51 | # private-bin inkscape,potrace,python* - problems on Debian stretch | 48 | # private-bin inkscape,potrace,python* - problems on Debian stretch |
49 | private-cache | ||
52 | private-dev | 50 | private-dev |
53 | private-tmp | 51 | private-tmp |
54 | 52 | ||
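Review bot: `private-cache` on line 49 mounts an empty temporary ${HOME}/.cache, so Inkscape's own cache under ~/.cache/inkscape is rebuilt on every start and never persists; that is a behaviour change rather than a sort, and given the Debian note kept on line 48 it is worth recording that it was tested. `tracelog` on line 46 is harmless and is exactly the tool for that kind of check.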
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index dce44e5d4..5b7275718 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -6,13 +6,9 @@ include jd-gui.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/jd-gui.cfg | 8 | noblacklist ${HOME}/.config/jd-gui.cfg |
9 | noblacklist ${HOME}/.java | ||
10 | 9 | ||
11 | # Allow access to java | 10 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 11 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
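Review bot: `noblacklist ${HOME}/.java` on line 9 is removed together with the java paths that `include allow-java.inc` now covers, but ~/.java is a home-directory path rather than a runtime path, so the removal is only a no-op if allow-java.inc also noblacklists ${HOME}/.java. If it does not, jd-gui loses its per-user Java preferences; either confirm the include's contents or keep line 9.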
@@ -40,7 +36,7 @@ protocol unix | |||
40 | seccomp | 36 | seccomp |
41 | shell none | 37 | shell none |
42 | 38 | ||
43 | private-bin jd-gui,sh,bash | 39 | private-bin bash,jd-gui,sh |
44 | private-cache | 40 | private-cache |
45 | private-dev | 41 | private-dev |
46 | private-tmp | 42 | private-tmp |
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 5a575bb71..223c360b8 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -7,11 +7,8 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.jitsi | 8 | noblacklist ${HOME}/.jitsi |
9 | 9 | ||
10 | # Allow access to java | 10 | # Allow java (blacklisted by disable-devel.inc) |
11 | noblacklist ${PATH}/java | 11 | include allow-java.inc |
12 | noblacklist /usr/lib/java | ||
13 | noblacklist /etc/java | ||
14 | noblacklist /usr/share/java | ||
15 | 12 | ||
16 | include disable-common.inc | 13 | include disable-common.inc |
17 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/kdeinit4.profile b/etc/kdeinit4.profile index f786c78d5..082045c62 100644 --- a/etc/kdeinit4.profile +++ b/etc/kdeinit4.profile | |||
@@ -30,7 +30,7 @@ protocol unix,inet,inet6,netlink | |||
30 | seccomp | 30 | seccomp |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | private-bin kdeinit4,kbuildsycoca4,kded4,knotify4 | 33 | private-bin kbuildsycoca4,kded4,kdeinit4,knotify4 |
34 | private-dev | 34 | private-dev |
35 | private-tmp | 35 | private-tmp |
36 | 36 | ||
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 82c8c6793..361109127 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
@@ -33,6 +33,6 @@ protocol unix,netlink | |||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt | 36 | private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11 | 38 | # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg |
diff --git a/etc/keepassxc-cli.profile b/etc/keepassxc-cli.profile new file mode 100644 index 000000000..6f657e7de --- /dev/null +++ b/etc/keepassxc-cli.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for keepassxc-cli | ||
2 | # Description: command line interface for KeePassXC | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include keepassxc-cli.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | |||
11 | # Redirect | ||
12 | include keepassxc.profile | ||
diff --git a/etc/keepassxc-proxy.profile b/etc/keepassxc-proxy.profile new file mode 100644 index 000000000..79666aee2 --- /dev/null +++ b/etc/keepassxc-proxy.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for keepassxc-cli | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include keepassxc-proxy.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | |||
10 | # Redirect | ||
11 | include keepassxc.profile | ||
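Review bot: line 1 reads `# Firejail profile for keepassxc-cli` in a file named keepassxc-proxy.profile; copy-paste leftover, it should name keepassxc-proxy. A `# Description:` line is also missing, unlike the sibling keepassxc-cli profile above. Both redirect profiles rely on `private-bin keepassxc,keepassxc-cli,keepassxc-proxy` in keepassxc.profile for their binaries, so the three files have to stay in step.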
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index c1adfd516..6ef02ad47 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -37,11 +37,11 @@ nosound | |||
37 | notv | 37 | notv |
38 | nou2f | 38 | nou2f |
39 | novideo | 39 | novideo |
40 | protocol netlink,unix | 40 | protocol unix,netlink |
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | 43 | ||
44 | private-bin keepassxc,keepassxc-proxy | 44 | private-bin keepassxc,keepassxc-cli,keepassxc-proxy |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.cache,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,machine-id |
47 | private-tmp | 47 | private-tmp |
diff --git a/etc/kid3.profile b/etc/kid3.profile index 3171e94fe..01064feb5 100644 --- a/etc/kid3.profile +++ b/etc/kid3.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | 37 | ||
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies | 40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl |
41 | private-tmp | 41 | private-tmp |
42 | private-opt none | 42 | private-opt none |
43 | private-srv none | 43 | private-srv none |
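Review bot: besides the sort, line 40 drops the stray double comma from `pulse,,crypto-policies`; that is a typo fix, not only a reorder, and deserves a word in the commit message rather than being hidden in an alphabetisation pass.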
diff --git a/etc/klatexformula.profile b/etc/klatexformula.profile new file mode 100644 index 000000000..d584f6a56 --- /dev/null +++ b/etc/klatexformula.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for klatexformula | ||
2 | # Description: generating images from LaTeX equations | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include klatexformula.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.kde/share/apps/klatexformula | ||
10 | noblacklist ${HOME}/.klatexformula | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | machine-id | ||
26 | net none | ||
27 | nodbus | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | nosound | ||
33 | notv | ||
34 | nou2f | ||
35 | novideo | ||
36 | protocol unix | ||
37 | seccomp | ||
38 | shell none | ||
39 | tracelog | ||
40 | |||
41 | private-cache | ||
42 | private-dev | ||
43 | private-tmp | ||
diff --git a/etc/klatexformula_cmdl.profile b/etc/klatexformula_cmdl.profile new file mode 100644 index 000000000..9137963c4 --- /dev/null +++ b/etc/klatexformula_cmdl.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for klatexformula_cmdl | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include klatexformula.profile | ||
diff --git a/etc/kmail.profile b/etc/kmail.profile index 009b2c063..0b602c79a 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink | |||
53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls | 53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
55 | # tracelog | 55 | # tracelog |
56 | # writable-run-user is needed for signing and encrypting emails | ||
57 | writable-run-user | ||
58 | 56 | ||
59 | private-dev | 57 | private-dev |
60 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments | 58 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
61 | 59 | # writable-run-user is needed for signing and encrypting emails | |
60 | writable-run-user | ||
diff --git a/etc/kodi.profile b/etc/kodi.profile index dad085967..86afe46b5 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${PICTURES} | |||
15 | noblacklist ${VIDEOS} | 15 | noblacklist ${VIDEOS} |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
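Review bot: the six `noblacklist` lines for `${PATH}/python2*`, `${PATH}/python3*`, `/usr/lib/python2*`, `/usr/lib/python3*`, `/usr/local/lib/python2*` and `/usr/local/lib/python3*` are replaced by `include allow-python2.inc` and `include allow-python3.inc`, so those two .inc files must list exactly the same paths and must be shipped in the same etc directory as the profiles (and picked up by the install rules), otherwise the include cannot resolve and Kodi's Python add-ons stop working. The include also has to stay above `include disable-interpreters.inc`, because a noblacklist only protects against blacklists that come after it; this hunk keeps that order. The same check applies to every other profile in this patch that makes the identical swap (krita, liferea, lollypop, macrofusion, mendeleydesktop, meteo-qt, mpDris2, mpsyt).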
diff --git a/etc/konversation.profile b/etc/konversation.profile index 19174459c..dd3e9617f 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
@@ -34,7 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | tracelog | 35 | tracelog |
36 | 36 | ||
37 | private-bin konversation,kbuildsycoca4 | 37 | private-bin kbuildsycoca4,konversation |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/kopete.profile b/etc/kopete.profile index 5e931ddac..e0bdce059 100644 --- a/etc/kopete.profile +++ b/etc/kopete.profile | |||
@@ -31,8 +31,8 @@ notv | |||
31 | nou2f | 31 | nou2f |
32 | protocol unix,inet,inet6,netlink | 32 | protocol unix,inet,inet6,netlink |
33 | seccomp | 33 | seccomp |
34 | writable-var | ||
35 | 34 | ||
36 | private-dev | 35 | private-dev |
37 | private-tmp | 36 | private-tmp |
37 | writable-var | ||
38 | 38 | ||
diff --git a/etc/krita.profile b/etc/krita.profile index 8f275f8df..49c36274a 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS} | |||
15 | noblacklist ${PICTURES} | 15 | noblacklist ${PICTURES} |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index f30a1b7e6..2eb46a7e8 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink | |||
52 | seccomp | 52 | seccomp |
53 | shell none | 53 | shell none |
54 | 54 | ||
55 | private-bin ktorrent,kbuildsycoca4,kdeinit4 | 55 | private-bin kbuildsycoca4,kdeinit4,ktorrent |
56 | private-dev | 56 | private-dev |
57 | # private-lib - problems on Arch | 57 | # private-lib - problems on Arch |
58 | private-tmp | 58 | private-tmp |
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 9b0640eab..31ac19039 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -43,7 +43,7 @@ seccomp | |||
43 | shell none | 43 | shell none |
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | private-bin kwrite,kbuildsycoca4,kdeinit4 | 46 | private-bin kbuildsycoca4,kdeinit4,kwrite |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 48 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg |
49 | private-tmp | 49 | private-tmp |
diff --git a/etc/less.profile b/etc/less.profile index 5ad7cb959..e6366ad28 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -5,27 +5,36 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include less.local | 6 | include less.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | noblacklist ${HOME}/.lesshst |
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
12 | include disable-exec.inc | 14 | include disable-exec.inc |
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
13 | 18 | ||
14 | ignore noroot | ||
15 | apparmor | 19 | apparmor |
20 | caps.drop all | ||
16 | ipc-namespace | 21 | ipc-namespace |
17 | machine-id | 22 | machine-id |
18 | net none | 23 | net none |
19 | no3d | 24 | no3d |
20 | nodbus | 25 | nodbus |
21 | nodvd | 26 | nodvd |
27 | nonewprivs | ||
28 | #noroot | ||
22 | nosound | 29 | nosound |
23 | notv | 30 | notv |
24 | nou2f | 31 | nou2f |
25 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
26 | shell none | 35 | shell none |
27 | tracelog | 36 | tracelog |
28 | writable-var-log | 37 | x11 none |
29 | 38 | ||
30 | # The user can have a custom coloring script configured in ${HOME}/.lessfilter. | 39 | # The user can have a custom coloring script configured in ${HOME}/.lessfilter. |
31 | # Enable private-bin and private-lib if you are not using any filter. | 40 | # Enable private-bin and private-lib if you are not using any filter. |
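Review bot: `#noroot` at line 28 of the new file is commented out with no explanation, and the old `ignore noroot` it replaces had none either; add a one-line comment stating why less must keep the ability to run as root, because a commented-out hardening option with no reason tends to be re-enabled by the next contributor and then reverted again. The rest of the hunk is a net gain: `x11 none` is stricter than the dropped `blacklist /tmp/.X11-unix` (it also removes DISPLAY and XAUTHORITY from the environment and blacklists ~/.Xauthority), `caps.drop all`, `nonewprivs`, `protocol unix` and `seccomp` are now spelled out instead of inherited, and `noblacklist ${HOME}/.lesshst` is needed now that the disable-*.inc files are included directly.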
@@ -33,7 +42,6 @@ writable-var-log | |||
33 | # private-lib | 42 | # private-lib |
34 | private-cache | 43 | private-cache |
35 | private-dev | 44 | private-dev |
45 | writable-var-log | ||
36 | 46 | ||
37 | memory-deny-write-execute | 47 | memory-deny-write-execute |
38 | |||
39 | include default.profile | ||
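Review bot: removing `include default.profile` at the end of the file means less.profile no longer inherits anything default.profile adds later, so this hunk should be checked line by line against the current default.profile to confirm that nothing it contributed beyond `caps.drop all`, `nonewprivs`, `protocol` and `seccomp` (all re-added in the hunk above) has been lost. Moving `writable-var-log` into the private-* block is consistent with the other profiles in this patch; the commit message should mention the conversion from a default.profile-based profile to a standalone one, since that is the substantive change here.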
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 5bb943323..b8a6201b2 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -6,16 +6,13 @@ include libreoffice.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
11 | noblacklist ${HOME}/.config/libreoffice | 10 | noblacklist ${HOME}/.config/libreoffice |
12 | 11 | ||
13 | # libreoffice uses java; if you don't care about java functionality, | 12 | # libreoffice uses java for some certain operations |
14 | # comment the next four lines | 13 | # comment if you don't care about java functionality |
15 | noblacklist ${PATH}/java | 14 | # Allow java (blacklisted by disable-devel.inc) |
16 | noblacklist /usr/lib/java | 15 | include allow-java.inc |
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 16 | ||
20 | include disable-common.inc | 17 | include disable-common.inc |
21 | include disable-devel.inc | 18 | include disable-devel.inc |
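Review bot: `noblacklist ${HOME}/.java` is removed in this hunk and nothing replaces it; the new comment describes `include allow-java.inc` as undoing disable-devel.inc for the system Java paths (`${PATH}/java`, `/usr/lib/java`, `/etc/java`, `/usr/share/java`), so unless allow-java.inc also covers `${HOME}/.java`, LibreOffice loses the user's Java preferences directory. Either keep the `noblacklist ${HOME}/.java` line or confirm the .inc covers it. The comment wording also needs tightening: "uses java for some certain operations" is awkward, and "comment if you don't care about java functionality" no longer says which line to comment now that a single `include` follows; suggest `# libreoffice uses java for certain operations; comment the include below if you don't need java`.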
diff --git a/etc/liferea.profile b/etc/liferea.profile index e778d7b55..70d317199 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea | |||
11 | noblacklist ${HOME}/.local/share/liferea | 11 | noblacklist ${HOME}/.local/share/liferea |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/links.profile b/etc/links.profile new file mode 100644 index 000000000..bd0b0cc92 --- /dev/null +++ b/etc/links.profile | |||
@@ -0,0 +1,64 @@ | |||
1 | # Firejail profile for links | ||
2 | # Description: Text WWW browser | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include links.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.links | ||
10 | |||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | # you may want to noblacklist files/directories blacklisted in | ||
19 | # disable-programs.inc and used as associated programs | ||
20 | include disable-programs.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.links | ||
24 | whitelist ${HOME}/.links | ||
25 | whitelist ${DOWNLOADS} | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | # comment machine-id (or put 'ignore machine-id' in your links.local) if you want | ||
31 | # to allow access only to user-configured associated media player | ||
32 | machine-id | ||
33 | netfilter | ||
34 | # comment no3d (or put 'ignore no3d' in your links.local) if you want | ||
35 | # to allow access only to user-configured associated media player | ||
36 | no3d | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | # comment nosound (or put 'ignore nosound' in your links.local) if you want | ||
42 | # to allow access only to user-configured associated media player | ||
43 | nosound | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | protocol unix,inet,inet6 | ||
48 | seccomp | ||
49 | shell none | ||
50 | tracelog | ||
51 | |||
52 | disable-mnt | ||
53 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local | ||
54 | # or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
55 | private-bin links,sh | ||
56 | private-cache | ||
57 | private-dev | ||
58 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | ||
59 | # Uncomment the following line (or put it in your links.local) allow external | ||
60 | # media players | ||
61 | # private-etc alsa,asound.conf,machine-id,openal,pulse | ||
62 | private-tmp | ||
63 | |||
64 | memory-deny-write-execute | ||
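Review bot: the comment at lines 59-61 tells users to uncomment a second `private-etc alsa,asound.conf,machine-id,openal,pulse` line, but a second `private-etc` directive is not guaranteed to merge with the first; if it replaces it, the sandbox loses `ca-certificates`, `resolv.conf`, `ssl` and the rest of line 58 and HTTPS browsing breaks. Safer to follow the pattern already used for private-bin at lines 53-54: "append alsa,asound.conf,machine-id,openal,pulse to the private-etc line above (or put the full line in your links.local)". Smaller points: line 59 is missing "to" ("... in your links.local) to allow external media players"); the three identical comments above `machine-id`, `no3d` and `nosound` say "allow access only to user-configured associated media player", which presumably means "let a user-configured media player work"; and `sh` in `private-bin links,sh` deserves a comment saying it is there so links can launch associated programs, since it is the one entry that makes a shell available inside the sandbox despite `shell none`.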
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 76b8ed75c..1ce83822d 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop | |||
10 | noblacklist ${MUSIC} | 10 | noblacklist ${MUSIC} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -41,6 +37,6 @@ seccomp | |||
41 | shell none | 37 | shell none |
42 | 38 | ||
43 | private-dev | 39 | private-dev |
44 | private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg |
45 | private-tmp | 41 | private-tmp |
46 | 42 | ||
diff --git a/etc/lynx.profile b/etc/lynx.profile index 2f043c9b9..063285316 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -34,5 +34,5 @@ tracelog | |||
34 | # private-bin lynx | 34 | # private-bin lynx |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 7d42f2bfe..94d90780b 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion | |||
9 | noblacklist ${PICTURES} | 9 | noblacklist ${PICTURES} |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -40,7 +36,7 @@ protocol unix | |||
40 | seccomp | 36 | seccomp |
41 | shell none | 37 | shell none |
42 | 38 | ||
43 | private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack | 39 | private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python* |
44 | private-cache | 40 | private-cache |
45 | private-dev | 41 | private-dev |
46 | private-tmp | 42 | private-tmp |
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index ac5577b4c..2f6020ad3 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -15,12 +15,13 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.cache/mate-calc | ||
19 | mkdir ${HOME}/.config/caja | ||
20 | mkdir ${HOME}/.config/mate-menu | ||
18 | whitelist ${HOME}/.cache/mate-calc | 21 | whitelist ${HOME}/.cache/mate-calc |
19 | whitelist ${HOME}/.config/caja | 22 | whitelist ${HOME}/.config/caja |
20 | whitelist ${HOME}/.config/gtk-3.0 | ||
21 | whitelist ${HOME}/.config/dconf | ||
22 | whitelist ${HOME}/.config/mate-menu | 23 | whitelist ${HOME}/.config/mate-menu |
23 | whitelist ${HOME}/.themes | 24 | include whitelist-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
26 | net none | 27 | net none |
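Review bot: `whitelist ${HOME}/.config/dconf` is removed together with `.config/gtk-3.0` and `.themes` in favour of `include whitelist-common.inc`; the `dconf` and `gtk-3.0` entries added to `private-etc` in the next hunk only cover the system-wide files under /etc, not the user's `~/.config/dconf` database, so if whitelist-common.inc does not whitelist that directory mate-calc will start with default settings and fail to persist any change. Confirm the .inc covers it (and `.themes`/`.config/gtk-3.0`), or keep the explicit whitelist line. The added `mkdir` lines are correct, since whitelist silently skips a directory that does not exist yet.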
@@ -40,7 +41,7 @@ shell none | |||
40 | 41 | ||
41 | disable-mnt | 42 | disable-mnt |
42 | private-bin mate-calc,mate-calculator | 43 | private-bin mate-calc,mate-calculator |
43 | private-etc alternatives,fonts | 44 | private-etc alternatives,dconf,fonts,gtk-3.0 |
44 | private-dev | 45 | private-dev |
45 | private-opt none | 46 | private-opt none |
46 | private-tmp | 47 | private-tmp |
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index bd3631445..f1a7ca18f 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile | |||
@@ -5,7 +5,6 @@ include mate-color-select.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | include disable-common.inc | 8 | include disable-common.inc |
10 | include disable-devel.inc | 9 | include disable-devel.inc |
11 | include disable-exec.inc | 10 | include disable-exec.inc |
@@ -13,10 +12,7 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 13 | include disable-programs.inc |
15 | 14 | ||
16 | whitelist ${HOME}/.config/gtk-3.0 | 15 | include whitelist-common.inc |
17 | whitelist ${HOME}/.fonts | ||
18 | whitelist ${HOME}/.icons | ||
19 | whitelist ${HOME}/.themes | ||
20 | 16 | ||
21 | caps.drop all | 17 | caps.drop all |
22 | netfilter | 18 | netfilter |
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 1217910a0..49a776766 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -14,11 +14,9 @@ include disable-interpreters.inc | |||
14 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/mate/mate-dictionary | ||
17 | whitelist ${HOME}/.config/mate/mate-dictionary | 18 | whitelist ${HOME}/.config/mate/mate-dictionary |
18 | whitelist ${HOME}/.config/gtk-3.0 | 19 | include whitelist-common.inc |
19 | whitelist ${HOME}/.fonts | ||
20 | whitelist ${HOME}/.icons | ||
21 | whitelist ${HOME}/.themes | ||
22 | 20 | ||
23 | caps.drop all | 21 | caps.drop all |
24 | netfilter | 22 | netfilter |
@@ -37,7 +35,7 @@ shell none | |||
37 | 35 | ||
38 | disable-mnt | 36 | disable-mnt |
39 | private-bin mate-dictionary | 37 | private-bin mate-dictionary |
40 | private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 38 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl |
41 | private-opt mate-dictionary | 39 | private-opt mate-dictionary |
42 | private-dev | 40 | private-dev |
43 | private-tmp | 41 | private-tmp |
diff --git a/etc/mcabber.profile b/etc/mcabber.profile index c65a25edc..134a6ae63 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile | |||
@@ -30,4 +30,4 @@ shell none | |||
30 | 30 | ||
31 | private-bin mcabber | 31 | private-bin mcabber |
32 | private-dev | 32 | private-dev |
33 | private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 33 | private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index d2681f32d..02d4a937c 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -6,8 +6,6 @@ include mediainfo.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
@@ -34,6 +32,7 @@ protocol unix | |||
34 | seccomp | 32 | seccomp |
35 | shell none | 33 | shell none |
36 | tracelog | 34 | tracelog |
35 | x11 none | ||
37 | 36 | ||
38 | private-bin mediainfo | 37 | private-bin mediainfo |
39 | private-cache | 38 | private-cache |
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 497014dab..95cd673c6 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
@@ -11,18 +11,14 @@ noblacklist ${HOME}/.config/smplayer | |||
11 | noblacklist ${HOME}/.config/totem | 11 | noblacklist ${HOME}/.config/totem |
12 | noblacklist ${HOME}/.config/vlc | 12 | noblacklist ${HOME}/.config/vlc |
13 | noblacklist ${HOME}/.config/xplayer | 13 | noblacklist ${HOME}/.config/xplayer |
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/totem | 14 | noblacklist ${HOME}/.local/share/totem |
16 | noblacklist ${HOME}/.local/share/xplayer | 15 | noblacklist ${HOME}/.local/share/xplayer |
17 | noblacklist ${HOME}/.mediathek3 | 16 | noblacklist ${HOME}/.mediathek3 |
18 | noblacklist ${HOME}/.mplayer | 17 | noblacklist ${HOME}/.mplayer |
19 | noblacklist ${VIDEOS} | 18 | noblacklist ${VIDEOS} |
20 | 19 | ||
21 | # Allow access to java | 20 | # Allow java (blacklisted by disable-devel.inc) |
22 | noblacklist ${PATH}/java | 21 | include allow-java.inc |
23 | noblacklist /usr/lib/java | ||
24 | noblacklist /etc/java | ||
25 | noblacklist /usr/share/java | ||
26 | 22 | ||
27 | include disable-common.inc | 23 | include disable-common.inc |
28 | include disable-devel.inc | 24 | include disable-devel.inc |
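Review bot: same concern as libreoffice.profile in this patch: `noblacklist ${HOME}/.java` is dropped in this hunk while `include allow-java.inc` is documented as reversing disable-devel.inc for the system Java paths only; keep the line unless allow-java.inc is confirmed to cover `${HOME}/.java`, otherwise MediathekView's Java preferences directory becomes inaccessible inside the sandbox.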
diff --git a/etc/meld.profile b/etc/meld.profile index 14e0f238d..4a9f64421 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -6,22 +6,24 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/meld | 9 | # If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need |
10 | 10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path | |
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Removing the symlink: |
12 | noblacklist ${PATH}/python2* | 12 | # sudo rm /usr/local/bin/meld |
13 | noblacklist ${PATH}/python3* | 13 | # Calling by its absolute path (example for git-mergetool): |
14 | noblacklist /usr/lib/python2* | 14 | # git config --global mergetool.meld.cmd /usr/bin/meld |
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 15 | ||
19 | noblacklist ${HOME}/.config/git | 16 | noblacklist ${HOME}/.config/git |
20 | noblacklist ${HOME}/.gitconfig | 17 | noblacklist ${HOME}/.gitconfig |
21 | noblacklist ${HOME}/.git-credentials | 18 | noblacklist ${HOME}/.git-credentials |
19 | noblacklist ${HOME}/.local/share/meld | ||
22 | noblacklist ${HOME}/.ssh | 20 | noblacklist ${HOME}/.ssh |
23 | noblacklist ${HOME}/.subversion | 21 | noblacklist ${HOME}/.subversion |
24 | 22 | ||
23 | # Allow python (blacklisted by disable-interpreters.inc) | ||
24 | include allow-python2.inc | ||
25 | include allow-python3.inc | ||
26 | |||
25 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. | 27 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. |
26 | #include disable-common.inc | 28 | #include disable-common.inc |
27 | include disable-devel.inc | 29 | include disable-devel.inc |
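Review bot: the new header comment lists `sudo rm /usr/local/bin/meld` first; removing the symlink disables the sandbox for every launch of meld, not only for git-mergetool, so the absolute-path option (`git config --global mergetool.meld.cmd /usr/bin/meld`) should be presented first and the symlink removal as the last resort. The sentence is also a run-on: "you need to bypass firejail, you can do this by removing the symlink or calling it by its absolute path" wants a full stop after "firejail". Moving `include allow-python2.inc` and `include allow-python3.inc` below the git/ssh noblacklist block is harmless, since they still precede the disable-*.inc includes.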
@@ -31,7 +33,8 @@ include disable-passwdmgr.inc | |||
31 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. | 33 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. |
32 | #include disable-programs.inc | 34 | #include disable-programs.inc |
33 | 35 | ||
34 | include whitelist-var-common.inc | 36 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. |
37 | #include whitelist-var-common.inc | ||
35 | 38 | ||
36 | apparmor | 39 | apparmor |
37 | caps.drop all | 40 | caps.drop all |
@@ -59,3 +62,4 @@ private-dev | |||
59 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | 62 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion |
60 | private-tmp | 63 | private-tmp |
61 | 64 | ||
65 | read-only ${HOME}/.ssh | ||
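Review bot: `read-only ${HOME}/.ssh` only stops the sandbox from modifying keys and known_hosts; because `noblacklist ${HOME}/.ssh` earlier in this patch makes the directory visible, private keys remain readable from inside the sandbox. That is the intended trade-off for VCS-over-ssh, but the profile should say so in a comment next to this line and tell users who do not need ssh how to override it in meld.local, so that the exposure is a deliberate choice rather than a default nobody notices.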
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile index d54371371..1f02ff5c0 100644 --- a/etc/mendeleydesktop.profile +++ b/etc/mendeleydesktop.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki | |||
15 | noblacklist ${HOME}/.local/share/pki | 15 | noblacklist ${HOME}/.local/share/pki |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -47,7 +43,7 @@ shell none | |||
47 | tracelog | 43 | tracelog |
48 | 44 | ||
49 | disable-mnt | 45 | disable-mnt |
50 | private-bin mendeleydesktop,python*,env,gconftool-2,which,sh,ln,cat,update-desktop-database | 46 | private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which |
51 | private-dev | 47 | private-dev |
52 | private-tmp | 48 | private-tmp |
53 | 49 | ||
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile index a769a97ec..4437d86ea 100644 --- a/etc/meteo-qt.profile +++ b/etc/meteo-qt.profile | |||
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart | |||
10 | noblacklist ${HOME}/.config/meteo-qt | 10 | noblacklist ${HOME}/.config/meteo-qt |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 14 | ||
17 | include disable-common.inc | 15 | include disable-common.inc |
18 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc | |||
22 | include disable-programs.inc | 20 | include disable-programs.inc |
23 | include disable-xdg.inc | 21 | include disable-xdg.inc |
24 | 22 | ||
25 | whitelist ${HOME}/.config/autostart | ||
26 | mkdir ${HOME}/.config/meteo-qt | 23 | mkdir ${HOME}/.config/meteo-qt |
24 | whitelist ${HOME}/.config/autostart | ||
27 | whitelist ${HOME}/.config/meteo-qt | 25 | whitelist ${HOME}/.config/meteo-qt |
28 | include whitelist-common.inc | 26 | include whitelist-common.inc |
29 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
diff --git a/etc/midori.profile b/etc/midori.profile index e4d39cd70..ffae4919f 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -6,6 +6,9 @@ include midori.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # noexec ${HOME} breaks DRM binaries. | ||
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
11 | |||
9 | noblacklist ${HOME}/.config/midori | 12 | noblacklist ${HOME}/.config/midori |
10 | noblacklist ${HOME}/.local/share/midori | 13 | noblacklist ${HOME}/.local/share/midori |
11 | # noblacklist ${HOME}/.local/share/webkit | 14 | # noblacklist ${HOME}/.local/share/webkit |
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori | |||
13 | noblacklist ${HOME}/.pki | 16 | noblacklist ${HOME}/.pki |
14 | noblacklist ${HOME}/.local/share/pki | 17 | noblacklist ${HOME}/.local/share/pki |
15 | 18 | ||
16 | # noexec ${HOME} breaks DRM binaries. | ||
17 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
18 | |||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | 21 | include disable-exec.inc |
diff --git a/etc/minetest.profile b/etc/minetest.profile index b3e692446..0439a1ccc 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile | |||
@@ -6,6 +6,7 @@ include minetest.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/minetest | ||
9 | noblacklist ${HOME}/.minetest | 10 | noblacklist ${HOME}/.minetest |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
18 | 19 | ||
20 | mkdir ${HOME}/.cache/minetest | ||
19 | mkdir ${HOME}/.minetest | 21 | mkdir ${HOME}/.minetest |
22 | whitelist ${HOME}/.cache/minetest | ||
20 | whitelist ${HOME}/.minetest | 23 | whitelist ${HOME}/.minetest |
21 | include whitelist-common.inc | 24 | include whitelist-common.inc |
22 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
@@ -42,5 +45,5 @@ private-bin minetest | |||
42 | private-cache | 45 | private-cache |
43 | private-dev | 46 | private-dev |
44 | # private-etc needs to be updated, see #1702 | 47 | # private-etc needs to be updated, see #1702 |
45 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 48 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 49 | private-tmp |
diff --git a/etc/mp3splt-gtk.profile b/etc/mp3splt-gtk.profile index d14006112..e0936476b 100644 --- a/etc/mp3splt-gtk.profile +++ b/etc/mp3splt-gtk.profile | |||
@@ -37,5 +37,5 @@ tracelog | |||
37 | private-bin mp3splt-gtk | 37 | private-bin mp3splt-gtk |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse | 40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse |
41 | private-tmp | 41 | private-tmp |
diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile index 6cf6f0409..95173a890 100644 --- a/etc/mp3splt.profile +++ b/etc/mp3splt.profile | |||
@@ -37,6 +37,7 @@ protocol unix | |||
37 | seccomp | 37 | seccomp |
38 | shell none | 38 | shell none |
39 | tracelog | 39 | tracelog |
40 | x11 none | ||
40 | 41 | ||
41 | disable-mnt | 42 | disable-mnt |
42 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt | 43 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt |
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile index 81bf88b8b..eb49b52ab 100644 --- a/etc/mpDris2.profile +++ b/etc/mpDris2.profile | |||
@@ -9,12 +9,10 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/mpDris2 | 9 | noblacklist ${HOME}/.config/mpDris2 |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | 14 | |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist ${MUSIC} |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 16 | ||
19 | include disable-common.inc | 17 | include disable-common.inc |
20 | include disable-devel.inc | 18 | include disable-devel.inc |
@@ -24,6 +22,12 @@ include disable-passwdmgr.inc | |||
24 | include disable-programs.inc | 22 | include disable-programs.inc |
25 | include disable-xdg.inc | 23 | include disable-xdg.inc |
26 | 24 | ||
25 | whitelist ${MUSIC} | ||
26 | |||
27 | mkdir ${HOME}/.config/mpDris2 | ||
28 | whitelist ${HOME}/.config/mpDris2 | ||
29 | include whitelist-var-common.inc | ||
30 | |||
27 | caps.drop all | 31 | caps.drop all |
28 | machine-id | 32 | machine-id |
29 | netfilter | 33 | netfilter |
@@ -47,6 +51,6 @@ private-etc alternatives,hosts,nsswitch.conf | |||
47 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* | 51 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* |
48 | private-tmp | 52 | private-tmp |
49 | 53 | ||
50 | # memory-deny-write-execute - Breaks on Arch | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
51 | 55 | ||
52 | read-only ${HOME} | 56 | read-only ${HOME} |
diff --git a/etc/mpd.profile b/etc/mpd.profile index 0a98de7c4..0b5ebf705 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -34,7 +34,7 @@ protocol unix,inet,inet6 | |||
34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin mpd,bash | 37 | #private-bin bash,mpd |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index 0808c5a1a..f0309da9a 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -6,19 +6,16 @@ include mpsyt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | noblacklist ${HOME}/.config/mps-youtube |
10 | noblacklist ${PATH}/python2* | ||
11 | noblacklist ${PATH}/python3* | ||
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | |||
17 | noblacklist ${HOME}/.config/mpv | 10 | noblacklist ${HOME}/.config/mpv |
18 | noblacklist ${HOME}/.mplayer | 11 | noblacklist ${HOME}/.mplayer |
19 | noblacklist ${HOME}/.config/mps-youtube | ||
20 | noblacklist ${HOME}/.netrc | 12 | noblacklist ${HOME}/.netrc |
21 | noblacklist ${HOME}/mps | 13 | noblacklist ${HOME}/mps |
14 | |||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python2.inc | ||
17 | include allow-python3.inc | ||
18 | |||
22 | noblacklist ${MUSIC} | 19 | noblacklist ${MUSIC} |
23 | noblacklist ${VIDEOS} | 20 | noblacklist ${VIDEOS} |
24 | 21 | ||
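Review bot: the explicit python noblacklist lines are replaced by `include allow-python2.inc` / `include allow-python3.inc`, and the same substitution recurs in mpv, ms-office, nautilus, nemo, nitroshare, nyx, obs, onionshare-gui, openshot, natron and mypaint further down, yet the etc/allow-python*.inc files themselves are not visible in this part of the diff. Confirm they are part of the commit, installed by the Makefile, and cover every path the removed lines did (${PATH}/python*, /usr/lib/python*, /usr/local/lib/python*); a profile that includes a file the installed package does not ship will fail to load.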
@@ -31,14 +28,17 @@ include disable-programs.inc | |||
31 | include disable-xdg.inc | 28 | include disable-xdg.inc |
32 | 29 | ||
33 | mkdir ${HOME}/.config/mps-youtube | 30 | mkdir ${HOME}/.config/mps-youtube |
31 | mkdir ${HOME}/.config/mpv | ||
32 | mkdir ${HOME}/.mplayer | ||
33 | mkdir ${HOME}/mps | ||
34 | whitelist ${HOME}/.config/mps-youtube | ||
34 | whitelist ${HOME}/.config/mpv | 35 | whitelist ${HOME}/.config/mpv |
35 | whitelist ${HOME}/.mplayer | 36 | whitelist ${HOME}/.mplayer |
36 | whitelist ${HOME}/.config/mps-youtube | ||
37 | whitelist ${HOME}/.netrc | 37 | whitelist ${HOME}/.netrc |
38 | whitelist ${HOME}/mps | 38 | whitelist ${HOME}/mps |
39 | whitelist ${DOWNLOADS} | ||
39 | whitelist ${MUSIC} | 40 | whitelist ${MUSIC} |
40 | whitelist ${VIDEOS} | 41 | whitelist ${VIDEOS} |
41 | whitelist ${DOWNLOADS} | ||
42 | include whitelist-common.inc | 42 | include whitelist-common.inc |
43 | include whitelist-var-common.inc | 43 | include whitelist-var-common.inc |
44 | 44 | ||
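Review bot: the hunk adds `mkdir` for the three newly created directories, but the file entry `whitelist ${HOME}/.netrc` on line 37 still has no matching `mkfile ${HOME}/.netrc`, so it remains the one whitelisted path that is silently skipped on a fresh home; add the mkfile line if the whitelist is meant to work there, or drop the whitelist if exposing ~/.netrc credentials to mpsyt is not actually needed.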
@@ -54,7 +54,7 @@ seccomp | |||
54 | shell none | 54 | shell none |
55 | tracelog | 55 | tracelog |
56 | 56 | ||
57 | private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg | 57 | private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl |
58 | private-dev | 58 | private-dev |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
diff --git a/etc/mpv.profile b/etc/mpv.profile index 34542b11b..07a6ba42b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -9,16 +9,13 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.config/mpv | 10 | noblacklist ${HOME}/.config/mpv |
11 | noblacklist ${HOME}/.netrc | 11 | noblacklist ${HOME}/.netrc |
12 | noblacklist ${MUSIC} | ||
13 | noblacklist ${VIDEOS} | ||
14 | 12 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
17 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
18 | noblacklist /usr/lib/python2* | 16 | |
19 | noblacklist /usr/lib/python3* | 17 | noblacklist ${MUSIC} |
20 | noblacklist /usr/local/lib/python2* | 18 | noblacklist ${VIDEOS} |
21 | noblacklist /usr/local/lib/python3* | ||
22 | 19 | ||
23 | include disable-common.inc | 20 | include disable-common.inc |
24 | include disable-devel.inc | 21 | include disable-devel.inc |
@@ -44,6 +41,6 @@ seccomp | |||
44 | shell none | 41 | shell none |
45 | tracelog | 42 | tracelog |
46 | 43 | ||
47 | private-bin mpv,youtube-dl,python*,env | 44 | private-bin env,mpv,python*,youtube-dl |
48 | private-cache | 45 | private-cache |
49 | private-dev | 46 | private-dev |
diff --git a/etc/ms-office.profile b/etc/ms-office.profile index f8e75379e..3bc674134 100644 --- a/etc/ms-office.profile +++ b/etc/ms-office.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online | |||
9 | noblacklist ${HOME}/.jak | 9 | noblacklist ${HOME}/.jak |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -39,8 +35,8 @@ shell none | |||
39 | tracelog | 35 | tracelog |
40 | 36 | ||
41 | disable-mnt | 37 | disable-mnt |
42 | private-bin bash,fonts,env,jak,ms-office,python*,sh | 38 | private-bin bash,env,fonts,jak,ms-office,python*,sh |
43 | private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl |
44 | private-dev | 40 | private-dev |
45 | private-tmp | 41 | private-tmp |
46 | 42 | ||
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile index 02084d923..df1618361 100644 --- a/etc/ms-skype.profile +++ b/etc/ms-skype.profile | |||
@@ -3,10 +3,13 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include ms-skype.local | 4 | include ms-skype.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | noblacklist ${HOME}/.cache/ms-skype-online | ||
9 | ignore novideo | 9 | ignore novideo |
10 | |||
11 | noblacklist ${HOME}/.cache/ms-skype-online | ||
12 | |||
10 | private-bin ms-skype | 13 | private-bin ms-skype |
11 | 14 | ||
12 | # Redirect | 15 | # Redirect |
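Review bot: commenting out `include globals.local` with the remark "added by included profile" makes this profile depend on the redirect target (the `# Redirect` section below) including globals.local itself; verify that the target profile does, otherwise globals.local customizations silently stop applying to ms-skype. The new newsbeuter.profile later in this commit uses the same pattern and needs the same check.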
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index b6407c4f9..475307418 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -5,16 +5,12 @@ include multimc5.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.java | ||
9 | noblacklist ${HOME}/.local/share/multimc | 8 | noblacklist ${HOME}/.local/share/multimc |
10 | noblacklist ${HOME}/.local/share/multimc5 | 9 | noblacklist ${HOME}/.local/share/multimc5 |
11 | noblacklist ${HOME}/.multimc5 | 10 | noblacklist ${HOME}/.multimc5 |
12 | 11 | ||
13 | # Allow access to java | 12 | # Allow java (blacklisted by disable-devel.inc) |
14 | noblacklist ${PATH}/java | 13 | include allow-java.inc |
15 | noblacklist /usr/lib/java | ||
16 | noblacklist /etc/java | ||
17 | noblacklist /usr/share/java | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
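Review bot: `noblacklist ${HOME}/.java` is dropped together with the explicit java paths, but allow-java.inc is not shown here; confirm it restores ${HOME}/.java (where Java keeps its preferences and font cache) in addition to ${PATH}/java, /usr/lib/java, /etc/java and /usr/share/java, or MultiMC loses write access to its Java settings after this change. pdfsam.profile receives the identical edit at the end of this commit.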
@@ -24,6 +20,8 @@ include disable-passwdmgr.inc | |||
24 | include disable-programs.inc | 20 | include disable-programs.inc |
25 | 21 | ||
26 | mkdir ${HOME}/.local/share/multimc | 22 | mkdir ${HOME}/.local/share/multimc |
23 | mkdir ${HOME}/.local/share/multimc5 | ||
24 | mkdir ${HOME}/.multimc5 | ||
27 | whitelist ${HOME}/.local/share/multimc | 25 | whitelist ${HOME}/.local/share/multimc |
28 | whitelist ${HOME}/.local/share/multimc5 | 26 | whitelist ${HOME}/.local/share/multimc5 |
29 | whitelist ${HOME}/.multimc5 | 27 | whitelist ${HOME}/.multimc5 |
@@ -44,7 +42,7 @@ shell none | |||
44 | 42 | ||
45 | disable-mnt | 43 | disable-mnt |
46 | # private-bin works, but causes weirdness | 44 | # private-bin works, but causes weirdness |
47 | # private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname | 45 | # private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper |
48 | private-dev | 46 | private-dev |
49 | private-tmp | 47 | private-tmp |
50 | 48 | ||
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 1d5953ff7..673c9fd0b 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -36,7 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-bin mupdf,sh,tempfile,rm | 39 | # private-bin mupdf,rm,sh,tempfile |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,fonts | 41 | private-etc alternatives,fonts |
42 | private-tmp | 42 | private-tmp |
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile index 727269a61..a6b85a8e4 100644 --- a/etc/musixmatch.profile +++ b/etc/musixmatch.profile | |||
@@ -32,5 +32,5 @@ seccomp | |||
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-dev | 34 | private-dev |
35 | private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl |
36 | 36 | ||
diff --git a/etc/mutt.profile b/etc/mutt.profile index cc3a323e0..c424dbb85 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -6,8 +6,6 @@ include mutt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /var/mail | 9 | noblacklist /var/mail |
12 | noblacklist /var/spool/mail | 10 | noblacklist /var/spool/mail |
13 | noblacklist ${HOME}/.Mail | 11 | noblacklist ${HOME}/.Mail |
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail | |||
34 | noblacklist ${HOME}/postponed | 32 | noblacklist ${HOME}/postponed |
35 | noblacklist ${HOME}/sent | 33 | noblacklist ${HOME}/sent |
36 | 34 | ||
35 | blacklist /tmp/.X11-unix | ||
36 | |||
37 | include disable-common.inc | 37 | include disable-common.inc |
38 | include disable-devel.inc | 38 | include disable-devel.inc |
39 | include disable-interpreters.inc | 39 | include disable-interpreters.inc |
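Review bot: `blacklist /tmp/.X11-unix` is only relocated here, while odt2txt.profile in this same commit replaces the identical line with `x11 none` (and nano, ncdu, patch and the new pandoc profile gain `x11 none` too). For a terminal client like mutt, `x11 none` is the stronger and more consistent option, since besides blacklisting /tmp/.X11-unix it also drops ${HOME}/.Xauthority and the DISPLAY/XAUTHORITY variables; consider using it instead of keeping the bare blacklist.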
@@ -54,6 +54,6 @@ novideo | |||
54 | protocol unix,inet,inet6 | 54 | protocol unix,inet,inet6 |
55 | seccomp | 55 | seccomp |
56 | shell none | 56 | shell none |
57 | writable-run-user | ||
58 | 57 | ||
59 | private-dev | 58 | private-dev |
59 | writable-run-user | ||
diff --git a/etc/mypaint.profile b/etc/mypaint.profile index 615bb60d1..d75651d78 100644 --- a/etc/mypaint.profile +++ b/etc/mypaint.profile | |||
@@ -9,10 +9,12 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/mypaint | 9 | noblacklist ${HOME}/.cache/mypaint |
10 | noblacklist ${HOME}/.config/mypaint | 10 | noblacklist ${HOME}/.config/mypaint |
11 | noblacklist ${HOME}/.local/share/mypaint | 11 | noblacklist ${HOME}/.local/share/mypaint |
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist ${PICTURES} | 12 | noblacklist ${PICTURES} |
15 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | ||
16 | include allow-python3.inc | ||
17 | |||
16 | include disable-common.inc | 18 | include disable-common.inc |
17 | include disable-devel.inc | 19 | include disable-devel.inc |
18 | include disable-exec.inc | 20 | include disable-exec.inc |
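Review bot: the removed lines only unblacklisted python2, but the replacement includes both allow-python2.inc and allow-python3.inc, so python3 becomes reachable inside the sandbox where it was blocked before. If MyPaint only needs python2 (the old profile suggests so), keep just allow-python2.inc; if the python3 include is deliberate for newer MyPaint versions, record that in the commit message.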
@@ -42,6 +44,6 @@ tracelog | |||
42 | 44 | ||
43 | private-cache | 45 | private-cache |
44 | private-dev | 46 | private-dev |
45 | private-etc alternatives,fonts,gtk-3.0,dconf | 47 | private-etc alternatives,dconf,fonts,gtk-3.0 |
46 | private-tmp | 48 | private-tmp |
47 | 49 | ||
diff --git a/etc/nano.profile b/etc/nano.profile index 50e251d49..30a6e03e7 100644 --- a/etc/nano.profile +++ b/etc/nano.profile | |||
@@ -35,6 +35,7 @@ protocol unix | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | x11 none | ||
38 | 39 | ||
39 | # disable-mnt | 40 | # disable-mnt |
40 | private-bin nano,rnano | 41 | private-bin nano,rnano |
diff --git a/etc/natron.profile b/etc/natron.profile index 3f997a7a0..7ad217b72 100644 --- a/etc/natron.profile +++ b/etc/natron.profile | |||
@@ -5,18 +5,13 @@ include natron.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Allow python (blacklisted by disable-interpreters.inc) | ||
9 | noblacklist ${PATH}/python2* | ||
10 | noblacklist ${PATH}/python3* | ||
11 | noblacklist /usr/lib/python2* | ||
12 | noblacklist /usr/lib/python3* | ||
13 | noblacklist /usr/local/lib/python2* | ||
14 | noblacklist /usr/local/lib/python3* | ||
15 | |||
16 | noblacklist ${HOME}/.Natron | 8 | noblacklist ${HOME}/.Natron |
17 | noblacklist ${HOME}/.cache/INRIA/Natron | 9 | noblacklist ${HOME}/.cache/INRIA/Natron |
18 | noblacklist ${HOME}/.config/INRIA | 10 | noblacklist ${HOME}/.config/INRIA |
19 | noblacklist /opt/natron | 11 | |
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
20 | 15 | ||
21 | include disable-common.inc | 16 | include disable-common.inc |
22 | include disable-devel.inc | 17 | include disable-devel.inc |
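Review bot: `noblacklist /opt/natron` disappears without replacement (old line 19 maps to a blank line on the new side), which goes beyond the python include cleanup the rest of the hunk performs; if any of the included disable-*.inc files blacklists paths under /opt, an installation in /opt/natron stops working. Either restore the line or explain in the commit why it is no longer needed.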
@@ -33,9 +28,9 @@ nogroups | |||
33 | nonewprivs | 28 | nonewprivs |
34 | noroot | 29 | noroot |
35 | notv | 30 | notv |
36 | protocol unix,inet,inet6 | 31 | nou2f |
32 | protocol unix | ||
37 | seccomp | 33 | seccomp |
38 | shell none | 34 | shell none |
39 | 35 | ||
40 | private-bin natron,Natron,NatronRenderer | 36 | private-bin natron,Natron,NatronRenderer |
41 | |||
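Review bot: `protocol unix,inet,inet6` becoming `protocol unix` is a functional change (no IPv4/IPv6 sockets at all) bundled into an otherwise cosmetic commit; if Natron is known not to need the network, consider adding `net none` next to it so the intent is explicit, and mention the change in the commit message. Adding `nou2f` is fine.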
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 1d68ef8e3..d6d08679b 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus | |||
15 | noblacklist ${HOME}/.local/share/nautilus-python | 15 | noblacklist ${HOME}/.local/share/nautilus-python |
16 | 16 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
19 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
20 | noblacklist /usr/lib/python2* | ||
21 | noblacklist /usr/lib/python3* | ||
22 | noblacklist /usr/local/lib/python2* | ||
23 | noblacklist /usr/local/lib/python3* | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -44,5 +40,4 @@ tracelog | |||
44 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | 40 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files |
45 | # private-bin nautilus | 41 | # private-bin nautilus |
46 | # private-dev | 42 | # private-dev |
47 | # private-etc alternatives,fonts | ||
48 | # private-tmp | 43 | # private-tmp |
diff --git a/etc/ncdu.profile b/etc/ncdu.profile index c18e1c4bf..0d7915839 100644 --- a/etc/ncdu.profile +++ b/etc/ncdu.profile | |||
@@ -24,6 +24,7 @@ novideo | |||
24 | protocol unix | 24 | protocol unix |
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | x11 none | ||
27 | 28 | ||
28 | private-dev | 29 | private-dev |
29 | # private-tmp | 30 | # private-tmp |
diff --git a/etc/nemo.profile b/etc/nemo.profile index a23ba1700..26cfedb66 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo | |||
12 | noblacklist ${HOME}/.local/share/nemo-python | 12 | noblacklist ${HOME}/.local/share/nemo-python |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile index 2c23a4868..e1294153b 100644 --- a/etc/nethack-vultures.profile +++ b/etc/nethack-vultures.profile | |||
@@ -6,7 +6,6 @@ include nethack.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.vultures | 9 | noblacklist ${HOME}/.vultures |
11 | noblacklist /var/log | 10 | noblacklist /var/log |
12 | 11 | ||
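Review bot: the hunk header shows this file doing `include nethack.local` instead of `include nethack-vultures.local`, so a user's nethack-vultures.local customizations are never read; worth fixing while the file is already being touched for whitespace.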
@@ -43,4 +42,3 @@ private-cache | |||
43 | private-dev | 42 | private-dev |
44 | private-tmp | 43 | private-tmp |
45 | writable-var | 44 | writable-var |
46 | |||
diff --git a/etc/nethack.profile b/etc/nethack.profile index 5375d2f4f..3df632451 100644 --- a/etc/nethack.profile +++ b/etc/nethack.profile | |||
@@ -6,7 +6,6 @@ include nethack.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/games/nethack | 9 | noblacklist /var/games/nethack |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/newsbeuter.profile b/etc/newsbeuter.profile new file mode 100644 index 000000000..059c2156d --- /dev/null +++ b/etc/newsbeuter.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Firejail profile for Newsboat | ||
2 | # Description: Text based Atom/RSS feed reader | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include newsbeuter.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/newsbeuter | ||
11 | noblacklist ${HOME}/.newsbeuter | ||
12 | |||
13 | mkdir ${HOME}/.config/newsbeuter | ||
14 | mkdir ${HOME}/.newsbeuter | ||
15 | whitelist ${HOME}/.config/newsbeuter | ||
16 | whitelist ${HOME}/.newsbeuter | ||
17 | |||
18 | private-bin newsbeuter | ||
19 | |||
20 | # Redirect | ||
21 | include newsboat.profile | ||
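Review bot: the header on line 1 reads "Firejail profile for Newsboat" although this file is newsbeuter.profile, a redirect to newsboat.profile; name Newsbeuter there and give it its own description so users of `--profile=newsbeuter` do not mistake it for the newsboat profile. The commented `#include globals.local` relies on newsboat.profile including globals.local, the same dependency as in the ms-skype.profile change above.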
diff --git a/etc/nheko.profile b/etc/nheko.profile index 2dfddf872..119b30239 100644 --- a/etc/nheko.profile +++ b/etc/nheko.profile | |||
@@ -18,11 +18,9 @@ include disable-programs.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.config/nheko | 19 | mkdir ${HOME}/.config/nheko |
20 | mkdir ${HOME}/.cache/nheko/nheko | 20 | mkdir ${HOME}/.cache/nheko/nheko |
21 | |||
22 | whitelist ${HOME}/.config/nheko | 21 | whitelist ${HOME}/.config/nheko |
23 | whitelist ${HOME}/.cache/nheko/nheko | 22 | whitelist ${HOME}/.cache/nheko/nheko |
24 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
25 | |||
26 | include whitelist-common.inc | 24 | include whitelist-common.inc |
27 | 25 | ||
28 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile index 7aba69490..19b6615ef 100644 --- a/etc/nitroshare.profile +++ b/etc/nitroshare.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman | |||
10 | noblacklist ${HOME}/.config/NitroShare | 10 | noblacklist ${HOME}/.config/NitroShare |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/nomacs.profile b/etc/nomacs.profile index fd154b1c4..7a7ff504a 100644 --- a/etc/nomacs.profile +++ b/etc/nomacs.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | #private-bin nomacs | 41 | #private-bin nomacs |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs | 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
diff --git a/etc/nylas.profile b/etc/nylas.profile index 263e09198..c959eb991 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile | |||
@@ -14,6 +14,8 @@ include disable-interpreters.inc | |||
14 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/Nylas Mail | ||
18 | mkdir ${HOME}/.nylas-mail | ||
17 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
18 | whitelist ${HOME}/.config/Nylas Mail | 20 | whitelist ${HOME}/.config/Nylas Mail |
19 | whitelist ${HOME}/.nylas-mail | 21 | whitelist ${HOME}/.nylas-mail |
diff --git a/etc/nyx.profile b/etc/nyx.profile index ed39283b2..c4475c75c 100644 --- a/etc/nyx.profile +++ b/etc/nyx.profile | |||
@@ -6,14 +6,11 @@ include nyx.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PATH}/python2* | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python3* | 10 | include allow-python2.inc |
11 | noblacklist /usr/lib/python2* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python3* | ||
13 | 12 | ||
14 | noblacklist ${HOME}/.nyx | 13 | noblacklist ${HOME}/.nyx |
15 | mkdir ${HOME}/.nyx | ||
16 | whitelist ${HOME}/.nyx | ||
17 | 14 | ||
18 | include disable-common.inc | 15 | include disable-common.inc |
19 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc | |||
23 | include disable-programs.inc | 20 | include disable-programs.inc |
24 | include disable-xdg.inc | 21 | include disable-xdg.inc |
25 | 22 | ||
23 | mkdir ${HOME}/.nyx | ||
24 | whitelist ${HOME}/.nyx | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
26 | caps.drop all | 28 | caps.drop all |
27 | netfilter | 29 | netfilter |
28 | no3d | 30 | no3d |
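Review bot: besides moving the mkdir/whitelist pair below the disable-*.inc includes, the hunk adds `include whitelist-common.inc` and `include whitelist-var-common.inc`, which narrows what nyx sees under ${HOME} and /var. nyx talks to Tor through its control port or control socket, which on many systems lives under /var/run, so verify whitelist-var-common.inc keeps that path reachable; with `private-etc ... tor` already in this profile, a hidden socket would surface as a confusing connection error rather than a sandbox message.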
@@ -43,7 +45,7 @@ disable-mnt | |||
43 | private-bin nyx,python* | 45 | private-bin nyx,python* |
44 | private-cache | 46 | private-cache |
45 | private-dev | 47 | private-dev |
46 | private-etc alternatives,passwd,tor,fonts | 48 | private-etc alternatives,fonts,passwd,tor |
47 | private-opt none | 49 | private-opt none |
48 | private-srv none | 50 | private-srv none |
49 | private-tmp | 51 | private-tmp |
diff --git a/etc/obs.profile b/etc/obs.profile index 1f02efc7f..038242cae 100644 --- a/etc/obs.profile +++ b/etc/obs.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${PICTURES} | |||
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile index b2249f63b..ea89a259f 100644 --- a/etc/ocenaudio.profile +++ b/etc/ocenaudio.profile | |||
@@ -45,4 +45,4 @@ private-dev | |||
45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # memory-deny-write-execute - breaks on Arch | 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 3e1739bf9..719753c87 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -8,8 +8,6 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
10 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 11 | include disable-common.inc |
14 | include disable-devel.inc | 12 | include disable-devel.inc |
15 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
@@ -33,6 +31,7 @@ protocol unix | |||
33 | seccomp | 31 | seccomp |
34 | shell none | 32 | shell none |
35 | tracelog | 33 | tracelog |
34 | x11 none | ||
36 | 35 | ||
37 | private-bin odt2txt | 36 | private-bin odt2txt |
38 | private-cache | 37 | private-cache |
diff --git a/etc/okular.profile b/etc/okular.profile index 48e45ca3f..99357934d 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -47,7 +47,7 @@ seccomp | |||
47 | shell none | 47 | shell none |
48 | tracelog | 48 | tracelog |
49 | 49 | ||
50 | private-bin okular,kbuildsycoca4,kdeinit4,lpr | 50 | private-bin kbuildsycoca4,kdeinit4,lpr,okular |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | 52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg |
53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile index 3ee78c59d..5bfcd0527 100644 --- a/etc/onionshare-gui.profile +++ b/etc/onionshare-gui.profile | |||
@@ -8,9 +8,7 @@ include globals.local | |||
8 | noblacklist ${HOME}/.config/onionshare | 8 | noblacklist ${HOME}/.config/onionshare |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python3* | ||
13 | noblacklist /usr/local/lib/python3* | ||
14 | 12 | ||
15 | include disable-common.inc | 13 | include disable-common.inc |
16 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index bff42fb19..d80b3d351 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin open-invaders | 34 | # private-bin open-invaders |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/openarena.profile b/etc/openarena.profile new file mode 100644 index 000000000..c83e78e2c --- /dev/null +++ b/etc/openarena.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for OpenArena | ||
2 | # Description: deathmatch FPS game based on GPL idTech3 technology | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include openarena.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.openarena | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | include whitelist-var-common.inc | ||
20 | |||
21 | apparmor | ||
22 | caps.drop all | ||
23 | # ipc-namespace | ||
24 | # netfilter | ||
25 | # nodbus | ||
26 | # nodvd | ||
27 | # nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | # nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | shell none | ||
36 | # tracelog | ||
37 | |||
38 | # disable-mnt | ||
39 | # private-bin openarena | ||
40 | private-cache | ||
41 | private-dev | ||
42 | # private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg | ||
43 | private-tmp | ||
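Review bot: `noblacklist ${HOME}/.openarena` is not paired with `mkdir`/`whitelist ${HOME}/.openarena` and `include whitelist-common.inc`, so the game keeps read access to the whole home directory; nyx and mpsyt in this same commit use the whitelist pattern. Also, `protocol unix,inet,inet6,netlink` and the many commented-out hardening options (`# netfilter`, `# nodbus`, `# nogroups`, `# nou2f`, `# tracelog`, `# disable-mnt`, `# private-bin openarena`, `# private-etc ...`) carry no reason, unlike the "(see issue #1803)" remarks elsewhere in this commit; note why netlink is required and why each option is disabled so a later maintainer can re-enable them.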
diff --git a/etc/openclonk.profile b/etc/openclonk.profile index 02663c2f4..da60006b3 100644 --- a/etc/openclonk.profile +++ b/etc/openclonk.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | tracelog | 38 | tracelog |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin openclonk,c4group | 41 | private-bin c4group,openclonk |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/openshot.profile b/etc/openshot.profile index cfda1d0ce..0222243ed 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot | |||
10 | noblacklist ${HOME}/.openshot_qt | 10 | noblacklist ${HOME}/.openshot_qt |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/pandoc.profile b/etc/pandoc.profile new file mode 100644 index 000000000..788324855 --- /dev/null +++ b/etc/pandoc.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for pandoc | ||
2 | # Description: general markup converter | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include pandoc.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${DOCUMENTS} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | # breaks pdf output | ||
21 | #include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodbus | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | x11 none | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-tmp | ||
49 | |||
50 | memory-deny-write-execute | ||
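Review bot: `private-bin ...,weasyprint,...` lists a Python program, but the profile keeps disable-interpreters.inc with no allow-python include and no python* in private-bin, so that PDF engine cannot start inside the sandbox; either drop weasyprint from the list or add `include allow-python3.inc` and python3* to private-bin. The commented `#include whitelist-var-common.inc` with its "breaks pdf output" note is the right way to document a disabled option.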
diff --git a/etc/parole.profile b/etc/parole.profile index 69ed5a2ca..e7a0694ed 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -25,6 +25,6 @@ protocol unix,inet,inet6 | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-bin parole,dbus-launch | 28 | private-bin dbus-launch,parole |
29 | private-cache | 29 | private-cache |
30 | private-etc alternatives,passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl |
diff --git a/etc/patch.profile b/etc/patch.profile index 9515bffdf..60cc1adbe 100644 --- a/etc/patch.profile +++ b/etc/patch.profile | |||
@@ -34,6 +34,7 @@ novideo | |||
34 | protocol unix | 34 | protocol unix |
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | x11 none | ||
37 | 38 | ||
38 | private-bin patch,red | 39 | private-bin patch,red |
39 | private-dev | 40 | private-dev |
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile index 18b9b7fc6..3fd4f3668 100644 --- a/etc/pavucontrol.profile +++ b/etc/pavucontrol.profile | |||
@@ -16,6 +16,9 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.config/pavucontrol.ini | ||
20 | whitelist ${HOME}/.config/pavucontrol.ini | ||
21 | include whitelist-common.inc | ||
19 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
20 | 23 | ||
21 | apparmor | 24 | apparmor |
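Review bot: `mkdir ${HOME}/.config/pavucontrol.ini` (line 19) creates a directory where pavucontrol expects its settings file; the next line whitelists the same path as a file, so on a fresh home the empty directory shadows the ini file and settings can never be written. This should be `mkfile ${HOME}/.config/pavucontrol.ini`.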
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 98dcce0b7..48f424190 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -6,14 +6,10 @@ include pdfsam.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
11 | 10 | ||
12 | # Allow access to java | 11 | # Allow java (blacklisted by disable-devel.inc) |
13 | noblacklist ${PATH}/java | 12 | include allow-java.inc |
14 | noblacklist /usr/lib/java | ||
15 | noblacklist /etc/java | ||
16 | noblacklist /usr/share/java | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
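Review bot: the hunk drops `noblacklist ${HOME}/.java` (old line 9) together with the java lines it folds into `include allow-java.inc`, but allow-java.inc is not part of this patch, so it is not visible whether it also un-blacklists ${HOME}/.java. Please confirm it does, otherwise the JVM loses its user preferences and font-cache directory and this becomes a regression rather than a pure refactor.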
@@ -40,7 +36,7 @@ protocol unix | |||
40 | seccomp | 36 | seccomp |
41 | shell none | 37 | shell none |
42 | 38 | ||
43 | private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config | 39 | private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which |
44 | private-cache | 40 | private-cache |
45 | private-dev | 41 | private-dev |
46 | private-tmp | 42 | private-tmp |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 85e28372e..c5016201d 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -7,8 +7,6 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${DOCUMENTS} | 8 | noblacklist ${DOCUMENTS} |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | include disable-common.inc | 10 | include disable-common.inc |
13 | include disable-devel.inc | 11 | include disable-devel.inc |
14 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
@@ -16,6 +14,8 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 14 | include disable-programs.inc |
17 | include disable-xdg.inc | 15 | include disable-xdg.inc |
18 | 16 | ||
17 | whitelist ${DOCUMENTS} | ||
18 | whitelist ${DOWNLOADS} | ||
19 | include whitelist-var-common.inc | 19 | include whitelist-var-common.inc |
20 | 20 | ||
21 | caps.drop all | 21 | caps.drop all |
@@ -35,6 +35,7 @@ protocol unix | |||
35 | seccomp | 35 | seccomp |
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | x11 none | ||
38 | 39 | ||
39 | private-bin pdftotext | 40 | private-bin pdftotext |
40 | private-dev | 41 | private-dev |
diff --git a/etc/peek.profile b/etc/peek.profile index fd836560e..8cbff0c64 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
@@ -34,7 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | # private-bin breaks gif mode, mp4 and webm mode work fine however | 36 | # private-bin breaks gif mode, mp4 and webm mode work fine however |
37 | # private-bin peek,convert,ffmpeg | 37 | # private-bin convert,ffmpeg,peek |
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/picard.profile b/etc/picard.profile index b756ed629..15fc7a454 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz | |||
11 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index bdd5404f5..299f807af 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -6,11 +6,11 @@ include pidgin.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.purple | ||
10 | |||
11 | ignore noexec ${RUNUSER} | 9 | ignore noexec ${RUNUSER} |
12 | ignore noexec /dev/shm | 10 | ignore noexec /dev/shm |
13 | 11 | ||
12 | noblacklist ${HOME}/.purple | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/ping.profile b/etc/ping.profile index 66574bab5..00ac45c5a 100644 --- a/etc/ping.profile +++ b/etc/ping.profile | |||
@@ -30,10 +30,8 @@ nosound | |||
30 | notv | 30 | notv |
31 | nou2f | 31 | nou2f |
32 | novideo | 32 | novideo |
33 | |||
34 | # protocol command is built using seccomp; nonewprivs will kill it | 33 | # protocol command is built using seccomp; nonewprivs will kill it |
35 | #protocol unix,inet,inet6,netlink,packet | 34 | #protocol unix,inet,inet6,netlink,packet |
36 | |||
37 | # killed by no-new-privs | 35 | # killed by no-new-privs |
38 | #seccomp | 36 | #seccomp |
39 | 37 | ||
@@ -42,7 +40,7 @@ private | |||
42 | #private-bin has mammoth problems with execvp: "No such file or directory" | 40 | #private-bin has mammoth problems with execvp: "No such file or directory" |
43 | private-dev | 41 | private-dev |
44 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! | 42 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! |
45 | #private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies | 43 | #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
46 | private-tmp | 44 | private-tmp |
47 | 45 | ||
48 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it | 46 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it |
diff --git a/etc/pingus.profile b/etc/pingus.profile index 6b664248f..782ee200d 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin pingus | 34 | # private-bin pingus |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/pioneer.profile b/etc/pioneer.profile index a240aa5fc..c5b936617 100644 --- a/etc/pioneer.profile +++ b/etc/pioneer.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | tracelog | 38 | tracelog |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin pioneer,modelcompiler,savegamedump | 41 | private-bin modelcompiler,pioneer,savegamedump |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/pithos.profile b/etc/pithos.profile index d6a0a7822..ad56ce525 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
@@ -7,12 +7,8 @@ include pithos.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
@@ -40,7 +36,7 @@ seccomp | |||
40 | shell none | 36 | shell none |
41 | 37 | ||
42 | disable-mnt | 38 | disable-mnt |
43 | private-bin pithos,env,python* | 39 | private-bin env,pithos,python* |
44 | private-dev | 40 | private-dev |
45 | private-tmp | 41 | private-tmp |
46 | 42 | ||
diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 83f5ccbb9..89a6a020b 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile | |||
@@ -10,12 +10,8 @@ include globals.local | |||
10 | noblacklist ${HOME}/.config/pitivi | 10 | noblacklist ${HOME}/.config/pitivi |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile index 2f287223b..03091af6d 100644 --- a/etc/playonlinux.profile +++ b/etc/playonlinux.profile | |||
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux | |||
16 | noblacklist ${PATH}/nc | 16 | noblacklist ${PATH}/nc |
17 | 17 | ||
18 | # Allow python (blacklisted by disable-interpreters.inc) | 18 | # Allow python (blacklisted by disable-interpreters.inc) |
19 | noblacklist ${PATH}/python2* | 19 | include allow-python2.inc |
20 | noblacklist ${PATH}/python3* | 20 | include allow-python3.inc |
21 | noblacklist /usr/lib/python2* | ||
22 | noblacklist /usr/lib/python3* | ||
23 | noblacklist /usr/local/lib/python2* | ||
24 | noblacklist /usr/local/lib/python3* | ||
25 | 21 | ||
26 | # Allow perl (blacklisted by disable-interpreters.inc) | 22 | # Allow perl (blacklisted by disable-interpreters.inc) |
27 | noblacklist ${PATH}/cpan* | 23 | include allow-perl.inc |
28 | noblacklist ${PATH}/core_perl | ||
29 | noblacklist ${PATH}/perl | ||
30 | noblacklist /usr/lib/perl* | ||
31 | noblacklist /usr/share/perl* | ||
32 | 24 | ||
33 | include disable-common.inc | 25 | include disable-common.inc |
34 | include disable-devel.inc | 26 | include disable-devel.inc |
diff --git a/etc/pluma.profile b/etc/pluma.profile index 47626753a..81b2b1481 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -7,6 +7,9 @@ include pluma.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/pluma | 9 | noblacklist ${HOME}/.config/pluma |
10 | noblacklist ${HOME}/.python-history | ||
11 | noblacklist ${HOME}/.python_history | ||
12 | noblacklist ${HOME}/.pythonhist | ||
10 | noblacklist ${HOME}/.pythonrc.py | 13 | noblacklist ${HOME}/.pythonrc.py |
11 | 14 | ||
12 | include disable-common.inc | 15 | include disable-common.inc |
@@ -39,7 +42,6 @@ tracelog | |||
39 | 42 | ||
40 | private-bin pluma | 43 | private-bin pluma |
41 | private-dev | 44 | private-dev |
42 | # private-etc alternatives,fonts | ||
43 | private-lib pluma | 45 | private-lib pluma |
44 | private-tmp | 46 | private-tmp |
45 | 47 | ||
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile index 480a03e49..116698312 100644 --- a/etc/ppsspp.profile +++ b/etc/ppsspp.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | 38 | ||
39 | # private-dev is disabled to allow controller support | 39 | # private-dev is disabled to allow controller support |
40 | #private-dev | 40 | #private-dev |
41 | private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 41 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
42 | private-opt ppsspp | 42 | private-opt ppsspp |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/pragha.profile b/etc/pragha.profile index 4e6840636..019c1a547 100644 --- a/etc/pragha.profile +++ b/etc/pragha.profile | |||
@@ -33,6 +33,6 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile index 28ab8caa6..034c144c7 100644 --- a/etc/pybitmessage.profile +++ b/etc/pybitmessage.profile | |||
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin | |||
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -43,8 +39,8 @@ seccomp | |||
43 | shell none | 39 | shell none |
44 | 40 | ||
45 | disable-mnt | 41 | disable-mnt |
46 | private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat | 42 | private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat |
47 | private-dev | 43 | private-dev |
48 | private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies | 44 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg |
49 | private-tmp | 45 | private-tmp |
50 | 46 | ||
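Review bot: the sorted `private-etc` list (line 44) now reads `...localtime,pki,pki,PyBitmessage...`; `pki` was already listed twice in the old line and the sort made the duplicate adjacent. Drop one occurrence while touching the line.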
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index 1a6f171c8..17218adee 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -7,14 +7,12 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.PyCharmCE* | 8 | noblacklist ${HOME}/.PyCharmCE* |
9 | noblacklist ${HOME}/.python-history | 9 | noblacklist ${HOME}/.python-history |
10 | noblacklist ${HOME}/.python_history | ||
11 | noblacklist ${HOME}/.pythonhist | ||
10 | noblacklist ${HOME}/.pythonrc.py | 12 | noblacklist ${HOME}/.pythonrc.py |
11 | noblacklist ${HOME}/.java | ||
12 | 13 | ||
13 | # Allow access to java | 14 | # Allow java (blacklisted by disable-devel.inc) |
14 | noblacklist ${PATH}/java | 15 | include allow-java.inc |
15 | noblacklist /usr/lib/java | ||
16 | noblacklist /etc/java | ||
17 | noblacklist /usr/share/java | ||
18 | 16 | ||
19 | include disable-common.inc | 17 | include disable-common.inc |
20 | include disable-devel.inc | 18 | include disable-devel.inc |
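Review bot: `noblacklist ${HOME}/.java` (old line 11) is removed in favour of `include allow-java.inc`, whose contents are not in this patch; the IDE runs on a JVM that stores its user preferences under ${HOME}/.java, so please verify the include covers that path before merging.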
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index b0a6a0016..fe9caec77 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc | |||
12 | noblacklist ${HOME}/.local/share/data/qBittorrent | 12 | noblacklist ${HOME}/.local/share/data/qBittorrent |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
@@ -55,10 +51,9 @@ protocol unix,inet,inet6,netlink | |||
55 | seccomp | 51 | seccomp |
56 | shell none | 52 | shell none |
57 | 53 | ||
58 | private-bin qbittorrent,python* | 54 | private-bin python*,qbittorrent |
59 | private-dev | 55 | private-dev |
60 | # private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 56 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg |
61 | # private-lib - problems on Arch | ||
62 | private-tmp | 57 | private-tmp |
63 | 58 | ||
64 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo | 59 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
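Review bot: removing `# private-lib - problems on Arch` (old line 61) loses the only record of why private-lib is not used in this profile, while the sibling memory-deny-write-execute comment with its issue reference is kept; either keep the note or replace it with a reference to the issue, so the next contributor does not re-add private-lib and reintroduce the breakage.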
diff --git a/etc/qgis.profile b/etc/qgis.profile index 45fe59cf7..80a10efce 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile | |||
@@ -6,16 +6,13 @@ include qgis.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/QtProject.conf | ||
10 | noblacklist ${HOME}/.config/QGIS | 9 | noblacklist ${HOME}/.config/QGIS |
11 | noblacklist ${HOME}/.local/share/QGIS | 10 | noblacklist ${HOME}/.local/share/QGIS |
12 | noblacklist ${HOME}/.qgis2 | 11 | noblacklist ${HOME}/.qgis2 |
13 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
14 | 13 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 16 | ||
20 | include disable-common.inc | 17 | include disable-common.inc |
21 | include disable-devel.inc | 18 | include disable-devel.inc |
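Review bot: `noblacklist ${HOME}/.config/QtProject.conf` (old line 9) is removed with no replacement in this hunk; if QtProject.conf is still blacklisted by one of the shared disable-*.inc files, QGIS loses its Qt file-dialog settings. Please confirm the entry was dropped from the shared include (not visible in this patch) rather than just from this profile.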
@@ -48,7 +45,7 @@ notv | |||
48 | nou2f | 45 | nou2f |
49 | novideo | 46 | novideo |
50 | # blacklisting of mbind system calls breaks old version | 47 | # blacklisting of mbind system calls breaks old version |
51 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | 48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice |
52 | protocol unix,inet,inet6,netlink | 49 | protocol unix,inet,inet6,netlink |
53 | shell none | 50 | shell none |
54 | tracelog | 51 | tracelog |
@@ -56,5 +53,5 @@ tracelog | |||
56 | disable-mnt | 53 | disable-mnt |
57 | private-cache | 54 | private-cache |
58 | private-dev | 55 | private-dev |
59 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf | 56 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf |
60 | private-tmp | 57 | private-tmp |
diff --git a/etc/qmmp.profile b/etc/qmmp.profile index f786e73b7..b69bbdef1 100644 --- a/etc/qmmp.profile +++ b/etc/qmmp.profile | |||
@@ -31,7 +31,7 @@ seccomp | |||
31 | shell none | 31 | shell none |
32 | tracelog | 32 | tracelog |
33 | 33 | ||
34 | private-bin qmmp,tar,unzip,bzip2,gzip | 34 | private-bin bzip2,gzip,qmmp,tar,unzip |
35 | private-dev | 35 | private-dev |
36 | private-tmp | 36 | private-tmp |
37 | 37 | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 0ca5a5ef0..c3e8fb95c 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin qtox | 42 | private-bin qtox |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse | 45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
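Review bot: disabling `memory-deny-write-execute` (line 48) for every distribution because of an Arch-only issue removes a W^X mitigation from a network-facing messenger; the comment should follow the form the other profiles use (`# memory-deny-write-execute - breaks on Arch, see #1803`) and say that users on other distributions can re-enable it in qtox.local.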
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 41c84425b..ca1abcdc9 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss | |||
22 | mkdir ${HOME}/.config/QuiteRss | 22 | mkdir ${HOME}/.config/QuiteRss |
23 | mkdir ${HOME}/.local/share/data | 23 | mkdir ${HOME}/.local/share/data |
24 | mkdir ${HOME}/.local/share/data/QuiteRss | 24 | mkdir ${HOME}/.local/share/data/QuiteRss |
25 | mkdir ${HOME}/.local/share/QuiteRss | ||
26 | mkfile ${HOME}/quiterssfeeds.opml | ||
25 | whitelist ${HOME}/.cache/QuiteRss | 27 | whitelist ${HOME}/.cache/QuiteRss |
26 | whitelist ${HOME}/.config/QuiteRss/ | 28 | whitelist ${HOME}/.config/QuiteRss/ |
27 | whitelist ${HOME}/.config/QuiteRssrc | 29 | whitelist ${HOME}/.config/QuiteRssrc |
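Review bot: the new `mkdir ${HOME}/.local/share/QuiteRss` and `mkfile ${HOME}/quiterssfeeds.opml` (lines 25-26) have no matching `whitelist` lines in this hunk; since the profile is in whitelist mode (lines 27-29), a path that is created but not whitelisted stays invisible inside the sandbox. If the whitelist entries are further down the file that is fine, but creating an .opml file in the top level of $HOME on every launch is intrusive; only do it if QuiteRss really requires the file to pre-exist, and say so in a comment.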
@@ -48,5 +50,5 @@ tracelog | |||
48 | disable-mnt | 50 | disable-mnt |
49 | private-bin quiterss | 51 | private-bin quiterss |
50 | private-dev | 52 | private-dev |
51 | # private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies | 53 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 |
52 | 54 | ||
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 1b23b2baf..954b1a3b4 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
@@ -15,6 +15,8 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.cache/qupzilla | ||
19 | mkdir ${HOME}/.config/qupzilla | ||
18 | whitelist ${DOWNLOADS} | 20 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.cache/qupzilla | 21 | whitelist ${HOME}/.cache/qupzilla |
20 | whitelist ${HOME}/.config/qupzilla | 22 | whitelist ${HOME}/.config/qupzilla |
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 9e3853a09..e556ecf1f 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -9,18 +9,13 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/qutebrowser | 9 | noblacklist ${HOME}/.cache/qutebrowser |
10 | noblacklist ${HOME}/.config/qutebrowser | 10 | noblacklist ${HOME}/.config/qutebrowser |
11 | noblacklist ${HOME}/.local/share/qutebrowser | 11 | noblacklist ${HOME}/.local/share/qutebrowser |
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | noblacklist ${PATH}/python2* | ||
15 | noblacklist ${PATH}/python3* | ||
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | |||
21 | # with >=llvm-4 mesa drivers need llvm stuff | 12 | # with >=llvm-4 mesa drivers need llvm stuff |
22 | noblacklist /usr/lib/llvm* | 13 | noblacklist /usr/lib/llvm* |
23 | 14 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python2.inc | ||
17 | include allow-python3.inc | ||
18 | |||
24 | include disable-common.inc | 19 | include disable-common.inc |
25 | include disable-devel.inc | 20 | include disable-devel.inc |
26 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
diff --git a/etc/ranger.profile b/etc/ranger.profile index 1e50ca9fa..4bbc3ea56 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger | |||
11 | noblacklist ${HOME}/.nanorc | 11 | noblacklist ${HOME}/.nanorc |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | # Allow perl | 17 | # Allow perl |
22 | # noblacklist ${PATH}/cpan* | 18 | include allow-perl.inc |
23 | noblacklist ${PATH}/perl | ||
24 | noblacklist /usr/lib/perl* | ||
25 | noblacklist /usr/share/perl* | ||
26 | 19 | ||
27 | include disable-common.inc | 20 | include disable-common.inc |
28 | include disable-devel.inc | 21 | include disable-devel.inc |
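Review bot: the old block deliberately kept `# noblacklist ${PATH}/cpan*` commented out (old line 22), so replacing it with `include allow-perl.inc` widens the sandbox to cpan as well; if that is intended, note it, and bring the heading in line with the python block above it: `# Allow perl (blacklisted by disable-interpreters.inc)`.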
@@ -43,5 +36,6 @@ nou2f | |||
43 | novideo | 36 | novideo |
44 | protocol unix | 37 | protocol unix |
45 | seccomp | 38 | seccomp |
39 | #x11 none | ||
46 | 40 | ||
47 | private-dev | 41 | private-dev |
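Review bot: `#x11 none` (line 39) is added commented out with no reason given; ranger is a terminal application but opens files in external, often graphical, viewers, so either enable the directive, drop it, or add a comment stating why it is left off so the next reader does not simply uncomment it.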
diff --git a/etc/redshift.profile b/etc/redshift.profile index e60877172..0f6d34ed0 100644 --- a/etc/redshift.profile +++ b/etc/redshift.profile | |||
@@ -18,6 +18,9 @@ include disable-interpreters.inc | |||
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.config/redshift | ||
22 | whitelist ${HOME}/.config/redshift | ||
23 | whitelist ${HOME}/.config/redshift.conf | ||
21 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
22 | 25 | ||
23 | apparmor | 26 | apparmor |
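Review bot: the new whitelist lines (21-23) put redshift's home into whitelist mode, but the hunk shows only `include whitelist-var-common.inc` and no `include whitelist-common.inc`; redshift must connect to the X server, and if the user's ~/.Xauthority is not whitelisted the sandboxed process is refused. Add `include whitelist-common.inc` (or verify that firejail already exposes the xauth file) and test with a fresh ~/.config/redshift.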
diff --git a/etc/remmina.profile b/etc/remmina.profile index a77f2d8aa..e85ceca13 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
@@ -31,7 +31,6 @@ nou2f | |||
31 | novideo | 31 | novideo |
32 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
33 | seccomp | 33 | seccomp |
34 | # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev | ||
35 | shell none | 34 | shell none |
36 | 35 | ||
37 | private-cache | 36 | private-cache |
diff --git a/etc/rhythmbox-client.profile b/etc/rhythmbox-client.profile new file mode 100644 index 000000000..29e65d716 --- /dev/null +++ b/etc/rhythmbox-client.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for rhythmbox-client | ||
2 | # Description: controls a running instance of rhythmbox | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rhythmbox-client.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include rhythmbox.profile | ||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index df874f378..9bcbdb561 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -9,11 +9,14 @@ include globals.local | |||
9 | noblacklist ${MUSIC} | 9 | noblacklist ${MUSIC} |
10 | noblacklist ${HOME}/.local/share/rhythmbox | 10 | noblacklist ${HOME}/.local/share/rhythmbox |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
12 | include disable-common.inc | 16 | include disable-common.inc |
13 | include disable-devel.inc | 17 | include disable-devel.inc |
14 | # rhythmbox is using Python | ||
15 | include disable-exec.inc | 18 | include disable-exec.inc |
16 | #include disable-interpreters.inc | 19 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 21 | include disable-programs.inc |
19 | include disable-xdg.inc | 22 | include disable-xdg.inc |
@@ -23,7 +26,6 @@ include whitelist-var-common.inc | |||
23 | # apparmor - makes settings immutable | 26 | # apparmor - makes settings immutable |
24 | caps.drop all | 27 | caps.drop all |
25 | netfilter | 28 | netfilter |
26 | # no3d | ||
27 | # nodbus - makes settings immutable | 29 | # nodbus - makes settings immutable |
28 | nogroups | 30 | nogroups |
29 | nonewprivs | 31 | nonewprivs |
@@ -36,7 +38,6 @@ seccomp | |||
36 | shell none | 38 | shell none |
37 | tracelog | 39 | tracelog |
38 | 40 | ||
39 | private-bin rhythmbox | 41 | private-bin rhythmbox,rhythmbox-client |
40 | private-dev | 42 | private-dev |
41 | private-tmp | 43 | private-tmp |
42 | |||
diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 3cb30c459..1b8fbbc97 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile | |||
@@ -5,7 +5,6 @@ include ricochet.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/Ricochet | 8 | noblacklist ${HOME}/.local/share/Ricochet |
10 | 9 | ||
11 | include disable-common.inc | 10 | include disable-common.inc |
@@ -15,6 +14,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 15 | include disable-programs.inc |
17 | 16 | ||
17 | mkdir ${HOME}/.local/share/Ricochet | ||
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.local/share/Ricochet | 19 | whitelist ${HOME}/.local/share/Ricochet |
20 | include whitelist-common.inc | 20 | include whitelist-common.inc |
@@ -37,5 +37,5 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin ricochet,tor | 38 | private-bin ricochet,tor |
39 | private-dev | 39 | private-dev |
40 | #private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies | 40 | #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 |
41 | 41 | ||
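Review bot: the commented `private-etc` line still contains `alternatives` twice after the alphabetical reorder (`alternatives,alternatives,ca-certificates,...`). Since the sort was done by hand, drop the duplicate here; the same duplicate survives in the active `private-etc` of steam.profile later in this commit, so a quick grep for repeated entries across the sorted lines would be worthwhile.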
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile index c95bc3c3d..8170c62e7 100644 --- a/etc/rocketchat.profile +++ b/etc/rocketchat.profile | |||
@@ -7,6 +7,7 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Rocket.Chat | 8 | noblacklist ${HOME}/.config/Rocket.Chat |
9 | 9 | ||
10 | mkdir ${HOME}/.config/Rocket.Chat | ||
10 | whitelist ${HOME}/.config/Rocket.Chat | 11 | whitelist ${HOME}/.config/Rocket.Chat |
11 | include whitelist-common.inc | 12 | include whitelist-common.inc |
12 | 13 | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index d8dc7b0e0..e20cd1b5a 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS} | |||
27 | noblacklist ${PICTURES} | 27 | noblacklist ${PICTURES} |
28 | 28 | ||
29 | # Allow python (blacklisted by disable-interpreters.inc) | 29 | # Allow python (blacklisted by disable-interpreters.inc) |
30 | noblacklist ${PATH}/python2* | 30 | include allow-python2.inc |
31 | noblacklist ${PATH}/python3* | 31 | include allow-python3.inc |
32 | noblacklist /usr/lib/python2* | ||
33 | noblacklist /usr/lib/python3* | ||
34 | noblacklist /usr/local/lib/python2* | ||
35 | noblacklist /usr/local/lib/python3* | ||
36 | 32 | ||
37 | include disable-common.inc | 33 | include disable-common.inc |
38 | include disable-devel.inc | 34 | include disable-devel.inc |
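Review bot: replacing the six `noblacklist` lines with `include allow-python2.inc` and `include allow-python3.inc` depends on those include files being shipped and installed, and the hunk does not show their contents. Confirm they cover every path removed here (`${PATH}/python2*`, `/usr/lib/python2*`, `/usr/local/lib/python2*` and the python3 equivalents), otherwise profiles that worked before this commit will lose interpreter access. The same check applies to `allow-perl.inc` and `allow-java.inc` introduced further down.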
@@ -60,7 +56,7 @@ seccomp | |||
60 | shell none | 56 | shell none |
61 | tracelog | 57 | tracelog |
62 | 58 | ||
63 | # private-bin scribus,gs,gimp* | 59 | # private-bin gimp*,gs,scribus |
64 | private-dev | 60 | private-dev |
65 | private-tmp | 61 | private-tmp |
66 | 62 | ||
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 485326fcc..a367acad5 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -7,12 +7,8 @@ include sdat2img.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
@@ -40,7 +36,7 @@ protocol unix | |||
40 | seccomp | 36 | seccomp |
41 | shell none | 37 | shell none |
42 | 38 | ||
43 | private-bin sdat2img,env,python* | 39 | private-bin env,python*,sdat2img |
44 | private-cache | 40 | private-cache |
45 | private-dev | 41 | private-dev |
46 | 42 | ||
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index fc54a0716..a7c95c073 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -6,24 +6,10 @@ include seahorse.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # dconf | ||
10 | noblacklist ${HOME}/.config/dconf | 9 | noblacklist ${HOME}/.config/dconf |
11 | whitelist ${HOME}/.config/dconf | ||
12 | |||
13 | # gpg | ||
14 | mkdir ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
16 | whitelist ${HOME}/.gnupg | ||
17 | |||
18 | # ssh | ||
19 | whitelist /etc/ld.so.preload | ||
20 | noblacklist /etc/ssh | ||
21 | whitelist /etc/ssh | ||
22 | noblacklist /tmp/ssh-* | ||
23 | whitelist /tmp/ssh-* | ||
24 | mkdir ${HOME}/.ssh | ||
25 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
26 | whitelist ${HOME}/.ssh | 12 | noblacklist /tmp/ssh-* |
27 | 13 | ||
28 | include disable-common.inc | 14 | include disable-common.inc |
29 | include disable-devel.inc | 15 | include disable-devel.inc |
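Review bot: `noblacklist /etc/ssh` and `whitelist /etc/ssh` are removed here while `noblacklist /tmp/ssh-*` is kept. The later hunk adds `ssh` to a new `private-etc`, but ssh.profile and ssh-agent.profile in this same commit still carry `noblacklist /etc/ssh`, which indicates an include blacklists that directory. Confirm /etc/ssh is actually readable inside the private /etc after this change (test seahorse's SSH key import), or keep the `noblacklist /etc/ssh` line alongside the `private-etc` entry.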
@@ -32,6 +18,14 @@ include disable-interpreters.inc | |||
32 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
33 | include disable-programs.inc | 19 | include disable-programs.inc |
34 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | |||
22 | mkdir ${HOME}/.config/dconf | ||
23 | mkdir ${HOME}/.gnupg | ||
24 | mkdir ${HOME}/.ssh | ||
25 | whitelist ${HOME}/.config/dconf | ||
26 | whitelist ${HOME}/.gnupg | ||
27 | whitelist ${HOME}/.ssh | ||
28 | whitelist /tmp/ssh-* | ||
35 | include whitelist-common.inc | 29 | include whitelist-common.inc |
36 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
37 | 31 | ||
@@ -56,5 +50,5 @@ tracelog | |||
56 | disable-mnt | 50 | disable-mnt |
57 | private-cache | 51 | private-cache |
58 | private-dev | 52 | private-dev |
59 | 53 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | |
60 | writable-run-user | 54 | writable-run-user |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index d92c62a52..807effbeb 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -18,6 +18,8 @@ include disable-programs.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.cache/mozilla | 19 | mkdir ${HOME}/.cache/mozilla |
20 | mkdir ${HOME}/.mozilla | 20 | mkdir ${HOME}/.mozilla |
21 | mkdir ${HOME}/.pki | ||
22 | mkdir ${HOME}/.local/share/pki | ||
21 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
22 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | 24 | whitelist ${HOME}/.cache/gnome-mplayer/plugin |
23 | whitelist ${HOME}/.cache/mozilla | 25 | whitelist ${HOME}/.cache/mozilla |
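Review bot: `mkdir ${HOME}/.pki` and `mkdir ${HOME}/.local/share/pki` are added, but no matching `whitelist ${HOME}/.pki` or `whitelist ${HOME}/.local/share/pki` appears in the visible context. If those whitelist lines exist below the hunk, fine; if not, the new directories are created on the host and then hidden by the whitelist, which is the opposite of the intent. Note also that `mkdir ${HOME}/.local/share/pki` relies on parent directories being created implicitly.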
@@ -50,4 +52,4 @@ seccomp | |||
50 | tracelog | 52 | tracelog |
51 | 53 | ||
52 | disable-mnt | 54 | disable-mnt |
53 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | 55 | # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl |
diff --git a/etc/server.profile b/etc/server.profile index 686268a18..6e077ff84 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -9,12 +9,12 @@ include globals.local | |||
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
10 | # depending on your usage, you can enable some of the commands below: | 10 | # depending on your usage, you can enable some of the commands below: |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | noblacklist /sbin | 12 | noblacklist /sbin |
15 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
16 | # noblacklist /var/opt | 14 | # noblacklist /var/opt |
17 | 15 | ||
16 | blacklist /tmp/.X11-unix | ||
17 | |||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | # include disable-exec.inc | 20 | # include disable-exec.inc |
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile index b8974e416..da5b4258b 100644 --- a/etc/shellcheck.profile +++ b/etc/shellcheck.profile | |||
@@ -35,6 +35,7 @@ novideo | |||
35 | protocol unix | 35 | protocol unix |
36 | seccomp | 36 | seccomp |
37 | shell none | 37 | shell none |
38 | x11 none | ||
38 | 39 | ||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
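Review bot: this hunk adds `x11 none`, while server.profile and ssh-agent.profile in the same commit express the same intent with `blacklist /tmp/.X11-unix`. Two idioms for "no X11" in one commit makes later audits harder; pick one (the `x11 none` form used here, in spectre-meltdown-checker and in strings is the more explicit) and apply it consistently, or note why the blacklist form is needed in those two profiles.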
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 264566dcd..e6c48561f 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -5,10 +5,13 @@ include shotcut.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec ${HOME} | ||
9 | |||
8 | noblacklist ${HOME}/.config/Meltytech | 10 | noblacklist ${HOME}/.config/Meltytech |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 17 | include disable-programs.inc |
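Review bot: `ignore noexec ${HOME}` is added with no explanation, whereas the skypeforlinux hunk in this commit puts `# breaks Skype` above its `ignore noexec /tmp`. Add a one-line comment stating what in Shotcut breaks when ${HOME} is mounted noexec, so the relaxation is not removed later as apparent cleanup. The placement before `include disable-exec.inc` is correct, since the ignore has to be read before the command it suppresses.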
@@ -26,9 +29,6 @@ protocol unix | |||
26 | seccomp | 29 | seccomp |
27 | shell none | 30 | shell none |
28 | 31 | ||
29 | #private-bin shotcut,melt,qmelt,nice | 32 | #private-bin melt,nice,qmelt,shotcut |
30 | private-cache | 33 | private-cache |
31 | private-dev | 34 | private-dev |
32 | |||
33 | #noexec ${HOME} | ||
34 | noexec /tmp | ||
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 008cd218e..04696a918 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile | |||
@@ -5,10 +5,13 @@ include signal-desktop.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.config/Signal | 10 | noblacklist ${HOME}/.config/Signal |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-programs.inc | 16 | include disable-programs.inc |
14 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
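Review bot: `ignore noexec /tmp` lacks a comment explaining why /tmp must stay executable for Signal. The previous profile only had `noexec ${HOME}` (removed in the next hunk), so the net result after `include disable-exec.inc` minus the ignored line is unchanged: ${HOME} noexec, /tmp executable. Saying so in a comment keeps the ignore line from being read as a loosening of the sandbox.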
@@ -34,5 +37,3 @@ shell none | |||
34 | disable-mnt | 37 | disable-mnt |
35 | private-dev | 38 | private-dev |
36 | private-tmp | 39 | private-tmp |
37 | |||
38 | noexec ${HOME} | ||
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index 7aeb2909b..cfc33d074 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile | |||
@@ -32,7 +32,7 @@ shell none | |||
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private | 34 | private |
35 | private-bin silentarmy,sa-solver,python* | 35 | private-bin python*,sa-solver,silentarmy |
36 | private-dev | 36 | private-dev |
37 | private-opt none | 37 | private-opt none |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 4ad841880..64441483d 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -33,5 +33,5 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin simple-scan | 34 | # private-bin simple-scan |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 36 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
37 | # private-tmp | 37 | # private-tmp |
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile index ead475e07..a3caedf88 100644 --- a/etc/simplescreenrecorder.profile +++ b/etc/simplescreenrecorder.profile | |||
@@ -31,7 +31,6 @@ tracelog | |||
31 | 31 | ||
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives | ||
35 | private-tmp | 34 | private-tmp |
36 | 35 | ||
37 | memory-deny-write-execute | 36 | memory-deny-write-execute |
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index c07b1c145..7febcde46 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin simutrans | 34 | # private-bin simutrans |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 76b050d18..c10be717b 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | # net none | ||
20 | netfilter | 19 | netfilter |
21 | # nodbus | 20 | # nodbus |
22 | nodvd | 21 | nodvd |
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink | |||
31 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
32 | shell none | 31 | shell none |
33 | 32 | ||
34 | # private-bin skanlite,kbuildsycoca4,kdeinit4 | 33 | # private-bin kbuildsycoca4,kdeinit4,skanlite |
35 | # private-dev | 34 | # private-dev |
36 | # private-tmp | 35 | # private-tmp |
diff --git a/etc/skype.profile b/etc/skype.profile index 55057c546..5fab8bdc7 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -28,7 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | #private-bin skype,bash | 31 | #private-bin bash,skype |
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index ad200be37..eae7dada0 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -5,10 +5,14 @@ include skypeforlinux.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # breaks Skype | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/skypeforlinux | 11 | noblacklist ${HOME}/.config/skypeforlinux |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -28,6 +32,3 @@ disable-mnt | |||
28 | private-cache | 32 | private-cache |
29 | # private-dev - needs /dev/disk | 33 | # private-dev - needs /dev/disk |
30 | private-tmp | 34 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | # noexec /tmp - breaks Skype | ||
diff --git a/etc/slack.profile b/etc/slack.profile index ed76be373..5c10ef0ba 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -13,7 +13,6 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.config | ||
17 | mkdir ${HOME}/.config/Slack | 16 | mkdir ${HOME}/.config/Slack |
18 | whitelist ${HOME}/.config/Slack | 17 | whitelist ${HOME}/.config/Slack |
19 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
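Review bot: dropping `mkdir ${HOME}/.config` and keeping only `mkdir ${HOME}/.config/Slack` assumes the profile `mkdir` creates missing parent directories (the seamonkey hunk makes the same assumption with `${HOME}/.local/share/pki`). If that holds the removal is fine; if not, a fresh account without `~/.config` will end up with the Slack directory missing and the following `whitelist ${HOME}/.config/Slack` skipped. Worth confirming once rather than in every profile.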
@@ -34,7 +33,7 @@ seccomp | |||
34 | shell none | 33 | shell none |
35 | 34 | ||
36 | disable-mnt | 35 | disable-mnt |
37 | private-bin slack,locale | 36 | private-bin locale,slack |
38 | private-dev | 37 | private-dev |
39 | private-etc alternatives,asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id | 38 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl |
40 | private-tmp | 39 | private-tmp |
diff --git a/etc/slashem.profile b/etc/slashem.profile index 011698e1f..8c84180d7 100644 --- a/etc/slashem.profile +++ b/etc/slashem.profile | |||
@@ -6,7 +6,6 @@ include slashem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/games/slashem | 9 | noblacklist /var/games/slashem |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 5ae498ab2..f83caee8a 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -8,16 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/smplayer | 9 | noblacklist ${HOME}/.config/smplayer |
10 | noblacklist ${HOME}/.mplayer | 10 | noblacklist ${HOME}/.mplayer |
11 | noblacklist ${MUSIC} | ||
12 | noblacklist ${VIDEOS} | ||
13 | 11 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | 15 | |
18 | noblacklist /usr/lib/python3* | 16 | noblacklist ${MUSIC} |
19 | noblacklist /usr/local/lib/python2* | 17 | noblacklist ${VIDEOS} |
20 | noblacklist /usr/local/lib/python3* | ||
21 | 18 | ||
22 | include disable-common.inc | 19 | include disable-common.inc |
23 | include disable-devel.inc | 20 | include disable-devel.inc |
@@ -41,7 +38,7 @@ protocol unix,inet,inet6,netlink | |||
41 | seccomp | 38 | seccomp |
42 | shell none | 39 | shell none |
43 | 40 | ||
44 | private-bin smplayer,smtube,mplayer,mpv,youtube-dl,python*,env | 41 | private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl |
45 | private-dev | 42 | private-dev |
46 | private-tmp | 43 | private-tmp |
47 | 44 | ||
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 4d6e80840..efd600eb2 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -6,15 +6,11 @@ include soundconverter.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${MUSIC} | ||
10 | |||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | 12 | |
15 | noblacklist /usr/lib/python3* | 13 | noblacklist ${MUSIC} |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -24,6 +20,9 @@ include disable-passwdmgr.inc | |||
24 | include disable-programs.inc | 20 | include disable-programs.inc |
25 | include disable-xdg.inc | 21 | include disable-xdg.inc |
26 | 22 | ||
23 | whitelist ${DOWNLOADS} | ||
24 | whitelist ${MUSIC} | ||
25 | include whitelist-common.inc | ||
27 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
28 | 27 | ||
29 | apparmor | 28 | apparmor |
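Review bot: the added `whitelist ${DOWNLOADS}`, `whitelist ${MUSIC}` and `include whitelist-common.inc` turn soundconverter into a whitelisted-home profile, a behaviour change rather than the reordering the rest of the commit performs. Nothing in the visible lines whitelists soundconverter's own configuration under ${HOME}; confirm that is covered below the hunk or settings will not persist between runs, and mention the tightening in the commit message so the change can be found if users report breakage.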
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile index 74582dd2f..ca2c2b435 100644 --- a/etc/spectre-meltdown-checker.profile +++ b/etc/spectre-meltdown-checker.profile | |||
@@ -11,12 +11,8 @@ include globals.local | |||
11 | noblacklist ${PATH}/mount | 11 | noblacklist ${PATH}/mount |
12 | noblacklist ${PATH}/umount | 12 | noblacklist ${PATH}/umount |
13 | 13 | ||
14 | # Allow access to perl | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/cpan* | 15 | include allow-perl.inc |
16 | noblacklist ${PATH}/core_perl | ||
17 | noblacklist ${PATH}/perl | ||
18 | noblacklist /usr/lib/perl* | ||
19 | noblacklist /usr/share/perl* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
@@ -42,6 +38,7 @@ novideo | |||
42 | protocol unix | 38 | protocol unix |
43 | seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap | 39 | seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap |
44 | shell none | 40 | shell none |
41 | x11 none | ||
45 | 42 | ||
46 | disable-mnt | 43 | disable-mnt |
47 | private | 44 | private |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 00c2aabe2..59692f1d6 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -5,12 +5,12 @@ include spotify.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | ||
9 | |||
10 | noblacklist ${HOME}/.cache/spotify | 8 | noblacklist ${HOME}/.cache/spotify |
11 | noblacklist ${HOME}/.config/spotify | 9 | noblacklist ${HOME}/.config/spotify |
12 | noblacklist ${HOME}/.local/share/spotify | 10 | noblacklist ${HOME}/.local/share/spotify |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -42,9 +42,10 @@ shell none | |||
42 | tracelog | 42 | tracelog |
43 | 43 | ||
44 | disable-mnt | 44 | disable-mnt |
45 | private-bin spotify,bash,sh,zenity | 45 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies | 47 | # Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio |
48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | ||
48 | private-opt spotify | 49 | private-opt spotify |
49 | private-srv none | 50 | private-srv none |
50 | private-tmp | 51 | private-tmp |
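Review bot: the new comment above `private-etc` reads "if want to see the albums covers"; it should read "if you want to see the album covers". In the same hunk `private-bin` grows by `cat,dirname,find,grep,head,rm,tclsh,touch`; `tclsh` is a full interpreter, so a comment naming the launcher script that needs these binaries (as the private-etc comment does for covers and radio) would justify the widened set and let a later maintainer prune it safely.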
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 8aafca8aa..9af747b62 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -6,12 +6,12 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
12 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
13 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
diff --git a/etc/ssh.profile b/etc/ssh.profile index 4c8af65b8..ce0e54a0d 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -10,6 +10,8 @@ include globals.local | |||
10 | noblacklist /etc/ssh | 10 | noblacklist /etc/ssh |
11 | noblacklist /tmp/ssh-* | 11 | noblacklist /tmp/ssh-* |
12 | noblacklist ${HOME}/.ssh | 12 | noblacklist ${HOME}/.ssh |
13 | # If you want to use tor, uncomment the next line or put it in your ssh.local | ||
14 | #noblacklist ${PATH}/nc | ||
13 | 15 | ||
14 | include disable-common.inc | 16 | include disable-common.inc |
15 | include disable-exec.inc | 17 | include disable-exec.inc |
@@ -35,6 +37,6 @@ tracelog | |||
35 | private-cache | 37 | private-cache |
36 | private-dev | 38 | private-dev |
37 | # private-tmp # Breaks when exiting | 39 | # private-tmp # Breaks when exiting |
40 | writable-run-user | ||
38 | 41 | ||
39 | memory-deny-write-execute | 42 | memory-deny-write-execute |
40 | writable-run-user | ||
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile index 5458120ef..297392b9a 100644 --- a/etc/standardnotes-desktop.profile +++ b/etc/standardnotes-desktop.profile | |||
@@ -39,5 +39,5 @@ seccomp | |||
39 | disable-mnt | 39 | disable-mnt |
40 | private-dev | 40 | private-dev |
41 | private-tmp | 41 | private-tmp |
42 | private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg |
43 | 43 | ||
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile index a61038157..d5d7a17e4 100644 --- a/etc/start-tor-browser.desktop.profile +++ b/etc/start-tor-browser.desktop.profile | |||
@@ -3,7 +3,6 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include start-tor-browser.desktop.local | 4 | include start-tor-browser.desktop.local |
5 | 5 | ||
6 | |||
7 | noblacklist ${HOME}/.tor-browser-* | 6 | noblacklist ${HOME}/.tor-browser-* |
8 | noblacklist ${HOME}/.tor-browser_* | 7 | noblacklist ${HOME}/.tor-browser_* |
9 | 8 | ||
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index 8acf77349..0145f3de6 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | #tracelog | 34 | #tracelog |
35 | 35 | ||
36 | disable-mnt | 36 | disable-mnt |
37 | private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 37 | private-bin bash,cp,dirname,env,getconf,gpg,grep,id,ln,mkdir,readlink,rm,sed,sh,tail,test |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache | 39 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/steam.profile b/etc/steam.profile index 8f08b18f0..b6b340980 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -6,7 +6,6 @@ include steam.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.killingfloor | 9 | noblacklist ${HOME}/.killingfloor |
11 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 10 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
12 | noblacklist ${HOME}/.local/share/aspyr-media | 11 | noblacklist ${HOME}/.local/share/aspyr-media |
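Review bot: `noblacklist ${HOME}/.java` is removed here without a replacement in this hunk. The next hunk swaps the `${PATH}/java`, `/usr/lib/java`, `/etc/java` and `/usr/share/java` lines for `include allow-java.inc`, so presumably `${HOME}/.java` moved there too, but the include file is not part of the visible diff. Confirm allow-java.inc covers `${HOME}/.java`, otherwise Java-based games lose their per-user preferences directory.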
@@ -25,19 +24,12 @@ noblacklist /usr/lib/llvm* | |||
25 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work | 24 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work |
26 | noblacklist /sbin | 25 | noblacklist /sbin |
27 | 26 | ||
28 | # Allow access to java | 27 | # Allow java (blacklisted by disable-devel.inc) |
29 | noblacklist ${PATH}/java | 28 | include allow-java.inc |
30 | noblacklist /usr/lib/java | ||
31 | noblacklist /etc/java | ||
32 | noblacklist /usr/share/java | ||
33 | 29 | ||
34 | # Allow python (blacklisted by disable-interpreters.inc) | 30 | # Allow python (blacklisted by disable-interpreters.inc) |
35 | noblacklist ${PATH}/python2* | 31 | include allow-python2.inc |
36 | noblacklist ${PATH}/python3* | 32 | include allow-python3.inc |
37 | noblacklist /usr/lib/python2* | ||
38 | noblacklist /usr/lib/python3* | ||
39 | noblacklist /usr/local/lib/python2* | ||
40 | noblacklist /usr/local/lib/python3* | ||
41 | 33 | ||
42 | include disable-common.inc | 34 | include disable-common.inc |
43 | include disable-devel.inc | 35 | include disable-devel.inc |
@@ -67,7 +59,7 @@ shell none | |||
67 | #tracelog | 59 | #tracelog |
68 | 60 | ||
69 | # private-bin is disabled while in testing, but has been tested working with multiple games | 61 | # private-bin is disabled while in testing, but has been tested working with multiple games |
70 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | 62 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity |
71 | # extra programs are available which might be needed for select games | 63 | # extra programs are available which might be needed for select games |
72 | #private-bin java,java-config,mono | 64 | #private-bin java,java-config,mono |
73 | # picture viewers are needed for viewing screenshots | 65 | # picture viewers are needed for viewing screenshots |
@@ -76,5 +68,5 @@ shell none | |||
76 | # private-dev should be commented for controllers | 68 | # private-dev should be commented for controllers |
77 | private-dev | 69 | private-dev |
78 | # private-etc breaks a small selection of games on some systems, comment to support those | 70 | # private-etc breaks a small selection of games on some systems, comment to support those |
79 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release | 71 | private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl |
80 | private-tmp | 72 | private-tmp |
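Review bot: the active `private-etc` line keeps the duplicate `alternatives,alternatives,...` after sorting. Unlike the ricochet case this line is not commented out, so the duplicate ships to users; drop one entry. The reorder is otherwise a pure sort (same 33 entries, `ld.so.conf`/`ld.so.conf.d`/`ld.so.preload` now grouped), which is easy to verify by comparing the two lists as sets.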
diff --git a/etc/strings.profile b/etc/strings.profile index 0caecdf7b..621e8e177 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -4,30 +4,42 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include strings.local | 5 | include strings.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | include disable-common.inc |
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | 11 | include disable-exec.inc |
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
12 | 15 | ||
13 | ignore noroot | 16 | apparmor |
17 | caps.drop all | ||
18 | ipc-namespace | ||
19 | machine-id | ||
14 | net none | 20 | net none |
15 | no3d | 21 | no3d |
16 | nodbus | 22 | nodbus |
17 | nodvd | 23 | nodvd |
24 | nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
18 | nosound | 27 | nosound |
19 | notv | 28 | notv |
20 | nou2f | 29 | nou2f |
21 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
22 | shell none | 33 | shell none |
23 | tracelog | 34 | tracelog |
35 | x11 none | ||
24 | 36 | ||
37 | #private | ||
25 | private-bin strings | 38 | private-bin strings |
26 | private-cache | 39 | private-cache |
27 | private-dev | 40 | private-dev |
28 | private-etc alternatives | 41 | private-etc alternatives |
29 | private-lib libfakeroot | 42 | private-lib libfakeroot |
43 | private-tmp | ||
30 | 44 | ||
31 | memory-deny-write-execute | 45 | memory-deny-write-execute |
32 | |||
33 | include default.profile | ||
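Review bot: `include default.profile` is removed at the end of the file, so strings.profile no longer inherits anything and every restriction has to be spelled out here; the explicit list (apparmor, caps.drop all, nonewprivs, seccomp, x11 none, private-tmp) looks complete, but the old `ignore noroot` has turned into a bare `#noroot` with no reason given. Since the profile ships `private-lib libfakeroot`, add a one-line comment above `#noroot` stating why root is kept, so the next cleanup does not re-enable it by accident.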
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile index c07131893..d0176a657 100644 --- a/etc/subdownloader.profile +++ b/etc/subdownloader.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader | |||
10 | noblacklist ${VIDEOS} | 10 | noblacklist ${VIDEOS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
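Review bot: the six `noblacklist` lines are collapsed into `include allow-python2.inc` / `include allow-python3.inc`; the removed lines also covered `/usr/local/lib/python2*` and `/usr/local/lib/python3*`, so please confirm the two include files carry those paths as well (torbrowser-launcher.profile and the template receive the same replacement).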
@@ -44,4 +40,4 @@ private-dev | |||
44 | private-etc alternatives,fonts | 40 | private-etc alternatives,fonts |
45 | private-tmp | 41 | private-tmp |
46 | 42 | ||
47 | # memory-deny-write-execute - Breaks on Arch | 43 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 793e4126c..287a078b3 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -34,5 +34,4 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | # private-bin supertux2 | 35 | # private-bin supertux2 |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives | ||
38 | private-tmp | 37 | private-tmp |
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile index 60d80ecd4..2cd5ec3ad 100644 --- a/etc/supertuxkart.profile +++ b/etc/supertuxkart.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin supertuxkart | 47 | private-bin supertuxkart |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux | 50 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg |
51 | private-tmp | 51 | private-tmp |
52 | private-opt none | 52 | private-opt none |
53 | private-srv none | 53 | private-srv none |
diff --git a/etc/surf.profile b/etc/surf.profile index 0504b5fe5..d4c6d9afc 100644 --- a/etc/surf.profile +++ b/etc/surf.profile | |||
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.surf | 17 | mkdir ${HOME}/.surf |
18 | whitelist ${HOME}/.surf | ||
18 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | 21 | ||
@@ -31,8 +32,8 @@ shell none | |||
31 | tracelog | 32 | tracelog |
32 | 33 | ||
33 | disable-mnt | 34 | disable-mnt |
34 | private-bin ls,surf,sh,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop | 35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop |
35 | private-dev | 36 | private-dev |
36 | private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl |
37 | private-tmp | 38 | private-tmp |
38 | 39 | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 33086a99d..30b0ad762 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -31,7 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | #private-bin synfigstudio,synfig,ffmpeg | 34 | #private-bin ffmpeg,synfig,synfigstudio |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/tar.profile b/etc/tar.profile index 14fc00d21..1232bb372 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -5,17 +5,17 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include tar.local | 6 | include tar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | |||
11 | blacklist /tmp/.X11-unix | ||
12 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
13 | include disable-exec.inc | 12 | include disable-exec.inc |
14 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
15 | 14 | include disable-passwdmgr.inc | |
16 | ignore noroot | 15 | include disable-programs.inc |
17 | 16 | ||
18 | apparmor | 17 | apparmor |
18 | caps.drop all | ||
19 | hostname tar | 19 | hostname tar |
20 | ipc-namespace | 20 | ipc-namespace |
21 | machine-id | 21 | machine-id |
@@ -24,23 +24,25 @@ no3d | |||
24 | nodbus | 24 | nodbus |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | nonewprivs | ||
28 | #noroot | ||
27 | nosound | 29 | nosound |
28 | notv | 30 | notv |
29 | nou2f | 31 | nou2f |
30 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
31 | shell none | 35 | shell none |
32 | tracelog | 36 | tracelog |
37 | x11 none | ||
33 | 38 | ||
34 | # support compressed archives | 39 | # support compressed archives |
35 | private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 40 | private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz |
36 | private-cache | 41 | private-cache |
37 | private-dev | 42 | private-dev |
38 | private-etc alternatives,passwd,group,localtime | 43 | private-etc alternatives,group,localtime,passwd |
39 | private-lib libfakeroot | 44 | private-lib libfakeroot |
40 | |||
41 | memory-deny-write-execute | ||
42 | |||
43 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 45 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
44 | writable-var | 46 | writable-var |
45 | 47 | ||
46 | include default.profile | 48 | memory-deny-write-execute |
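Review bot: `x11 none` now stands in for the `blacklist /tmp/.X11-unix` dropped in the previous hunk, which the template in this commit recommends only when `net none` is set; that line lies outside the hunk context, so please confirm it is present. `#noroot` replaces the old `ignore noroot` without a comment, the same gap as in strings.profile (both keep `private-lib libfakeroot`). The rest matches the template order: `memory-deny-write-execute` moves after `writable-var`.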
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile new file mode 100644 index 000000000..3c46dfdcb --- /dev/null +++ b/etc/tcpdump.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for tcpdump | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include tcpdump.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist /sbin | ||
10 | noblacklist /usr/sbin | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | include whitelist-common.inc | ||
21 | |||
22 | caps.keep net_raw | ||
23 | ipc-namespace | ||
24 | #net tun0 | ||
25 | netfilter | ||
26 | no3d | ||
27 | nodvd | ||
28 | #nogroups | ||
29 | nonewprivs | ||
30 | #noroot | ||
31 | nosound | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix,inet,inet6,netlink,packet | ||
36 | seccomp | ||
37 | |||
38 | disable-mnt | ||
39 | #private | ||
40 | #private-bin tcpdump | ||
41 | private-dev | ||
42 | private-tmp | ||
43 | |||
44 | memory-deny-write-execute | ||
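Review bot: `shell none` is missing from the options block (every other profile touched in this commit sets it and the template lists it), and as a CLI tool tcpdump could also take the template's `blacklist /tmp/.X11-unix`. `caps.keep net_raw` with `#noroot` and `nonewprivs` is the expected shape for a capture tool, but `#private-bin tcpdump` is left commented with no note on why. Also, `include whitelist-common.inc` is used without any profile-specific `whitelist`, so writing a capture with `-w` into the home directory only works for paths that include already allows; a comment pointing users to add a `whitelist` for their capture directory in tcpdump.local would save support questions.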
diff --git a/etc/teams-for-linux.profile b/etc/teams-for-linux.profile new file mode 100644 index 000000000..d9e874be2 --- /dev/null +++ b/etc/teams-for-linux.profile | |||
@@ -0,0 +1,42 @@ | |||
1 | # Firejail profile for teams-for-linux | ||
2 | # Description: Teams for Linux is an Electron application for Microsoft's team collaboration and chat program | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include teams-for-linux.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/teams-for-linux | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | mkdir ${HOME}/.config/teams-for-linux | ||
19 | whitelist ${HOME}/.config/teams-for-linux | ||
20 | whitelist ${DOWNLOADS} | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | netfilter | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | shell none | ||
36 | |||
37 | disable-mnt | ||
38 | private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh | ||
39 | private-cache | ||
40 | private-dev | ||
41 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl | ||
42 | private-tmp | ||
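Review bot: `novideo` is set on a profile for a collaboration client; if the webcam is meant to be unavailable, say so in a comment, otherwise drop it. In the same direction, `nosound` is not set, yet `private-etc` has none of the template's Sound entries (`asound.conf`, `pulse`, `alsa`), so audio may fail under `private-etc`; `alternatives`, present in every other `private-etc` line in this commit, is also absent.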
diff --git a/etc/templates/Notes b/etc/templates/Notes deleted file mode 100644 index a4170207b..000000000 --- a/etc/templates/Notes +++ /dev/null | |||
@@ -1,7 +0,0 @@ | |||
1 | Notes | ||
2 | ===== | ||
3 | |||
4 | * Lines with one # are often used | ||
5 | * Lines with two ## are only in special situation needed | ||
6 | * Add programs specific paths like .config/program to disable-programs.inc | ||
7 | * Add the name of the profile/program to src/firecfg/firecfg.config | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index d7da0ed20..892fd71ef 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -1,25 +1,91 @@ | |||
1 | # Firejail profile for PROGRAM_NAME | 1 | # Firejail profile for PROGRAM_NAME |
2 | # Description: DESCRIPTION | 2 | # Description: DESCRIPTION |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # --- CUT HERE --- | ||
5 | # This is a generic template to help you with creation of profiles | ||
6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/ | ||
7 | # | ||
8 | # Rules to follow: | ||
9 | # - lines with one # are often used in profiles | ||
10 | # - lines with two ## are only needed in special situations | ||
11 | # - make the profile as restrictive as possible while still keeping the program useful | ||
12 | # (e. g. a program that is unable to save user's work is considered a bad practice) | ||
13 | # - dedicate some time (based on how complex the application is) to profile testing before raising | ||
14 | # a pull request | ||
15 | # - keep the sections structure, use a single empty line as a separator | ||
16 | # - entries within sections are alphabetically sorted | ||
17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware | ||
18 | # to not do this for essential utilities as this may *break* your OS! (related discussion: | ||
19 | # https://github.com/netblue30/firejail/issues/2507) | ||
20 | # - remove this comment section and any generic comment past 'Persistent global definitions' | ||
21 | # | ||
22 | # Sections structure | ||
23 | # HEADER | ||
24 | # COMMENTS | ||
25 | # IGNORES | ||
26 | # NOBLACKLISTS | ||
27 | # ALLOW INCLUDES | ||
28 | # BLACKLISTS | ||
29 | # DISABLE INCLUDES | ||
30 | # MKDIRS | ||
31 | # WHITELISTS | ||
32 | # WHITELIST INCLUDES | ||
33 | # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) | ||
34 | # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) | ||
35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) | ||
36 | # REDIRECT INCLUDES | ||
37 | # | ||
38 | # The following macros may be used in path names to substitute common locations: | ||
39 | # ${DESKTOP} | ||
40 | # ${DOCUMENTS} | ||
41 | # ${DOWNLOADS} | ||
42 | # ${HOME} (user's home) | ||
43 | # ${PATH} (contents of PATH envvar) | ||
44 | # ${MUSIC} | ||
45 | # ${VIDEOS} | ||
46 | # | ||
47 | # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths. | ||
48 | # | ||
49 | # --- CUT HERE --- | ||
4 | ##quiet | 50 | ##quiet |
5 | # Persistent local customizations | 51 | # Persistent local customizations |
6 | #include PROFILE.local | 52 | include PROFILE.local |
7 | # Persistent global definitions | 53 | # Persistent global definitions |
8 | #include globals.local | 54 | include globals.local |
9 | 55 | ||
10 | ##ignore noexec ${HOME} | 56 | ##ignore noexec ${HOME} |
57 | ##ignore noexec /tmp | ||
11 | 58 | ||
12 | ##blacklist PATH | 59 | ##blacklist PATH |
60 | # Disable X11 (CLI only), see also 'x11 none' below | ||
61 | #blacklist /tmp/.X11-unix | ||
13 | 62 | ||
63 | # It is common practice to add files/dirs containing program-specific configuration | ||
64 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc | ||
65 | # (keep list sorted) and then disable blacklisting below. | ||
66 | # One way to retrieve the files a program uses is: | ||
67 | # - launch binary with --private naming a sandbox | ||
68 | # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` | ||
69 | # - work with the program, do some configuration changes and save them, open new documents, | ||
70 | # install plugins if they exists, etc | ||
71 | # - join the sandbox with bash: | ||
72 | # `firejail --join=test bash` | ||
73 | # - look what has changed and use that information to populate blacklist and whitelist sections | ||
74 | # `ls -aR` | ||
14 | #noblacklist PATH | 75 | #noblacklist PATH |
15 | 76 | ||
16 | # Allow python (blacklisted by disable-interpreters.inc) | 77 | # Allow python (blacklisted by disable-interpreters.inc) |
17 | #noblacklist ${PATH}/python2* | 78 | #include allow-python2.inc |
18 | #noblacklist ${PATH}/python3* | 79 | #include allow-python3.inc |
19 | #noblacklist /usr/lib/python2* | 80 | |
20 | #noblacklist /usr/lib/python3* | 81 | # Allow perl (blacklisted by disable-interpreters.inc) |
21 | #noblacklist /usr/local/lib/python2* | 82 | #include allow-perl.inc |
22 | #noblacklist /usr/local/lib/python3* | 83 | |
84 | # Allow java (blacklisted by disable-devel.inc) | ||
85 | #include allow-java.inc | ||
86 | |||
87 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
88 | #include allow-lua.inc | ||
23 | 89 | ||
24 | #include disable-common.inc | 90 | #include disable-common.inc |
25 | #include disable-devel.inc | 91 | #include disable-devel.inc |
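Review bot: two wording fixes in the new comment block: `install plugins if they exists` should be `if they exist`, and `e. g.` is normally written `e.g.`. The macro list puts `${PATH}` between `${HOME}` and `${MUSIC}`, breaking the alphabetical order the rules above just asked for; move it to the end or mark it as not a user-dirs entry. Also, the `--private` discovery walkthrough (`firejail --name=test ... --private BINARY`, `firejail --join=test bash`, `ls -aR`) sits below the `--- CUT HERE ---` marker, inside the profile body, so it will be copied into new profiles unless the author remembers the "remove any generic comment" rule; it belongs above the cut line.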
@@ -29,16 +95,24 @@ | |||
29 | #include disable-programs.inc | 95 | #include disable-programs.inc |
30 | #include disable-xdg.inc | 96 | #include disable-xdg.inc |
31 | 97 | ||
98 | # This section often mirrors noblacklist section above. The idea is | ||
99 | # that if a user feels too restricted (he's unable to save files into | ||
100 | # home directory for instance) he/she may disable whitelist (nowhitelist) | ||
101 | # in PROFILE.local but still be protected by BLACKLISTS section | ||
102 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | ||
32 | #mkdir PATH | 103 | #mkdir PATH |
33 | #mkfile PATH | 104 | ##mkfile PATH |
34 | #whitelist PATH | 105 | #whitelist PATH |
35 | #include whitelist-common.inc | 106 | #include whitelist-common.inc |
36 | #include whitelist-var-common.inc | 107 | #include whitelist-var-common.inc |
37 | 108 | ||
38 | #apparmor | 109 | #apparmor |
39 | #caps.drop all | 110 | #caps.drop all |
111 | ##caps.keep CAPS | ||
112 | ##hostname NAME | ||
40 | # CLI only | 113 | # CLI only |
41 | ##ipc-namespace | 114 | ##ipc-namespace |
115 | # breaks sound and sometime dbus related functions | ||
42 | #machine-id | 116 | #machine-id |
43 | # 'net none' or 'netfilter' | 117 | # 'net none' or 'netfilter' |
44 | #net none | 118 | #net none |
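Review bot: `# breaks sound and sometime dbus related functions` should read `sometimes`, and the whitelist explanation's `he's unable ... he/she` reads better gender-neutral (`the user ... they`). The explanation itself is the most useful part of this hunk, since it records why `nowhitelist` in PROFILE.local still leaves the BLACKLISTS protection in place.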
@@ -53,30 +127,48 @@ | |||
53 | #notv | 127 | #notv |
54 | #nou2f | 128 | #nou2f |
55 | #novideo | 129 | #novideo |
56 | #protocol unix,inet,inet6,netlink | 130 | # Remove every not needed protocol |
131 | # - unix is usually needed | ||
132 | # - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above) | ||
133 | # - netlink is rarely needed | ||
134 | # - packet almost never | ||
135 | #protocol unix,inet,inet6,netlink,packet | ||
57 | #seccomp | 136 | #seccomp |
58 | ##seccomp.drop SYSCALLS | 137 | ##seccomp.drop SYSCALLS (see also syscalls.txt) |
59 | #shell none | 138 | #shell none |
60 | #tracelog | 139 | #tracelog |
140 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | ||
141 | ##x11 none | ||
61 | 142 | ||
62 | #disable-mnt | 143 | #disable-mnt |
63 | ##private | 144 | ##private |
145 | # It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3 | ||
64 | #private-bin PROGRAMS | 146 | #private-bin PROGRAMS |
65 | #private-cache | 147 | #private-cache |
66 | #private-dev | 148 | #private-dev |
67 | #private-etc FILES | 149 | #private-etc FILES |
68 | # private-etc templates (see also #1734) | 150 | # private-etc templates (see also #1734, #2093) |
69 | # Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 151 | # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg |
70 | # Sound: alsa,asound.conf,machine-id,openal,pulse | 152 | # Extra: magic,magic.mgc,passwd,group |
71 | # GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg | 153 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc |
72 | # KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg | 154 | # Extra: proxychains.conf,gai.conf |
73 | # GUIs: fonts | 155 | # Sound: alsa,asound.conf,pulse,machine-id |
74 | # Alternatives: alternatives | 156 | # GUI: fonts,pango,X11 |
157 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 | ||
158 | # Qt: Trolltech.conf | ||
159 | # KDE: kde4rc,kde5rc | ||
160 | # 3D: drirc,glvnd,bumblebee,nvidia | ||
161 | # D-Bus: dbus-1,machine-id | ||
75 | ##private-lib LIBS | 162 | ##private-lib LIBS |
76 | ##private-opt NAME | 163 | ##private-opt NAME |
77 | #private-tmp | 164 | #private-tmp |
165 | ##writable-etc | ||
166 | ##writable-run-user | ||
167 | ##writable-var | ||
168 | ##writable-var-log | ||
78 | 169 | ||
79 | ##env VAR=VALUE | 170 | ##env VAR=VALUE |
80 | #memory-deny-write-execute | 171 | #memory-deny-write-execute |
172 | ##noexec PATH | ||
81 | ##read-only ${HOME} | 173 | ##read-only ${HOME} |
82 | ##join-or-start NAME | 174 | ##join-or-start NAME |
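Review bot: `##seccomp.drop SYSCALLS (see also syscalls.txt)` puts the hint on the directive line itself, so anyone uncommenting it hands `(see also syscalls.txt)` to the profile parser; move the hint to its own `#` comment line above, as done for the protocol and x11 advice. Typo: `requiered` should be `required` in the protocol comment. In the private-etc templates the new `Networking:` and `3D:` groups are not sorted (`ca-certificates,ssl,pki,...`, `drirc,glvnd,bumblebee,nvidia`) although the rules section says entries are alphabetically sorted and every profile in this commit was resorted on that basis.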
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template index 56dd43ca4..0a0788e96 100644 --- a/etc/templates/redirect_alias-profile.template +++ b/etc/templates/redirect_alias-profile.template | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firejail profile for PRGOGRAM_NAME | 1 | # Firejail profile for PROGRAM_NAME |
2 | # Description: DESCRIPTION | 2 | # Description: DESCRIPTION |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
@@ -8,29 +8,36 @@ include PROFILE.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | #NOTE: let include globals.local commented | 9 | #NOTE: let include globals.local commented |
10 | 10 | ||
11 | # Additional blacklisting (if needed) | 11 | # For more informations see profile.template |
12 | #blacklist PATH | 12 | |
13 | # Ignore something that is in the included profile | ||
14 | #ignore net none | ||
15 | #ignore private-bin | ||
16 | #ignore seccomp | ||
17 | #... | ||
13 | 18 | ||
14 | # Additional noblacklisting (if needed) | 19 | # Additional noblacklisting (if needed) |
15 | #noblacklist PATH | 20 | #noblacklist PATH |
16 | 21 | ||
22 | # Additional allow includes (if needed) | ||
23 | |||
24 | # Additional blacklisting (if needed) | ||
25 | #blacklist PATH | ||
26 | |||
17 | # Additional whitelisting (if needed) | 27 | # Additional whitelisting (if needed) |
18 | #mkdir PATH | 28 | #mkdir PATH |
19 | #mkfile PATH | 29 | ##mkfile PATH |
20 | #whitelist PATH | 30 | #whitelist PATH |
21 | 31 | ||
22 | # Additional options if needed (see firejail-profile.example) | 32 | # Additional options (if needed) |
23 | 33 | ||
34 | # Additional private-options (if needed) | ||
24 | # Add programs to private-bin (if needed) | 35 | # Add programs to private-bin (if needed) |
25 | #private-bin PROGRAMS | 36 | #private-bin PROGRAMS |
26 | # Add files to private-etc (if needed) | 37 | # Add files to private-etc (if needed) |
27 | #private-etc FILES | 38 | #private-etc FILES |
28 | 39 | ||
29 | # Ignore something that is in the included profile | 40 | # Additional special options (if needed) |
30 | #ignore net none | ||
31 | #ignore private-bin | ||
32 | #ignore seccomp | ||
33 | #... | ||
34 | 41 | ||
35 | # Redirect | 42 | # Redirect |
36 | include PROFILE.profile | 43 | include PROFILE.profile |
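Review bot: `# For more informations see profile.template` should be `information`, and the header note `#NOTE: let include globals.local commented` reads better as `leave include globals.local commented out`. The new `# Additional allow includes (if needed)` section has no example line; a commented `#include allow-python3.inc`, as in profile.template, would make its purpose obvious.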
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index ec8247517..2464df9ee 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -4,19 +4,19 @@ Hints for writing seccomp.drop lines | |||
4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
5 | @module=delete_module,finit_module,init_module | 5 | @module=delete_module,finit_module,init_module |
6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | 6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write |
7 | @reboot=kexec_load,kexec_file_load,reboot, | 7 | @reboot=kexec_file_load,kexec_load,reboot |
8 | @swap=swapon,swapoff | 8 | @swap=swapoff,swapon |
9 | 9 | ||
10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | 10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup |
11 | 11 | ||
12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | 14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver |
15 | @resources=set_mempolicy,migrate_pages,move_pages,mbind | 15 | @resources=mbind,migrate_pages,move_pages,set_mempolicy |
16 | 16 | ||
17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | 17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice |
18 | 18 | ||
19 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | 19 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace |
20 | 20 | ||
21 | @default-keep=execve,prctl | 21 | @default-keep=execve,prctl |
22 | 22 | ||
diff --git a/etc/terasology.profile b/etc/terasology.profile index 43865b6fb..9a8426435 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -5,17 +5,16 @@ include terasology.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.java | 8 | ignore noexec /tmp |
9 | |||
9 | noblacklist ${HOME}/.local/share/terasology | 10 | noblacklist ${HOME}/.local/share/terasology |
10 | 11 | ||
11 | # Allow access to java | 12 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 13 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 14 | ||
17 | include disable-common.inc | 15 | include disable-common.inc |
18 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 20 | include disable-programs.inc |
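Review bot: `ignore noexec /tmp` relaxes a default restriction and carries no comment saying what the game needs an executable /tmp for; add the reason so the line survives future cleanups. The removed `noblacklist ${HOME}/.java` is a home-directory path, not one of the installation paths the four replaced `noblacklist` lines covered, so please confirm `include allow-java.inc` covers it or that it is no longer needed.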
@@ -44,7 +43,5 @@ shell none | |||
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | private-dev | 45 | private-dev |
47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies | 46 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl |
48 | private-tmp | 47 | private-tmp |
49 | |||
50 | noexec ${HOME} | ||
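Review bot: dropping the trailing `noexec ${HOME}` is only safe if the same restriction now comes from an include; the `ignore noexec /tmp` added in the previous hunk suggests an included file applies noexec already, but nothing in this diff shows it for `${HOME}`, so state where it comes from in the commit message or a comment.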
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index e4f6e6df3..5ad57a8f5 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -32,17 +32,15 @@ ignore private-tmp | |||
32 | # machine-id breaks audio in browsers; enable it when sound is not required | 32 | # machine-id breaks audio in browsers; enable it when sound is not required |
33 | # machine-id | 33 | # machine-id |
34 | read-only ${HOME}/.config/mimeapps.list | 34 | read-only ${HOME}/.config/mimeapps.list |
35 | # writable-run-user is needed for signing and encrypting emails | 35 | # writable-run-user and dbus are needed by enigmail |
36 | writable-run-user | 36 | writable-run-user |
37 | ignore nodbus | ||
37 | 38 | ||
38 | # If you want to read local mail stored in /var/mail, add the following to thunderbird.local: | 39 | # If you want to read local mail stored in /var/mail, add the following to thunderbird.local: |
39 | # noblacklist /var/mail | 40 | # noblacklist /var/mail |
40 | # noblacklist /var/spool/mail | 41 | # noblacklist /var/spool/mail |
41 | # writable-var | 42 | # writable-var |
42 | 43 | ||
43 | # Uncomment (or put in thunderbird.local) if you use enigmail | ||
44 | #ignore nodbus | ||
45 | |||
46 | # allow browsers | 44 | # allow browsers |
47 | # Redirect | 45 | # Redirect |
48 | include firefox-common.profile | 46 | include firefox-common.profile |
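Review bot: `ignore nodbus` is now unconditional, so every Thunderbird user gets D-Bus access, not only those who opted in through thunderbird.local as the removed comment described; if the enigmail case justifies the wider default, say in the comment how non-enigmail users can tighten it again, and check that a `nodbus` placed in thunderbird.local is not itself swallowed by the `ignore`.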
diff --git a/etc/tor.profile b/etc/tor.profile index e80fbadb0..13d071635 100644 --- a/etc/tor.profile +++ b/etc/tor.profile | |||
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-xdg.inc | 26 | include disable-xdg.inc |
27 | 27 | ||
28 | caps.keep setuid,setgid,net_bind_service,dac_read_search | 28 | caps.keep dac_read_search,net_bind_service,setgid,setuid |
29 | ipc-namespace | 29 | ipc-namespace |
30 | machine-id | 30 | machine-id |
31 | netfilter | 31 | netfilter |
@@ -40,13 +40,12 @@ novideo | |||
40 | protocol unix,inet,inet6 | 40 | protocol unix,inet,inet6 |
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | writable-var | ||
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | private | 45 | private |
47 | private-bin tor,bash | 46 | private-bin bash,tor |
48 | private-cache | 47 | private-cache |
49 | private-dev | 48 | private-dev |
50 | private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies | 49 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor |
51 | private-tmp | 50 | private-tmp |
52 | 51 | writable-var | |
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index c7c810cda..33e87e6a7 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser | |||
12 | noblacklist ${HOME}/.local/share/torbrowser | 12 | noblacklist ${HOME}/.local/share/torbrowser |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
@@ -54,5 +50,5 @@ shell none | |||
54 | disable-mnt | 50 | disable-mnt |
55 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz | 51 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz |
56 | private-dev | 52 | private-dev |
57 | private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache | 53 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl |
58 | private-tmp | 54 | private-tmp |
diff --git a/etc/totem.profile b/etc/totem.profile index f541d3cc2..5b74709e3 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -6,6 +6,9 @@ include totem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow lua (required for youtube video) | ||
10 | include allow-lua.inc | ||
11 | |||
9 | noblacklist ${HOME}/.config/totem | 12 | noblacklist ${HOME}/.config/totem |
10 | noblacklist ${HOME}/.local/share/totem | 13 | noblacklist ${HOME}/.local/share/totem |
11 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
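Review bot: the comment on new line 9, `# Allow lua (required for youtube video)`, breaks the wording every other interpreter allowance in this commit uses (`# Allow lua (blacklisted by disable-interpreters.inc)` in wireshark.profile, `# Allow python (blacklisted by disable-interpreters.inc)` elsewhere). Keep the standard phrase on that line and put the reason on a second comment line so the profiles stay uniform and the reason for the exception is still recorded.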
@@ -37,6 +40,6 @@ private-bin totem | |||
37 | # totem needs access to ~/.cache/tracker or it exits | 40 | # totem needs access to ~/.cache/tracker or it exits |
38 | #private-cache | 41 | #private-cache |
39 | private-dev | 42 | private-dev |
40 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 43 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
41 | private-tmp | 44 | private-tmp |
42 | 45 | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index c1779ae3e..6e107d99e 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -33,5 +33,4 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin tracker | 34 | # private-bin tracker |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts | ||
37 | # private-tmp | 36 | # private-tmp |
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile index c67200826..9a6052ada 100644 --- a/etc/transmission-daemon.profile +++ b/etc/transmission-daemon.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for transmission-daemon | 1 | # Firejail profile for transmission-daemon |
2 | # Description: Fast, easy and free BitTorrent client (daemon) | 2 | # Description: Fast, easy and free BitTorrent client (daemon) |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
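Review bot: this hunk shows no visible difference in lines 1-5 of transmission-daemon.profile on either side, so the change is almost certainly trailing whitespace or a line-ending conversion. Confirm that it is intentional; if not, drop it from the commit so the history only records real profile changes.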
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile index 3e3ad1a07..7b7a47f14 100644 --- a/etc/transmission-remote-cli.profile +++ b/etc/transmission-remote-cli.profile | |||
@@ -8,12 +8,8 @@ include transmission-remote-cli.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python2* | 11 | include allow-python2.inc |
12 | noblacklist ${PATH}/python3* | 12 | include allow-python3.inc |
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
17 | 13 | ||
18 | mkdir ${HOME}/.cache/transmission | 14 | mkdir ${HOME}/.cache/transmission |
19 | mkdir ${HOME}/.config/transmission | 15 | mkdir ${HOME}/.config/transmission |
diff --git a/etc/tremulous.profile b/etc/tremulous.profile index a56ac2c07..e148298ae 100644 --- a/etc/tremulous.profile +++ b/etc/tremulous.profile | |||
@@ -38,7 +38,7 @@ shell none | |||
38 | tracelog | 38 | tracelog |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin tremulous,tremulous-wrapper,tremded | 41 | private-bin tremded,tremulous,tremulous-wrapper |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/tshark.profile b/etc/tshark.profile new file mode 100644 index 000000000..ea85f4e8a --- /dev/null +++ b/etc/tshark.profile | |||
@@ -0,0 +1,41 @@ | |||
1 | # Firejail profile for tshark | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include tshark.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | include whitelist-common.inc | ||
18 | |||
19 | #caps.keep net_raw | ||
20 | caps.keep dac_override,net_admin,net_raw | ||
21 | ipc-namespace | ||
22 | #net tun0 | ||
23 | netfilter | ||
24 | no3d | ||
25 | nodvd | ||
26 | # nogroups - breaks network traffic capture for unprivileged users | ||
27 | # nonewprivs - breaks network traffic capture for unprivileged users | ||
28 | # noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | #protocol unix,inet,inet6,netlink,packet | ||
34 | #seccomp | ||
35 | |||
36 | disable-mnt | ||
37 | #private | ||
38 | private-cache | ||
39 | #private-bin tshark | ||
40 | private-dev | ||
41 | private-tmp | ||
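Review bot: `caps.keep dac_override,net_admin,net_raw` on line 20 keeps CAP_DAC_OVERRIDE, which lets the sandboxed process bypass file permission checks on everything it touches, not only capture devices, and the commented `#caps.keep net_raw` on line 19 suggests the narrower set was the original intent. Lines 26-27 explain why nogroups and nonewprivs are off, but nothing says why dac_override and net_admin are needed or why noroot, protocol and seccomp (lines 28, 33, 34) stay disabled; add a one-line comment for each, and if the capabilities are only needed by a separate capture helper, say so. Two smaller points: the header lacks the `# Description:` line that udiskie.profile and xlinks.profile in this commit carry, and with whitelist-common.inc included and no noblacklist lines, the profile hides ${HOME}/.config/wireshark and ${HOME}/.wireshark, which wireshark.profile explicitly un-blacklists; if tshark reads the same preference files, add the same two noblacklist lines here.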
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 1b657d083..ae868a022 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -6,16 +6,12 @@ include tuxguitar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.tuxguitar* | 9 | noblacklist ${HOME}/.tuxguitar* |
11 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
13 | 12 | ||
14 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
15 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
16 | noblacklist /usr/lib/java | ||
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
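Review bot: `noblacklist ${HOME}/.java` (old line 9) is dropped together with the four path entries that `include allow-java.inc` replaces, and webstorm.profile in this same commit drops the same line; make sure allow-java.inc itself un-blacklists ${HOME}/.java, otherwise both profiles lose access to the user's ~/.java directory after this change. Also note the include is placed before `include disable-devel.inc` on new line 17, which is the correct order for a noblacklist-style include.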
diff --git a/etc/udiskie.profile b/etc/udiskie.profile new file mode 100644 index 000000000..8cc443bff --- /dev/null +++ b/etc/udiskie.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for udiskie | ||
2 | # Description: Removable disk automounter using udisks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include udiskie.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python3.inc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | machine-id | ||
24 | net none | ||
25 | no3d | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop | ||
39 | # add your configured file browser in udiskie.local, e. g. | ||
40 | # private-bin nautilus | ||
41 | # private-bin thunar | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg | ||
45 | private-tmp | ||
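Review bot: `private-bin` on line 38 lists `python*`, which copies every python interpreter into the private /bin, while line 10 only includes allow-python3.inc; a python2 binary would be present without its library tree being un-blacklisted. Use `python3*` so the interpreter set matches the include. The `# add your configured file browser in udiskie.local` note on lines 39-41 is useful; since udiskie.local is pulled in on line 5, before this private-bin line, it is worth stating in the comment that the extra private-bin entry extends this list rather than replacing it, as xlinks.profile in this commit does.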
diff --git a/etc/unbound.profile b/etc/unbound.profile index 6e4b5ed1c..e152ee7ea 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -6,11 +6,11 @@ include unbound.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
@@ -29,12 +29,12 @@ nosound | |||
29 | notv | 29 | notv |
30 | nou2f | 30 | nou2f |
31 | novideo | 31 | novideo |
32 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 32 | seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice |
33 | writable-var | ||
34 | 33 | ||
35 | disable-mnt | 34 | disable-mnt |
36 | private | 35 | private |
37 | private-dev | 36 | private-dev |
37 | writable-var | ||
38 | 38 | ||
39 | # mdwe can break modules/plugins | 39 | # mdwe can break modules/plugins |
40 | memory-deny-write-execute | 40 | memory-deny-write-execute |
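Review bot: `perf_event_open` appears twice in the seccomp.drop list on line 32, both before and after the sort (`...perf_event_open,perf_event_open,pivot_root...`). Since this hunk re-sorts the list anyway, drop the duplicate entry. Moving `writable-var` below `private-dev` on line 37 changes nothing functionally and is fine.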
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index 36d1319d1..b62d3111d 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
@@ -23,11 +23,11 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | notv | 24 | notv |
25 | nou2f | 25 | nou2f |
26 | protocol unix,netlink,inet,inet6 | 26 | protocol unix,inet,inet6,netlink |
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | # private-bin unknown-horizons | 30 | # private-bin unknown-horizons |
31 | private-dev | 31 | private-dev |
32 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 32 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
33 | private-tmp | 33 | private-tmp |
diff --git a/etc/unrar.profile b/etc/unrar.profile index 7fe37f061..428173e7d 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -5,27 +5,37 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unrar.local | 6 | include unrar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | include disable-common.inc |
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
12 | 16 | ||
17 | caps.drop all | ||
13 | hostname unrar | 18 | hostname unrar |
14 | ignore noroot | 19 | ipc-namespace |
20 | machine-id | ||
15 | net none | 21 | net none |
16 | no3d | 22 | no3d |
17 | nodbus | 23 | nodbus |
18 | nodvd | 24 | nodvd |
25 | #nogroups | ||
26 | nonewprivs | ||
27 | #noroot | ||
19 | nosound | 28 | nosound |
20 | notv | 29 | notv |
21 | nou2f | 30 | nou2f |
22 | novideo | 31 | novideo |
32 | protocol unix | ||
33 | seccomp | ||
23 | shell none | 34 | shell none |
24 | tracelog | 35 | tracelog |
36 | x11 none | ||
25 | 37 | ||
26 | private-bin unrar | 38 | private-bin unrar |
27 | private-dev | 39 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 40 | private-etc alternatives,group,localtime,passwd |
29 | private-tmp | 41 | private-tmp |
30 | |||
31 | include default.profile | ||
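Review bot: the old profile deliberately set `ignore noroot` (old line 14) on top of default.profile; the rewrite replaces that with `#nogroups` and `#noroot` on lines 25 and 27 but records no reason, while unzip.profile in this same commit enables `noroot`. Add a one-line comment in the style of tshark.profile's `# nogroups - breaks ...` explaining why unrar must keep both off, so the next person does not simply uncomment them. The rest of the hunk is a clear hardening gain: explicit disable-*.inc includes plus `caps.drop all`, `nonewprivs`, `protocol unix` and `seccomp`, and `x11 none` on line 36 supersedes the removed `blacklist /tmp/.X11-unix`.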
diff --git a/etc/unzip.profile b/etc/unzip.profile index be6b6c321..94aee724d 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -5,29 +5,40 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unzip.local | 6 | include unzip.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | # GNOME Shell integration (chrome-gnome-shell) |
11 | noblacklist ${HOME}/.local/share/gnome-shell | ||
12 | 12 | ||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | |||
20 | caps.drop all | ||
13 | hostname unzip | 21 | hostname unzip |
14 | ignore noroot | 22 | ipc-namespace |
23 | machine-id | ||
15 | net none | 24 | net none |
16 | no3d | 25 | no3d |
17 | nodbus | 26 | nodbus |
18 | nodvd | 27 | nodvd |
28 | #nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
19 | nosound | 31 | nosound |
20 | notv | 32 | notv |
21 | nou2f | 33 | nou2f |
22 | novideo | 34 | novideo |
35 | protocol unix | ||
36 | seccomp | ||
23 | shell none | 37 | shell none |
24 | tracelog | 38 | tracelog |
39 | x11 none | ||
25 | 40 | ||
26 | private-bin unzip | 41 | private-bin unzip |
42 | private-cache | ||
27 | private-dev | 43 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 44 | private-etc alternatives,group,localtime,passwd |
29 | |||
30 | # GNOME Shell integration (chrome-gnome-shell) | ||
31 | noblacklist ${HOME}/.local/share/gnome-shell | ||
32 | |||
33 | include default.profile | ||
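Review bot: `noroot` on line 30 is now active, reversing the explicit `ignore noroot` the old profile carried on line 14, and unlike unrar.profile and uudeview.profile in this commit, which keep it commented out. The old override had some reason that the profile never recorded; either add a comment saying why unzip can take noroot when the other two archivers cannot, or keep the three profiles consistent until that is known. Moving `noblacklist ${HOME}/.local/share/gnome-shell` to lines 10-11, ahead of the disable-*.inc includes, matches how every other profile here orders noblacklist before the blacklists it overrides.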
diff --git a/etc/utox.profile b/etc/utox.profile index 9216a6a05..454e3260b 100644 --- a/etc/utox.profile +++ b/etc/utox.profile | |||
@@ -41,7 +41,7 @@ disable-mnt | |||
41 | private-bin utox | 41 | private-bin utox |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal | 44 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 859656fa5..af6cd620f 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -5,24 +5,36 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include uudeview.local | 6 | include uudeview.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | |||
17 | caps.drop all | ||
11 | hostname uudeview | 18 | hostname uudeview |
12 | ignore noroot | 19 | ipc-namespace |
20 | machine-id | ||
13 | net none | 21 | net none |
14 | nodbus | 22 | nodbus |
15 | nodvd | 23 | nodvd |
24 | #nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
16 | nosound | 27 | nosound |
17 | notv | 28 | notv |
18 | nou2f | 29 | nou2f |
19 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
20 | shell none | 33 | shell none |
21 | tracelog | 34 | tracelog |
35 | x11 none | ||
22 | 36 | ||
23 | private-bin uudeview | 37 | private-bin uudeview |
24 | private-cache | 38 | private-cache |
25 | private-dev | 39 | private-dev |
26 | private-etc alternatives,ld.so.preload | 40 | private-etc alternatives,ld.so.preload |
27 | |||
28 | include default.profile | ||
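Review bot: the rewrite mirrors unrar.profile but omits `no3d`, which both unrar.profile and unzip.profile set; a text decoder has no use for GPU devices, so add `no3d` after `nodvd` on line 23 for consistency. As in unrar, `#nogroups` and `#noroot` on lines 24 and 26 replace the old `ignore noroot` without a comment saying why they have to stay off; please record the reason.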
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index dbee819cd..d4e54235b 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg | |||
10 | noblacklist ${HOME}/.local/share/uzbl | 10 | noblacklist ${HOME}/.local/share/uzbl |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index f9fb1cefe..e238db8ce 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -6,12 +6,12 @@ include viewnior.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.Steam | 9 | noblacklist ${HOME}/.Steam |
12 | noblacklist ${HOME}/.config/viewnior | 10 | noblacklist ${HOME}/.config/viewnior |
13 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
@@ -43,5 +43,4 @@ private-dev | |||
43 | private-etc alternatives,fonts,machine-id | 43 | private-etc alternatives,fonts,machine-id |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | # memory-deny-write-executes breaks on Arch - see issue #1808 | 46 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) |
47 | #memory-deny-write-execute | ||
diff --git a/etc/vim.profile b/etc/vim.profile index 55fa22a54..49abb0d44 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -7,6 +7,9 @@ include vim.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.python-history | 9 | noblacklist ${HOME}/.python-history |
10 | noblacklist ${HOME}/.python_history | ||
11 | noblacklist ${HOME}/.pythonhist | ||
12 | noblacklist ${HOME}/.pythonrc.py | ||
10 | noblacklist ${HOME}/.vim | 13 | noblacklist ${HOME}/.vim |
11 | noblacklist ${HOME}/.viminfo | 14 | noblacklist ${HOME}/.viminfo |
12 | noblacklist ${HOME}/.vimrc | 15 | noblacklist ${HOME}/.vimrc |
diff --git a/etc/vlc.profile b/etc/vlc.profile index 64ac7a4f0..572758f28 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -34,7 +34,7 @@ protocol unix,inet,inet6,netlink | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 37 | private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc |
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/w3m.profile b/etc/w3m.profile index 143ac4f63..9b6cc8238 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -6,10 +6,10 @@ include w3m.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.w3m | 9 | noblacklist ${HOME}/.w3m |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
@@ -36,5 +36,5 @@ tracelog | |||
36 | # private-bin w3m | 36 | # private-bin w3m |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,resolv.conf,ssl,pki,ca-certificates,crypto-policies | 39 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 3dc21958d..b8ee67ae0 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla | |||
20 | whitelist ${HOME}/.waterfox | 20 | whitelist ${HOME}/.waterfox |
21 | 21 | ||
22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
23 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash | 23 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | # private-etc must first be enabled in firefox-common.profile |
25 | #private-etc waterfox | 25 | #private-etc waterfox |
26 | 26 | ||
diff --git a/etc/webstorm.profile b/etc/webstorm.profile index b97ea8d2f..e820bae00 100644 --- a/etc/webstorm.profile +++ b/etc/webstorm.profile | |||
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/git | |||
11 | noblacklist ${HOME}/.gitconfig | 11 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.gradle | 13 | noblacklist ${HOME}/.gradle |
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/JetBrains | 14 | noblacklist ${HOME}/.local/share/JetBrains |
16 | noblacklist ${HOME}/.ssh | 15 | noblacklist ${HOME}/.ssh |
17 | noblacklist ${HOME}/.tooling | 16 | noblacklist ${HOME}/.tooling |
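Review bot: this hunk only removes `noblacklist ${HOME}/.java` (old line 14), and unlike tuxguitar.profile in the same commit no `include allow-java.inc` is added in its place anywhere in the visible diff for webstorm.profile. Unless allow-java.inc is already included elsewhere in this profile, or ${HOME}/.java is un-blacklisted by another include it already has, WebStorm loses access to ~/.java after this change; please confirm or add the include.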
diff --git a/etc/wget.profile b/etc/wget.profile index a7ef32e2c..2d5c0c4d6 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -7,11 +7,11 @@ include wget.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.wget-hsts | 10 | noblacklist ${HOME}/.wget-hsts |
13 | noblacklist ${HOME}/.wgetrc | 11 | noblacklist ${HOME}/.wgetrc |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
@@ -36,6 +36,6 @@ shell none | |||
36 | 36 | ||
37 | # private-bin wget | 37 | # private-bin wget |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl |
40 | # private-tmp | 40 | # private-tmp |
41 | 41 | ||
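Review bot: the re-sorted `# private-etc` on line 39 introduces a typo: `crypto-policie` should be `crypto-policies`, as in the same entry in w3m.profile and wire-desktop.profile in this commit. The line is commented out, so nothing breaks today, but the day someone enables it /etc/crypto-policies will silently be missing from the sandbox.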
diff --git a/etc/whois.profile b/etc/whois.profile index cc2494f95..f101ee637 100644 --- a/etc/whois.profile +++ b/etc/whois.profile | |||
@@ -36,7 +36,7 @@ shell none | |||
36 | 36 | ||
37 | disable-mnt | 37 | disable-mnt |
38 | private | 38 | private |
39 | private-bin sh,bash,whois | 39 | private-bin bash,sh,whois |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,hosts,services,whois.conf | 42 | # private-etc alternatives,hosts,services,whois.conf |
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile index 3953de614..f41453bf3 100644 --- a/etc/wire-desktop.profile +++ b/etc/wire-desktop.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | mkdir ${HOME}/.config/Wire | 16 | mkdir ${HOME}/.config/Wire |
17 | whitelist ${HOME}/.config/Wire | 17 | whitelist ${HOME}/.config/Wire |
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | |||
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
21 | 20 | ||
22 | caps.drop all | 21 | caps.drop all |
@@ -35,7 +34,7 @@ shell none | |||
35 | # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop" | 34 | # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop" |
36 | 35 | ||
37 | disable-mnt | 36 | disable-mnt |
38 | private-bin wire-desktop,bash,sh,env,electron | 37 | private-bin bash,electron,env,sh,wire-desktop |
39 | private-dev | 38 | private-dev |
40 | private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl |
41 | private-tmp | 40 | private-tmp |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 9b9757cd5..58ff93750 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark | |||
10 | noblacklist ${HOME}/.wireshark | 10 | noblacklist ${HOME}/.wireshark |
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | 12 | ||
13 | # Wireshark can use Lua for scripting | 13 | # Allow lua (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/lua* | 14 | include allow-lua.inc |
15 | noblacklist /usr/lib/lua | ||
16 | noblacklist /usr/include/lua* | ||
17 | noblacklist /usr/share/lua | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -46,6 +43,6 @@ tracelog | |||
46 | 43 | ||
47 | # private-bin wireshark | 44 | # private-bin wireshark |
48 | private-dev | 45 | private-dev |
49 | # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies | 46 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl |
50 | private-tmp | 47 | private-tmp |
51 | 48 | ||
diff --git a/etc/xed.profile b/etc/xed.profile index cce0432a4..a02f1ef51 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -6,15 +6,14 @@ include xed.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/xed | 8 | noblacklist ${HOME}/.config/xed |
9 | noblacklist ${HOME}/.python-history | ||
10 | noblacklist ${HOME}/.python_history | ||
11 | noblacklist ${HOME}/.pythonhist | ||
9 | noblacklist ${HOME}/.pythonrc.py | 12 | noblacklist ${HOME}/.pythonrc.py |
10 | 13 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 17 | ||
19 | include disable-common.inc | 18 | include disable-common.inc |
20 | include disable-devel.inc | 19 | include disable-devel.inc |
@@ -46,7 +45,6 @@ tracelog | |||
46 | 45 | ||
47 | private-bin xed | 46 | private-bin xed |
48 | private-dev | 47 | private-dev |
49 | # private-etc alternatives,fonts | ||
50 | private-tmp | 48 | private-tmp |
51 | 49 | ||
52 | # xed uses python plugins, memory-deny-write-execute breaks python | 50 | # xed uses python plugins, memory-deny-write-execute breaks python |
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 1cb7f568a..cd9561e74 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
@@ -29,5 +29,4 @@ tracelog | |||
29 | 29 | ||
30 | # private-bin xfburn | 30 | # private-bin xfburn |
31 | # private-dev | 31 | # private-dev |
32 | # private-etc alternatives,fonts | ||
33 | # private-tmp | 32 | # private-tmp |
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile index 952625ef8..e6bbb4259 100644 --- a/etc/xfce4-mixer.profile +++ b/etc/xfce4-mixer.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin xfce4-mixer,xfconf-query | 42 | private-bin xfce4-mixer,xfconf-query |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,fonts,pulse,machine-id | 45 | private-etc alternatives,asound.conf,fonts,machine-id,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 33056395e..7114f0469 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -6,11 +6,11 @@ include xiphos.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.sword | 9 | noblacklist ${HOME}/.sword |
12 | noblacklist ${HOME}/.xiphos | 10 | noblacklist ${HOME}/.xiphos |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -18,6 +18,8 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.sword | ||
22 | mkdir ${HOME}/.xiphos | ||
21 | whitelist ${HOME}/.sword | 23 | whitelist ${HOME}/.sword |
22 | whitelist ${HOME}/.xiphos | 24 | whitelist ${HOME}/.xiphos |
23 | include whitelist-common.inc | 25 | include whitelist-common.inc |
@@ -44,5 +46,5 @@ disable-mnt | |||
44 | private-bin xiphos | 46 | private-bin xiphos |
45 | private-cache | 47 | private-cache |
46 | private-dev | 48 | private-dev |
47 | private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies | 49 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf |
48 | private-tmp | 50 | private-tmp |
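Review bot: `ssli` in the private-etc list on line 49 is a pre-existing typo for `ssl` that the sort carried over unchanged (old line 47 has it too). With private-etc a misspelled entry simply does not exist in the sandboxed /etc, so /etc/ssl is never mounted even though ca-certificates, pki and crypto-policies are; fix it to `ssl` while touching the line.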
diff --git a/etc/xlinks.profile b/etc/xlinks.profile new file mode 100644 index 000000000..ad1511791 --- /dev/null +++ b/etc/xlinks.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for xlinks | ||
2 | # Description: Text WWW browser (X11) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include xlinks.local | ||
6 | |||
7 | noblacklist /tmp/.X11-unix | ||
8 | noblacklist ${HOME}/.links | ||
9 | |||
10 | include whitelist-common.inc | ||
11 | |||
12 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | ||
13 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
14 | private-bin xlinks | ||
15 | private-etc fonts | ||
16 | |||
17 | # Redirect | ||
18 | include links.profile | ||
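Review bot: the header omits the `# Persistent global definitions` / `#include globals.local` lines that the other redirect-style profiles carry (compare the old unrar.profile, lines 7-9, which used `# added by included profile`); add them so readers know globals.local arrives via links.profile. Also, `noblacklist /tmp/.X11-unix` on line 7 is correctly placed before `include links.profile`, but line 10 pulls in whitelist-common.inc while only `noblacklist ${HOME}/.links` is set with no matching `whitelist ${HOME}/.links`; if links.profile does not whitelist that directory itself, the browser's config directory will be hidden once home whitelisting is active. Either add the whitelist line or drop the include if links.profile already provides it.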
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 09c0639f8..f4f828eda 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
@@ -37,6 +37,6 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl | 38 | private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index b4932c99e..325ce7627 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${MUSIC} | |||
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
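Review bot: the replacement at lines 14-15 is only equivalent to the six removed lines if allow-python2.inc and allow-python3.inc each carry the three noblacklist entries dropped here (`${PATH}/python*`, `/usr/lib/python*`, `/usr/local/lib/python*`); neither include file is in this part of the diff, so that should be verified once for the whole series, since the same substitution is repeated in xpra.profile and youtube-dl.profile below.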
@@ -43,6 +39,6 @@ tracelog | |||
43 | 39 | ||
44 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | 40 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer |
45 | private-dev | 41 | private-dev |
46 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 42 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
47 | private-tmp | 43 | private-tmp |
48 | 44 | ||
diff --git a/etc/xpra.profile b/etc/xpra.profile index d967c1da2..6f66b9300 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -8,21 +8,15 @@ include globals.local | |||
8 | 8 | ||
9 | # | 9 | # |
10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: | 11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: |
12 | # | 12 | # |
13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra | 13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra |
14 | # | 14 | # |
15 | # or run "sudo firecfg" | 15 | # or run "sudo firecfg" |
16 | 16 | ||
17 | blacklist /media | ||
18 | |||
19 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
20 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
21 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
22 | noblacklist /usr/lib/python2* | ||
23 | noblacklist /usr/lib/python3* | ||
24 | noblacklist /usr/local/lib/python2* | ||
25 | noblacklist /usr/local/lib/python3* | ||
26 | 20 | ||
27 | include disable-common.inc | 21 | include disable-common.inc |
28 | include disable-devel.inc | 22 | include disable-devel.inc |
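Review bot: `blacklist /media` is removed at old line 17 with nothing replacing it in this hunk; the cover is the `disable-mnt` added at new line 46 in the following hunk, which disables /mnt, /media, /run/mount and /run/media and is therefore a tightening, not a loosening. The commit message should say the two belong together, because this hunk read on its own looks like /media is being opened up.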
@@ -49,10 +43,11 @@ protocol unix | |||
49 | seccomp | 43 | seccomp |
50 | shell none | 44 | shell none |
51 | 45 | ||
46 | disable-mnt | ||
52 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
53 | # private | 48 | # private |
54 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
55 | # private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | 50 | # private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb |
56 | private-dev | 51 | private-dev |
57 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | 52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
58 | private-tmp | 53 | private-tmp |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b483e9404..b09bf8ab1 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xviewer | 40 | private-bin xviewer |
41 | private-dev | 41 | private-dev |
42 | #private-etc alternatives,fonts | ||
43 | private-lib | 42 | private-lib |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a1f265c1e..93c288d6e 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -5,23 +5,33 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include xzdec.local | 6 | include xzdec.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | include disable-common.inc |
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
12 | 16 | ||
13 | ignore noroot | 17 | caps.drop all |
18 | ipc-namespace | ||
19 | machine-id | ||
14 | net none | 20 | net none |
15 | no3d | 21 | no3d |
16 | nodbus | 22 | nodbus |
17 | nodvd | 23 | nodvd |
24 | #nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
18 | nosound | 27 | nosound |
19 | notv | 28 | notv |
20 | nou2f | 29 | nou2f |
21 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
22 | shell none | 33 | shell none |
23 | tracelog | 34 | tracelog |
35 | x11 none | ||
24 | 36 | ||
25 | private-dev | 37 | private-dev |
26 | |||
27 | include default.profile | ||
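Review bot: `#nogroups` (new line 24) and `#noroot` (new line 26) are left commented out without a reason, while the old profile's `ignore noroot` at line 13 shows noroot is a known problem for xzdec; add a one-line comment next to each stating why it is disabled, in the style zpaq.profile uses (`# mdwx breaks 'list' functionality`), so the next person does not simply enable them. Replacing `include default.profile` with the explicit list is otherwise a clear tightening (`caps.drop all`, `nonewprivs`, `seccomp`, `protocol unix`, `ipc-namespace`, `x11 none`, `disable-exec.inc` are now all set directly); do a final diff against default.profile to confirm nothing it provided has been dropped by accident.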
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 621ffb2b0..28b5f2376 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -7,20 +7,16 @@ include youtube-dl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # breaks when installed via pip | ||
11 | ignore noexec ${HOME} | ||
12 | |||
10 | noblacklist ${HOME}/.netrc | 13 | noblacklist ${HOME}/.netrc |
11 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
12 | noblacklist ${VIDEOS} | 15 | noblacklist ${VIDEOS} |
13 | 16 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | |||
22 | # breaks when installed via pip | ||
23 | ignore noexec ${HOME} | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
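Review bot: moving `ignore noexec ${HOME}` up to new lines 10-11 is harmless as long as it stays above `include disable-common.inc` at line 21, which is where the `noexec ${HOME}` it cancels comes from; `ignore` only suppresses directives read after it, so this ordering is a requirement, not a style choice, and a short comment saying so would stop a later tidy-up from moving it below the includes.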
@@ -53,10 +49,10 @@ shell none | |||
53 | tracelog | 49 | tracelog |
54 | 50 | ||
55 | disable-mnt | 51 | disable-mnt |
56 | private-bin youtube-dl,python*,ffmpeg | 52 | private-bin env,ffmpeg,python*,youtube-dl |
57 | private-cache | 53 | private-cache |
58 | private-dev | 54 | private-dev |
59 | private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types | 55 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf |
60 | private-tmp | 56 | private-tmp |
61 | 57 | ||
62 | # memory-deny-write-execute - breaks on Arch | 58 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
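Review bot: `env` is added to private-bin at line 52 without a comment; if it is there because a pip-installed youtube-dl starts with a `#!/usr/bin/env python` shebang, say so next to the existing `# breaks when installed via pip` note, since the two workarounds belong together and a later cleanup of private-bin could otherwise drop it. The issue reference added at line 58 is the right way to document the mdwx exception.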
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile index dc3164da1..6228ff3bd 100644 --- a/etc/zaproxy.profile +++ b/etc/zaproxy.profile | |||
@@ -6,14 +6,10 @@ include zaproxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.ZAP | 9 | noblacklist ${HOME}/.ZAP |
11 | 10 | ||
12 | # Allow access to java | 11 | # Allow java (blacklisted by disable-devel.inc) |
13 | noblacklist ${PATH}/java | 12 | include allow-java.inc |
14 | noblacklist /usr/lib/java | ||
15 | noblacklist /etc/java | ||
16 | noblacklist /usr/share/java | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
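Review bot: dropping `noblacklist ${HOME}/.java` at old line 9 relies on allow-java.inc supplying that line as well as the `${PATH}/java`, `/usr/lib/java`, `/etc/java` and `/usr/share/java` entries removed here; allow-java.inc is not in this part of the diff, so confirm it contains the `${HOME}/.java` entry, otherwise the `whitelist ${HOME}/.java` further down (and the `mkdir ${HOME}/.java` added in the next hunk) would be undermined by the blacklist from disable-devel.inc.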
@@ -22,6 +18,7 @@ include disable-interpreters.inc | |||
22 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 19 | include disable-programs.inc |
24 | 20 | ||
21 | mkdir ${HOME}/.java | ||
25 | mkdir ${HOME}/.ZAP | 22 | mkdir ${HOME}/.ZAP |
26 | whitelist ${HOME}/.java | 23 | whitelist ${HOME}/.java |
27 | whitelist ${HOME}/.ZAP | 24 | whitelist ${HOME}/.ZAP |
diff --git a/etc/zart.profile b/etc/zart.profile index f380e93f0..347bed8b6 100644 --- a/etc/zart.profile +++ b/etc/zart.profile | |||
@@ -31,6 +31,6 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | private-bin zart,ffmpeg,melt,ffprobe,ffplay | 34 | private-bin ffmpeg,ffplay,ffprobe,melt,zart |
35 | private-dev | 35 | private-dev |
36 | 36 | ||
diff --git a/etc/zoom.profile b/etc/zoom.profile index 456b197f3..6d312aff6 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -13,6 +13,8 @@ include disable-devel.inc | |||
13 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.cache/zoom | ||
17 | mkfile ${HOME}/.config/zoomus.conf | ||
16 | mkdir ${HOME}/.zoom | 18 | mkdir ${HOME}/.zoom |
17 | whitelist ${HOME}/.cache/zoom | 19 | whitelist ${HOME}/.cache/zoom |
18 | whitelist ${HOME}/.config/zoomus.conf | 20 | whitelist ${HOME}/.config/zoomus.conf |
diff --git a/etc/zpaq.profile b/etc/zpaq.profile index 6d4501e4f..6bf3605eb 100644 --- a/etc/zpaq.profile +++ b/etc/zpaq.profile | |||
@@ -10,6 +10,5 @@ include zpaq.local | |||
10 | # mdwx breaks 'list' functionality | 10 | # mdwx breaks 'list' functionality |
11 | ignore memory-deny-write-execute | 11 | ignore memory-deny-write-execute |
12 | 12 | ||
13 | |||
14 | # Redirect | 13 | # Redirect |
15 | include cpio.profile | 14 | include cpio.profile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 48789359d..b4efa3add 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -25,8 +25,8 @@ QOwnNotes | |||
25 | Telegram | 25 | Telegram |
26 | Viber | 26 | Viber |
27 | VirtualBox | 27 | VirtualBox |
28 | Xephyr | ||
29 | XMind | 28 | XMind |
29 | Xephyr | ||
30 | abrowser | 30 | abrowser |
31 | akonadi_control | 31 | akonadi_control |
32 | akregator | 32 | akregator |
@@ -186,8 +186,8 @@ firefox-developer-edition | |||
186 | firefox-esr | 186 | firefox-esr |
187 | firefox-nightly | 187 | firefox-nightly |
188 | firefox-wayland | 188 | firefox-wayland |
189 | flameshot | ||
190 | flacsplt | 189 | flacsplt |
190 | flameshot | ||
191 | flashpeak-slimjet | 191 | flashpeak-slimjet |
192 | flowblade | 192 | flowblade |
193 | font-manager | 193 | font-manager |
@@ -248,6 +248,7 @@ gnome-schedule | |||
248 | gnome-system-log | 248 | gnome-system-log |
249 | gnome-twitch | 249 | gnome-twitch |
250 | gnome-weather | 250 | gnome-weather |
251 | godot | ||
251 | goobox | 252 | goobox |
252 | google-chrome | 253 | google-chrome |
253 | google-chrome-beta | 254 | google-chrome-beta |
@@ -300,11 +301,15 @@ keepass2 | |||
300 | keepassx | 301 | keepassx |
301 | keepassx2 | 302 | keepassx2 |
302 | keepassxc | 303 | keepassxc |
304 | keepassxc-cli | ||
305 | keepassxc-proxy | ||
303 | kget | 306 | kget |
304 | kid3 | 307 | kid3 |
305 | kid3-cli | 308 | kid3-cli |
306 | kid3-qt | 309 | kid3-qt |
307 | kino | 310 | kino |
311 | klatexformula | ||
312 | klatexformula_cmdl | ||
308 | klavaro | 313 | klavaro |
309 | kmail | 314 | kmail |
310 | knotes | 315 | knotes |
@@ -322,6 +327,7 @@ less | |||
322 | libreoffice | 327 | libreoffice |
323 | liferea | 328 | liferea |
324 | lincity-ng | 329 | lincity-ng |
330 | links | ||
325 | linphone | 331 | linphone |
326 | lmms | 332 | lmms |
327 | lobase | 333 | lobase |
@@ -396,6 +402,7 @@ netactview | |||
396 | nethack | 402 | nethack |
397 | netsurf | 403 | netsurf |
398 | neverball | 404 | neverball |
405 | newsbeuter | ||
399 | newsboat | 406 | newsboat |
400 | nheko | 407 | nheko |
401 | nitroshare | 408 | nitroshare |
@@ -413,6 +420,7 @@ oggsplt | |||
413 | okular | 420 | okular |
414 | onionshare-gui | 421 | onionshare-gui |
415 | open-invaders | 422 | open-invaders |
423 | openarena | ||
416 | opencity | 424 | opencity |
417 | openshot | 425 | openshot |
418 | openshot-qt | 426 | openshot-qt |
@@ -422,6 +430,7 @@ opera-beta | |||
422 | orage | 430 | orage |
423 | ostrichriders | 431 | ostrichriders |
424 | palemoon | 432 | palemoon |
433 | pandoc | ||
425 | parole | 434 | parole |
426 | patch | 435 | patch |
427 | pavucontrol | 436 | pavucontrol |
@@ -466,6 +475,7 @@ redshift | |||
466 | regextester | 475 | regextester |
467 | remmina | 476 | remmina |
468 | rhythmbox | 477 | rhythmbox |
478 | rhythmbox-client | ||
469 | ricochet | 479 | ricochet |
470 | riot-desktop | 480 | riot-desktop |
471 | riot-web | 481 | riot-web |
@@ -521,6 +531,7 @@ sylpheed | |||
521 | synfigstudio | 531 | synfigstudio |
522 | sysprof | 532 | sysprof |
523 | sysprof-cli | 533 | sysprof-cli |
534 | teams-for-linux | ||
524 | teamspeak3 | 535 | teamspeak3 |
525 | teeworlds | 536 | teeworlds |
526 | telegram | 537 | telegram |
@@ -578,7 +589,9 @@ transmission-remote-gtk | |||
578 | transmission-show | 589 | transmission-show |
579 | tremulous | 590 | tremulous |
580 | truecraft | 591 | truecraft |
592 | tshark | ||
581 | tuxguitar | 593 | tuxguitar |
594 | udiskie | ||
582 | uefitool | 595 | uefitool |
583 | uget-gtk | 596 | uget-gtk |
584 | unbound | 597 | unbound |
@@ -622,6 +635,7 @@ xfce4-dict | |||
622 | xfce4-mixer | 635 | xfce4-mixer |
623 | xfce4-notes | 636 | xfce4-notes |
624 | xiphos | 637 | xiphos |
638 | xlinks | ||
625 | xmms | 639 | xmms |
626 | xmr-stak | 640 | xmr-stak |
627 | xonotic | 641 | xonotic |
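Review bot: every new entry in firecfg.config (godot, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, openarena, pandoc, rhythmbox-client, teams-for-linux, tshark, udiskie, xlinks) gets a /usr/local/bin symlink from `firecfg`, so each needs a matching etc/<name>.profile; only xlinks.profile is visible in this part of the diff, and the others should be checked before merging, since a symlink without a profile is a broken command for the user. The reorderings (Xephyr after XMind, flacsplt before flameshot) make the file strictly ASCII-sorted, which is worth stating in the commit message so the order is kept that way.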
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index fd6cb9ff2..630adc3d7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -364,16 +364,23 @@ void preproc_mount_mnt_dir(void); | |||
364 | void preproc_clean_run(void); | 364 | void preproc_clean_run(void); |
365 | 365 | ||
366 | // fs.c | 366 | // fs.c |
367 | typedef enum { | ||
368 | BLACKLIST_FILE, | ||
369 | BLACKLIST_NOLOG, | ||
370 | MOUNT_READONLY, | ||
371 | MOUNT_TMPFS, | ||
372 | MOUNT_NOEXEC, | ||
373 | MOUNT_RDWR, | ||
374 | OPERATION_MAX | ||
375 | } OPERATION; | ||
376 | |||
367 | // blacklist files or directories by mounting empty files on top of them | 377 | // blacklist files or directories by mounting empty files on top of them |
368 | void fs_blacklist(void); | 378 | void fs_blacklist(void); |
369 | // mount a writable tmpfs | 379 | // mount a writable tmpfs |
370 | void fs_tmpfs(const char *dir, unsigned check_owner); | 380 | void fs_tmpfs(const char *dir, unsigned check_owner); |
371 | // remount a directory read-only | 381 | // remount noexec/nodev/nosuid or read-only or read-write |
372 | void fs_rdonly(const char *dir); | 382 | void fs_remount(const char *dir, OPERATION op, unsigned check_mnt); |
373 | void fs_rdonly_rec(const char *dir); | 383 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt); |
374 | // remount a directory noexec, nodev and nosuid | ||
375 | void fs_noexec(const char *dir); | ||
376 | void fs_noexec_rec(const char *dir); | ||
377 | // mount /proc and /sys directories | 384 | // mount /proc and /sys directories |
378 | void fs_proc_sys_dev_boot(void); | 385 | void fs_proc_sys_dev_boot(void); |
379 | // build a basic read-only filesystem | 386 | // build a basic read-only filesystem |
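Review bot: the new `check_mnt` parameter at lines 382-383 is undocumented in the header; the comment should say that a non-zero value makes the function verify through /proc/self/mountinfo that the last mount landed on `dir` and abort otherwise, and that callers pass 0 for paths that may be symlinks. Also, `OPERATION` is a very generic identifier to export from firejail.h to every translation unit; a prefixed name such as `FS_OPERATION` would avoid collisions, and the header could note that `fs_remount` accepts only `MOUNT_READONLY`, `MOUNT_RDWR` and `MOUNT_NOEXEC`, not the blacklist or tmpfs values that share the enum.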
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 411f2e778..14d7d7156 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -39,24 +39,17 @@ | |||
39 | //#define TEST_NO_BLACKLIST_MATCHING | 39 | //#define TEST_NO_BLACKLIST_MATCHING |
40 | 40 | ||
41 | 41 | ||
42 | static int mount_warning = 0; | ||
43 | static void fs_rdwr(const char *dir); | ||
44 | static void fs_rdwr_rec(const char *dir); | ||
45 | |||
46 | |||
47 | |||
48 | //*********************************************** | 42 | //*********************************************** |
49 | // process profile file | 43 | // process profile file |
50 | //*********************************************** | 44 | //*********************************************** |
51 | typedef enum { | 45 | static char *opstr[] = { |
52 | BLACKLIST_FILE, | 46 | [BLACKLIST_FILE] = "blacklist", |
53 | BLACKLIST_NOLOG, | 47 | [BLACKLIST_NOLOG] = "blacklist-nolog", |
54 | MOUNT_READONLY, | 48 | [MOUNT_READONLY] = "read-only", |
55 | MOUNT_TMPFS, | 49 | [MOUNT_TMPFS] = "tmpfs", |
56 | MOUNT_NOEXEC, | 50 | [MOUNT_NOEXEC] = "noexec", |
57 | MOUNT_RDWR, | 51 | [MOUNT_RDWR] = "read-write", |
58 | OPERATION_MAX | 52 | }; |
59 | } OPERATION; | ||
60 | 53 | ||
61 | typedef enum { | 54 | typedef enum { |
62 | UNSUCCESSFUL, | 55 | UNSUCCESSFUL, |
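Review bot: `static char *opstr[]` at line 45 should be `static const char *const opstr[OPERATION_MAX]`: the entries are string literals, and sizing the array from the enum means that a value added later without a string becomes a NULL slot that is easy to spot rather than an out-of-bounds read in `printf("Mounting %s %s\n", opstr[op], dir)` and `fs_logger2(opstr[op], dir)`.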
@@ -153,17 +146,9 @@ static void disable_file(OPERATION op, const char *filename) { | |||
153 | fs_logger2("blacklist-nolog", fname); | 146 | fs_logger2("blacklist-nolog", fname); |
154 | } | 147 | } |
155 | } | 148 | } |
156 | else if (op == MOUNT_READONLY) { | 149 | else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { |
157 | fs_rdonly_rec(fname); | 150 | fs_remount_rec(fname, op, 1); |
158 | // todo: last_disable = SUCCESSFUL; | 151 | // todo: last_disable = SUCCESSFUL; |
159 | } | ||
160 | else if (op == MOUNT_RDWR) { | ||
161 | fs_rdwr_rec(fname); | ||
162 | // todo: last_disable = SUCCESSFUL; | ||
163 | } | ||
164 | else if (op == MOUNT_NOEXEC) { | ||
165 | fs_noexec_rec(fname); | ||
166 | // todo: last_disable = SUCCESSFUL; | ||
167 | } | 152 | } |
168 | else if (op == MOUNT_TMPFS) { | 153 | else if (op == MOUNT_TMPFS) { |
169 | if (S_ISDIR(s.st_mode)) { | 154 | if (S_ISDIR(s.st_mode)) { |
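Review bot: line 150 passes `check_mnt = 1` for all three operations, so the /proc/self/mountinfo sanity check that the old code ran only for read-write (inside fs_rdwr) now also runs for profile `read-only` and `noexec` lines, and a mismatch is fatal via errLogExit. That is a sensible tightening, but it is a behaviour change the commit message should call out; if, as the `fname` variable suggests, disable_file works on the realpath-resolved name, that is the reason 1 is correct here while fs_basic_fs passes 0, and a one-line comment at line 150 saying so would save the next reader the trip.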
@@ -493,145 +478,60 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
493 | close(fd); | 478 | close(fd); |
494 | } | 479 | } |
495 | 480 | ||
496 | // remount directory read-only | 481 | void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { |
497 | void fs_rdonly(const char *dir) { | ||
498 | assert(dir); | 482 | assert(dir); |
499 | // check directory exists | 483 | // check directory exists |
500 | struct stat s; | 484 | struct stat s; |
501 | int rv = stat(dir, &s); | 485 | int rv = stat(dir, &s); |
502 | if (rv == 0) { | 486 | if (rv == 0) { |
503 | unsigned long flags = 0; | 487 | unsigned long flags = 0; |
504 | get_mount_flags(dir, &flags); | 488 | if (get_mount_flags(dir, &flags) != 0) { |
505 | if ((flags & MS_RDONLY) == MS_RDONLY) | 489 | fwarning("cannot remount %s\n", dir); |
506 | return; | 490 | return; |
507 | flags |= MS_RDONLY; | ||
508 | if (arg_debug) | ||
509 | printf("Mounting read-only %s\n", dir); | ||
510 | // mount --bind /bin /bin | ||
511 | // mount --bind -o remount,ro /bin | ||
512 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
513 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
514 | errExit("mount read-only"); | ||
515 | fs_logger2("read-only", dir); | ||
516 | } | ||
517 | } | ||
518 | |||
519 | // remount directory read-only recursively | ||
520 | void fs_rdonly_rec(const char *dir) { | ||
521 | assert(dir); | ||
522 | // get mount point of the directory | ||
523 | int mountid = get_mount_id(dir); | ||
524 | if (mountid == -1) | ||
525 | return; | ||
526 | if (mountid == -2) { | ||
527 | // falling back to a simple remount on old kernels | ||
528 | if (!mount_warning) { | ||
529 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
530 | mount_warning = 1; | ||
531 | } | 491 | } |
532 | fs_rdonly(dir); | 492 | if (op == MOUNT_RDWR) { |
533 | return; | 493 | // allow only user owned directories, except the user is root |
534 | } | 494 | if (getuid() != 0 && s.st_uid != getuid()) { |
535 | // build array with all mount points that need to get remounted | 495 | fwarning("you are not allowed to change %s to read-write\n", dir); |
536 | char **arr = build_mount_array(mountid, dir); | 496 | return; |
537 | assert(arr); | 497 | } |
538 | // remount | 498 | if ((flags & MS_RDONLY) == 0) |
539 | char **tmp = arr; | 499 | return; |
540 | while (*tmp) { | 500 | flags &= ~MS_RDONLY; |
541 | fs_rdonly(*tmp); | ||
542 | free(*tmp++); | ||
543 | } | ||
544 | free(arr); | ||
545 | } | ||
546 | |||
547 | // remount directory read-write | ||
548 | static void fs_rdwr(const char *dir) { | ||
549 | assert(dir); | ||
550 | // check directory exists | ||
551 | struct stat s; | ||
552 | int rv = stat(dir, &s); | ||
553 | if (rv == 0) { | ||
554 | // allow only user owned directories, except the user is root | ||
555 | uid_t u = getuid(); | ||
556 | if (u != 0 && s.st_uid != u) { | ||
557 | fwarning("you are not allowed to change %s to read-write\n", dir); | ||
558 | return; | ||
559 | } | 501 | } |
560 | unsigned long flags = 0; | 502 | else if (op == MOUNT_NOEXEC) { |
561 | get_mount_flags(dir, &flags); | 503 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) |
562 | if ((flags & MS_RDONLY) == 0) | 504 | return; |
563 | return; | 505 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; |
564 | flags &= ~MS_RDONLY; | ||
565 | if (arg_debug) | ||
566 | printf("Mounting read-write %s\n", dir); | ||
567 | // mount --bind /bin /bin | ||
568 | // mount --bind -o remount,rw /bin | ||
569 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
570 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
571 | errExit("mount read-write"); | ||
572 | fs_logger2("read-write", dir); | ||
573 | // run a sanity check on /proc/self/mountinfo | ||
574 | MountData *mptr = get_last_mount(); | ||
575 | size_t len = strlen(dir); | ||
576 | if (strncmp(mptr->dir, dir, len) != 0 || | ||
577 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | ||
578 | errLogExit("invalid read-write mount"); | ||
579 | } | ||
580 | } | ||
581 | |||
582 | // remount directory read-write recursively | ||
583 | static void fs_rdwr_rec(const char *dir) { | ||
584 | assert(dir); | ||
585 | // get mount point of the directory | ||
586 | int mountid = get_mount_id(dir); | ||
587 | if (mountid == -1) | ||
588 | return; | ||
589 | if (mountid == -2) { | ||
590 | // falling back to a simple remount on old kernels | ||
591 | if (!mount_warning) { | ||
592 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
593 | mount_warning = 1; | ||
594 | } | 506 | } |
595 | fs_rdwr(dir); | 507 | else if (op == MOUNT_READONLY) { |
596 | return; | 508 | if ((flags & MS_RDONLY) == MS_RDONLY) |
597 | } | 509 | return; |
598 | // build array with all mount points that need to get remounted | 510 | flags |= MS_RDONLY; |
599 | char **arr = build_mount_array(mountid, dir); | 511 | } |
600 | assert(arr); | 512 | else |
601 | // remount | 513 | assert(0); |
602 | char **tmp = arr; | ||
603 | while (*tmp) { | ||
604 | fs_rdwr(*tmp); | ||
605 | free(*tmp++); | ||
606 | } | ||
607 | free(arr); | ||
608 | } | ||
609 | 514 | ||
610 | // remount directory noexec, nodev, nosuid | ||
611 | void fs_noexec(const char *dir) { | ||
612 | assert(dir); | ||
613 | // check directory exists | ||
614 | struct stat s; | ||
615 | int rv = stat(dir, &s); | ||
616 | if (rv == 0) { | ||
617 | unsigned long flags = 0; | ||
618 | get_mount_flags(dir, &flags); | ||
619 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) | ||
620 | return; | ||
621 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; | ||
622 | if (arg_debug) | 515 | if (arg_debug) |
623 | printf("Mounting noexec %s\n", dir); | 516 | printf("Mounting %s %s\n", opstr[op], dir); |
624 | // mount --bind /bin /bin | 517 | // mount --bind /bin /bin |
625 | // mount --bind -o remount,noexec /bin | 518 | // mount --bind -o remount,rw /bin |
626 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 519 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
627 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | 520 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) |
628 | errExit("mount noexec"); | 521 | errExit("remounting"); |
629 | fs_logger2("noexec", dir); | 522 | if (check_mnt) { |
523 | // run a sanity check on /proc/self/mountinfo | ||
524 | MountData *mptr = get_last_mount(); | ||
525 | size_t len = strlen(dir); | ||
526 | if (strncmp(mptr->dir, dir, len) != 0 || | ||
527 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | ||
528 | errLogExit("invalid %s mount", opstr[op]); | ||
529 | } | ||
530 | fs_logger2(opstr[op], dir); | ||
630 | } | 531 | } |
631 | } | 532 | } |
632 | 533 | ||
633 | // remount directory noexec, nodev, nosuid recursively | 534 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { |
634 | void fs_noexec_rec(const char *dir) { | ||
635 | assert(dir); | 535 | assert(dir); |
636 | // get mount point of the directory | 536 | // get mount point of the directory |
637 | int mountid = get_mount_id(dir); | 537 | int mountid = get_mount_id(dir); |
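Review bot: lines 488-490 change what happens when `get_mount_flags` fails: the old code went on with `flags = 0`, which would have remounted with MS_RDONLY alone and silently cleared nosuid/nodev/noexec on that bind mount, so bailing out is the safer choice, but for the fs_basic_fs callers a failed lookup of /etc or /usr now leaves that directory writable with nothing but a warning on stderr. Make the warning say the directory was left unchanged, and consider making the failure fatal for MOUNT_READONLY and MOUNT_NOEXEC, which are the cases where proceeding weakens the sandbox. Two smaller points: the comment at line 518 (`mount --bind -o remount,rw /bin`) is now reached for every operation and should read `remount,<ro|rw|noexec,nodev,nosuid>`; and with NDEBUG the `assert(0)` at line 513 disappears, so an unexpected `op` falls through to a bind mount and a remount with unchanged flags, where an explicit errExit would be clearer.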
@@ -639,11 +539,12 @@ void fs_noexec_rec(const char *dir) { | |||
639 | return; | 539 | return; |
640 | if (mountid == -2) { | 540 | if (mountid == -2) { |
641 | // falling back to a simple remount on old kernels | 541 | // falling back to a simple remount on old kernels |
542 | static int mount_warning = 0; | ||
642 | if (!mount_warning) { | 543 | if (!mount_warning) { |
643 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | 544 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); |
644 | mount_warning = 1; | 545 | mount_warning = 1; |
645 | } | 546 | } |
646 | fs_noexec(dir); | 547 | fs_remount(dir, op, check_mnt); |
647 | return; | 548 | return; |
648 | } | 549 | } |
649 | // build array with all mount points that need to get remounted | 550 | // build array with all mount points that need to get remounted |
@@ -652,7 +553,7 @@ void fs_noexec_rec(const char *dir) { | |||
652 | // remount | 553 | // remount |
653 | char **tmp = arr; | 554 | char **tmp = arr; |
654 | while (*tmp) { | 555 | while (*tmp) { |
655 | fs_noexec(*tmp); | 556 | fs_remount(*tmp, op, check_mnt); |
656 | free(*tmp++); | 557 | free(*tmp++); |
657 | } | 558 | } |
658 | free(arr); | 559 | free(arr); |
@@ -818,28 +719,29 @@ static void disable_config(void) { | |||
818 | 719 | ||
819 | 720 | ||
820 | // build a basic read-only filesystem | 721 | // build a basic read-only filesystem |
722 | // top level directories could be links, run no after-mount checks | ||
821 | void fs_basic_fs(void) { | 723 | void fs_basic_fs(void) { |
822 | uid_t uid = getuid(); | 724 | uid_t uid = getuid(); |
823 | 725 | ||
824 | if (arg_debug) | 726 | if (arg_debug) |
825 | printf("Basic read-only filesystem:\n"); | 727 | printf("Basic read-only filesystem:\n"); |
826 | if (!arg_writable_etc) { | 728 | if (!arg_writable_etc) { |
827 | fs_rdonly("/etc"); | 729 | fs_remount("/etc", MOUNT_READONLY, 0); |
828 | if (uid) | 730 | if (uid) |
829 | fs_noexec("/etc"); | 731 | fs_remount("/etc", MOUNT_NOEXEC, 0); |
830 | } | 732 | } |
831 | if (!arg_writable_var) { | 733 | if (!arg_writable_var) { |
832 | fs_rdonly("/var"); | 734 | fs_remount("/var", MOUNT_READONLY, 0); |
833 | if (uid) | 735 | if (uid) |
834 | fs_noexec("/var"); | 736 | fs_remount("/var", MOUNT_NOEXEC, 0); |
835 | } | 737 | } |
836 | fs_rdonly("/bin"); | 738 | fs_remount("/bin", MOUNT_READONLY, 0); |
837 | fs_rdonly("/sbin"); | 739 | fs_remount("/sbin", MOUNT_READONLY, 0); |
838 | fs_rdonly("/lib"); | 740 | fs_remount("/lib", MOUNT_READONLY, 0); |
839 | fs_rdonly("/lib64"); | 741 | fs_remount("/lib64", MOUNT_READONLY, 0); |
840 | fs_rdonly("/lib32"); | 742 | fs_remount("/lib32", MOUNT_READONLY, 0); |
841 | fs_rdonly("/libx32"); | 743 | fs_remount("/libx32", MOUNT_READONLY, 0); |
842 | fs_rdonly("/usr"); | 744 | fs_remount("/usr", MOUNT_READONLY, 0); |
843 | 745 | ||
844 | // update /var directory in order to support multiple sandboxes running on the same root directory | 746 | // update /var directory in order to support multiple sandboxes running on the same root directory |
845 | fs_var_lock(); | 747 | fs_var_lock(); |
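Review bot: the comment at line 722 would help more if it spelled out the case: on merged-/usr systems /bin, /sbin, /lib, /lib64 and /lib32 are symlinks into /usr, so mountinfo records the /usr/... path and the prefix comparison in fs_remount's `check_mnt` branch would never match; that is why every call here passes 0. A remount of a symlinked /lib then in practice hits /usr/lib, which /usr's own read-only remount already covers, so the result is still correct, which is worth a sentence too.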
@@ -848,7 +750,7 @@ void fs_basic_fs(void) { | |||
848 | if (!arg_writable_var_log) | 750 | if (!arg_writable_var_log) |
849 | fs_var_log(); | 751 | fs_var_log(); |
850 | else | 752 | else |
851 | fs_rdwr("/var/log"); | 753 | fs_remount("/var/log", MOUNT_RDWR, 0); |
852 | 754 | ||
853 | fs_var_lib(); | 755 | fs_var_lib(); |
854 | fs_var_cache(); | 756 | fs_var_cache(); |
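Review bot: line 753 remounts /var/log read-write with `check_mnt = 0`, so the mountinfo sanity check that the old fs_rdwr always ran (ending in `errLogExit("invalid read-write mount")`) no longer covers `--writable-var-log`. /var/log is not one of the top-level directories the comment at line 722 is about, so unless it is a symlink on some supported distribution, pass 1 here and keep the check for the one read-write remount done from this privileged path.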
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index e3f237b8e..b82473476 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -88,7 +88,7 @@ void pulseaudio_init(void) { | |||
88 | if (mkdir(RUN_PULSE_DIR, 0700) == -1) | 88 | if (mkdir(RUN_PULSE_DIR, 0700) == -1) |
89 | errExit("mkdir"); | 89 | errExit("mkdir"); |
90 | // mount it nosuid, noexec, nodev | 90 | // mount it nosuid, noexec, nodev |
91 | fs_noexec(RUN_PULSE_DIR); | 91 | fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0); |
92 | 92 | ||
93 | // create the new client.conf file | 93 | // create the new client.conf file |
94 | char *pulsecfg = NULL; | 94 | char *pulsecfg = NULL; |
@@ -155,8 +155,10 @@ void pulseaudio_init(void) { | |||
155 | if (fstatvfs(fd, &vfs) == -1) | 155 | if (fstatvfs(fd, &vfs) == -1) |
156 | errExit("fstatvfs"); | 156 | errExit("fstatvfs"); |
157 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) | 157 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) |
158 | fs_rdonly(RUN_PULSE_DIR); | 158 | fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0); |
159 | // mount via the link in /proc/self/fd | 159 | // mount via the link in /proc/self/fd |
160 | if (arg_debug) | ||
161 | printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg); | ||
160 | char *proc; | 162 | char *proc; |
161 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 163 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
162 | errExit("asprintf"); | 164 | errExit("asprintf"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 841d57c89..f91e5ab7c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1116,7 +1116,7 @@ int sandbox(void* sandbox_arg) { | |||
1116 | (void) rv; | 1116 | (void) rv; |
1117 | } | 1117 | } |
1118 | // make seccomp filters read-only | 1118 | // make seccomp filters read-only |
1119 | fs_rdonly(RUN_SECCOMP_DIR); | 1119 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); |
1120 | #endif | 1120 | #endif |
1121 | 1121 | ||
1122 | // set capabilities | 1122 | // set capabilities |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 9d821d980..69a9a7bee 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1169,7 +1169,7 @@ void x11_xorg(void) { | |||
1169 | umount("/tmp"); | 1169 | umount("/tmp"); |
1170 | 1170 | ||
1171 | // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid | 1171 | // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid |
1172 | fs_noexec(RUN_XAUTHORITY_SEC_FILE); | 1172 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0); |
1173 | 1173 | ||
1174 | // Ensure there is already a file in the usual location, so that bind-mount below will work. | 1174 | // Ensure there is already a file in the usual location, so that bind-mount below will work. |
1175 | char *dest; | 1175 | char *dest; |
@@ -1202,9 +1202,11 @@ void x11_xorg(void) { | |||
1202 | if (fstatvfs(fd, &vfs) == -1) | 1202 | if (fstatvfs(fd, &vfs) == -1) |
1203 | errExit("fstatvfs"); | 1203 | errExit("fstatvfs"); |
1204 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) | 1204 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) |
1205 | fs_rdonly(RUN_XAUTHORITY_SEC_FILE); | 1205 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0); |
1206 | 1206 | ||
1207 | // mount via the link in /proc/self/fd | 1207 | // mount via the link in /proc/self/fd |
1208 | if (arg_debug) | ||
1209 | printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest); | ||
1208 | char *proc; | 1210 | char *proc; |
1209 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 1211 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
1210 | errExit("asprintf"); | 1212 | errExit("asprintf"); |
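Review bot: the unchanged context `if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)` tests a `statvfs` field against a mount(2) flag; the constant defined for `f_flag` is `ST_RDONLY` (the two happen to share the value 1 on Linux, so this works by coincidence). Since this hunk already touches the following line, it would be a good moment to switch to `ST_RDONLY` so the read-only check does not depend on that coincidence. The added `printf("Mounting ...")` is emitted before the mount is attempted, which is fine as an intent message, but if the later `mount()` fails and `errExit()` fires, the debug log will show a mount that never happened; printing after success would be less misleading.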
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index e5f1b6f9a..b3c435d9e 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -83,7 +83,9 @@ int find_child(int id) { | |||
83 | return i; | 83 | return i; |
84 | } | 84 | } |
85 | 85 | ||
86 | return -1; | 86 | // if a second child is not found, return the first child pid |
87 | // this happens for processes sandboxed with --join | ||
88 | return first_child; | ||
87 | } | 89 | } |
88 | 90 | ||
89 | // sleep and wait for a key to be pressed | 91 | // sleep and wait for a key to be pressed |
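Review bot: returning `first_child` instead of `-1` changes the contract of `find_child()`, so every caller that compared the result with `-1` to mean "no child" should be checked; with this change a `--join` sandbox yields a pid rather than an error, and any caller that took `-1` as "print the sandbox itself" will now behave differently. Please also confirm that `first_child` is initialised to `-1` in the part of the function above this hunk, so the case where no child at all is found still returns `-1` rather than an unset value, and update the function's header comment to describe the new return value.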
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8c9989970..f97261456 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -74,6 +74,9 @@ Child process initialized | |||
74 | [...] | 74 | [...] |
75 | .RE | 75 | .RE |
76 | 76 | ||
77 | .SH Templates | ||
78 | Templates for writing own profiles can be found in /usr/share/doc/firejail. | ||
79 | |||
77 | .SH Scripting | 80 | .SH Scripting |
78 | Scripting commands: | 81 | Scripting commands: |
79 | 82 | ||
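Review bot: "Templates for writing own profiles" reads as a grammar slip; "Templates for writing your own profiles" is what is meant. The path `/usr/share/doc/firejail` is hard-coded in the man page, while the documentation directory is normally chosen at configure time and differs between distributions, so wording such as "in the firejail documentation directory (usually /usr/share/doc/firejail)" would stay correct on systems that install docs elsewhere. Naming the template file itself would also help readers find it.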
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 67b84de0e..201339c8b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2318,9 +2318,9 @@ $ sudo firejail --writable-var-log | |||
2318 | .TP | 2318 | .TP |
2319 | \fB\-\-x11 | 2319 | \fB\-\-x11 |
2320 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. | 2320 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. |
2321 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | 2321 | The sandbox will prevent screenshot and keylogger applications started inside the sandbox from accessing |
2322 | clients running outside the sandbox. | 2322 | clients running outside the sandbox. |
2323 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 2323 | Firejail will try Xpra first, and if Xpra is not installed on the system, it will try to find Xephyr. |
2324 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. | 2324 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. |
2325 | .br | 2325 | .br |
2326 | 2326 | ||
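Review bot: the two grammar fixes ("will prevent", "try Xpra first") are correct; while touching this paragraph, "If all fails" would read better as "If both fail", since only two fallbacks (Xpra, then Xephyr) are described, and the paragraph refers to the same feature as both "Xorg security extension" and "X11 security extension" in consecutive sentences; picking one name avoids the impression that these are different things.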
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile index a57471604..a569edc6d 100644 --- a/test/environment/rlimit.profile +++ b/test/environment/rlimit.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | rlimit-fsize 1024 | 1 | rlimit-fsize 1024 |
2 | rlimit-nproc 1000 | 2 | rlimit-nproc 1000 |
3 | rlimit-nofile 500 | 3 | rlimit-nofile 500 |
4 | rlimit-sigpending 200 | 4 | rlimit-sigpending 200 |
5 | rlimit-as 123456789012 | 5 | rlimit-as 123456789012 |
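Review bot: this hunk (`@@ -1,5 +1,5 @@`) shows no visible difference between the old and new sides, so the change is presumably trailing whitespace or line-ending normalisation. That is fine, but it should be stated in the commit message so that reviewers do not have to diff the file byte by byte to confirm nothing in the test profile's limits actually changed.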