diff options
293 files changed, 1113 insertions, 717 deletions
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..6b329f917 --- /dev/null +++ b/.gitattributes | |||
@@ -0,0 +1 @@ | |||
/etc/inc/*.inc linguist-language=text | |||
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml new file mode 100644 index 000000000..951a8b8cf --- /dev/null +++ b/.github/workflows/profile-checks.yml | |||
@@ -0,0 +1,31 @@ | |||
1 | name: Profile Checks | ||
2 | |||
3 | on: | ||
4 | push: | ||
5 | branches: [ master ] | ||
6 | paths: | ||
7 | - 'etc/**' | ||
8 | - 'ci/check/profiles/**' | ||
9 | - 'src/firecfg/firecfg.config' | ||
10 | - 'contrib/sort.py' | ||
11 | pull_request: | ||
12 | branches: [ master ] | ||
13 | paths: | ||
14 | - 'etc/**' | ||
15 | - 'ci/check/profiles/**' | ||
16 | - 'src/firecfg/firecfg.config' | ||
17 | - 'contrib/sort.py' | ||
18 | |||
19 | jobs: | ||
20 | profile-checks: | ||
21 | runs-on: ubuntu-20.04 | ||
22 | steps: | ||
23 | - uses: actions/checkout@v2 | ||
24 | - name: sort.py | ||
25 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
26 | - name: private-etc-always-required.sh | ||
27 | run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | ||
28 | - name: sort-disable-programs.sh | ||
29 | run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc | ||
30 | - name: sort-firecfg.config.sh | ||
31 | run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config | ||
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml deleted file mode 100644 index cfa40d2d2..000000000 --- a/.github/workflows/sort.yml +++ /dev/null | |||
@@ -1,21 +0,0 @@ | |||
1 | name: sort.py | ||
2 | |||
3 | on: | ||
4 | push: | ||
5 | branches: [ master ] | ||
6 | paths: | ||
7 | - 'etc/**' | ||
8 | - 'contrib/sort.py' | ||
9 | pull_request: | ||
10 | branches: [ master ] | ||
11 | paths: | ||
12 | - 'etc/**' | ||
13 | - 'contrib/sort.py' | ||
14 | |||
15 | jobs: | ||
16 | profile-sort: | ||
17 | runs-on: ubuntu-20.04 | ||
18 | steps: | ||
19 | - uses: actions/checkout@v2 | ||
20 | - name: check profiles | ||
21 | run: ./contrib/sort.py etc/*/{*.inc,*.profile} | ||
diff --git a/Makefile.in b/Makefile.in index 11193122d..ddc63c1af 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -116,7 +116,7 @@ endif | |||
116 | install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) | 116 | install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) |
117 | # libraries and plugins | 117 | # libraries and plugins |
118 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 118 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
119 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 119 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) |
120 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 120 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
121 | # plugins w/o read permission (non-dumpable) | 121 | # plugins w/o read permission (non-dumpable) |
122 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | 122 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) |
@@ -135,6 +135,7 @@ endif | |||
135 | install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/* | 135 | install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/* |
136 | # profiles and settings | 136 | # profiles and settings |
137 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail | 137 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail |
138 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | ||
138 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config | 139 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config |
139 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 140 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
140 | ifeq ($(BUSYBOX_WORKAROUND),yes) | 141 | ifeq ($(BUSYBOX_WORKAROUND),yes) |
@@ -467,6 +467,8 @@ hhzek0014 (https://github.com/hhzek0014) | |||
467 | - updated bibletime.profile | 467 | - updated bibletime.profile |
468 | hlein (https://github.com/hlein) | 468 | hlein (https://github.com/hlein) |
469 | - strip out \r's from jail prober | 469 | - strip out \r's from jail prober |
470 | - make env/arg sanity check failure messages more useful | ||
471 | - relocate firecfg.config to /etc/firejail/ | ||
