-rw-r--r--Makefile.in5
-rw-r--r--README2
-rw-r--r--README.md4
-rw-r--r--RELNOTES1
-rwxr-xr-xconfigure3
-rw-r--r--configure.ac2
-rw-r--r--etc/0ad.profile2
-rw-r--r--etc/2048-qt.profile2
-rw-r--r--etc/7z.profile3
-rw-r--r--etc/Cryptocat.profile2
-rw-r--r--etc/Cyberfox.profile1
-rw-r--r--etc/FossaMail.profile1
-rw-r--r--etc/Mathematica.profile2
-rw-r--r--etc/Telegram.profile1
-rw-r--r--etc/Thunar.profile2
-rw-r--r--etc/VirtualBox.profile1
-rw-r--r--etc/Wire.profile1
-rw-r--r--etc/Xephyr.profile2
-rw-r--r--etc/Xvfb.profile2
-rw-r--r--etc/abrowser.profile2
-rw-r--r--etc/akregator.profile2
-rw-r--r--etc/amarok.profile1
-rw-r--r--etc/android-studio.profile2
-rw-r--r--etc/apktool.profile3
-rw-r--r--etc/arduino.profile2
-rw-r--r--etc/ark.profile3
-rw-r--r--etc/arm.profile4
-rw-r--r--etc/atom-beta.profile2
-rw-r--r--etc/atom.profile2
-rw-r--r--etc/atool.profile2
-rw-r--r--etc/atril.profile2
-rw-r--r--etc/audacious.profile2
-rw-r--r--etc/audacity.profile2
-rw-r--r--etc/aweather.profile2
-rw-r--r--etc/baloo_file.profile4
-rw-r--r--etc/baobab.profile3
-rw-r--r--etc/bibletime.profile2
-rw-r--r--etc/bitlbee.profile2
-rw-r--r--etc/bleachbit.profile2
-rw-r--r--etc/blender.profile2
-rw-r--r--etc/bless.profile3
-rw-r--r--etc/brasero.profile1
-rw-r--r--etc/brave.profile2
-rw-r--r--etc/caja.profile2
-rw-r--r--etc/calibre.profile2
-rw-r--r--etc/catfish.profile2
-rw-r--r--etc/cherrytree.profile2
-rw-r--r--etc/chromium-browser.profile2
-rw-r--r--etc/chromium.profile6
-rw-r--r--etc/claws-mail.profile2
-rw-r--r--etc/clementine.profile2
-rw-r--r--etc/clipit.profile2
-rw-r--r--etc/cmus.profile1
-rw-r--r--etc/conkeror.profile2
-rw-r--r--etc/corebird.profile2
-rw-r--r--etc/cpio.profile2
-rw-r--r--etc/cryptocat.profile1
-rw-r--r--etc/curl.profile2
-rw-r--r--etc/cvlc.profile2
-rw-r--r--etc/cyberfox.profile2
-rw-r--r--etc/darktable.profile2
-rw-r--r--etc/deadbeef.profile1
-rw-r--r--etc/default.profile3
-rw-r--r--etc/deluge.profile2
-rw-r--r--etc/dex2jar.profile3
-rw-r--r--etc/dia.profile2
-rw-r--r--etc/digikam.profile2
-rw-r--r--etc/dillo.profile2
-rw-r--r--etc/dino.profile2
-rw-r--r--etc/disable-common.inc268
-rw-r--r--etc/disable-devel.inc34
-rw-r--r--etc/disable-passwdmgr.inc6
-rw-r--r--etc/disable-programs.inc70
-rw-r--r--etc/display.profile2
-rw-r--r--etc/dnscrypt-proxy.profile2
-rw-r--r--etc/dnsmasq.profile2
-rw-r--r--etc/dolphin.profile5
-rw-r--r--etc/dosbox.profile2
-rw-r--r--etc/dragon.profile2
-rw-r--r--etc/dropbox.profile2
-rw-r--r--etc/ebook-viewer.profile1
-rw-r--r--etc/electron.profile2
-rw-r--r--etc/elinks.profile2
-rw-r--r--etc/emacs.profile2
-rw-r--r--etc/empathy.profile2
-rw-r--r--etc/enchant.profile2
-rw-r--r--etc/engrampa.profile2
-rw-r--r--etc/eog.profile2
-rw-r--r--etc/eom.profile2
-rw-r--r--etc/epiphany.profile2
-rw-r--r--etc/etr.profile2
-rw-r--r--etc/evince.profile2
-rw-r--r--etc/evolution.profile2
-rw-r--r--etc/exiftool.profile2
-rw-r--r--etc/fbreader.profile2
-rw-r--r--etc/feh.profile2
-rw-r--r--etc/file-roller.profile2
-rw-r--r--etc/file.profile2
-rw-r--r--etc/filezilla.profile2
-rw-r--r--etc/firefox-esr.profile1
-rw-r--r--etc/firefox-nightly.profile10
-rw-r--r--etc/firefox.profile2
-rw-r--r--etc/flashpeak-slimjet.profile5
-rw-r--r--etc/flowblade.profile2
-rw-r--r--etc/fontforge.profile2
-rw-r--r--etc/fossamail.profile3
-rw-r--r--etc/franz.profile2
-rw-r--r--etc/frozen-bubble.profile2
-rw-r--r--etc/gajim.profile2
-rw-r--r--etc/galculator.profile2
-rw-r--r--etc/geany.profile2
-rw-r--r--etc/geary.profile3
-rw-r--r--etc/gedit.profile2
-rw-r--r--etc/geeqie.profile2
-rw-r--r--etc/ghb.profile1
-rw-r--r--etc/gimp-2.8.profile1
-rw-r--r--etc/gimp.profile2
-rw-r--r--etc/git.profile2
-rw-r--r--etc/gitg.profile3
-rw-r--r--etc/gitter.profile2
-rw-r--r--etc/gjs.profile2
-rw-r--r--etc/globaltime.profile2
-rw-r--r--etc/gnome-2048.profile2
-rw-r--r--etc/gnome-books.profile2
-rw-r--r--etc/gnome-calculator.profile2
-rw-r--r--etc/gnome-chess.profile2
-rw-r--r--etc/gnome-clocks.profile2
-rw-r--r--etc/gnome-contacts.profile2
-rw-r--r--etc/gnome-documents.profile2
-rw-r--r--etc/gnome-font-viewer.profile2
-rw-r--r--etc/gnome-maps.profile2
-rw-r--r--etc/gnome-music.profile1
-rw-r--r--etc/gnome-photos.profile2
-rw-r--r--etc/gnome-twitch.profile2
-rw-r--r--etc/gnome-weather.profile2
-rw-r--r--etc/goobox.profile2
-rw-r--r--etc/google-chrome-beta.profile5
-rw-r--r--etc/google-chrome-stable.profile1
-rw-r--r--etc/google-chrome-unstable.profile5
-rw-r--r--etc/google-chrome.profile5
-rw-r--r--etc/google-play-music-desktop-player.profile2
-rw-r--r--etc/gpa.profile2
-rw-r--r--etc/gpg-agent.profile2
-rw-r--r--etc/gpg.profile2
-rw-r--r--etc/gpicview.profile2
-rw-r--r--etc/gpredict.profile2
-rw-r--r--etc/gtar.profile1
-rw-r--r--etc/gthumb.profile2
-rw-r--r--etc/guayadeque.profile1
-rw-r--r--etc/gucharmap.profile2
-rw-r--r--etc/gwenview.profile3
-rw-r--r--etc/gzip.profile2
-rw-r--r--etc/handbrake-gtk.profile1
-rw-r--r--etc/handbrake.profile1
-rw-r--r--etc/hashcat.profile5
-rw-r--r--etc/hedgewars.profile2
-rw-r--r--etc/hexchat.profile2
-rw-r--r--etc/highlight.profile2
-rw-r--r--etc/hugin.profile2
-rw-r--r--etc/icecat.profile2
-rw-r--r--etc/icedove.profile1
-rw-r--r--etc/iceweasel.profile1
-rw-r--r--etc/idea.sh.profile2
-rw-r--r--etc/img2txt.profile2
-rw-r--r--etc/inkscape.profile2
-rw-r--r--etc/inox.profile2
-rw-r--r--etc/iridium-browser.profile1
-rw-r--r--etc/iridium.profile2
-rw-r--r--etc/jd-gui.profile3
-rw-r--r--etc/jitsi.profile2
-rw-r--r--etc/k3b.profile3
-rw-r--r--etc/kate.profile3
-rw-r--r--etc/kcalc.profile2
-rw-r--r--etc/keepass.profile3
-rw-r--r--etc/keepass2.profile1
-rw-r--r--etc/keepassx.profile3
-rw-r--r--etc/keepassx2.profile3
-rw-r--r--etc/keepassxc.profile2
-rw-r--r--etc/kino.profile1
-rw-r--r--etc/kmail.profile2
-rw-r--r--etc/knotes.profile2
-rw-r--r--etc/konversation.profile2
-rw-r--r--etc/ktorrent.profile2
-rw-r--r--etc/kwrite.profile3
-rw-r--r--etc/leafpad.profile2
-rw-r--r--etc/less.profile6
-rw-r--r--etc/libreoffice.profile2
-rw-r--r--etc/liferea.profile2
-rw-r--r--etc/localc.profile1
-rw-r--r--etc/lodraw.profile1
-rw-r--r--etc/loffice.profile1
-rw-r--r--etc/lofromtemplate.profile1
-rw-r--r--etc/loimpress.profile1
-rw-r--r--etc/lollypop.profile1
-rw-r--r--etc/lomath.profile1
-rw-r--r--etc/loweb.profile1
-rw-r--r--etc/lowriter.profile1
-rw-r--r--etc/luminance-hdr.profile2
-rw-r--r--etc/lximage-qt.profile2
-rw-r--r--etc/lxmusic.profile2
-rw-r--r--etc/lxterminal.profile2
-rw-r--r--etc/lynx.profile2
-rw-r--r--etc/mate-calc.profile2
-rw-r--r--etc/mate-calculator.profile9
-rw-r--r--etc/mate-color-select.profile2
-rw-r--r--etc/mate-dictionary.profile2
-rw-r--r--etc/mathematica.profile1
-rw-r--r--etc/mcabber.profile2
-rw-r--r--etc/mediainfo.profile2
-rw-r--r--etc/mediathekview.profile9
-rw-r--r--etc/meld.profile3
-rw-r--r--etc/midori.profile2
-rw-r--r--etc/mousepad.profile2
-rw-r--r--etc/multimc5.profile4
-rw-r--r--etc/mumble.profile2
-rw-r--r--etc/mupdf.profile3
-rw-r--r--etc/mupen64plus.profile2
-rw-r--r--etc/mutt.profile2
-rw-r--r--etc/nautilus.profile2
-rw-r--r--etc/nemo.profile2
-rw-r--r--etc/netsurf.profile2
-rw-r--r--etc/nylas.profile2
-rw-r--r--etc/obs.profile3
-rw-r--r--etc/odt2txt.profile2
-rw-r--r--etc/okular.profile3
-rw-r--r--etc/open-invaders.profile2
-rw-r--r--etc/openshot.profile2
-rw-r--r--etc/opera-beta.profile2
-rw-r--r--etc/opera.profile2
-rw-r--r--etc/orage.profile2
-rw-r--r--etc/palemoon.profile2
-rw-r--r--etc/parole.profile2
-rw-r--r--etc/pcmanfm.profile2
-rw-r--r--etc/pdfsam.profile3
-rw-r--r--etc/pdftotext.profile3
-rw-r--r--etc/peek.profile3
-rw-r--r--etc/picard.profile2
-rw-r--r--etc/pidgin.profile2
-rw-r--r--etc/pingus.profile2
-rw-r--r--etc/pithos.profile3
-rw-r--r--etc/pix.profile2
-rw-r--r--etc/pluma.profile2
-rw-r--r--etc/polari.profile2
-rw-r--r--etc/psi-plus.profile2
-rw-r--r--etc/qbittorrent.profile2
-rw-r--r--etc/qemu-launcher.profile2
-rw-r--r--etc/qemu-system-x86_64.profile2
-rw-r--r--etc/qlipper.profile2
-rw-r--r--etc/qpdfview.profile2
-rw-r--r--etc/qtox.profile2
-rw-r--r--etc/quassel.profile2
-rw-r--r--etc/quiterss.profile2
-rw-r--r--etc/qupzilla.profile2
-rw-r--r--etc/qutebrowser.profile2
-rw-r--r--etc/rambox.profile2
-rw-r--r--etc/ranger.profile2
-rw-r--r--etc/remmina.profile2
-rw-r--r--etc/rhythmbox.profile1
-rw-r--r--etc/riot-web.profile1
-rw-r--r--etc/ristretto.profile2
-rw-r--r--etc/rtorrent.profile2
-rw-r--r--etc/scribus.profile5
-rw-r--r--etc/sdat2img.profile3
-rw-r--r--etc/seamonkey-bin.profile1
-rw-r--r--etc/seamonkey.profile2
-rw-r--r--etc/server.profile3
-rw-r--r--etc/silentarmy.profile2
-rw-r--r--etc/simple-scan.profile2
-rw-r--r--etc/simutrans.profile2
-rw-r--r--etc/skanlite.profile2
-rw-r--r--etc/skype.profile2
-rw-r--r--etc/skypeforlinux.profile2
-rw-r--r--etc/slack.profile2
-rw-r--r--etc/smplayer.profile2
-rw-r--r--etc/snap.profile2
-rw-r--r--etc/soffice.profile1
-rw-r--r--etc/soundconverter.profile2
-rw-r--r--etc/spotify.profile1
-rw-r--r--etc/sqlitebrowser.profile2
-rw-r--r--etc/ssh-agent.profile2
-rw-r--r--etc/ssh.profile2
-rw-r--r--etc/start-tor-browser.profile2
-rw-r--r--etc/steam.profile2
-rw-r--r--etc/stellarium.profile2
-rw-r--r--etc/strings.profile4
-rw-r--r--etc/supertux2.profile2
-rw-r--r--etc/synfigstudio.profile2
-rw-r--r--etc/tar.profile2
-rw-r--r--etc/telegram-desktop.profile1
-rw-r--r--etc/telegram.profile2
-rw-r--r--etc/thunar.profile1
-rw-r--r--etc/thunderbird.profile3
-rw-r--r--etc/tracker.profile2
-rw-r--r--etc/transmission-cli.profile2
-rw-r--r--etc/transmission-gtk.profile2
-rw-r--r--etc/transmission-qt.profile2
-rw-r--r--etc/transmission-show.profile2
-rw-r--r--etc/truecraft.profile2
-rw-r--r--etc/tuxguitar.profile31
-rw-r--r--etc/uget-gtk.profile2
-rw-r--r--etc/unbound.profile2
-rw-r--r--etc/unknown-horizons.profile2
-rw-r--r--etc/unrar.profile2
-rw-r--r--etc/unzip.profile2
-rw-r--r--etc/uudeview.profile2
-rw-r--r--etc/uzbl-browser.profile2
-rw-r--r--etc/viewnior.profile2
-rw-r--r--etc/viking.profile2
-rw-r--r--etc/vim.profile2
-rw-r--r--etc/virtualbox.profile2
-rw-r--r--etc/vivaldi-beta.profile1
-rw-r--r--etc/vivaldi-stable.profile1
-rw-r--r--etc/vivaldi.profile2
-rw-r--r--etc/vym.profile2
-rw-r--r--etc/w3m.profile2
-rw-r--r--etc/warzone2100.profile2
-rw-r--r--etc/waterfox.profile2
-rw-r--r--etc/weechat-curses.profile1
-rw-r--r--etc/weechat.profile2
-rw-r--r--etc/wesnoth.profile2
-rw-r--r--etc/wget.profile2
-rw-r--r--etc/wine.profile2
-rw-r--r--etc/wire.profile2
-rw-r--r--etc/wireshark-gtk.profile1
-rw-r--r--etc/wireshark-qt.profile1
-rw-r--r--etc/wireshark.profile2
-rw-r--r--etc/xchat.profile2
-rw-r--r--etc/xed.profile2
-rw-r--r--etc/xfburn.profile2
-rw-r--r--etc/xfce4-dict.profile2
-rw-r--r--etc/xfce4-notes.profile2
-rw-r--r--etc/xiphos.profile2
-rw-r--r--etc/xmms.profile1
-rw-r--r--etc/xonotic-glx.profile1
-rw-r--r--etc/xonotic-sdl.profile1
-rw-r--r--etc/xonotic.profile2
-rw-r--r--etc/xpdf.profile2
-rw-r--r--etc/xplayer.profile1
-rw-r--r--etc/xpra.profile6
-rw-r--r--etc/xreader.profile2
-rw-r--r--etc/xviewer.profile2
-rw-r--r--etc/xz.profile1
-rw-r--r--etc/xzdec.profile2
-rw-r--r--etc/youtube-dl.profile2
-rw-r--r--etc/zathura.profile2
-rw-r--r--etc/zoom.profile2
-rw-r--r--platform/debian/conffiles1
-rw-r--r--platform/rpm/firejail.spec2
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/fs_dev.c162
-rw-r--r--src/firejail/fs_trace.c5
-rw-r--r--src/firejail/main.c22
-rw-r--r--src/firejail/output.c22
-rw-r--r--src/firejail/preproc.c5
-rw-r--r--src/firejail/profile.c8
-rw-r--r--src/firejail/sandbox.c28
-rw-r--r--src/firejail/seccomp.c36
-rw-r--r--src/firejail/usage.c5
-rw-r--r--src/fseccomp/fseccomp.h15
-rw-r--r--src/fseccomp/main.c30
-rw-r--r--src/fseccomp/seccomp.c116
-rw-r--r--src/fseccomp/seccomp_file.c9
-rw-r--r--src/fseccomp/syscall.c64
-rw-r--r--src/libpostexecseccomp/Makefile.in26
-rw-r--r--src/libpostexecseccomp/libpostexecseccomp.c54
-rw-r--r--src/libpostexecseccomp/libpostexecseccomp.h25
-rw-r--r--src/man/firejail-profile.txt6
-rw-r--r--src/man/firejail.txt49
369 files changed, 1463 insertions, 373 deletions
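--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 
@@ -85,6 +85,7 @@ realinstall:
 	install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
 	install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
 ifeq ($(HAVE_GIT_INSTALL),-DHAVE_GIT_INSTALL)
@@ -159,11 +160,13 @@ install-strip: all
 	strip src/firecfg/firecfg
 	strip src/libtrace/libtrace.so
 	strip src/libtracelog/libtracelog.so
+	strip src/libpostexecseccomp/libpostexecseccomp.so
 	strip src/ftee/ftee
 	strip src/faudit/faudit
 	strip src/fnet/fnet
 	strip src/fseccomp/fseccomp
 	strip src/fcopy/fcopy
+	strip src/fldd/fldd
 	$(MAKE) realinstall
 
 uninstall: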
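Review bot: The uninstall target that begins on the hunk's last line is not touched, while realinstall now copies libpostexecseccomp.so into $(DESTDIR)/$(libdir)/firejail. If uninstall removes the preload libraries one by one rather than deleting that whole directory, the new library is left behind after uninstall — worth checking, since the body of uninstall lies outside the hunk. The `strip src/fldd/fldd` line added to install-strip is a separate fix unrelated to the new library; it deserves a mention in the commit message or its own commit.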
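--- a/README
+++ b/README
@@ -336,6 +336,8 @@ pirate486743186 (https://github.com/pirate486743186)
  - KMail profile
 Pixel Fairy (https://github.com/xahare)
  - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
+PizzaDude (https://github.com/pizzadude)
+ - add mpv support to smplayer
 pshpsh (https://github.com/pshpsh)
  - added FossaMail profile
 pstn (https://github.com/pstn)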
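--- a/README.md
+++ b/README.md
@@ -112,6 +112,10 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
  Example:
  $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
  fox
+
+ --output-stderr=logfile
+ Similar to --output, but stderr is also stored.
+
 `````
 
 ## /etc/firejail/firejail.config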
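--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.49) baseline; urgency=low
  * work in progress!
+ * modif: --output split in two commands, --output and --output-stderr
  * feature: per-profile disable-mnt (--disable-mnt)
  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
  * enhancement: /proc/sys mounting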
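--- a/configure
+++ b/configure
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4545,6 +4545,7 @@ do
  "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
  "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
  "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
+ "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac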
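--- a/configure.ac
+++ b/configure.ac
@@ -177,7 +177,7 @@ fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 
 echo
 echo "Configuration options:"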
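--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp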
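--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp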
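--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -11,8 +11,9 @@ blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodvd
 nosound
-nosound
+notv
 novideo
 shell none
 tracelog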
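--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none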
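--- a/etc/Cyberfox.profile
+++ b/etc/Cyberfox.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/cyberfox.profile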
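--- a/etc/FossaMail.profile
+++ b/etc/FossaMail.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/fossamail.profile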
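--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -21,6 +21,8 @@ whitelist ~/Documents/Wolfram Mathematica
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+nodvd
 nonewprivs
 noroot
+notv
 seccomp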
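--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/telegram.profile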
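--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp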
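--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/virtualbox.profile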
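--- a/etc/Wire.profile
+++ b/etc/Wire.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/wire.profile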
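--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -22,11 +22,13 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
+nodvd
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
 # noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none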
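Review bot: `nodvd` is inserted directly under `# Xephyr needs to be allowed access to the abstract Unix socket namespace.`, so that comment now reads as if it explained nodvd, which it does not; the same happens in etc/Xvfb.profile. The comment already sat above an unrelated directive before this change and seems to justify an option that is deliberately left out, so the problem is pre-existing, but the new insertion widens the mismatch. Putting `nodvd` above the comment, directly after `caps.drop all`, keeps the comment where it was; better still, move the comment next to the option it actually refers to, if that can be confirmed.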
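--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -23,11 +23,13 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
+nodvd
 nogroups
 nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none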
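--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -37,8 +37,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog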
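--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -16,9 +16,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp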
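--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -16,6 +16,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 # seccomp
 shell none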
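Review bot: This profile gets `notv` but not `nodvd`, unlike almost every other profile in the commit, and etc/audacious.profile is handled the same way. If the omission is deliberate because nodvd also disables audio CD devices, which a music player may legitimately need, that reasoning should be written down so the next sweep does not add it, e.g. `# no nodvd: audio CD playback`. If it is not deliberate, nodvd belongs here for consistency with the rest of the change.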
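--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -20,9 +20,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp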
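--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -14,15 +14,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+private-bin apktool,bash,java,dirname,basename,expr
 private-dev
 
 noexec ${HOME}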
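Review bot: The new `private-bin apktool,bash,java,dirname,basename,expr` line gives no reason for the entries other than apktool and java; the bash/dirname/basename/expr set suggests apktool starts through a shell wrapper, but nothing says so, and a later tidy-up could drop `bash` and silently break the sandbox. A one-line rationale above it, such as `# apktool is launched via a shell script; bash and the coreutils it calls must stay in private-bin`, pins that down — confirm against the installed launcher before committing to the wording. Keep in mind that with bash in private-bin the sandbox still contains a working shell even though `shell none` is set, so the private-bin list is the effective restriction here.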
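--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp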
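--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -14,10 +14,13 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none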
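--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -20,10 +20,12 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -31,7 +33,7 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig
+# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
 private-dev
 private-etc tor,passwd
 private-tmp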
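Review bot: In the second hunk `bash` is added to a `# private-bin` line that stays commented out, so the edit changes nothing about the sandbox — only the comment text. If the line is kept as a ready-to-enable allowlist, a note on why private-bin is currently disabled would stop the next maintainer from either enabling it blind or deleting it as dead text, e.g. `# private-bin kept disabled: <reason>`. If nothing blocks it any more, enabling it in a follow-up would bring arm in line with the apktool and baobab profiles, which gain an active private-bin in this same commit.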
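--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp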
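--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp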
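--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp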
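--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp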
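--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -17,6 +17,8 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none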
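--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix
 seccomp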
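--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -18,10 +18,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp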
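--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -18,10 +18,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
@@ -36,6 +38,6 @@ noexec /tmp
 
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# noexec ${HOME}/.local/share
 # read-only ${HOME}
 # read-write ${HOME}/.local/share
+# noexec ${HOME}/.local/share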
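--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,15 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+private-bin baobab
 private-dev
 private-tmp
 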
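--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -24,10 +24,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp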
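--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 netfilter
 no3d
+nodvd
 nonewprivs
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp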
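--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp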
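--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none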
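--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+# private-bin bless,sh,bash,mono
 private-dev
 private-etc fonts,mono
 private-tmp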
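Review bot: The added `# private-bin bless,sh,bash,mono` is commented out without any indication of why it is disabled, and a line like that tends to be uncommented later by someone assuming it was simply unfinished. Record the reason on the line itself, e.g. `# private-bin bless,sh,bash,mono - disabled: [REASON PLACEHOLDER, e.g. untested / breaks the mono launcher]`, so the next reader knows whether it is safe to enable. If the list is merely untested, saying so is enough.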
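--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp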
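--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -30,6 +30,8 @@ include /etc/firejail/whitelist-common.inc
 netfilter
 # nonewprivs
 # noroot
+nodvd
+notv
 # protocol unix,inet,inet6,netlink
 # seccomp
 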
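--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -19,9 +19,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix
 seccomp
 shell none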
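--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp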
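--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp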
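--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp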
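--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -1,5 +1,5 @@
 # Firejail profile alias for chromium
 # This file is overwritten after every install/update
 
-
+# Redirect
 include /etc/firejail/chromium.profile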
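--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,8 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 mkdir ~/.cache/chromium
@@ -27,9 +26,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
+nodvd
 nogroups
+notv
 shell none
 
+# private-bin chromium,chromium-browser,chromedriver
 private-dev
 # private-tmp - problems with multiple browser sessions
 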
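Review bot: Enabling `include /etc/firejail/disable-devel.inc` in the first hunk also drops the comment that explained why it had been left off (the Arch package launches chromium through a perl script), and nothing in the commit says that situation has changed. If the launcher is still a perl script there, the browser will fail to start on Arch once the interpreter is blacklisted — an inference from the removed comment, not from anything else visible here — so keep a one-line note such as `# disable-devel.inc is known to break the perl launcher on Arch; override it in the profile's .local file if needed`. The commented-out `# private-bin chromium,chromium-browser,chromedriver` added in the second hunk likewise gives no reason for being disabled; a short trailing note on why it is off would stop it from being enabled blindly later.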
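--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none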
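--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ~/.config/Clementine
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 # Clementine makes ioprio_set system calls, which are blacklisted by default.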
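--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp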
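--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -16,6 +16,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none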
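--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -25,7 +25,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp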
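--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 noroot
+notv
 protocol unix,inet,inet6
 seccomp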
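--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -19,7 +19,9 @@ caps.drop all
 net none
 net none
 no3d
+nodvd
 nosound
+notv
 seccomp
 shell none
 tracelog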
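Review bot: `net none` appears twice in the context lines directly above the added `nodvd`, and the commit touches this block without removing the duplicate. One of the two lines should go so the profile stays readable and does not look like a merge artefact; as far as the hunk shows the repetition is harmless at runtime, so this is a cleanup rather than a sandboxing change.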
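--- a/etc/cryptocat.profile
+++ b/etc/cryptocat.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/Cryptocat.profile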
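--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none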
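--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none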
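--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -52,9 +52,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none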
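--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp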
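--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -18,6 +18,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp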
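--- a/etc/default.profile
+++ b/etc/default.profile
@@ -16,10 +16,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # ipc-namespace
 netfilter
+# no3d
+# nodvd
 # nogroups
 nonewprivs
 noroot
 # nosound
+# notv
 # novideo
 protocol unix,inet,inet6
 seccomp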
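--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -19,9 +19,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp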
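--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
 private-dev
 
 noexec ${HOME}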
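Review bot: The added `private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep` pulls two shells and a handful of coreutils into the sandbox without saying why, so a later reader will assume the list can be trimmed. Presumably the dex2jar entry point is a shell wrapper that needs those tools to locate and launch java — worth stating, e.g. `# dex2jar is a shell wrapper script; it needs sh,bash and the coreutils it calls to find java`. It is also worth confirming that `java` resolves inside private-bin on the target distributions, since it is often a symlink chain through an alternatives directory; if it does not, the effect is a launcher that fails, not a weaker sandbox.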
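--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp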
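--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -16,9 +16,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group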
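--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -21,8 +21,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 tracelog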
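--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -20,10 +20,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp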
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f23a03876..3606d6308 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -3,102 +3,102 @@
3include /etc/firejail/disable-common.local 3include /etc/firejail/disable-common.local
4 4
5# History files in $HOME 5# History files in $HOME
6blacklist-nolog ${HOME}/.history
7blacklist-nolog ${HOME}/.*_history 6blacklist-nolog ${HOME}/.*_history
7blacklist-nolog ${HOME}/.adobe
8blacklist-nolog ${HOME}/.bash_history 8blacklist-nolog ${HOME}/.bash_history
9blacklist-nolog ${HOME}/.history
9blacklist-nolog ${HOME}/.local/share/fish/fish_history 10blacklist-nolog ${HOME}/.local/share/fish/fish_history
10blacklist-nolog ${HOME}/.adobe
11blacklist-nolog ${HOME}/.macromedia 11blacklist-nolog ${HOME}/.macromedia
12 12
13# X11 session autostart 13# X11 session autostart
14blacklist ${HOME}/.xinitrc 14# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
15blacklist ${HOME}/.xserverrc
16blacklist /etc/X11/Xsession.d
17blacklist ${HOME}/.Xsession 15blacklist ${HOME}/.Xsession
18blacklist ${HOME}/.xsession
19blacklist ${HOME}/.xsessionrc
20blacklist ${HOME}/.xprofile
21blacklist ${HOME}/.gnomerc
22blacklist /etc/xdg/autostart
23blacklist ${HOME}/.config/autostart 16blacklist ${HOME}/.config/autostart
24blacklist ${HOME}/.local/share/autostart
25blacklist ${HOME}/.kde4/share/config/startupconfig
26blacklist ${HOME}/.kde4/env
27blacklist ${HOME}/.kde4/Autostart
28blacklist ${HOME}/.kde4/share/autostart
29blacklist ${HOME}/.kde4/shutdown
30blacklist ${HOME}/.kde/share/config/startupconfig
31blacklist ${HOME}/.kde/env
32blacklist ${HOME}/.kde/Autostart
33blacklist ${HOME}/.kde/share/autostart
34blacklist ${HOME}/.kde/shutdown
35blacklist ${HOME}/.config/startupconfig
36blacklist ${HOME}/.config/autostart-scripts 17blacklist ${HOME}/.config/autostart-scripts
37blacklist ${HOME}/.config/plasma-workspace/env
38blacklist ${HOME}/.config/plasma-workspace/shutdown
39blacklist ${HOME}/.config/lxsession/LXDE/autostart 18blacklist ${HOME}/.config/lxsession/LXDE/autostart
40blacklist ${HOME}/.config/openbox/autostart 19blacklist ${HOME}/.config/openbox/autostart
41blacklist ${HOME}/.config/openbox/environment 20blacklist ${HOME}/.config/openbox/environment
21blacklist ${HOME}/.config/plasma-workspace/env
22blacklist ${HOME}/.config/plasma-workspace/shutdown
23blacklist ${HOME}/.config/startupconfig
42blacklist ${HOME}/.fluxbox/startup 24blacklist ${HOME}/.fluxbox/startup
43# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs 25blacklist ${HOME}/.gnomerc
26blacklist ${HOME}/.kde/Autostart
27blacklist ${HOME}/.kde/env
28blacklist ${HOME}/.kde/share/autostart
29blacklist ${HOME}/.kde/share/config/startupconfig
30blacklist ${HOME}/.kde/shutdown
31blacklist ${HOME}/.kde4/env
32blacklist ${HOME}/.kde4/Autostart
33blacklist ${HOME}/.kde4/share/autostart
34blacklist ${HOME}/.kde4/shutdown
35blacklist ${HOME}/.kde4/share/config/startupconfig
36blacklist ${HOME}/.local/share/autostart
37blacklist ${HOME}/.xinitrc
38blacklist ${HOME}/.xprofile
39blacklist ${HOME}/.xserverrc
40blacklist ${HOME}/.xsession
41blacklist ${HOME}/.xsessionrc
42blacklist /etc/X11/Xsession.d
43blacklist /etc/xdg/autostart
44 44
45# KDE config 45# KDE config
46blacklist ${HOME}/.kde4/share/apps/konsole 46blacklist ${HOME}/.config/*.notifyrc
47blacklist ${HOME}/.kde4/share/apps/kwin 47blacklist ${HOME}/.config/khotkeysrc
48blacklist ${HOME}/.kde4/share/apps/plasma 48blacklist ${HOME}/.config/krunnerrc
49blacklist ${HOME}/.kde4/share/apps/solid 49blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
50blacklist ${HOME}/.kde4/share/config/*.notifyrc
51read-only ${HOME}/.kde4/share/config/kdeglobals
52blacklist ${HOME}/.kde4/share/config/khotkeysrc
53blacklist ${HOME}/.kde4/share/config/krunnerrc
54blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
55read-only ${HOME}/.kde4/share/kde4/services
56blacklist ${HOME}/.kde/share/apps/konsole 50blacklist ${HOME}/.kde/share/apps/konsole
57blacklist ${HOME}/.kde/share/apps/kwin 51blacklist ${HOME}/.kde/share/apps/kwin
58blacklist ${HOME}/.kde/share/apps/plasma 52blacklist ${HOME}/.kde/share/apps/plasma
59blacklist ${HOME}/.kde/share/apps/solid 53blacklist ${HOME}/.kde/share/apps/solid
60blacklist ${HOME}/.kde/share/config/*.notifyrc 54blacklist ${HOME}/.kde/share/config/*.notifyrc
61read-only ${HOME}/.kde/share/config/kdeglobals
62blacklist ${HOME}/.kde/share/config/khotkeysrc 55blacklist ${HOME}/.kde/share/config/khotkeysrc
63blacklist ${HOME}/.kde/share/config/krunnerrc 56blacklist ${HOME}/.kde/share/config/krunnerrc
64blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc 57blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
65read-only ${HOME}/.kde/share/kde4/services 58blacklist ${HOME}/.kde4/share/apps/plasma
66blacklist ${HOME}/.config/*.notifyrc 59blacklist ${HOME}/.kde4/share/apps/konsole
67read-only ${HOME}/.config/kdeglobals 60blacklist ${HOME}/.kde4/share/apps/kwin
68blacklist ${HOME}/.config/khotkeysrc 61blacklist ${HOME}/.kde4/share/config/krunnerrc
69blacklist ${HOME}/.config/krunnerrc 62blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
70blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc 63blacklist ${HOME}/.kde4/share/config/khotkeysrc
64blacklist ${HOME}/.kde4/share/apps/solid
65blacklist ${HOME}/.kde4/share/config/*.notifyrc
71blacklist ${HOME}/.local/share/kglobalaccel 66blacklist ${HOME}/.local/share/kglobalaccel
72blacklist ${HOME}/.local/share/konsole 67blacklist ${HOME}/.local/share/konsole
73read-only ${HOME}/.local/share/kservices5
74blacklist ${HOME}/.local/share/kwin 68blacklist ${HOME}/.local/share/kwin
75blacklist ${HOME}/.local/share/plasma 69blacklist ${HOME}/.local/share/plasma
76blacklist ${HOME}/.local/share/solid 70blacklist ${HOME}/.local/share/solid
71read-only ${HOME}/.config/kdeglobals
72read-only ${HOME}/.kde/share/config/kdeglobals
73read-only ${HOME}/.kde/share/kde4/services
74read-only ${HOME}/.kde4/share/kde4/services
75read-only ${HOME}/.kde4/share/config/kdeglobals
76read-only ${HOME}/.local/share/kservices5
77 77
78# systemd 78# systemd
79blacklist ${HOME}/.local/share/systemd
80blacklist ${HOME}/.config/systemd 79blacklist ${HOME}/.config/systemd
80blacklist ${HOME}/.local/share/systemd
81 81
82# VirtualBox 82# VirtualBox
83blacklist ${HOME}/.VirtualBox 83blacklist ${HOME}/.VirtualBox
84blacklist ${HOME}/VirtualBox VMs
85blacklist ${HOME}/.config/VirtualBox 84blacklist ${HOME}/.config/VirtualBox
85blacklist ${HOME}/VirtualBox VMs
86 86
87# VeraCrypt 87# VeraCrypt
88blacklist ${HOME}/.VeraCrypt
88blacklist ${PATH}/veracrypt 89blacklist ${PATH}/veracrypt
89blacklist ${PATH}/veracrypt-uninstall.sh 90blacklist ${PATH}/veracrypt-uninstall.sh
90blacklist /usr/share/veracrypt
91blacklist /usr/share/applications/veracrypt.* 91blacklist /usr/share/applications/veracrypt.*
92blacklist /usr/share/pixmaps/veracrypt.* 92blacklist /usr/share/pixmaps/veracrypt.*
93blacklist ${HOME}/.VeraCrypt 93blacklist /usr/share/veracrypt
94 94
95# TrueCrypt 95# TrueCrypt
96blacklist ${HOME}/.TrueCrypt
96blacklist ${PATH}/truecrypt 97blacklist ${PATH}/truecrypt
97blacklist ${PATH}/truecrypt-uninstall.sh 98blacklist ${PATH}/truecrypt-uninstall.sh
98blacklist /usr/share/truecrypt
99blacklist /usr/share/applications/truecrypt.* 99blacklist /usr/share/applications/truecrypt.*
100blacklist /usr/share/pixmaps/truecrypt.* 100blacklist /usr/share/pixmaps/truecrypt.*
101blacklist ${HOME}/.TrueCrypt 101blacklist /usr/share/truecrypt
102 102
103# zuluCrypt 103# zuluCrypt
104blacklist ${HOME}/.zuluCrypt 104blacklist ${HOME}/.zuluCrypt
@@ -107,82 +107,82 @@ blacklist ${PATH}/zuluCrypt-cli
107blacklist ${PATH}/zuluMount-cli 107blacklist ${PATH}/zuluMount-cli
108 108
109# var 109# var
110blacklist /var/spool/cron 110blacklist /var/lib/mysql/mysql.sock
111blacklist /var/spool/anacron 111blacklist /var/lib/mysqld/mysql.sock
112blacklist /var/mail 112blacklist /var/mail
113blacklist /var/run/acpid.socket 113blacklist /var/run/acpid.socket
114blacklist /var/run/docker.sock
114blacklist /var/run/minissdpd.sock 115blacklist /var/run/minissdpd.sock
115blacklist /var/run/rpcbind.sock
116blacklist /var/run/mysqld/mysqld.sock
117blacklist /var/run/mysql/mysqld.sock 116blacklist /var/run/mysql/mysqld.sock
118blacklist /var/lib/mysqld/mysql.sock 117blacklist /var/run/mysqld/mysqld.sock
119blacklist /var/lib/mysql/mysql.sock 118blacklist /var/run/rpcbind.sock
120blacklist /var/run/docker.sock 119blacklist /var/spool/anacron
120blacklist /var/spool/cron
121 121
122# etc 122# etc
123blacklist /etc/anacrontab
123blacklist /etc/cron* 124blacklist /etc/cron*
124blacklist /etc/profile.d 125blacklist /etc/profile.d
125blacklist /etc/rc.local 126blacklist /etc/rc.local
126blacklist /etc/anacrontab
127 127
128# Startup files 128# Startup files
129read-only ${HOME}/.antigen 129read-only ${HOME}/.antigen
130read-only ${HOME}/.bash_login
131read-only ${HOME}/.bashrc
132read-only ${HOME}/.bash_aliases 130read-only ${HOME}/.bash_aliases
133read-only ${HOME}/.bash_profile 131read-only ${HOME}/.bash_login
134read-only ${HOME}/.bash_logout 132read-only ${HOME}/.bash_logout
135read-only ${HOME}/.zsh.d 133read-only ${HOME}/.bash_profile
136read-only ${HOME}/.zshenv 134read-only ${HOME}/.bashrc
137read-only ${HOME}/.zshrc
138read-only ${HOME}/.zshrc.local
139read-only ${HOME}/.zlogin
140read-only ${HOME}/.zprofile
141read-only ${HOME}/.zlogout
142read-only ${HOME}/.zsh_files
143read-only ${HOME}/.tcshrc
144read-only ${HOME}/.cshrc
145read-only ${HOME}/.csh_files
146read-only ${HOME}/.config/fish 135read-only ${HOME}/.config/fish
147read-only ${HOME}/.local/share/fish 136read-only ${HOME}/.csh_files
148read-only ${HOME}/.profile 137read-only ${HOME}/.cshrc
149read-only ${HOME}/.forward 138read-only ${HOME}/.forward
139read-only ${HOME}/.local/share/fish
150read-only ${HOME}/.login 140read-only ${HOME}/.login
151read-only ${HOME}/.logout 141read-only ${HOME}/.logout
142read-only ${HOME}/.pam_environment
152read-only ${HOME}/.pgpkey 143read-only ${HOME}/.pgpkey
153read-only ${HOME}/.plan 144read-only ${HOME}/.plan
145read-only ${HOME}/.profile
154read-only ${HOME}/.project 146read-only ${HOME}/.project
155read-only ${HOME}/.pam_environment 147read-only ${HOME}/.tcshrc
148read-only ${HOME}/.zlogin
149read-only ${HOME}/.zlogout
150read-only ${HOME}/.zprofile
151read-only ${HOME}/.zsh.d
152read-only ${HOME}/.zsh_files
153read-only ${HOME}/.zshenv
154read-only ${HOME}/.zshrc
155read-only ${HOME}/.zshrc.local
156 156
157# Initialization files that allow arbitrary command execution 157# Initialization files that allow arbitrary command execution
158read-only ${HOME}/.caffrc 158read-only ${HOME}/.caffrc
159read-only ${HOME}/.dotfiles 159read-only ${HOME}/.dotfiles
160read-only ${HOME}/dotfiles
161read-only ${HOME}/.mailcap
162read-only ${HOME}/.muttrc
163read-only ${HOME}/.mutt/muttrc
164read-only ${HOME}/.msmtprc
165read-only ${HOME}/.exrc
166read-only ${HOME}/_exrc
167read-only ${HOME}/.vimrc
168read-only ${HOME}/_vimrc
169read-only ${HOME}/.gvimrc
170read-only ${HOME}/_gvimrc
171read-only ${HOME}/.vim
172read-only ${HOME}/.emacs 160read-only ${HOME}/.emacs
173read-only ${HOME}/.emacs.d 161read-only ${HOME}/.emacs.d
174read-only ${HOME}/.nano 162read-only ${HOME}/.exrc
175read-only ${HOME}/.tmux.conf 163read-only ${HOME}/.gvimrc
176read-only ${HOME}/.iscreenrc 164read-only ${HOME}/.iscreenrc
165read-only ${HOME}/.mailcap
166read-only ${HOME}/.msmtprc
167read-only ${HOME}/.mutt/muttrc
168read-only ${HOME}/.muttrc
169read-only ${HOME}/.nano
177read-only ${HOME}/.reportbugrc 170read-only ${HOME}/.reportbugrc
171read-only ${HOME}/.tmux.conf
172read-only ${HOME}/.vim
173read-only ${HOME}/.vimrc
178read-only ${HOME}/.xmonad 174read-only ${HOME}/.xmonad
179read-only ${HOME}/.xscreensaver 175read-only ${HOME}/.xscreensaver
176read-only ${HOME}/_exrc
177read-only ${HOME}/_gvimrc
178read-only ${HOME}/_vimrc
179read-only ${HOME}/dotfiles
180 180
181# Make directories commonly found in $PATH read-only 181# Make directories commonly found in $PATH read-only
182read-only ${HOME}/bin
183read-only ${HOME}/.gem 182read-only ${HOME}/.gem
184read-only ${HOME}/.luarocks 183read-only ${HOME}/.luarocks
185read-only ${HOME}/.npm-packages 184read-only ${HOME}/.npm-packages
185read-only ${HOME}/bin
186 186
187# The following block breaks trash functionality in file managers 187# The following block breaks trash functionality in file managers
188#read-only ${HOME}/.local 188#read-only ${HOME}/.local
@@ -194,75 +194,75 @@ blacklist ${HOME}/.local/share/Trash
194read-only ${HOME}/.local/share/applications 194read-only ${HOME}/.local/share/applications
195 195
196# top secret 196# top secret
197blacklist ${HOME}/.ecryptfs 197blacklist ${HOME}/*.kdb
198blacklist ${HOME}/*.kdbx
199blacklist ${HOME}/*.key
198blacklist ${HOME}/.Private 200blacklist ${HOME}/.Private
199blacklist ${HOME}/.ssh 201blacklist ${HOME}/.caff
200blacklist ${HOME}/.cert 202blacklist ${HOME}/.cert
203blacklist ${HOME}/.config/keybase
204blacklist ${HOME}/.ecryptfs
201blacklist ${HOME}/.gnome2/keyrings 205blacklist ${HOME}/.gnome2/keyrings
202blacklist ${HOME}/.local/share/keyrings 206blacklist ${HOME}/.gnupg
203blacklist ${HOME}/.kde4/share/apps/kwallet
204blacklist ${HOME}/.kde/share/apps/kwallet 207blacklist ${HOME}/.kde/share/apps/kwallet
208blacklist ${HOME}/.kde4/share/apps/kwallet
209blacklist ${HOME}/.local/share/keyrings
205blacklist ${HOME}/.local/share/kwalletd 210blacklist ${HOME}/.local/share/kwalletd
206blacklist ${HOME}/.config/keybase
207blacklist ${HOME}/.netrc
208blacklist ${HOME}/.gnupg
209blacklist ${HOME}/.caff
210blacklist ${HOME}/.smbcredentials
211blacklist ${HOME}/*.kdbx
212blacklist ${HOME}/*.kdb
213blacklist ${HOME}/*.key
214blacklist ${HOME}/.muttrc
215blacklist ${HOME}/.mutt/muttrc
216blacklist ${HOME}/.msmtprc 211blacklist ${HOME}/.msmtprc
212blacklist ${HOME}/.mutt/muttrc
213blacklist ${HOME}/.muttrc
214blacklist ${HOME}/.netrc
217blacklist ${HOME}/.pki 215blacklist ${HOME}/.pki
218blacklist /etc/shadow 216blacklist ${HOME}/.smbcredentials
219blacklist /etc/gshadow 217blacklist ${HOME}/.ssh
220blacklist /etc/passwd- 218blacklist /etc/group+
221blacklist /etc/group- 219blacklist /etc/group-
222blacklist /etc/shadow- 220blacklist /etc/gshadow
221blacklist /etc/gshadow+
223blacklist /etc/gshadow- 222blacklist /etc/gshadow-
224blacklist /etc/passwd+ 223blacklist /etc/passwd+
225blacklist /etc/group+ 224blacklist /etc/passwd-
225blacklist /etc/shadow
226blacklist /etc/shadow+ 226blacklist /etc/shadow+
227blacklist /etc/gshadow+ 227blacklist /etc/shadow-
228blacklist /etc/ssh 228blacklist /etc/ssh
229blacklist /var/backup
230blacklist /home/.ecryptfs 229blacklist /home/.ecryptfs
230blacklist /var/backup
231 231
232# system directories 232# system directories
233blacklist /sbin 233blacklist /sbin
234blacklist /usr/sbin
235blacklist /usr/local/sbin 234blacklist /usr/local/sbin
235blacklist /usr/sbin
236 236
237# system management 237# system management
238blacklist ${PATH}/umount
239blacklist ${PATH}/mount
240blacklist ${PATH}/fusermount
241blacklist ${PATH}/ntfs-3g
242blacklist ${PATH}/at 238blacklist ${PATH}/at
243blacklist ${PATH}/su 239blacklist ${PATH}/chage
244blacklist ${PATH}/sudo 240blacklist ${PATH}/chfn
245blacklist ${PATH}/xinput 241blacklist ${PATH}/chsh
242blacklist ${PATH}/crontab
246blacklist ${PATH}/evtest 243blacklist ${PATH}/evtest
247blacklist ${PATH}/xev 244blacklist ${PATH}/expiry
248blacklist ${PATH}/strace 245blacklist ${PATH}/fusermount
246blacklist ${PATH}/gpasswd
247blacklist ${PATH}/ksu
248blacklist ${PATH}/mount
249blacklist ${PATH}/mount.ecryptfs_private
249blacklist ${PATH}/nc 250blacklist ${PATH}/nc
250blacklist ${PATH}/ncat 251blacklist ${PATH}/ncat
251blacklist ${PATH}/gpasswd
252blacklist ${PATH}/newgidmap 252blacklist ${PATH}/newgidmap
253blacklist ${PATH}/newgrp 253blacklist ${PATH}/newgrp
254blacklist ${PATH}/newuidmap 254blacklist ${PATH}/newuidmap
255blacklist ${PATH}/ntfs-3g
255blacklist ${PATH}/pkexec 256blacklist ${PATH}/pkexec
257blacklist ${PATH}/procmail
256blacklist ${PATH}/sg 258blacklist ${PATH}/sg
257blacklist ${PATH}/crontab 259blacklist ${PATH}/strace
258blacklist ${PATH}/ksu 260blacklist ${PATH}/su
259blacklist ${PATH}/chsh 261blacklist ${PATH}/sudo
260blacklist ${PATH}/chfn 262blacklist ${PATH}/umount
261blacklist ${PATH}/chage
262blacklist ${PATH}/expiry
263blacklist ${PATH}/unix_chkpwd 263blacklist ${PATH}/unix_chkpwd
264blacklist ${PATH}/procmail 264blacklist ${PATH}/xev
265blacklist ${PATH}/mount.ecryptfs_private 265blacklist ${PATH}/xinput
266 266
267# other SUID binaries 267# other SUID binaries
268blacklist /usr/lib/virtualbox 268blacklist /usr/lib/virtualbox
@@ -276,11 +276,9 @@ blacklist /tmp/tmux-*
276# disable terminals running as server resulting in sandbox escape 276# disable terminals running as server resulting in sandbox escape
277blacklist ${PATH}/gnome-terminal 277blacklist ${PATH}/gnome-terminal
278blacklist ${PATH}/gnome-terminal.wrapper 278blacklist ${PATH}/gnome-terminal.wrapper
279blacklist ${PATH}/xfce4-terminal 279blacklist ${PATH}/lilyterm
280blacklist ${PATH}/xfce4-terminal.wrapper
281blacklist ${PATH}/mate-terminal 280blacklist ${PATH}/mate-terminal
282blacklist ${PATH}/mate-terminal.wrapper 281blacklist ${PATH}/mate-terminal.wrapper
283blacklist ${PATH}/lilyterm
284blacklist ${PATH}/pantheon-terminal 282blacklist ${PATH}/pantheon-terminal
285blacklist ${PATH}/roxterm 283blacklist ${PATH}/roxterm
286blacklist ${PATH}/roxterm-config 284blacklist ${PATH}/roxterm-config
@@ -288,12 +286,14 @@ blacklist ${PATH}/terminix
288blacklist ${PATH}/tilix 286blacklist ${PATH}/tilix
289blacklist ${PATH}/urxvtc 287blacklist ${PATH}/urxvtc
290blacklist ${PATH}/urxvtcd 288blacklist ${PATH}/urxvtcd
291# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 289blacklist ${PATH}/xfce4-terminal
290blacklist ${PATH}/xfce4-terminal.wrapper
292# blacklist ${PATH}/konsole 291# blacklist ${PATH}/konsole
292# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
293 293
294# kernel files 294# kernel files
295blacklist /vmlinuz*
296blacklist /initrd* 295blacklist /initrd*
296blacklist /vmlinuz*
297 297
298# complement noexec ${HOME} and noexec /tmp 298# complement noexec ${HOME} and noexec /tmp
299noexec ${HOME}/.config/pulse 299noexec ${HOME}/.config/pulse
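--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,30 +1,30 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-devel.local
 
 # development tools
 
 # GCC
-blacklist /usr/include
 #blacklist /usr/lib/gcc - seems to create problems on Gentoo
-blacklist /usr/bin/gcc*
-blacklist /usr/bin/cpp*
-blacklist /usr/bin/c9*
-blacklist /usr/bin/c8*
-blacklist /usr/bin/c++*
 blacklist /usr/bin/as
-blacklist /usr/bin/ld
+blacklist /usr/bin/c++*
-blacklist /usr/bin/gdb
+blacklist /usr/bin/c8*
+blacklist /usr/bin/c9*
+blacklist /usr/bin/cpp*
 blacklist /usr/bin/g++*
+blacklist /usr/bin/gcc*
+blacklist /usr/bin/gdb
+blacklist /usr/bin/ld
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 blacklist /usr/bin/x86_64-linux-gnu-g++*
 blacklist /usr/bin/x86_64-linux-gnu-gcc*
 blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
-blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
+blacklist /usr/include
 
 # clang/llvm
 blacklist /usr/bin/clang*
-blacklist /usr/bin/llvm*
 blacklist /usr/bin/lldb*
+blacklist /usr/bin/llvm*
 blacklist /usr/lib/llvm*
 
 # tcc - Tiny C Compiler
@@ -37,15 +37,15 @@ blacklist /usr/bin/valgrind*
 blacklist /usr/lib/valgrind
 
 # Perl
-blacklist /usr/bin/perl
 blacklist /usr/bin/cpan*
-blacklist /usr/share/perl*
+blacklist /usr/bin/perl
 blacklist /usr/lib/perl*
+blacklist /usr/share/perl*
 
 # PHP
 blacklist /usr/bin/php*
-blacklist /usr/share/php*
 blacklist /usr/lib/php*
+blacklist /usr/share/php*
 
 # Ruby
 blacklist /usr/bin/ruby
@@ -54,22 +54,22 @@ blacklist /usr/lib/ruby
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
 #blacklist /usr/bin/python2*
+#blacklist /usr/include/python2*
 #blacklist /usr/lib/python2*
 #blacklist /usr/local/lib/python2*
-#blacklist /usr/include/python2*
 #blacklist /usr/share/python2*
 #
 # Python 3
 #blacklist /usr/bin/python3*
+#blacklist /usr/include/python3*
 #blacklist /usr/lib/python3*
 #blacklist /usr/local/lib/python3*
 #blacklist /usr/share/python3*
-#blacklist /usr/include/python3*
 
 #Go
+blacklist /usr/bin/gccgo
 blacklist /usr/bin/go
 blacklist /usr/bin/gofmt
-blacklist /usr/bin/gccgo
 
 #Rust
 blacklist /usr/bin/rust-gdb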
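--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,9 +1,7 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
 
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
@@ -12,4 +10,6 @@ blacklist ${HOME}/.keepass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepassxc
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.local/share/KeePass
+blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store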
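--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
 blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.IdeaIC*
 blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
@@ -28,10 +29,10 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
-blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/Gitter
@@ -52,6 +53,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
@@ -90,8 +92,8 @@ blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/geany
-blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/google-chrome
@@ -115,9 +117,9 @@ blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/lximage-qt
+blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
-blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -134,7 +136,6 @@ blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
 blacklist ${HOME}/.config/qpdfview
@@ -143,6 +144,7 @@ blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.config/ranger
 blacklist ${HOME}/.config/redshift.conf
+blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
@@ -165,9 +167,9 @@ blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
 blacklist ${HOME}/.config/xfburn
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xfce4-dict
 blacklist ${HOME}/.config/xiaoyong
 blacklist ${HOME}/.config/xmms2
@@ -185,13 +187,12 @@ blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.emacs
+blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.etr
+blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
-blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
@@ -208,25 +209,6 @@ blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.kde4/share/apps/gwenview
-blacklist ${HOME}/.kde4/share/apps/kcookiejar
-blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqsidebartng
-blacklist ${HOME}/.kde4/share/apps/konqueror
-blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloofilerc
-blacklist ${HOME}/.kde4/share/config/baloorc
-blacklist ${HOME}/.kde4/share/config/gwenviewrc
-blacklist ${HOME}/.kde4/share/config/digikam
-blacklist ${HOME}/.kde4/share/config/k3brc
-blacklist ${HOME}/.kde4/share/config/kcookiejarrc
-blacklist ${HOME}/.kde4/share/config/khtmlrc
-blacklist ${HOME}/.kde4/share/config/konq_history
-blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde4/share/config/konquerorrc
-blacklist ${HOME}/.kde4/share/config/okularpartrc
-blacklist ${HOME}/.kde4/share/config/okularrc
-blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/khtml
@@ -243,9 +225,28 @@ blacklist ${HOME}/.kde/share/config/khtmlrc
 blacklist ${HOME}/.kde/share/config/konq_history
 blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
+blacklist ${HOME}/.kde/share/config/ktorrentrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.kde/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/baloorc
+blacklist ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/apps/okular
+blacklist ${HOME}/.kde4/share/apps/konqueror
+blacklist ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/khtml
+blacklist ${HOME}/.kde4/share/apps/kcookiejar
+blacklist ${HOME}/.kde4/share/config/digikam
+blacklist ${HOME}/.kde4/share/apps/gwenview
+blacklist ${HOME}/.kde4/share/config/kcookiejarrc
+blacklist ${HOME}/.kde4/share/config/khtmlrc
+blacklist ${HOME}/.kde4/share/config/konq_history
+blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde4/share/config/konquerorrc
+blacklist ${HOME}/.kde4/share/config/okularpartrc
+blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/k3brc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
@@ -257,7 +258,6 @@ blacklist ${HOME}/.local/.share/maps-places.json
 blacklist ${HOME}/.local/lib/python2.7/site-packages
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
-blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
@@ -267,6 +267,7 @@ blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
@@ -287,8 +288,8 @@ blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kate
-blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/multimc5
@@ -297,6 +298,7 @@ blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
@@ -314,7 +316,6 @@ blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
@@ -356,6 +357,7 @@ blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
@@ -385,7 +387,6 @@ blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
@@ -407,6 +408,7 @@ blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
@@ -417,5 +419,5 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xreader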
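Review bot: The re-sorted run in hunk @@ -185,13 +187,12 @@ keeps two identical `blacklist ${HOME}/.emacs` entries (new lines 189 and 190); the duplicate predates this commit, but a sort pass is the natural place to drop one of them. The new `.kde4/share/...` run in hunk @@ -243,9 +225,28 @@ (new lines 231–249) is also not in the sorted order the rest of this commit establishes — `.kde4/share/config/baloorc` precedes `baloofilerc`, and `.kde4/share/config/digikam` sits between the `.kde4/share/apps/...` entries — which presumably is a paste in the wrong order and will show up as churn on the next sort. Neither point changes coverage: every path present before is still blacklisted on the new side.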
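--- a/etc/display.profile
+++ b/etc/display.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none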
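Review bot: `nodvd` (new line 16) and `notv` (new line 21) are added here, but `novideo` is not, while the sibling profiles in this commit with a comparable no-camera use (dolphin, eog, eom, engrampa) get all three; the dnscrypt-proxy, dnsmasq and enchant hunks have the same gap. Unless display is expected to open a video-capture device, adding `novideo` after `notv` would keep these four profiles consistent with the rest of the sweep. If leaving it out is intentional, a one-line comment next to `notv` saying why would stop the next pass from re-raising it.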
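--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -14,7 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 no3d
+nodvd
 nosound
+notv
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private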
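--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -16,8 +16,10 @@ include /etc/firejail/disable-programs.inc
 caps
 netfilter
 no3d
+nodvd
 nonewprivs
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 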
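--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -14,18 +14,21 @@ noblacklist ~/.local/share/dolphin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix
 seccomp
 shell none
 
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin
 # private-dev
 # private-etc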
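--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none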
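--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp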
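--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -26,10 +26,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp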
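--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -4,4 +4,5 @@
 
 net none
 
+# Redirect
 include /etc/firejail/calibre.profile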
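--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -12,8 +12,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp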
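--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp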
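--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -14,8 +14,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp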
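--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -12,8 +12,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp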
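--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none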
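--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp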
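--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -18,10 +18,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp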
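--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp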
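--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -24,6 +24,8 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
+notv
 protocol unix,inet,inet6
 seccomp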
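--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink
 seccomp
 shell none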
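--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp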
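--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,10 +23,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none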
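--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -20,10 +20,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none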
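--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none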
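--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none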
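--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp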
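--- a/etc/file.profile
+++ b/etc/file.profile
@@ -16,9 +16,11 @@ caps.drop all
 hostname file
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 nosound
+notv
 protocol unix
 seccomp
 shell none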
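--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none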
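--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,4 +6,5 @@ include /etc/firejail/firefox-esr.local
 include /etc/firejail/globals.local
 
 
+# Redirect
 include /etc/firejail/firefox.profile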
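--- /dev/null
+++ b/etc/firefox-nightly.profile
@@ -0,0 +1,10 @@
+# Firejail profile for firefox-nightly
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox-nightly.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/firefox.profile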
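--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -52,9 +52,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none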
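--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,8 +15,7 @@ noblacklist ~/.config/slimjet
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 mkdir ~/.cache/slimjet
@@ -30,7 +29,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp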
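Review bot: The first hunk drops the explanatory comment `# chromium is distributed with a perl script on Arch` together with the workaround it justified, and nothing on the page shows that the Arch packaging has changed; if the launcher there is still a perl script, enabling `include /etc/firejail/disable-devel.inc` (which presumably blacklists perl) will make the browser fail to start inside the sandbox. The same change is made in etc/google-chrome-beta.profile, etc/google-chrome-unstable.profile and etc/google-chrome.profile. If the Arch issue is known to be resolved, keeping a one-line note such as `# disable-devel.inc is safe here: the perl launcher is no longer shipped on Arch` would preserve the reason; otherwise the include should stay commented out on those four profiles.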
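--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none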
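--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp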
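--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,4 +17,7 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
 
+nodvd
+notv
+
 include /etc/firejail/firefox.profile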
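--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none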
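--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink
 seccomp
 shell none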
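--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -28,9 +28,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none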
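--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -18,10 +18,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none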
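--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp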
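--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -13,7 +13,6 @@ noblacklist ~/.local/share/geary
 
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
@@ -22,7 +21,7 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 
 # allow browsers
+# Redirect
 include /etc/firejail/firefox.profile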
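Review bot: The two hunks leave the mimeapps.list and applications entries in opposite states: `read-only ~/.config/mimeapps.list` is kept at new line 23 while its `whitelist ~/.config/mimeapps.list` is removed in the first hunk, and `~/.local/share/applications` stays whitelisted but loses its `read-only`. Unless the included firefox.profile whitelists mimeapps.list itself, the surviving read-only now refers to a file that is not present in the whitelisted home, and the applications directory becomes writable, so a compromised mail client could rewrite .desktop launchers. If this asymmetry is intentional, a comment such as `# mimeapps.list visibility and applications handling come from firefox.profile` next to the read-only line would make it clear; otherwise keep both read-only lines or drop both.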
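--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none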
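--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none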
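--- a/etc/ghb.profile
+++ b/etc/ghb.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/handbrake.profile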
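--- a/etc/gimp-2.8.profile
+++ b/etc/gimp-2.8.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/gimp.profile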
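--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none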
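--- a/etc/git.profile
+++ b/etc/git.profile
@@ -23,10 +23,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none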
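--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -16,15 +16,18 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-bin gitg,git,ssh
 private-dev
 private-tmp
 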
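Review bot: `private-bin gitg,git,ssh` at new line 30 limits the sandbox's bin directories to those three programs, but git itself commonly execs other programs from PATH, such as a pager, an editor for commit messages, `gpg` for signed commits, or credential and askpass helpers, none of which is listed, so those operations may fail inside the sandbox. The hunk gives no indication whether gitg was exercised with commit signing or SSH passphrase prompts. Either extend the list after testing those paths, or document the limitation with a line like `# private-bin: extend with gpg/editor/pager if commit signing or hooks are needed` above the private-bin entry.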
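--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none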
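--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -19,9 +19,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none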
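--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp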
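--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -19,8 +19,10 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp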
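--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp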
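--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -15,10 +15,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none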
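--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp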
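--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp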
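--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -15,9 +15,11 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp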
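--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp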
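--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp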
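--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp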
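--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -18,6 +18,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix
 seccomp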
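--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none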
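--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -20,9 +20,11 @@ whitelist ${HOME}/.local/share/gnome-twitch
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp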
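--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp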
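--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix
 seccomp
 shell none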
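--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 mkdir ~/.cache/google-chrome-beta
@@ -25,7 +24,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
+nodvd
 nogroups
+notv
 shell none
 
 private-dev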
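--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/google-chrome.profile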
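--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 mkdir ~/.cache/google-chrome-unstable
@@ -25,7 +24,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
+nodvd
 nogroups
+notv
 shell none
 
 private-dev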
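--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 mkdir ~/.cache/google-chrome
@@ -25,7 +24,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
+nodvd
 nogroups
+notv
 shell none
 
 private-dev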
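--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -20,9 +20,11 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp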
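--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none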
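--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none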
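--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none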
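--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none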
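--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -17,10 +17,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none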
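--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/tar.profile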
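--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none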
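--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -17,6 +17,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none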
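--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp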
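--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -20,9 +20,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix
 seccomp
 shell none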
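--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -11,7 +11,9 @@ blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 shell none
 tracelog
 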
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
index 9437cea9e..de6244a32 100644
--- a/etc/handbrake-gtk.profile
+++ b/etc/handbrake-gtk.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/handbrake.profile 6include /etc/firejail/handbrake.profile
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b33051e2..2b32abca6 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,6 +18,7 @@ nogroups
18nonewprivs 18nonewprivs
19noroot 19noroot
20nosound 20nosound
21notv
21novideo 22novideo
22protocol unix,inet,inet6,netlink 23protocol unix,inet,inet6,netlink
23seccomp 24seccomp
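--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,23 +7,28 @@ include /etc/firejail/hashcat.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
 disable-mnt
+private-bin hashcat
 private-dev
 private-tmp
 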
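Review bot: `noblacklist /usr/include` at new line 10, paired with the new `include /etc/firejail/disable-devel.inc`, deliberately punches a hole in the developer-tools blacklist and nothing says why; presumably hashcat's OpenCL runtime compiles kernels at run time and needs the headers, but a maintainer should not have to guess that. Suggest `# hashcat JIT-compiles OpenCL kernels and needs the headers - confirm` above the noblacklist line, and a word that the noblacklist must stay above the include or it has no effect. `private-bin hashcat` at new line 31 is a good tightening; if the hashcat entry point is a wrapper script on some distributions the interpreter would have to be added, so it is worth a quick check.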
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index b6dc1f945..e2775ffce 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -18,9 +18,11 @@ include /etc/firejail/whitelist-common.inc
18 18
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodvd
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
25notv
24seccomp 26seccomp
25tracelog 27tracelog
26 28
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ceebb6d18..fc817d9f9 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -20,10 +20,12 @@ include /etc/firejail/whitelist-common.inc
20caps.drop all 20caps.drop all
21netfilter 21netfilter
22no3d 22no3d
23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
28notv
27novideo 29novideo
28protocol unix,inet,inet6 30protocol unix,inet,inet6
29seccomp 31seccomp
diff --git a/etc/highlight.profile b/etc/highlight.profile
index c314d34cb..83b023a90 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16net none 16net none
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22protocol unix 24protocol unix
23seccomp 25seccomp
24shell none 26shell none
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 8eb7410ff..d3cd181b1 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21novideo 23novideo
22protocol unix 24protocol unix
23seccomp 25seccomp
diff --git a/etc/icecat.profile b/etc/icecat.profile
index b8b267dff..ab7e62180 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -37,8 +37,10 @@ include /etc/firejail/whitelist-common.inc
37 37
38caps.drop all 38caps.drop all
39netfilter 39netfilter
40nodvd
40nonewprivs 41nonewprivs
41noroot 42noroot
43notv
42protocol unix,inet,inet6,netlink 44protocol unix,inet,inet6,netlink
43seccomp 45seccomp
44tracelog 46tracelog
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 3931fd0c0..46861d9f2 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -23,4 +23,5 @@ include /etc/firejail/whitelist-common.inc
23ignore private-tmp 23ignore private-tmp
24 24
25# allow browsers 25# allow browsers
26# Redirect
26include /etc/firejail/firefox.profile 27include /etc/firejail/firefox.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index 62671cb67..f6b57dde0 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -6,4 +6,5 @@ include /etc/firejail/iceweasel.local
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8 8
9# Redirect
9include /etc/firejail/firefox.profile 10include /etc/firejail/firefox.profile
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index f0f0637d9..928ec7327 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -20,9 +20,11 @@ include /etc/firejail/disable-programs.inc
20 20
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
25noroot 26noroot
27notv
26novideo 28novideo
27protocol unix,inet,inet6 29protocol unix,inet,inet6
28seccomp 30seccomp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 5117e887b..bd454a2c8 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
13 13
14caps.drop all 14caps.drop all
15net none 15net none
16nodvd
16nogroups 17nogroups
17nonewprivs 18nonewprivs
18noroot 19noroot
19nosound 20nosound
21notv
20protocol unix 22protocol unix
21seccomp 23seccomp
22shell none 24shell none
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 6bba90d14..1d24f5d7d 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21novideo 23novideo
22protocol unix 24protocol unix
23seccomp 25seccomp
diff --git a/etc/inox.profile b/etc/inox.profile
index 98a1ea6a9..6273c4de6 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -22,3 +22,5 @@ whitelist ~/.pki
22include /etc/firejail/whitelist-common.inc 22include /etc/firejail/whitelist-common.inc
23 23
24netfilter 24netfilter
25nodvd
26notv
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile
index 9e1a4fcc2..1baa07cb7 100644
--- a/etc/iridium-browser.profile
+++ b/etc/iridium-browser.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/iridium.profile 6include /etc/firejail/iridium.profile
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 95e94cbf9..db9c5c7cf 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -23,3 +23,5 @@ whitelist ~/.pki
23include /etc/firejail/whitelist-common.inc 23include /etc/firejail/whitelist-common.inc
24 24
25netfilter 25netfilter
26nodvd
27notv
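--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,15 +16,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+private-bin jd-gui,sh,bash
 private-dev
 private-tmp
 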
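Review bot: `private-bin jd-gui,sh,bash` at new line 30 places two shell interpreters inside a sandbox that otherwise runs with `shell none`; if /usr/bin/jd-gui is a plain executable, sh and bash are unneeded attack surface and the line should read `private-bin jd-gui`. If jd-gui is instead a launcher script, the list is also missing `java` (or whichever JVM binary the script execs), and the application will fail to start once private-bin is active. Either way the current list looks inconsistent; a comment stating which case holds, e.g. `# jd-gui is a shell launcher that runs java`, would settle it.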
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 72f9b5f5b..78a57ff46 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16nodvd
16nogroups 17nogroups
17nonewprivs 18nonewprivs
18noroot 19noroot
20notv
19protocol unix,inet,inet6 21protocol unix,inet,inet6
20seccomp 22seccomp
21shell none 23shell none
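--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -16,9 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 no3d
+nodvd
 nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none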
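Review bot: `nodvd` at new line 19 is likely to break k3b itself: as I understand the option it removes the DVD and audio-CD device nodes from the sandbox, and k3b is a CD/DVD burning front-end whose whole job is talking to those drives. The handbrake hunk above adds only `notv` and leaves nodvd out, presumably for the same reason, so this profile should follow it: drop the line or keep it as a documented exclusion, `# nodvd - k3b needs the optical drives`. `notv` and `novideo` look fine for a burning tool. Please verify on a machine with a drive before merging.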
diff --git a/etc/kate.profile b/etc/kate.profile
index 12d9127b4..ec5d09ce2 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -19,10 +19,13 @@ include /etc/firejail/disable-programs.inc
19 19
20caps.drop all 20caps.drop all
21netfilter 21netfilter
22nodvd
22nogroups 23nogroups
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
27notv
28novideo
26protocol unix 29protocol unix
27seccomp 30seccomp
28shell none 31shell none
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index ac4e11195..f334c4c72 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14caps.drop all 14caps.drop all
15netfilter 15netfilter
16no3d 16no3d
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21novideo 23novideo
22protocol unix 24protocol unix
23seccomp 25seccomp
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 543bc01eb..c133ce0fb 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -21,10 +21,13 @@ include /etc/firejail/disable-programs.inc
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23no3d 23no3d
24nodvd
24nogroups 25nogroups
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
29notv
30novideo
28protocol unix,inet,inet6 31protocol unix,inet,inet6
29seccomp 32seccomp
30shell none 33shell none
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
index 7d2881099..d29fc6abc 100644
--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/keepass.profile 6include /etc/firejail/keepass.profile
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 892dd7053..9d943d89c 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -19,10 +19,13 @@ caps.drop all
19machine-id 19machine-id
20net none 20net none
21no3d 21no3d
22nodvd
22nogroups 23nogroups
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
27notv
28novideo
26protocol unix 29protocol unix
27seccomp 30seccomp
28shell none 31shell none
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index ab56e0317..e20e06b76 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -18,10 +18,13 @@ include /etc/firejail/disable-programs.inc
18caps.drop all 18caps.drop all
19net none 19net none
20no3d 20no3d
21nodvd
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
24nosound 25nosound
26notv
27novideo
25protocol unix 28protocol unix
26seccomp 29seccomp
27shell none 30shell none
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index c8a494361..f79cda80d 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -18,10 +18,12 @@ include /etc/firejail/disable-programs.inc
18caps.drop all 18caps.drop all
19net none 19net none
20no3d 20no3d
21nodvd
21nogroups 22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
24nosound 25nosound
26notv
25novideo 27novideo
26protocol unix 28protocol unix
27seccomp 29seccomp
diff --git a/etc/kino.profile b/etc/kino.profile
index c64f2d599..240dab8ef 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -18,6 +18,7 @@ netfilter
18nogroups 18nogroups
19nonewprivs 19nonewprivs
20noroot 20noroot
21notv
21novideo 22novideo
22protocol unix 23protocol unix
23seccomp 24seccomp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 876e80cbb..fdc96c97f 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
21notv
20protocol unix,inet,inet6,netlink 22protocol unix,inet,inet6,netlink
21seccomp 23seccomp
22tracelog 24tracelog
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 26b607257..a1d303ded 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21protocol unix 23protocol unix
22seccomp 24seccomp
23shell none 25shell none
diff --git a/etc/konversation.profile b/etc/konversation.profile
index d1c78afbe..8bc263d4d 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -13,8 +13,10 @@ include /etc/firejail/disable-programs.inc
13 13
14caps.drop all 14caps.drop all
15netfilter 15netfilter
16nodvd
16nogroups 17nogroups
17noroot 18noroot
19notv
18protocol unix,inet,inet6 20protocol unix,inet,inet6
19seccomp 21seccomp
20 22
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 8e396a464..c5b887118 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -35,10 +35,12 @@ include /etc/firejail/whitelist-common.inc
35caps.drop all 35caps.drop all
36netfilter 36netfilter
37no3d 37no3d
38nodvd
38nogroups 39nogroups
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
43notv
42novideo 44novideo
43protocol unix,inet,inet6 45protocol unix,inet,inet6
44seccomp 46seccomp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index b6406cc0d..6ba076dc0 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -19,10 +19,13 @@ include /etc/firejail/disable-programs.inc
19 19
20caps.drop all 20caps.drop all
21netfilter 21netfilter
22nodvd
22nogroups 23nogroups
23nonewprivs 24nonewprivs
24noroot 25noroot
25# nosound - KWrite is using ALSA! 26# nosound - KWrite is using ALSA!
27notv
28novideo
26protocol unix 29protocol unix
27seccomp 30seccomp
28shell none 31shell none
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index de44a6771..e7557651b 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22novideo 24novideo
23protocol unix 25protocol unix
24seccomp 26seccomp
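--- a/etc/less.profile
+++ b/etc/less.profile
@@ -11,11 +11,17 @@ blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 novideo
 shell none
 tracelog
+writable-var-log
 
+# The user can have a custom coloring scritps configured in ~/.lessfilter.
+# Enable private-bin if you are not using any filter.
+# private-bin less
 private-dev
 
 memory-deny-write-execute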
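Review bot: `writable-var-log` at new line 20 reads as if it grants write access to the system logs, but as far as I recall the option exists to expose the real /var/log instead of the empty tmpfs clone firejail mounts there by default, which is what `less /var/log/...` needs; without a comment the next hardening pass will remove it as a regression. Suggest `# expose the real /var/log (firejail mounts an empty tmpfs there by default) so logs can be read` above it, and note that it also makes the directory writable to the extent the user's permissions allow. Also, "scritps" in the new comment at line 22 should be "scripts".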
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 8387fef98..ec7356002 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -16,9 +16,11 @@ include /etc/firejail/disable-programs.inc
16 16
17caps.drop all 17caps.drop all
18netfilter 18netfilter
19nodvd
19nogroups 20nogroups
20nonewprivs 21nonewprivs
21noroot 22noroot
23notv
22protocol unix,inet,inet6 24protocol unix,inet,inet6
23seccomp 25seccomp
24shell none 26shell none
diff --git a/etc/liferea.profile b/etc/liferea.profile
index f9c050acb..afd5fed6b 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -25,10 +25,12 @@ include /etc/firejail/whitelist-common.inc
25caps.drop all 25caps.drop all
26netfilter 26netfilter
27# no3d 27# no3d
28nodvd
28nogroups 29nogroups
29nonewprivs 30nonewprivs
30noroot 31noroot
31# nosound 32# nosound
33notv
32novideo 34novideo
33protocol unix,inet,inet6 35protocol unix,inet,inet6
34seccomp 36seccomp
diff --git a/etc/localc.profile b/etc/localc.profile
index c30bb5550..c702a4ece 100644
--- a/etc/localc.profile
+++ b/etc/localc.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
index c30bb5550..c702a4ece 100644
--- a/etc/lodraw.profile
+++ b/etc/lodraw.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/loffice.profile b/etc/loffice.profile
index c30bb5550..c702a4ece 100644
--- a/etc/loffice.profile
+++ b/etc/loffice.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
index c30bb5550..c702a4ece 100644
--- a/etc/lofromtemplate.profile
+++ b/etc/lofromtemplate.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
index c30bb5550..c702a4ece 100644
--- a/etc/loimpress.profile
+++ b/etc/loimpress.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 22004d95e..587a46353 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,6 +18,7 @@ no3d
18nogroups 18nogroups
19nonewprivs 19nonewprivs
20noroot 20noroot
21notv
21novideo 22novideo
22protocol unix,inet,inet6 23protocol unix,inet,inet6
23seccomp 24seccomp
diff --git a/etc/lomath.profile b/etc/lomath.profile
index c30bb5550..c702a4ece 100644
--- a/etc/lomath.profile
+++ b/etc/lomath.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/loweb.profile b/etc/loweb.profile
index c30bb5550..c702a4ece 100644
--- a/etc/loweb.profile
+++ b/etc/loweb.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
index c30bb5550..c702a4ece 100644
--- a/etc/lowriter.profile
+++ b/etc/lowriter.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/libreoffice.profile 6include /etc/firejail/libreoffice.profile
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index bbceee7c7..bd32e0c70 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21novideo 23novideo
22protocol unix 24protocol unix
23seccomp 25seccomp
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index f0eda6fbe..734f16e92 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22novideo 24novideo
23protocol unix 25protocol unix
24seccomp 26seccomp
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
index 230ceaafb..901bdb408 100644
--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -16,9 +16,11 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 16caps.drop all
17netfilter 17netfilter
18no3d 18no3d
19nodvd
19nogroups 20nogroups
20nonewprivs 21nonewprivs
21noroot 22noroot
23notv
22novideo 24novideo
23protocol unix 25protocol unix
24seccomp 26seccomp
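--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -13,5 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 # noroot - somehow this breaks on Debian Jessie!
+nodvd
+notv
 protocol unix,inet,inet6
 seccomp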
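Review bot: The two new options at new lines 16-17 are inserted below the `# noroot` comment, which breaks the alphabetical ordering every other profile in this commit keeps (nodvd between `netfilter`/`no3d` and `nogroups`, notv after `nosound`). Move `nodvd` above the `# noroot - somehow this breaks on Debian Jessie!` line and leave `notv` below it, so the disabled option stays visible in sequence. Functionally the lines are harmless for a terminal emulator, though note that every shell and program started from it inherits the restriction.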
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 8ff1f88b3..db01a5b8f 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22protocol unix,inet,inet6 24protocol unix,inet,inet6
23seccomp 25seccomp
24shell none 26shell none
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 220807447..caf3095a5 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22novideo 24novideo
23protocol unix 25protocol unix
24seccomp 26seccomp
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile
index 155ccfe7e..43bb3ebb4 100644
--- a/etc/mate-calculator.profile
+++ b/etc/mate-calculator.profile
@@ -1,7 +1,6 @@
1# Firejail profile for mate-calculator 1# Firejail profile alias for mate-calc
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include /etc/firejail/mate-calculator.local
5# Persistent global definitions
6include /etc/firejail/globals.local
7 3
4
5# Redirect
6include /etc/firejail/mate-calc.profile
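Review bot: Turning this profile into a redirect removes `include /etc/firejail/mate-calculator.local` (old line 4), so any overrides a user keeps in that file are silently ignored after the update; the redirect target presumably reads mate-calc.local instead, following the `.local` pattern the other profiles use (see the hashcat hunk header). That is a behaviour change for existing installs and deserves a RELNOTES line or at least a pointer in the alias, e.g. `# Customizations go in /etc/firejail/mate-calc.local`. A transitional `include /etc/firejail/mate-calculator.local` before the redirect would avoid breaking anyone until the next release.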
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 42456d1f6..26ce42fbf 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14caps.drop all 14caps.drop all
15netfilter 15netfilter
16no3d 16no3d
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21novideo 23novideo
22protocol unix 24protocol unix
23seccomp 25seccomp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index bc148fba3..f0de57e0d 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22novideo 24novideo
23protocol unix,inet,inet6 25protocol unix,inet,inet6
24seccomp 26seccomp
diff --git a/etc/mathematica.profile b/etc/mathematica.profile
index 64cae12dd..984ea9e97 100644
--- a/etc/mathematica.profile
+++ b/etc/mathematica.profile
@@ -2,4 +2,5 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3 3
4 4
5# Redirect
5include /etc/firejail/Mathematica.profile 6include /etc/firejail/Mathematica.profile
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index 8563201ac..bd1ada2b5 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
15 15
16caps.drop all 16caps.drop all
17netfilter 17netfilter
18nodvd
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21protocol inet,inet6 23protocol inet,inet6
22seccomp 24seccomp
23shell none 25shell none
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 4a2e9246e..d6a55610f 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16net none 16net none
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22protocol unix 24protocol unix
23seccomp 25seccomp
24shell none 26shell none
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 5e980909b..b90e21e66 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -5,8 +5,14 @@ include /etc/firejail/mediathekview.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ~/.config/mpv
9noblacklist ~/.config/smplayer
10noblacklist ~/.config/totem
8noblacklist ~/.config/vlc 11noblacklist ~/.config/vlc
12noblacklist ~/.java
13noblacklist ~/.local/share/totem
9noblacklist ~/.mediathek3 14noblacklist ~/.mediathek3
15noblacklist ~/.mplayer
10 16
11include /etc/firejail/disable-common.inc 17include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc 18include /etc/firejail/disable-devel.inc
@@ -15,8 +21,11 @@ include /etc/firejail/disable-programs.inc
15 21
16caps.drop all 22caps.drop all
17netfilter 23netfilter
24nodvd
18nonewprivs 25nonewprivs
19noroot 26noroot
27notv
28novideo
20protocol unix,inet,inet6 29protocol unix,inet,inet6
21seccomp 30seccomp
22tracelog 31tracelog
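Review bot: The new `noblacklist` lines 8-15 re-expose the configuration directories of five media players plus `~/.java` without saying why; presumably MediathekView hands downloads to an external player and runs under a JVM, but the profile should state that, e.g. `# MediathekView is a Java app that launches external players; keep their configs accessible`. `~/.java` is broader than the others (it can hold deployment settings and caches), so it is worth confirming the whole directory is needed rather than a sub-path. The `novideo` added at new line 28 looks right for a download manager.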
diff --git a/etc/meld.profile b/etc/meld.profile
index 4aeca3771..f1910d0f4 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
15caps.drop all 15caps.drop all
16net none 16net none
17no3d 17no3d
18nodvd
18nogroups 19nogroups
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
23notv
22novideo 24novideo
23protocol unix 25protocol unix
24seccomp 26seccomp
25shell none 27shell none
26 28
29# private-bin meld,python2,python2.7
27private-dev 30private-dev
28private-tmp 31private-tmp
29 32
diff --git a/etc/midori.profile b/etc/midori.profile
index 5b390a170..8ddb37776 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -35,8 +35,10 @@ include /etc/firejail/whitelist-common.inc
35 35
36caps.drop all 36caps.drop all
37netfilter 37netfilter
38nodvd
38nonewprivs 39nonewprivs
39# noroot - problems on Ubuntu 14.04 40# noroot - problems on Ubuntu 14.04
41notv
40protocol unix,inet,inet6,netlink 42protocol unix,inet,inet6,netlink
41seccomp 43seccomp
42tracelog 44tracelog
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 5a54afb5b..36365fc2f 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
14 14
15caps.drop all 15caps.drop all
16netfilter 16netfilter
17nodvd
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
22notv
21protocol unix 23protocol unix
22seccomp 24seccomp
23shell none 25shell none
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index a2f5d46b4..91a269ffb 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -22,15 +22,19 @@ include /etc/firejail/whitelist-common.inc
22 22
23caps.drop all 23caps.drop all
24netfilter 24netfilter
25nodvd
25nogroups 26nogroups
26nonewprivs 27nonewprivs
27noroot 28noroot
29notv
28novideo 30novideo
29protocol unix,inet,inet6 31protocol unix,inet,inet6
30# seccomp 32# seccomp
31shell none 33shell none
32 34
33disable-mnt 35disable-mnt
36# private-bin works, but causes weirdness
37# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
34private-dev 38private-dev
35private-tmp 39private-tmp
36 40
diff --git a/etc/mumble.profile b/etc/mumble.profile
index 048b31b81..e58dc93f4 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -22,9 +22,11 @@ include /etc/firejail/whitelist-common.inc
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24no3d 24no3d
25nodvd
25nogroups 26nogroups
26nonewprivs 27nonewprivs
27noroot 28noroot
29notv
28protocol unix,inet,inet6 30protocol unix,inet,inet6
29seccomp 31seccomp
30shell none 32shell none
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 4b98552c4..c7bb458df 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
13 13
14caps.drop all 14caps.drop all
15net none 15net none
16nodvd
16nogroups 17nogroups
17nonewprivs 18nonewprivs
18noroot 19noroot
19nosound 20nosound
21notv
20protocol unix 22protocol unix
21seccomp 23seccomp
22# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev 24# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
@@ -27,5 +29,6 @@ tracelog
27private-dev 29private-dev
28private-etc fonts 30private-etc fonts
29private-tmp 31private-tmp
32
30# mupdf will never write anything 33# mupdf will never write anything
31read-only ${HOME} 34read-only ${HOME}
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index f0680c4ce..9f3be0d27 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -22,6 +22,8 @@ include /etc/firejail/whitelist-common.inc
22 22
23caps.drop all 23caps.drop all
24net none 24net none
25nodvd
25nonewprivs 26nonewprivs
26noroot 27noroot
28notv
27seccomp 29seccomp
diff --git a/etc/mutt.profile b/etc/mutt.profile
index e2b9b38ec..206edefae 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -38,10 +38,12 @@ include /etc/firejail/disable-programs.inc
38caps.drop all 38caps.drop all
39netfilter 39netfilter
40no3d 40no3d
41nodvd
41nogroups 42nogroups
42nonewprivs 43nonewprivs
43noroot 44noroot
44nosound 45nosound
46notv
45protocol unix,inet,inet6 47protocol unix,inet,inet6
46seccomp 48seccomp
47shell none 49shell none
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 2da8f32d7..57d6faa17 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -20,9 +20,11 @@ include /etc/firejail/disable-passwdmgr.inc
20 20
21caps.drop all 21caps.drop all
22netfilter 22netfilter
23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
25noroot 26noroot
27notv
26protocol unix 28protocol unix
27seccomp 29seccomp
28shell none 30shell none
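--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp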
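--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -21,8 +21,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog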
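--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -20,10 +20,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none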
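--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -13,14 +13,17 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 
+private-bin obs
 private-dev
 private-tmp
 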
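--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none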
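--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -22,10 +22,13 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none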
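--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink
 seccomp
 shell none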
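--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none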
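--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -22,3 +22,5 @@ whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 netfilter
+nodvd
+notv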
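--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -26,3 +26,5 @@ whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 netfilter
+nodvd
+notv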
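--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp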
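--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -41,9 +41,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none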
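--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -13,8 +13,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none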
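--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -17,9 +17,11 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp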
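--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
 private-dev
 private-tmp
 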
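Review bot: The new `private-bin` line is the longest and least self-explaining one in this commit: it admits two shells (`sh` and `bash`) and two distribution-specific launchers (`archlinux-java`, `java-config`) with nothing saying which one pdfsam's wrapper script needs on which distro, so the next maintainer cannot tell which entries are safe to prune. A one-line comment above it would fix that, e.g. `# pdfsam is a shell wrapper around java; archlinux-java and java-config are the Arch/Gentoo JVM selectors` (adjust to what was actually verified). Whether both `sh` and `bash` are required is not visible from the hunk and is worth confirming, since every binary listed here is reachable from inside the sandbox.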
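--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -15,10 +15,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none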
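--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+# private-bin breaks gif mode, mp4 and webm mode work fine however
 # private-bin peek,convert,ffmpeg
 private-dev
 private-tmp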
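--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp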
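--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none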
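--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink
 seccomp
 shell none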
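--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -15,15 +15,18 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
 disable-mnt
+# private-bin pithos,python,python3,python3.6
 private-dev
 private-tmp
 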
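Review bot: The added `# private-bin pithos,python,python3,python3.6` is committed disabled with no reason given, so a reader cannot tell whether it is a known-broken option, an untested draft, or a list that works only on some distributions; the same applies to the `# private-bin sdat2img,env,python,python3,python3.6` line in the sdat2img hunk. The peek hunk in this commit shows the wanted form, a reason on the line above (`# private-bin breaks gif mode, mp4 and webm mode work fine however`). Add a short comment above each, e.g. `# private-bin disabled: <reason observed when testing>`, so the hardening can be re-enabled once the blocker is resolved rather than silently bit-rotting.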
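--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none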
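--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 seccomp
 shell none
 tracelog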
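--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -27,10 +27,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none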
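--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -25,9 +25,11 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp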
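--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -29,10 +29,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 machine-id
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 # shell none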
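--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none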
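--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -12,9 +12,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none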
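--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp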
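--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none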
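--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -22,9 +22,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none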
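--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -12,7 +12,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp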
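--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -28,10 +28,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none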
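--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -20,7 +20,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog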
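Review bot: The hardening block this hunk extends goes straight from `netfilter` to `noroot` with no `nonewprivs`, which every other browser profile touched in this commit (palemoon, qutebrowser, seamonkey) carries alongside `caps.drop all` and `seccomp`. Without it the sandboxed process can still regain privileges through setuid or file-capability binaries, so if the omission is not deliberate the natural fix while the sorted block is being edited is to insert `nonewprivs` between the new `nodvd` and `noroot`. If it is deliberate (the hunk does not show why), a one-line comment stating the reason would stop the next reviewer from raising it again.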
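--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -23,8 +23,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog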
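--- a/etc/rambox.profile
+++ b/etc/rambox.profile
@@ -21,9 +21,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 # tracelog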
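--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -18,10 +18,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 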
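--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp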
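--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -17,6 +17,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp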
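--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -10,4 +10,5 @@ noblacklist ~/.config/Riot
 whitelist ~/.config/Riot
 include /etc/firejail/whitelist-common.inc
 
+# Redirect
 include /etc/firejail/electron.profile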
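--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp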
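--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none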
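--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,7 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# Support for PDF readers (Scribus 1.5 and higher)
+# Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -27,9 +27,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 tracelog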
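--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -15,15 +15,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp
 shell none
 
+# private-bin sdat2img,env,python,python3,python3.6
 private-dev
 
 noexec ${HOME}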
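--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/seamonkey.profile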
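--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -37,8 +37,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog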
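--- a/etc/server.profile
+++ b/etc/server.profile
@@ -21,7 +21,10 @@ include /etc/firejail/disable-programs.inc
 
 caps
 no3d
+nodvd
 nosound
+notv
+novideo
 seccomp
 
 # disable-mnt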
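--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp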
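--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 shell none
 # seccomp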
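--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix
 seccomp
 shell none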
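--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 # protocol unix,inet,inet6
 seccomp
 shell none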
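--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none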
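--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none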
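--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 name slack
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none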
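--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -22,7 +22,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-private-bin smplayer,mplayer
+private-bin smplayer,mplayer,mpv
 private-dev
 private-tmp
 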
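--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -14,3 +14,5 @@ include /etc/firejail/disable-programs.inc
 whitelist ${DOWNLOADS}
 whitelist ~/snap
 include /etc/firejail/whitelist-common.inc
+nodvd
+notv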
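Review bot: The two new options are appended directly under `include /etc/firejail/whitelist-common.inc` with no separating blank line, whereas every other profile in this commit places `nodvd` and `notv` inside the alphabetically sorted hardening block that follows the whitelist section. Since this profile ends at the include (no such block is visible in the hunk), the closest match to the rest of the tree is a blank line and then the options: `` (empty line), `nodvd`, `notv`. Keeping the section layout uniform across profiles is what lets the per-option sorting be checked mechanically.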
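--- a/etc/soffice.profile
+++ b/etc/soffice.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/libreoffice.profile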
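--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp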
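--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -36,6 +36,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none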
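--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp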
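--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -19,7 +19,9 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp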
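--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,10 +18,12 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none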
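--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none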
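--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -24,9 +24,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 # novideo
 protocol unix,inet,inet6,netlink
 seccomp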
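--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -21,10 +21,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none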
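--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -11,12 +11,16 @@ blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 novideo
 shell none
 tracelog
 
+private-bin strings
 private-dev
+private-lib
 
 memory-deny-write-execute
 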
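--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -17,9 +17,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink
 seccomp
 shell none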
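--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp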
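--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -12,7 +12,9 @@ hostname tar
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 shell none
 tracelog
 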
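--- a/etc/telegram-desktop.profile
+++ b/etc/telegram-desktop.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/telegram.profile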
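--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -13,8 +13,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 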
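--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/Thunar.profile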
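--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -18,7 +18,6 @@ mkdir ~/.gnupg
 mkdir ~/.icedove
 mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.local/share/applications
@@ -28,7 +27,7 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 
 # allow browsers
+# Redirect
 include /etc/firejail/firefox.profile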
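Review bot: Dropping `read-only ~/.local/share/applications` in the second hunk leaves a directory the profile still whitelists writable inside the sandbox, so a compromised mail client could add or alter .desktop entries there; the first hunk likewise removes the whitelist for `~/.config/mimeapps.list` while the `read-only` on it stays, which is inconsistent. If the intent is to rely on the included firefox.profile for both, confirm that it still applies `read-only ~/.local/share/applications`; otherwise keep that line. The whitelist section begins before the first hunk.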
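--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none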
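--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none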
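--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -22,9 +22,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none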
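--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -22,9 +22,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none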
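--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -15,9 +15,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none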
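--- a/etc/truecraft.profile
+++ b/etc/truecraft.profile
@@ -20,9 +20,11 @@ whitelist ${HOME}/.config/truecraft
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp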
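--- /dev/null
+++ b/etc/tuxguitar.profile
@@ -0,0 +1,31 @@
+# Firejail profile for tuxguitar
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tuxguitar.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.java
+noblacklist ~/.tuxguitar*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp
+
+# noexec ${HOME} - tuxguitar may fail to launch
+noexec /tmp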
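Review bot: The new profile sets `protocol unix,inet,inet6` without either `netfilter` or `net none`, unlike the other network-enabled profiles in this commit (telegram, weechat, wget), so the sandbox presumably inherits the host network with no filter; add `netfilter` if tuxguitar genuinely needs the network, otherwise `net none`. It also omits `nogroups` and `shell none`, which its neighbours apply and which nothing in the profile explains as unworkable. The commented `# noexec ${HOME}` line is fine, but a reason in the same "directive - why it breaks" form as wireshark.profile uses would make the disabled hardening easier to revisit.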
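--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -18,9 +18,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none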
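--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -14,7 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 no3d
+nodvd
 nosound
+notv
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private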
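--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -16,9 +16,11 @@ whitelist ~/.unknown-horizons
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,netlink,inet,inet6
 seccomp
 shell none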
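--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -12,7 +12,9 @@ hostname unrar
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 shell none
 tracelog
 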
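--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -12,7 +12,9 @@ hostname unzip
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 shell none
 tracelog
 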
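--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -10,7 +10,9 @@ include /etc/firejail/globals.local
 hostname uudeview
 ignore noroot
 net none
+nodvd
 nosound
+notv
 shell none
 tracelog
 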
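--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -25,8 +25,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 tracelog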
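--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -19,10 +19,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none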
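--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none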
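--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp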
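--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -24,3 +24,5 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
+notv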
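Review bot: Adding `nodvd` to virtualbox.profile presumably hides the host optical device nodes, which VirtualBox can pass through to guests as physical CD/DVD drives; unlike the other profiles in this commit this one wraps a hypervisor whose guests may depend on those nodes. If passthrough is expected to keep working, leave `nodvd` out here, or keep it and record the trade-off next to it, `# nodvd - host DVD passthrough to guests unavailable`, so users know to override it in virtualbox.local.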
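--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/vivaldi.profile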
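--- a/etc/vivaldi-stable.profile
+++ b/etc/vivaldi-stable.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/vivaldi.profile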
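--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -21,7 +21,9 @@ include /etc/firejail/whitelist-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
+nodvd
 nogroups
+notv
 shell none
 
 private-dev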
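--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp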
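--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none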
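--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -20,9 +20,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none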
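--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -52,9 +52,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none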
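--- a/etc/weechat-curses.profile
+++ b/etc/weechat-curses.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/weechat.profile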
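--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -12,8 +12,10 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 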
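--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -23,8 +23,10 @@ whitelist ${HOME}/.local/share/wesnoth
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 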
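--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp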
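--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -17,7 +17,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 seccomp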
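--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -18,9 +18,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none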
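--- a/etc/wireshark-gtk.profile
+++ b/etc/wireshark-gtk.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/wireshark.profile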
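--- a/etc/wireshark-qt.profile
+++ b/etc/wireshark-qt.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/wireshark.profile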
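--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,7 +18,9 @@ no3d
 # nogroups - breaks unprivileged wireshark usage
 # nonewprivs - breaks unprivileged wireshark usage
 # noroot
+nodvd
 nosound
+notv
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks unprivileged wireshark usage
 shell none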
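--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -12,8 +12,10 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 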
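--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 seccomp
 shell none
 tracelog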
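--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none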
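Review bot: `nodvd` is added to xfburn.profile, but xfburn is a CD/DVD burning front-end, so hiding the optical device nodes presumably breaks its core function; this reads as the bulk pattern applied across the commit rather than a deliberate choice for this program. Suggest dropping the line here, or if it is intentional, commenting it out with the reason in the style wireshark.profile uses, `# nodvd - breaks disc burning`, so the exception is visible to the next maintainer.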
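--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp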
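--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp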
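--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -22,10 +22,12 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix,inet,inet6
 seccomp
 shell none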
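--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -17,6 +17,7 @@ netfilter
 no3d
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none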
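--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/xonotic.profile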
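--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/xonotic.profile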
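--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -18,9 +18,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nogroups
 nonewprivs
 noroot
+notv
 novideo
 protocol unix,inet,inet6
 seccomp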
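--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix
 seccomp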
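--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,6 +18,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 shell none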
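--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -21,15 +21,19 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 whitelist /var/lib/xkb
-include /etc/firejail/whitelist-common.inc
+# whitelisting home directory, or including whitelist-common.inc
+# will crash xpra on some platforms
 
 caps.drop all
 # xpra needs to be allowed access to the abstract Unix socket namespace.
+nodvd
 nogroups
 nonewprivs
 # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none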
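--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none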
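--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none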
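--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -2,4 +2,5 @@
 # This file is overwritten after every install/update
 
 
+# Redirect
 include /etc/firejail/cpio.profile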
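--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -11,7 +11,9 @@ blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodvd
 nosound
+notv
 shell none
 tracelog
 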
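--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -17,10 +17,12 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 novideo
 protocol unix,inet,inet6
 seccomp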
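--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,10 +15,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
 nosound
+notv
 protocol unix
 seccomp
 shell none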
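--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -18,8 +18,10 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
 nonewprivs
 noroot
+notv
 protocol unix,inet,inet6
 seccomp
 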
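--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -298,6 +298,7 @@
 /etc/firejail/transmission-qt.profile
 /etc/firejail/transmission-show.profile
 /etc/firejail/truecraft.profile
+/etc/firejail/tuxguitar.profile
 /etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
 /etc/firejail/unknown-horizons.profile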
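--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -3,7 +3,7 @@ Version: __VERSION__
 Release: 1
 Summary: Linux namepaces sandbox program
 
-License: GPL+
+License: GPLv2+
 Group: Development/Tools
 Source0: https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 URL: http://github.com/netblue30/firejail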
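--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -80,6 +80,7 @@ file-roller
 filezilla
 firefox
 firefox-esr
+firefox-nightly
 flashpeak-slimjet
 flowblade
 fontforge
@@ -267,6 +268,7 @@ transmission-gtk
 transmission-qt
 transmission-show
 truecraft
+tuxguitar
 uget-gtk
 unbound
 unknown-horizons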
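--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,6 +57,7 @@
 #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
+#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
 #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
@@ -305,6 +306,7 @@ extern int arg_overlay_keep; // place overlay diff in a known directory
 extern int arg_overlay_reuse; // allow the reuse of overlays
 
 extern int arg_seccomp; // enable default seccomp filter
+extern int arg_seccomp_postexec; // need postexec ld.preload library?
 
 extern int arg_caps_default_filter; // enable default capabilities filter
 extern int arg_caps_drop; // drop list
@@ -360,6 +362,8 @@ extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
 extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
+extern int arg_notv; // --notv
+extern int arg_nodvd; // --nodvd
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -512,6 +516,8 @@ void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
+void fs_dev_disable_tv(void);
+void fs_dev_disable_dvd(void);
 
 // fs_home.c
 // private mode (--private)
@@ -549,8 +555,6 @@ void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
-// return -1 if error, 0 if no error
-int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg);
 
 // fs_trace.c
 void fs_trace_preload(void);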
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index fdaa0b355..0dbbb65a0 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -31,41 +31,52 @@
31#include <sys/sysmacros.h> 31#include <sys/sysmacros.h>
32#include <sys/types.h> 32#include <sys/types.h>
33 33
34// device type
35typedef enum {
36 DEV_NONE = 0,
37 DEV_SOUND,
38 DEV_3D,
39 DEV_VIDEO,
40 DEV_TV,
41 DEV_DVD,
42} DEV_TYPE;
43
44
34typedef struct { 45typedef struct {
35 const char *dev_fname; 46 const char *dev_fname;
36 const char *run_fname; 47 const char *run_fname;
37 int sound; 48 DEV_TYPE type;
38 int hw3d;
39 int video;
40} DevEntry; 49} DevEntry;
41 50
42static DevEntry dev[] = { 51static DevEntry dev[] = {
43 {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device 52 {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device
44 {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device 53 {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device
45 {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0}, 54 {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
46 {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0}, 55 {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
47 {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0}, 56 {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
48 {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0}, 57 {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", DEV_3D},
49 {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0}, 58 {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", DEV_3D},
50 {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0}, 59 {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", DEV_3D},
51 {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0}, 60 {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", DEV_3D},
52 {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0}, 61 {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", DEV_3D},
53 {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0}, 62 {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", DEV_3D},
54 {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0}, 63 {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", DEV_3D},
55 {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0}, 64 {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", DEV_3D},
56 {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0}, 65 {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", DEV_3D},
57 {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0}, 66 {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", DEV_3D},
58 {"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices 67 {"/dev/video0", RUN_DEV_DIR "/video0", DEV_VIDEO}, // video camera devices
59 {"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1}, 68 {"/dev/video1", RUN_DEV_DIR "/video1", DEV_VIDEO},
60 {"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1}, 69 {"/dev/video2", RUN_DEV_DIR "/video2", DEV_VIDEO},
61 {"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1}, 70 {"/dev/video3", RUN_DEV_DIR "/video3", DEV_VIDEO},
62 {"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1}, 71 {"/dev/video4", RUN_DEV_DIR "/video4", DEV_VIDEO},
63 {"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1}, 72 {"/dev/video5", RUN_DEV_DIR "/video5", DEV_VIDEO},
64 {"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1}, 73 {"/dev/video6", RUN_DEV_DIR "/video6", DEV_VIDEO},
65 {"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1}, 74 {"/dev/video7", RUN_DEV_DIR "/video7", DEV_VIDEO},
66 {"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1}, 75 {"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
67 {"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1}, 76 {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
68 {NULL, NULL, 0, 0, 0} 77 {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
78 {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
79 {NULL, NULL, DEV_NONE}
69}; 80};
70 81
71static void deventry_mount(void) { 82static void deventry_mount(void) {
@@ -73,31 +84,40 @@ static void deventry_mount(void) {
73 while (dev[i].dev_fname != NULL) { 84 while (dev[i].dev_fname != NULL) {
74 struct stat s; 85 struct stat s;
75 if (stat(dev[i].run_fname, &s) == 0) { 86 if (stat(dev[i].run_fname, &s) == 0) {
76 int dir = is_dir(dev[i].run_fname); 87
77 if (arg_debug) 88 // check device type and subsystem configuration
78 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); 89 if ((dev[i].type == DEV_SOUND && arg_nosound == 0) ||
79 if (dir) { 90 (dev[i].type == DEV_3D && arg_no3d == 0) ||
80 mkdir_attr(dev[i].dev_fname, 0755, 0, 0); 91 (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
81 } 92 (dev[i].type == DEV_TV && arg_notv == 0) ||
82 else { 93 (dev[i].type == DEV_DVD && arg_nodvd == 0)) {
83 struct stat s; 94
84 if (stat(dev[i].run_fname, &s) == -1) { 95 int dir = is_dir(dev[i].run_fname);
85 if (arg_debug) 96 if (arg_debug)
86 fwarning("cannot stat %s file\n", dev[i].run_fname); 97 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
87 i++; 98 if (dir) {
88 continue; 99 mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
89 } 100 }
90 FILE *fp = fopen(dev[i].dev_fname, "w"); 101 else {
91 if (fp) { 102 struct stat s;
92 fprintf(fp, "\n"); 103 if (stat(dev[i].run_fname, &s) == -1) {
93 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); 104 if (arg_debug)
94 fclose(fp); 105 fwarning("cannot stat %s file\n", dev[i].run_fname);
106 i++;
107 continue;
108 }
109 FILE *fp = fopen(dev[i].dev_fname, "w");
110 if (fp) {
111 fprintf(fp, "\n");
112 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
113 fclose(fp);
114 }
95 } 115 }
116
117 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
118 errExit("mounting dev file");
119 fs_logger2("whitelist", dev[i].dev_fname);
96 } 120 }
97
98 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
99 errExit("mounting dev file");
100 fs_logger2("whitelist", dev[i].dev_fname);
101 } 121 }
102 122
103 i++; 123 i++;
@@ -140,7 +160,7 @@ void fs_private_dev(void){
140 // keep a copy of dev directory 160 // keep a copy of dev directory
141 mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); 161 mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
142 if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 162 if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
143 errExit("mounting /dev/dri"); 163 errExit("mounting /dev");
144 164
145 // create DEVLOG_FILE 165 // create DEVLOG_FILE
146 int have_devlog = 0; 166 int have_devlog = 0;
@@ -163,6 +183,7 @@ void fs_private_dev(void){
163 errExit("mounting /dev"); 183 errExit("mounting /dev");
164 fs_logger("tmpfs /dev"); 184 fs_logger("tmpfs /dev");
165 185
186 // optional devices: sound, video cards etc...
166 deventry_mount(); 187 deventry_mount();
167 188
168 // bring back /dev/log 189 // bring back /dev/log
@@ -177,8 +198,7 @@ void fs_private_dev(void){
177 } 198 }
178 } 199 }
179 if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) 200 if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
180 errExit("disable /dev/snd"); 201 errExit("disable run dev directory");
181
182 202
183 // create /dev/shm 203 // create /dev/shm
184 if (arg_debug) 204 if (arg_debug)
@@ -186,7 +206,7 @@ void fs_private_dev(void){
186 mkdir_attr("/dev/shm", 01777, 0, 0); 206 mkdir_attr("/dev/shm", 01777, 0, 0);
187 fs_logger("mkdir /dev/shm"); 207 fs_logger("mkdir /dev/shm");
188 208
189 // create devices 209 // create default devices
190 create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 210 create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
191 fs_logger("mknod /dev/zero"); 211 fs_logger("mknod /dev/zero");
192 create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 212 create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3
@@ -234,6 +254,14 @@ void fs_private_dev(void){
234 create_link("/proc/self/fd/1", "/dev/stdout"); 254 create_link("/proc/self/fd/1", "/dev/stdout");
235 create_link("/proc/self/fd/2", "/dev/stderr"); 255 create_link("/proc/self/fd/2", "/dev/stderr");
236#endif 256#endif
257
258 // symlinks for DVD/CD players
259 if (stat("/dev/sr0", &s) == 0) {
260 create_link("/dev/sr0", "/dev/cdrom");
261 create_link("/dev/sr0", "/dev/cdrw");
262 create_link("/dev/sr0", "/dev/dvd");
263 create_link("/dev/sr0", "/dev/dvdrw");
264 }
237} 265}
238 266
239 267
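Review bot: The device-class→option mapping is now spelled out twice — once as the compound condition in deventry_mount (lines 89–93) and again as five near-identical fs_dev_disable_* loops (322–364) — so the next device class has to be added in both places, and a miss in either silently leaves that class mounted or un-blacklisted. A table-driven helper pair removes the duplication; the public fs_dev_disable_* functions become one-line wrappers and the condition at 89 becomes `if (dev_type_enabled(dev[i].type)) {`. The new `/dev/dvb` and `/dev/sr0` entries (77–78) also widen what --private-dev exposes by default, `/dev/sr0` being a raw block device; a comment on the table that profiles opt out with `notv`/`nodvd` would make that choice visible. The inner `struct stat s;` at 102 still shadows the one declared at 85 (pre-existing), and the re-indented block makes that harder to spot.
```c
// true when this device class is not switched off by the matching --noXXX option
static int dev_type_enabled(DEV_TYPE type) {
	switch (type) {
	case DEV_SOUND: return arg_nosound == 0;
	case DEV_3D:    return arg_no3d == 0;
	case DEV_VIDEO: return arg_novideo == 0;
	case DEV_TV:    return arg_notv == 0;
	case DEV_DVD:   return arg_nodvd == 0;
	default:        return 0;
	}
}

// blacklist every table entry of the given class
static void dev_disable_type(DEV_TYPE type) {
	int i = 0;
	while (dev[i].dev_fname != NULL) {
		if (dev[i].type == type)
			disable_file_or_dir(dev[i].dev_fname);
		i++;
	}
}

void fs_dev_disable_dvd(void) {
	dev_disable_type(DEV_DVD);
}
// … unchanged apart from the same one-line body: fs_dev_disable_sound/_3d/_video/_tv …
```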
@@ -294,7 +322,7 @@ static void disable_file_or_dir(const char *fname) {
294void fs_dev_disable_sound(void) { 322void fs_dev_disable_sound(void) {
295 int i = 0; 323 int i = 0;
296 while (dev[i].dev_fname != NULL) { 324 while (dev[i].dev_fname != NULL) {
297 if (dev[i].sound) 325 if (dev[i].type == DEV_SOUND)
298 disable_file_or_dir(dev[i].dev_fname); 326 disable_file_or_dir(dev[i].dev_fname);
299 i++; 327 i++;
300 } 328 }
@@ -303,7 +331,7 @@ void fs_dev_disable_sound(void) {
303void fs_dev_disable_video(void) { 331void fs_dev_disable_video(void) {
304 int i = 0; 332 int i = 0;
305 while (dev[i].dev_fname != NULL) { 333 while (dev[i].dev_fname != NULL) {
306 if (dev[i].video) 334 if (dev[i].type == DEV_VIDEO)
307 disable_file_or_dir(dev[i].dev_fname); 335 disable_file_or_dir(dev[i].dev_fname);
308 i++; 336 i++;
309 } 337 }
@@ -312,7 +340,25 @@ void fs_dev_disable_video(void) {
312void fs_dev_disable_3d(void) { 340void fs_dev_disable_3d(void) {
313 int i = 0; 341 int i = 0;
314 while (dev[i].dev_fname != NULL) { 342 while (dev[i].dev_fname != NULL) {
315 if (dev[i].hw3d) 343 if (dev[i].type == DEV_3D)
344 disable_file_or_dir(dev[i].dev_fname);
345 i++;
346 }
347}
348
349void fs_dev_disable_tv(void) {
350 int i = 0;
351 while (dev[i].dev_fname != NULL) {
352 if (dev[i].type == DEV_TV)
353 disable_file_or_dir(dev[i].dev_fname);
354 i++;
355 }
356}
357
358void fs_dev_disable_dvd(void) {
359 int i = 0;
360 while (dev[i].dev_fname != NULL) {
361 if (dev[i].type == DEV_DVD)
316 disable_file_or_dir(dev[i].dev_fname); 362 disable_file_or_dir(dev[i].dev_fname);
317 i++; 363 i++;
318 } 364 }
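--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -63,6 +63,11 @@ void fs_trace(void) {
 if (!arg_quiet)
 printf("Blacklist violations are logged to syslog\n");
 }
+if (arg_seccomp_postexec) {
+fprintf(fp, "%s/libpostexecseccomp.so\n", prefix);
+if (!arg_quiet)
+printf("Post-exec seccomp protector enabled\n");
+}
 
 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
 fclose(fp);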
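Review bot: The new preload entry (lines 66–70) makes the post-exec seccomp filter depend on ld.so.preload being honoured, which only holds for dynamically linked programs started through the system loader; a statically linked executable never loads libpostexecseccomp.so, so the non-default drop/keep list is not enforced past exec for it. That limit belongs next to the write, e.g. `// post-exec filter rides on ld.so.preload: it does not reach statically linked executables`, and the message at line 69 could say "for dynamically linked programs" so users do not read it as a hard boundary. fs_trace's body, including where `fp` and `prefix` come from, starts outside the hunk.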
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9cff080a0..9726c0b8a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -56,6 +56,7 @@ int arg_overlay_keep = 0; // place overlay diff in a known directory
56int arg_overlay_reuse = 0; // allow the reuse of overlays 56int arg_overlay_reuse = 0; // allow the reuse of overlays
57 57
58int arg_seccomp = 0; // enable default seccomp filter 58int arg_seccomp = 0; // enable default seccomp filter
59int arg_seccomp_postexec = 0; // need postexec ld.preload library?
59 60
60int arg_caps_default_filter = 0; // enable default capabilities filter 61int arg_caps_default_filter = 0; // enable default capabilities filter
61int arg_caps_drop = 0; // drop list 62int arg_caps_drop = 0; // drop list
@@ -112,7 +113,8 @@ int arg_writable_var_log = 0; // writable /var/log
112int arg_disable_mnt = 0; // disable /mnt and /media 113int arg_disable_mnt = 0; // disable /mnt and /media
113int arg_noprofile = 0; // use default.profile if none other found/specified 114int arg_noprofile = 0; // use default.profile if none other found/specified
114int arg_memory_deny_write_execute = 0; // block writable and executable memory 115int arg_memory_deny_write_execute = 0; // block writable and executable memory
115 116int arg_notv = 0; // --notv
117int arg_nodvd = 0; // --nodvd
116int login_shell = 0; 118int login_shell = 0;
117 119
118 120
@@ -1021,7 +1023,7 @@ int main(int argc, char **argv) {
1021 } 1023 }
1022 else { 1024 else {
1023 // check --output option and execute it; 1025 // check --output option and execute it;
1024 check_output(argc, argv); // the function will not return if --output option was found 1026 check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
1025 } 1027 }
1026 1028
1027 1029
@@ -1676,22 +1678,22 @@ int main(int argc, char **argv) {
1676 exit_err_feature("noroot"); 1678 exit_err_feature("noroot");
1677 } 1679 }
1678#endif 1680#endif
1679 else if (strcmp(argv[i], "--nonewprivs") == 0) { 1681 else if (strcmp(argv[i], "--nonewprivs") == 0)
1680 arg_nonewprivs = 1; 1682 arg_nonewprivs = 1;
1681 }
1682 else if (strncmp(argv[i], "--env=", 6) == 0) 1683 else if (strncmp(argv[i], "--env=", 6) == 0)
1683 env_store(argv[i] + 6, SETENV); 1684 env_store(argv[i] + 6, SETENV);
1684 else if (strncmp(argv[i], "--rmenv=", 8) == 0) 1685 else if (strncmp(argv[i], "--rmenv=", 8) == 0)
1685 env_store(argv[i] + 8, RMENV); 1686 env_store(argv[i] + 8, RMENV);
1686 else if (strcmp(argv[i], "--nosound") == 0) { 1687 else if (strcmp(argv[i], "--nosound") == 0)
1687 arg_nosound = 1; 1688 arg_nosound = 1;
1688 } 1689 else if (strcmp(argv[i], "--novideo") == 0)
1689 else if (strcmp(argv[i], "--novideo") == 0) {
1690 arg_novideo = 1; 1690 arg_novideo = 1;
1691 } 1691 else if (strcmp(argv[i], "--no3d") == 0)
1692 else if (strcmp(argv[i], "--no3d") == 0) {
1693 arg_no3d = 1; 1692 arg_no3d = 1;
1694 } 1693 else if (strcmp(argv[i], "--notv") == 0)
1694 arg_notv = 1;
1695 else if (strcmp(argv[i], "--nodvd") == 0)
1696 arg_nodvd = 1;
1695 1697
1696 //************************************* 1698 //*************************************
1697 // network 1699 // network
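Review bot: The comment on `int arg_seccomp_postexec = 0; // need postexec ld.preload library?` (line 59) reads as an open question, and nothing in the option parser sets it — it is derived later in sandbox() from arg_seccomp plus a non-default seccomp list. Suggest `// derived in sandbox(): a non-default seccomp list is in use, load the post-exec filter library`, and the same wording for the matching extern in firejail.h. The new `--notv`/`--nodvd` arms (1693–1696) follow the neighbouring options, but lines 116–117 dropped the blank line that used to separate the option flags from `login_shell`.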
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 9fb4ad6b1..abdfa4d3b 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -27,12 +27,18 @@ void check_output(int argc, char **argv) {
27 27
28 int i; 28 int i;
29 int outindex = 0; 29 int outindex = 0;
30 30 int enable_stderr = 0;
31
31 for (i = 1; i < argc; i++) { 32 for (i = 1; i < argc; i++) {
32 if (strncmp(argv[i], "--output=", 9) == 0) { 33 if (strncmp(argv[i], "--output=", 9) == 0) {
33 outindex = i; 34 outindex = i;
34 break; 35 break;
35 } 36 }
37 if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
38 outindex = i;
39 enable_stderr = 1;
40 break;
41 }
36 } 42 }
37 if (!outindex) 43 if (!outindex)
38 return; 44 return;
@@ -40,9 +46,9 @@ void check_output(int argc, char **argv) {
40 46
41 // check filename 47 // check filename
42 drop_privs(0); 48 drop_privs(0);
43 char *outfile = NULL; 49 char *outfile = argv[outindex];
44 invalid_filename(argv[outindex] + 9); 50 outfile += (enable_stderr)? 16:9;
45 outfile = argv[outindex] + 9; 51 invalid_filename(outfile);
46 52
47 // do not accept directories, links, and files with ".." 53 // do not accept directories, links, and files with ".."
48 if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { 54 if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
@@ -80,9 +86,15 @@ void check_output(int argc, char **argv) {
80 for (i = 0; i < argc; i++) { 86 for (i = 0; i < argc; i++) {
81 if (strncmp(argv[i], "--output=", 9) == 0) 87 if (strncmp(argv[i], "--output=", 9) == 0)
82 continue; 88 continue;
89 if (strncmp(argv[i], "--output-stderr=", 16) == 0)
90 continue;
83 ptr += sprintf(ptr, "%s ", argv[i]); 91 ptr += sprintf(ptr, "%s ", argv[i]);
84 } 92 }
85 sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); 93
94 if (enable_stderr)
95 sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
96 else
97 sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
86 98
87 // run command 99 // run command
88 char *a[4]; 100 char *a[4];
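Review bot: The option scan (lines 32–42) stops at the first `--output=` or `--output-stderr=`, but the rebuild loop (87–90) strips every occurrence of both from the re-executed command line, so a command line carrying both options, or one of them twice, silently loses the later one and `enable_stderr` reflects only the first. Since this decides whether stderr is captured at all, the combination should be rejected rather than guessed; the scan below does that and is a drop-in for lines 32–42. check_output begins outside the hunk, so the buffer that `ptr` writes into is not visible here.
```c
	for (i = 1; i < argc; i++) {
		int is_out = strncmp(argv[i], "--output=", 9) == 0;
		int is_err = strncmp(argv[i], "--output-stderr=", 16) == 0;
		if (!is_out && !is_err)
			continue;
		if (outindex) {
			fprintf(stderr, "Error: --output and --output-stderr cannot be combined or repeated\n");
			exit(1);
		}
		outindex = i;
		enable_stderr = is_err;
	}
	// … unchanged: outindex check, drop_privs, filename validation …
```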
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 9c474415d..583cc4610 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -85,9 +85,12 @@ void preproc_mount_mnt_dir(void) {
85 85
86 if (arg_memory_deny_write_execute) 86 if (arg_memory_deny_write_execute)
87 copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed 87 copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
88 // as root, create an empty RUN_SECCOMP_PROTOCOL file 88 // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
89 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); 89 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
90 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) 90 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
91 errExit("set_perms"); 91 errExit("set_perms");
92 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
93 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
94 errExit("set_perms");
92 } 95 }
93} 96}
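Review bot: RUN_SECCOMP_POSTEXEC (lines 92–94) is created root-owned and then handed to the unprivileged user at mode 0644, exactly like RUN_SECCOMP_PROTOCOL; that is what lets fseccomp, run with SBOX_USER in seccomp.c, write it, but it also means the policy file the post-exec preload library consumes later is writable by the same uid the sandboxed program presumably runs as. The other seccomp files rely on the run directory being made read-only before the program starts; a comment stating that dependency here, e.g. `// user-writable until the run dir is remounted read-only; the post-exec library reads it only after that`, would make the trust boundary explicit. The two create/set_perms pairs are identical and could share a small helper; preproc_mount_mnt_dir starts outside the hunk.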
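--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -225,6 +225,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nosound = 1;
 return 0;
 }
+else if (strcmp(ptr, "notv") == 0) {
+arg_notv = 1;
+return 0;
+}
+else if (strcmp(ptr, "nodvd") == 0) {
+arg_nodvd = 1;
+return 0;
+}
 else if (strcmp(ptr, "novideo") == 0) {
 arg_novideo = 1;
 return 0;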
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6c0fdebe3..568549cbf 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -664,10 +664,15 @@ int sandbox(void* sandbox_arg) {
664 if (rv) 664 if (rv)
665 exit(rv); 665 exit(rv);
666 } 666 }
667 if (arg_seccomp && (cfg.seccomp_list || cfg.seccomp_list_drop || cfg.seccomp_list_keep))
668 arg_seccomp_postexec = 1;
667#endif 669#endif
668 670
671 // need ld.so.preload if tracing or seccomp with any non-default lists
672 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
673
669 // trace pre-install 674 // trace pre-install
670 if (arg_trace || arg_tracelog) 675 if (need_preload)
671 fs_trace_preload(); 676 fs_trace_preload();
672 677
673 // store hosts file 678 // store hosts file
@@ -704,7 +709,7 @@ int sandbox(void* sandbox_arg) {
704 //**************************** 709 //****************************
705 // trace pre-install, this time inside chroot 710 // trace pre-install, this time inside chroot
706 //**************************** 711 //****************************
707 if (arg_trace || arg_tracelog) 712 if (need_preload)
708 fs_trace_preload(); 713 fs_trace_preload();
709 } 714 }
710 else 715 else
@@ -767,7 +772,7 @@ int sandbox(void* sandbox_arg) {
767 else { 772 else {
768 fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); 773 fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
769 // create /etc/ld.so.preload file again 774 // create /etc/ld.so.preload file again
770 if (arg_trace || arg_tracelog) 775 if (need_preload)
771 fs_trace_preload(); 776 fs_trace_preload();
772 } 777 }
773 } 778 }
@@ -876,7 +881,7 @@ int sandbox(void* sandbox_arg) {
876 fs_blacklist(); // mkdir and mkfile are processed all over again 881 fs_blacklist(); // mkdir and mkfile are processed all over again
877 882
878 //**************************** 883 //****************************
879 // nosound/no3d and fix for pulseaudio 7.0 884 // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
880 //**************************** 885 //****************************
881 if (arg_nosound) { 886 if (arg_nosound) {
882 // disable pulseaudio 887 // disable pulseaudio
@@ -891,18 +896,19 @@ int sandbox(void* sandbox_arg) {
891 if (arg_no3d) 896 if (arg_no3d)
892 fs_dev_disable_3d(); 897 fs_dev_disable_3d();
893 898
894 //**************************** 899 if (arg_notv)
895 // novideo 900 fs_dev_disable_tv();
896 //**************************** 901
897 if (arg_novideo) { 902 if (arg_nodvd)
898 // disable /dev/video* 903 fs_dev_disable_dvd();
904
905 if (arg_novideo)
899 fs_dev_disable_video(); 906 fs_dev_disable_video();
900 }
901 907
902 //**************************** 908 //****************************
903 // install trace 909 // install trace
904 //**************************** 910 //****************************
905 if (arg_trace || arg_tracelog) 911 if (need_preload)
906 fs_trace(); 912 fs_trace();
907 913
908 //**************************** 914 //****************************
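Review bot: The section header rewritten at line 884 lists nosound/no3d/notv/novideo but omits nodvd, although `if (arg_nodvd) fs_dev_disable_dvd();` sits right below it (902–903); make it `// nosound/no3d/notv/nodvd/novideo and fix for pulseaudio 7.0`. `bool need_preload` (672) is the first use of `bool` visible here — confirm `<stdbool.h>` is included, which is outside the hunk. The postexec flag (667–668) is set only inside the `#ifdef` block and only when arg_seccomp is also set; if a drop/keep list can be present without arg_seccomp, the preload library is not installed while seccomp.c still hands RUN_SECCOMP_POSTEXEC to fseccomp, so a comment at 667 stating that invariant would help.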
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 13d8d44fa..516c97fa0 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -41,7 +41,7 @@ char *seccomp_check_list(const char *str) {
41 const char *ptr1 = str; 41 const char *ptr1 = str;
42 char *ptr2 = rv; 42 char *ptr2 = rv;
43 while (*ptr1 != '\0') { 43 while (*ptr1 != '\0') {
44 if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':') 44 if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' || *ptr1 == '@' || *ptr1 == '-')
45 *ptr2++ = *ptr1++; 45 *ptr2++ = *ptr1++;
46 else { 46 else {
47 fprintf(stderr, "Error: invalid syscall list\n"); 47 fprintf(stderr, "Error: invalid syscall list\n");
@@ -145,11 +145,11 @@ int seccomp_filter_drop(int enforce_seccomp) {
145 // build the seccomp filter as a regular user 145 // build the seccomp filter as a regular user
146 int rv; 146 int rv;
147 if (arg_allow_debuggers) 147 if (arg_allow_debuggers)
148 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, 148 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
149 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); 149 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list, "allow-debuggers");
150 else 150 else
151 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, 151 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
152 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); 152 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
153 if (rv) 153 if (rv)
154 exit(rv); 154 exit(rv);
155 } 155 }
@@ -163,11 +163,11 @@ int seccomp_filter_drop(int enforce_seccomp) {
163 // build the seccomp filter as a regular user 163 // build the seccomp filter as a regular user
164 int rv; 164 int rv;
165 if (arg_allow_debuggers) 165 if (arg_allow_debuggers)
166 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, 166 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
167 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop, "allow-debuggers"); 167 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop, "allow-debuggers");
168 else 168 else
169 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, 169 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
170 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop); 170 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop);
171 171
172 if (rv) 172 if (rv)
173 exit(rv); 173 exit(rv);
@@ -183,9 +183,14 @@ int seccomp_filter_drop(int enforce_seccomp) {
183 exit(1); 183 exit(1);
184 } 184 }
185 185
186 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) 186 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
187 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, 187 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
188 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); 188 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
189 struct stat st;
190 if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
191 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
192 PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
193 }
189 194
190 return 0; 195 return 0;
191} 196}
@@ -196,14 +201,19 @@ int seccomp_filter_keep(void) {
196 printf("Build drop seccomp filter\n"); 201 printf("Build drop seccomp filter\n");
197 202
198 // build the seccomp filter as a regular user 203 // build the seccomp filter as a regular user
199 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, 204 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
200 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); 205 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
201 if (arg_debug) 206 if (arg_debug)
202 printf("seccomp filter configured\n"); 207 printf("seccomp filter configured\n");
203 208
204 209
205 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) 210 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
206 sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); 211 sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
212 struct stat st;
213 if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
214 sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
215 }
216
207 return seccomp_load(RUN_SECCOMP_CFG); 217 return seccomp_load(RUN_SECCOMP_CFG);
208} 218}
209 219
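Review bot: In seccomp_filter_keep the rewritten `sbox_run` call (204–205) still discards fseccomp's exit status, while seccomp_filter_drop checks it and exits (153–154, 172–173); if fseccomp fails, `seccomp_load(RUN_SECCOMP_CFG)` at 217 proceeds with whatever the file holds, which fails open for a security filter. Use the same pattern: `int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep); if (rv) exit(rv);`. The character whitelist at line 44 now also admits '@' and '-', presumably for group names and negation; a comment naming the accepted grammar would help, since this string is passed on to fseccomp as an argv element.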
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 71bb6f24e..b9ab00eae 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -134,11 +134,12 @@ void usage(void) {
134 printf(" --novideo - disable video devices.\n"); 134 printf(" --novideo - disable video devices.\n");
135 printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); 135 printf(" --nowhitelist=filename - disable whitelist for file or directory .\n");
136 printf(" --output=logfile - stdout logging and log rotation.\n"); 136 printf(" --output=logfile - stdout logging and log rotation.\n");
137 printf(" --output-stderr=logfile - stdout and stderr logging and log rotation.\n");
137 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); 138 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
138 printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); 139 printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n");
139 printf("\tfilesystem, and store it in name directory.\n"); 140 printf("\tfilesystem, and store it in name directory.\n");
140 printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n"); 141 printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n");
141 printf("\tfilesystem.\n"); 142 printf("\tcurrent filesystem.\n");
142 printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); 143 printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
143 printf(" --private - temporary home directory.\n"); 144 printf(" --private - temporary home directory.\n");
144 printf(" --private=directory - use directory as user home.\n"); 145 printf(" --private=directory - use directory as user home.\n");
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 0db670380..144b612ae 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -30,8 +30,9 @@ extern int arg_quiet;
30 30
31// syscall.c 31// syscall.c
32void syscall_print(void); 32void syscall_print(void);
33int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg); 33int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
34const char *syscall_find_nr(int nr); 34const char *syscall_find_nr(int nr);
35void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
35 36
36// errno.c 37// errno.c
37void errno_print(void); 38void errno_print(void);
@@ -49,9 +50,9 @@ void seccomp_secondary_32(const char *fname);
49// seccomp_file.c 50// seccomp_file.c
50void write_to_file(int fd, const void *data, int size); 51void write_to_file(int fd, const void *data, int size);
51void filter_init(int fd); 52void filter_init(int fd);
52void filter_add_whitelist(int fd, int syscall, int arg); 53void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
53void filter_add_blacklist(int fd, int syscall, int arg); 54void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
54void filter_add_errno(int fd, int syscall, int arg); 55void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
55void filter_end_blacklist(int fd); 56void filter_end_blacklist(int fd);
56void filter_end_whitelist(int fd); 57void filter_end_whitelist(int fd);
57 58
@@ -59,11 +60,11 @@ void filter_end_whitelist(int fd);
59// default list 60// default list
60void seccomp_default(const char *fname, int allow_debuggers); 61void seccomp_default(const char *fname, int allow_debuggers);
61// drop list 62// drop list
62void seccomp_drop(const char *fname, char *list, int allow_debuggers); 63void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
63// default+drop list 64// default+drop list
64void seccomp_default_drop(const char *fname, char *list, int allow_debuggers); 65void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
65// whitelisted filter 66// whitelisted filter
66void seccomp_keep(const char *fname, char *list); 67void seccomp_keep(const char *fname1, const char *fname2, char *list);
67// block writable and executable memory 68// block writable and executable memory
68void memory_deny_write_execute(const char *fname); 69void memory_deny_write_execute(const char *fname);
69 70
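Review bot: The new `fname1`/`fname2` parameters (lines 63–67) do not say which file is which; from the callers in seccomp.c the first is the main filter (RUN_SECCOMP_CFG) and the second the post-exec filter (RUN_SECCOMP_POSTEXEC). Name them `fname`/`postexec_fname`, or add `// fname1: main filter, fname2: filter applied after exec via the ld.so.preload library` above seccomp_drop. `syscalls_in_list` (35) and the new `void *ptrarg` callback parameter (33, 53–55) also lack a one-line description of what they carry.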
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 3d95d5bb2..3bf7de0fa 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -30,11 +30,11 @@ static void usage(void) {
30 printf("\tfseccomp secondary 32 file\n"); 30 printf("\tfseccomp secondary 32 file\n");
31 printf("\tfseccomp default file\n"); 31 printf("\tfseccomp default file\n");
32 printf("\tfseccomp default file allow-debuggers\n"); 32 printf("\tfseccomp default file allow-debuggers\n");
33 printf("\tfseccomp drop file list\n"); 33 printf("\tfseccomp drop file1 file2 list\n");
34 printf("\tfseccomp drop file list allow-debuggers\n"); 34 printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
35 printf("\tfseccomp default drop file list\n"); 35 printf("\tfseccomp default drop file1 file2 list\n");
36 printf("\tfseccomp default drop file list allow-debuggers\n"); 36 printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
37 printf("\tfseccomp keep file list\n"); 37 printf("\tfseccomp keep file1 file2 list\n");
38 printf("\tfseccomp memory-deny-write-execute file\n"); 38 printf("\tfseccomp memory-deny-write-execute file\n");
39 printf("\tfseccomp print file\n"); 39 printf("\tfseccomp print file\n");
40} 40}
@@ -78,16 +78,16 @@ printf("\n");
78 seccomp_default(argv[2], 0); 78 seccomp_default(argv[2], 0);
79 else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0) 79 else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
80 seccomp_default(argv[2], 1); 80 seccomp_default(argv[2], 1);
81 else if (argc == 4 && strcmp(argv[1], "drop") == 0) 81 else if (argc == 5 && strcmp(argv[1], "drop") == 0)
82 seccomp_drop(argv[2], argv[3], 0); 82 seccomp_drop(argv[2], argv[3], argv[4], 0);
83 else if (argc == 5 && strcmp(argv[1], "drop") == 0 && strcmp(argv[4], "allow-debuggers") == 0) 83 else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
84 seccomp_drop(argv[2], argv[3], 1); 84 seccomp_drop(argv[2], argv[3], argv[4], 1);
85 else if (argc == 5 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0) 85 else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
86 seccomp_default_drop(argv[3], argv[4], 0); 86 seccomp_default_drop(argv[3], argv[4], argv[5], 0);
87 else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0) 87 else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
88 seccomp_default_drop(argv[3], argv[4], 1); 88 seccomp_default_drop(argv[3], argv[4], argv[5], 1);
89 else if (argc == 4 && strcmp(argv[1], "keep") == 0) 89 else if (argc == 5 && strcmp(argv[1], "keep") == 0)
90 seccomp_keep(argv[2], argv[3]); 90 seccomp_keep(argv[2], argv[3], argv[4]);
91 else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0) 91 else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
92 memory_deny_write_execute(argv[2]); 92 memory_deny_write_execute(argv[2]);
93 else if (argc == 3 && strcmp(argv[1], "print") == 0) 93 else if (argc == 3 && strcmp(argv[1], "print") == 0)
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index a3db46aad..c49681476 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -27,9 +27,9 @@
27static void add_default_list(int fd, int allow_debuggers) { 27static void add_default_list(int fd, int allow_debuggers) {
28 int r; 28 int r;
29 if (!allow_debuggers) 29 if (!allow_debuggers)
30 r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0); 30 r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL);
31 else 31 else
32 r = syscall_check_list("@default", filter_add_blacklist, fd, 0); 32 r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL);
33 33
34 assert(r == 0); 34 assert(r == 0);
35//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension 35//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
@@ -56,7 +56,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
56 exit(1); 56 exit(1);
57 } 57 }
58 58
59 // build filter 59 // build filter (no post-exec filter needed because default list is fine for us)
60 filter_init(fd); 60 filter_init(fd);
61 add_default_list(fd, allow_debuggers); 61 add_default_list(fd, allow_debuggers);
62 filter_end_blacklist(fd); 62 filter_end_blacklist(fd);
@@ -66,20 +66,44 @@ void seccomp_default(const char *fname, int allow_debuggers) {
66} 66}
67 67
68// drop list 68// drop list
69void seccomp_drop(const char *fname, char *list, int allow_debuggers) { 69void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
70 assert(fname); 70 assert(fname1);
71 assert(fname2);
71 (void) allow_debuggers; // todo: to implemnet it 72 (void) allow_debuggers; // todo: to implemnet it
72 73
73 // open file 74 // open file for pre-exec filter
74 int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 75 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
75 if (fd < 0) { 76 if (fd < 0) {
76 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 77 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
77 exit(1); 78 exit(1);
78 } 79 }
79 80
80 // build filter 81 // build pre-exec filter: don't blacklist any syscalls in @default-keep
81 filter_init(fd); 82 filter_init(fd);
82 if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { 83 char *prelist, *postlist;
84 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
85 if (prelist)
86 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
87 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
88 exit(1);
89 }
90 filter_end_blacklist(fd);
91 // close file
92 close(fd);
93
94 if (!postlist)
95 return;
96
97 // open file for post-exec filter
98 fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
99 if (fd < 0) {
100 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
101 exit(1);
102 }
103
104 // build post-exec filter: blacklist remaining syscalls
105 filter_init(fd);
106 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
83 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 107 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
84 exit(1); 108 exit(1);
85 } 109 }
@@ -90,20 +114,46 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
90} 114}
91 115
92// default+drop 116// default+drop
93void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) { 117void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
94 assert(fname); 118 assert(fname1);
119 assert(fname2);
95 120
96 // open file 121 // open file
97 int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 122 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
98 if (fd < 0) { 123 if (fd < 0) {
99 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 124 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
100 exit(1); 125 exit(1);
101 } 126 }
102 127
103 // build filter 128 // build pre-exec filter: blacklist @default, don't blacklist
129 // any listed syscalls in @default-keep
104 filter_init(fd); 130 filter_init(fd);
105 add_default_list(fd, allow_debuggers); 131 add_default_list(fd, allow_debuggers);
106 if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { 132 char *prelist, *postlist;
133 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
134 if (prelist)
135 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
136 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
137 exit(1);
138 }
139 filter_end_blacklist(fd);
140
141 // close file
142 close(fd);
143
144 if (!postlist)
145 return;
146
147 // open file for post-exec filter
148 fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
149 if (fd < 0) {
150 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
151 exit(1);
152 }
153
154 // build post-exec filter: blacklist remaining syscalls
155 filter_init(fd);
156 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
107 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 157 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
108 exit(1); 158 exit(1);
109 } 159 }
@@ -113,22 +163,42 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
113 close(fd); 163 close(fd);
114} 164}
115 165
116void seccomp_keep(const char *fname, char *list) { 166void seccomp_keep(const char *fname1, const char *fname2, char *list) {
117 // open file 167 // open file for pre-exec filter
118 int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 168 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
119 if (fd < 0) { 169 if (fd < 0) {
120 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 170 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
121 exit(1); 171 exit(1);
122 } 172 }
123 173
124 // build filter 174 // build pre-exec filter: whitelist also @default-keep
125 filter_init(fd); 175 filter_init(fd);
126 // these syscalls are used by firejail after the seccomp filter is initialized 176 // these syscalls are used by firejail after the seccomp filter is initialized
127 int r; 177 int r;
128 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0); 178 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
129 assert(r == 0); 179 assert(r == 0);
130 180
131 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { 181 if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
182 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
183 exit(1);
184 }
185
186 filter_end_whitelist(fd);
187
188 // close file
189 close(fd);
190
191 // open file for post-exec filter
192 fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
193 if (fd < 0) {
194 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
195 exit(1);
196 }
197
198 // build post-exec filter: whitelist without @default-keep
199 filter_init(fd);
200
201 if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
132 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 202 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
133 exit(1); 203 exit(1);
134 } 204 }
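Review bot: seccomp_keep (new line 166) does not assert `fname1`/`fname2` the way seccomp_drop and seccomp_default_drop now do (new lines 70–71 and 118–119); add `assert(fname1);` and `assert(fname2);` at the top of its body for consistency. The `prelist`/`postlist` strings returned by syscalls_in_list in seccomp_drop and seccomp_default_drop are never freed, which is acceptable in a helper that exits shortly after but should read as deliberate, e.g. `// prelist/postlist are heap-allocated by syscalls_in_list and released at process exit`. The two-file contract is also undocumented: a header comment on seccomp_drop and seccomp_default_drop stating that fname1 receives the pre-exec filter (the list minus @default-keep) and fname2 the post-exec filter (the @default-keep subset), and that fname2 is only written when that subset is non-empty, would spare readers tracing the early `return` on `!postlist`. The tails of seccomp_drop, seccomp_default_drop and seccomp_keep lie outside these hunks.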
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 16ffd5302..2d5ee115d 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -60,8 +60,9 @@ void filter_init(int fd) {
60 write_to_file(fd, filter, sizeof(filter)); 60 write_to_file(fd, filter, sizeof(filter));
61} 61}
62 62
63void filter_add_whitelist(int fd, int syscall, int arg) { 63void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
64 (void) arg; 64 (void) arg;
65 (void) ptrarg;
65 66
66 struct sock_filter filter[] = { 67 struct sock_filter filter[] = {
67 WHITELIST(syscall) 68 WHITELIST(syscall)
@@ -69,8 +70,9 @@ void filter_add_whitelist(int fd, int syscall, int arg) {
69 write_to_file(fd, filter, sizeof(filter)); 70 write_to_file(fd, filter, sizeof(filter));
70} 71}
71 72
72void filter_add_blacklist(int fd, int syscall, int arg) { 73void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
73 (void) arg; 74 (void) arg;
75 (void) ptrarg;
74 76
75 struct sock_filter filter[] = { 77 struct sock_filter filter[] = {
76 BLACKLIST(syscall) 78 BLACKLIST(syscall)
@@ -78,7 +80,8 @@ void filter_add_blacklist(int fd, int syscall, int arg) {
78 write_to_file(fd, filter, sizeof(filter)); 80 write_to_file(fd, filter, sizeof(filter));
79} 81}
80 82
81void filter_add_errno(int fd, int syscall, int arg) { 83void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) {
84 (void) ptrarg;
82 struct sock_filter filter[] = { 85 struct sock_filter filter[] = {
83 BLACKLIST_ERRNO(syscall, arg) 86 BLACKLIST_ERRNO(syscall, arg)
84 }; 87 };
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 5893a2ea8..b9e6d995b 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -17,7 +17,9 @@
17 * with this program; if not, write to the Free Software Foundation, Inc., 17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20#define _GNU_SOURCE
20#include "fseccomp.h" 21#include "fseccomp.h"
22#include <stdio.h>
21#include <sys/syscall.h> 23#include <sys/syscall.h>
22 24
23typedef struct { 25typedef struct {
@@ -30,6 +32,13 @@ typedef struct {
30 const char * const list; 32 const char * const list;
31} SyscallGroupList; 33} SyscallGroupList;
32 34
35typedef struct {
36 const char *slist;
37 char *prelist, *postlist;
38 bool found;
39 int syscall;
40} SyscallCheckList;
41
33static const SyscallEntry syslist[] = { 42static const SyscallEntry syslist[] = {
34// 43//
35// code generated using tools/extract-syscall 44// code generated using tools/extract-syscall
@@ -174,6 +183,7 @@ static const SyscallGroupList sysgroups[] = {
174 }, 183 },
175 { .name = "@default-keep", .list = 184 { .name = "@default-keep", .list =
176 "dup," 185 "dup,"
186 "execve,"
177 "prctl," 187 "prctl,"
178 "setgid," 188 "setgid,"
179 "setgroups," 189 "setgroups,"
@@ -449,7 +459,7 @@ error:
449} 459}
450 460
451// return 1 if error, 0 if OK 461// return 1 if error, 0 if OK
452int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) { 462int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg) {
453 // don't allow empty lists 463 // don't allow empty lists
454 if (slist == NULL || *slist == '\0') { 464 if (slist == NULL || *slist == '\0') {
455 fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n"); 465 fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
@@ -477,7 +487,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
477 fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr); 487 fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
478 exit(1); 488 exit(1);
479 } 489 }
480 syscall_check_list(new_list, callback, fd, arg); 490 syscall_check_list(new_list, callback, fd, arg, ptrarg);
481 } 491 }
482 else { 492 else {
483 syscall_process_name(ptr, &syscall_nr, &error_nr); 493 syscall_process_name(ptr, &syscall_nr, &error_nr);
@@ -487,9 +497,9 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
487 } 497 }
488 else if (callback != NULL) { 498 else if (callback != NULL) {
489 if (error_nr != -1) 499 if (error_nr != -1)
490 filter_add_errno(fd, syscall_nr, error_nr); 500 filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
491 else 501 else
492 callback(fd, syscall_nr, arg); 502 callback(fd, syscall_nr, arg, ptrarg);
493 } 503 }
494 } 504 }
495 ptr = strtok_r(NULL, ",", &saveptr); 505 ptr = strtok_r(NULL, ",", &saveptr);
@@ -498,3 +508,49 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
498 free(str); 508 free(str);
499 return 0; 509 return 0;
500} 510}
511
512static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
513 (void)fd;
514 SyscallCheckList *ptr = ptrarg;
515 if (syscall == ptr->syscall)
516 ptr->found = true;
517}
518
519// go through list2 and find matches for problem syscall
520static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
521 (void)arg;
522 SyscallCheckList *ptr = ptrarg;
523 SyscallCheckList sl;
524 sl.found = false;
525 sl.syscall = syscall;
526 syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
527 // if found in the problem list, add to post-exec list
528 if (sl.found)
529 if (ptr->postlist) {
530 if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
531 errExit("asprintf");
532 }
533 else
534 ptr->postlist = strdup(syscall_find_nr(syscall));
535 else // no problem, add to pre-exec list
536 if (ptr->prelist) {
537 if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, syscall_find_nr(syscall)) == -1)
538 errExit("asprintf");
539 }
540 else
541 ptr->prelist = strdup(syscall_find_nr(syscall));
542}
543
544// go through list and find matches for syscalls in list @default-keep
545void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist) {
546 SyscallCheckList sl;
547 // these syscalls are used by firejail after the seccomp filter is initialized
548 sl.slist = slist;
549 sl.prelist = NULL;
550 sl.postlist = NULL;
551 syscall_check_list(list, syscall_in_list, 0, 0, &sl);
552 if (!arg_quiet)
553 printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist);
554 *prelist = sl.prelist;
555 *postlist = sl.postlist;
556}
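Review bot: The `asprintf(&ptr->postlist, "%s,%s", ptr->postlist, ...)` call in syscall_in_list (new line 530, and the same pattern for prelist on line 537) overwrites the pointer to the previous buffer without freeing it, leaking one allocation per appended syscall; save it first with `char *old = ptr->postlist;`, pass `old` as the format argument, and `free(old);` after the successful asprintf. In syscalls_in_list the diagnostic printf on line 553 passes `sl.prelist`/`sl.postlist` to `%s` when either may be NULL; glibc prints "(null)" (the man page example shows exactly that) but the behaviour is undefined in C, so substitute `sl.prelist ? sl.prelist : "(null)"` to keep the output and remove the UB. find_syscall (line 512) also leaves `arg` without the `(void)arg;` cast its sibling callbacks use.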
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
new file mode 100644
index 000000000..92803342c
--- /dev/null
+++ b/src/libpostexecseccomp/Makefile.in
@@ -0,0 +1,26 @@
1CC=@CC@
2PREFIX=@prefix@
3VERSION=@PACKAGE_VERSION@
4NAME=@PACKAGE_NAME@
5HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
6
7H_FILE_LIST = $(sort $(wildcard *.[h]))
8C_FILE_LIST = $(sort $(wildcard *.c))
9OBJS = $(C_FILE_LIST:.c=.o)
10BINOBJS = $(foreach file, $(OBJS), $file)
11CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
12LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
13
14all: libpostexecseccomp.so
15
16%.o : %.c $(H_FILE_LIST)
17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
18
19libpostexecseccomp.so: $(OBJS)
20 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
21
22
23clean:; rm -f $(OBJS) libpostexecseccomp.so
24
25distclean: clean
26 rm -fr Makefile
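Review bot: LDFLAGS on line 12 carries `-pie`, yet the only link rule (line 20) builds a shared object with `-shared`; the two are contradictory for this target and, depending on the toolchain, `-pie` is either silently ignored or produces a warning, so drop `-pie` from this Makefile's LDFLAGS. The same link line repeats `-z relro` after `-Wl,-z,relro` from LDFLAGS, and `BINOBJS` (line 10) is defined but never used; both look copied from the executable Makefiles and can go.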
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
new file mode 100644
index 000000000..2c9d02c84
--- /dev/null
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -0,0 +1,54 @@
1/*
2 * Copyright (C) 2017 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#include "libpostexecseccomp.h"
21#include "../include/seccomp.h"
22#include <fcntl.h>
23#include <linux/filter.h>
24#include <sys/mman.h>
25#include <sys/prctl.h>
26#include <unistd.h>
27
28__attribute__((constructor))
29static void load_seccomp(void) {
30 int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
31 if (fd == -1)
32 return;
33
34 int size = lseek(fd, 0, SEEK_END);
35 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
36 struct sock_filter *filter = MAP_FAILED;
37 if (size != 0)
38 filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
39
40 close(fd);
41
42 if (size == 0 || filter == MAP_FAILED)
43 return;
44
45 // install filter
46 struct sock_fprog prog = {
47 .len = entries,
48 .filter = filter,
49 };
50
51 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
52 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
53 munmap(filter, size);
54}
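Review bot: Both prctl() calls in load_seccomp (new lines 51–52) ignore their return value, so when the filter file exists but installation fails the process continues with no post-exec policy and no diagnostic — the constructor fails open silently, and the same holds for the early returns on lseek/mmap failure. Unless best-effort is intended, check the results and fail closed with a short write(2) message and _exit(1), as in the excerpt below. Separately, `entries` on line 35 narrows `size` to unsigned short before dividing by sizeof(struct sock_filter); divide first and narrow the quotient, and a size that is not a multiple of sizeof(struct sock_filter) should be rejected rather than silently truncated. Since the library relies on being loaded into the target process before main() (the loading mechanism is outside this file), a header comment stating that the post-exec filter only takes effect in processes that load it would help maintainers.
```c
static void load_seccomp(void) {
	// … unchanged: open (return if the file is absent), lseek, mmap, close …

	if (size == 0)
		return;		// empty filter file: nothing to enforce

	// fail closed from here on: a corrupt filter or a failed prctl() must not
	// leave the process running without the policy it was launched with
	static const char msg[] = "Error: cannot install post-exec seccomp filter\n";
	if (size < 0 || filter == MAP_FAILED || size % sizeof(struct sock_filter) != 0) {
		(void) write(2, msg, sizeof(msg) - 1);
		_exit(1);
	}

	// divide before narrowing; casting size to unsigned short first truncates the byte count
	struct sock_fprog prog = {
		.len = (unsigned short) (size / sizeof(struct sock_filter)),
		.filter = filter,
	};

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
		(void) write(2, msg, sizeof(msg) - 1);
		_exit(1);
	}
	munmap(filter, size);
}
```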
diff --git a/src/libpostexecseccomp/libpostexecseccomp.h b/src/libpostexecseccomp/libpostexecseccomp.h
new file mode 100644
index 000000000..c4aca540a
--- /dev/null
+++ b/src/libpostexecseccomp/libpostexecseccomp.h
@@ -0,0 +1,25 @@
1/*
2 * Copyright (C) 2017 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#ifndef LIBPOSTEXECSECCOMP_H
21#define LIBPOSTEXECSECCOMP_H
22
23#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec"
24
25#endif
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f446f37b8..5bd4f6ef8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -411,6 +411,9 @@ env LD_LIBRARY_PATH=/opt/test/lib
411env CFLAGS="-W -Wall -Werror" 411env CFLAGS="-W -Wall -Werror"
412 412
413.TP 413.TP
414\fBnodvd
415Disable DVD and audio CD devices.
416.TP
414\fBnogroups 417\fBnogroups
415Disable supplementary user groups 418Disable supplementary user groups
416.TP 419.TP
@@ -423,6 +426,9 @@ Enable IPC namespace.
423\fBnosound 426\fBnosound
424Disable sound system. 427Disable sound system.
425.TP 428.TP
429\fBnotv
430Disable DVB (Digital Video Broadcasting) TV devices.
431.TP
426\fBnovideo 432\fBnovideo
427Disable video devices. 433Disable video devices.
428.TP 434.TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bf18167b2..be73429bc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -974,6 +974,15 @@ $ nc dict.org 2628
974220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 974220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
975.br 975.br
976.TP 976.TP
977\fB\-\-nodvd
978Disable DVD and audio CD devices.
979.br
980
981.br
982Example:
983.br
984$ firejail \-\-nodvd
985.TP
977\fB\-\-noexec=dirname_or_filename 986\fB\-\-noexec=dirname_or_filename
978Remount directory or file noexec, nodev and nosuid. 987Remount directory or file noexec, nodev and nosuid.
979.br 988.br
@@ -1084,6 +1093,16 @@ Example:
1084$ firejail \-\-nosound firefox 1093$ firejail \-\-nosound firefox
1085 1094
1086.TP 1095.TP
1096\fB\-\-notv
1097Disable DVB (Digital Video Broadcasting) TV devices.
1098.br
1099
1100.br
1101Example:
1102.br
1103$ firejail \-\-notv vlc
1104
1105.TP
1087\fB\-\-novideo 1106\fB\-\-novideo
1088Disable video devices. 1107Disable video devices.
1089.br 1108.br
@@ -1120,6 +1139,10 @@ $ ls -l sandboxlog*
1120-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5 1139-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1121 1140
1122.TP 1141.TP
1142\fB\-\-output-stderr=logfile
1143Similar to \-\-output, but stderr is also stored.
1144
1145.TP
1123\fB\-\-overlay 1146\fB\-\-overlay
1124Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, 1147Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
1125the system directories are mounted read-write. All filesystem modifications go into the overlay. 1148the system directories are mounted read-write. All filesystem modifications go into the overlay.
@@ -1555,6 +1578,32 @@ $ rm testfile
1555rm: cannot remove `testfile': Operation not permitted 1578rm: cannot remove `testfile': Operation not permitted
1556.br 1579.br
1557 1580
1581.br
1582If the blocked system calls would also block Firejail from operating,
1583they are handled by adding a preloaded library which performs seccomp
1584system calls later.
1585.br
1586
1587.br
1588Example:
1589.br
1590
1591.br
1592$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
1593.br
1594Parent pid 32751, child pid 32752
1595.br
1596Post-exec seccomp protector enabled
1597.br
1598list in: execve, check list: @default-keep prelist: (null), postlist: execve
1599.br
1600Child process initialized in 46.44 ms
1601.br
1602$ ls
1603.br
1604Bad system call
1605.br
1606
1558.TP 1607.TP
1559\fB\-\-seccomp.drop=syscall,syscall,syscall 1608\fB\-\-seccomp.drop=syscall,syscall,syscall
1560Enable seccomp filter, and blacklist the syscalls specified by the command. 1609Enable seccomp filter, and blacklist the syscalls specified by the command.