470 | Holger Heinz (https://github.com/hheinz) | 472 | Holger Heinz (https://github.com/hheinz) |
471 | - manpage work | 473 | - manpage work |
472 | Haowei Yu (https://github.com/sfc-gh-hyu) | 474 | Haowei Yu (https://github.com/sfc-gh-hyu) |
@@ -504,6 +506,8 @@ Jan-Niclas (https://github.com/0x6a61) | |||
504 | - moved rules from firefox-common.profile to firefox.profile | 506 | - moved rules from firefox-common.profile to firefox.profile |
505 | - blacklist /*firefox* except for firefox itself | 507 | - blacklist /*firefox* except for firefox itself |
506 | - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox | 508 | - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox |
509 | Jan Sonntag (https://github.com/jmetrius) | ||
510 | - added OpenStego profile | ||
507 | Jean Lucas (https://github.com/flacks) | 511 | Jean Lucas (https://github.com/flacks) |
508 | - fix Discord profile | 512 | - fix Discord profile |
509 | - add AnyDesk profile | 513 | - add AnyDesk profile |
@@ -96,7 +96,7 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca | |||
96 | 96 | ||
97 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. | 97 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. |
98 | 98 | ||
99 | The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package. | 99 | The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. |
100 | 100 | ||
101 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: | 101 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: |
102 | 102 | ||
@@ -150,7 +150,7 @@ PulseAudio changes. | |||
150 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 150 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. |
151 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 151 | The integration applies to any program supported by default by Firejail. There are about 250 default applications |
152 | in current Firejail version, and the number goes up with every new release. | 152 | in current Firejail version, and the number goes up with every new release. |
153 | We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 153 | We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. |
154 | 154 | ||
155 | ## Security profiles | 155 | ## Security profiles |
156 | 156 | ||
@@ -183,34 +183,78 @@ in order to give users a chance to switch their local profiles. | |||
183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | 183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 |
184 | 184 | ||
185 | ### Intrusion Detection System ### | 185 | ### Intrusion Detection System ### |
186 | |||
187 | We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config), | ||
188 | and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids. | ||
189 | The program runs as regular user, each user has his own file in /var/lib/firejail. | ||
190 | |||
191 | Initialize the database: | ||
192 | ````` | 186 | ````` |
193 | $ firejail --ids-init | 187 | --ids-check |
194 | Loading /etc/firejail/ids.config config file | 188 | Check file hashes previously generated by --ids-check. See IN‐ |
195 | 500 1000 1500 2000 | 189 | TRUSION DETECTION SYSTEM section for more details. |
196 | 2457 files scanned | 190 | |
197 | IDS database initialized | 191 | Example: |
192 | $ firejail --ids-check | ||
193 | |||
194 | --ids-init | ||
195 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
196 | for more details. | ||
197 | |||
198 | Example: | ||
199 | $ firejail --ids-init | ||
200 | |||
201 | INTRUSION DETECTION SYSTEM (IDS) | ||
202 | The host-based intrusion detection system tracks down and audits user | ||
203 | and system file modifications. The feature is configured using | ||
204 | /etc/firejail/ids.config file, the checksums are stored in | ||
205 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
206 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
207 | |||
208 | As a regular user, initialize the database: | ||
209 | |||
210 | $ firejail --ids-init | ||
211 | Opening config file /etc/firejail/ids.config | ||
212 | Loading config file /etc/firejail/ids.config | ||
213 | Opening config file /etc/firejail/ids.config.local | ||
214 | 500 1000 1500 2000 | ||
215 | 2466 files scanned | ||
216 | IDS database initialized | ||
217 | |||
218 | The default configuration targets several system executables in direc‐ | ||
219 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
220 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
221 | ~/.config/autostart. Several system config files in /etc directory are | ||
222 | also hashed. | ||
223 | |||
224 | Run --ids-check to audit the system: | ||
225 | |||
226 | $ firejail --ids-check | ||
227 | Opening config file /etc/firejail/ids.config | ||
228 | Loading config file /etc/firejail/ids.config | ||
229 | Opening config file /etc/firejail/ids.config.local | ||
230 | 500 1000 1500 | ||
231 | Warning: modified /home/netblue/.bashrc | ||
232 | 2000 | ||
233 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
234 | |||
235 | The program will print the files that have been modified since the | ||
236 | database was created, or the files with different access permissions. | ||
237 | New files and deleted files are also flagged. | ||
238 | |||
239 | Currently while scanning the file system symbolic links are not fol‐ | ||
240 | lowed, and files the user doesn't have read access to are silently | ||
241 | dropped. The program can also be run as root (sudo firejail --ids- | ||
242 | init/--ids-check). | ||
243 | |||
198 | ````` | 244 | ````` |
199 | 245 | ||
200 | Later, we check it: | 246 | ### Deteministic Shutdown |
201 | ````` | 247 | ````` |
202 | $ firejail --ids-check | 248 | --deterministic-exit-code |
203 | Loading /etc/firejail/ids.config config file | 249 | Always exit firejail with the first child's exit status. The de‐ |
204 | 500 1000 1500 | 250 | fault behavior is to use the exit status of the final child to |
205 | Warning: modified /home/netblue/.bashrc | 251 | exit, which can be nondeterministic. |
206 | 2000 | 252 | |
207 | 2457 files scanned: modified 1, permissions 0, new 0, removed 0 | 253 | --deterministic-shutdown |
254 | Always shut down the sandbox after the first child has termi‐ | ||
255 | nated. The default behavior is to keep the sandbox alive as long | ||
256 | as it contains running processes. | ||
208 | ````` | 257 | ````` |
209 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
210 | New files and deleted files are also flagged. | ||
211 | |||
212 | Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
213 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
214 | 258 | ||
215 | ### Profile Statistics | 259 | ### Profile Statistics |
216 | 260 | ||
@@ -248,4 +292,4 @@ $ ./profstats *.profile | |||
248 | ### New profiles: | 292 | ### New profiles: |
249 | 293 | ||
250 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, | 294 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, |
251 | cmake, make, meson, pip, codium | 295 | cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser |
@@ -1,6 +1,10 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | 1 | firejail (0.9.67) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * exit code: distinguish fatal signals by adding 128 | 3 | * exit code: distinguish fatal signals by adding 128 |
4 | * intrusion detection system (--ids-init, --ids-check) | ||
5 | * deterministic shutdown (--deterministic-exit-code, | ||
6 | --deterministic-shutdown) | ||
7 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) | ||
4 | * deprecated --disable-whitelist at compile time | 8 | * deprecated --disable-whitelist at compile time |
5 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 9 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config |
6 | * new condition: ALLOW_TRAY | 10 | * new condition: ALLOW_TRAY |
@@ -10,7 +14,8 @@ firejail (0.9.67) baseline; urgency=low | |||
10 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim | 14 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
11 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl | 15 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl |
12 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake | 16 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake |
13 | * new profiles: make, meson, pip, codium | 17 | * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego |
18 | * new profiles: imv, retroarch, torbrowser | ||
14 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 | 19 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 |
15 | 20 | ||
16 | firejail (0.9.66) baseline; urgency=low | 21 | firejail (0.9.66) baseline; urgency=low |
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh new file mode 100755 index 000000000..892b15aa4 --- /dev/null +++ b/ci/check/profiles/private-etc-always-required.sh | |||
@@ -0,0 +1,15 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload) | ||
4 | |||
5 | error=0 | ||
6 | while IFS=: read -r profile private_etc; do | ||
7 | for required in "${ALWAYS_REQUIRED[@]}"; do | ||
8 | if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then | ||
9 | printf '%s misses %s\n' "$profile" "$required" >&2 | ||
10 | error=1 | ||
11 | fi | ||
12 | done | ||
13 | done < <(grep "^private-etc " "$@") | ||
14 | |||
15 | exit "$error" | ||
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh new file mode 100755 index 000000000..d81ee75d7 --- /dev/null +++ b/ci/check/profiles/sort-disable-programs.sh | |||
@@ -0,0 +1,2 @@ | |||
1 | #!/bin/sh | ||
2 | tail -n +5 "$1" | LC_ALL=C sort -c -u | ||
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh new file mode 100755 index 000000000..17a595350 --- /dev/null +++ b/ci/check/profiles/sort-firecfg.config.sh | |||
@@ -0,0 +1,2 @@ | |||
1 | #!/bin/sh | ||
2 | tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d | ||
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py new file mode 120000 index 000000000..e1f3f5f16 --- /dev/null +++ b/ci/check/profiles/sort.py | |||
@@ -0,0 +1 @@ | |||
../../../contrib/sort.py \ No newline at end of file | |||
@@ -1533,52 +1533,6 @@ fi | |||
1533 | 1533 | ||
1534 | } # ac_fn_c_try_compile | 1534 | } # ac_fn_c_try_compile |
1535 | 1535 | ||
1536 | # ac_fn_c_try_link LINENO | ||
1537 | # ----------------------- | ||
1538 | # Try to link conftest.$ac_ext, and return whether this succeeded. | ||
1539 | ac_fn_c_try_link () | ||
1540 | { | ||
1541 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | ||
1542 | rm -f conftest.$ac_objext conftest$ac_exeext | ||
1543 | if { { ac_try="$ac_link" | ||
1544 | case "(($ac_try" in | ||
1545 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
1546 | *) ac_try_echo=$ac_try;; | ||
1547 | esac | ||
1548 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | ||
1549 | $as_echo "$ac_try_echo"; } >&5 | ||
1550 | (eval "$ac_link") 2>conftest.err | ||
1551 | ac_status=$? | ||
1552 | if test -s conftest.err; then | ||
1553 | grep -v '^ *+' conftest.err >conftest.er1 | ||
1554 | cat conftest.er1 >&5 | ||
1555 | mv -f conftest.er1 conftest.err | ||
1556 | fi | ||
1557 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | ||
1558 | test $ac_status = 0; } && { | ||
1559 | test -z "$ac_c_werror_flag" || | ||
1560 | test ! -s conftest.err | ||
1561 | } && test -s conftest$ac_exeext && { | ||
1562 | test "$cross_compiling" = yes || | ||
1563 | test -x conftest$ac_exeext | ||
1564 | }; then : | ||
1565 | ac_retval=0 | ||
1566 | else | ||
1567 | $as_echo "$as_me: failed program was:" >&5 | ||
1568 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
1569 | |||
1570 | ac_retval=1 | ||
1571 | fi | ||
1572 | # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information | ||
1573 | # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would | ||
1574 | # interfere with the next link command; also delete a directory that is | ||
1575 | # left behind by Apple's compiler. We do this before executing the actions. | ||
1576 | rm -rf conftest.dSYM conftest_ipa8_conftest.oo | ||
1577 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | ||
1578 | as_fn_set_status $ac_retval | ||
1579 | |||
1580 | } # ac_fn_c_try_link | ||
1581 | |||
1582 | # ac_fn_c_try_cpp LINENO | 1536 | # ac_fn_c_try_cpp LINENO |
1583 | # ---------------------- | 1537 | # ---------------------- |
1584 | # Try to preprocess conftest.$ac_ext, and return whether this succeeded. | 1538 | # Try to preprocess conftest.$ac_ext, and return whether this succeeded. |
@@ -3938,51 +3892,6 @@ if test "x$enable_lts" = "xyes"; then : | |||
3938 | 3892 | ||
3939 | fi | 3893 | fi |
3940 | 3894 | ||
3941 | |||
3942 | |||
3943 | |||
3944 | # checking pthread library | ||
3945 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | ||
3946 | $as_echo_n "checking for main in -lpthread... " >&6; } | ||
3947 | if ${ac_cv_lib_pthread_main+:} false; then : | ||
3948 | $as_echo_n "(cached) " >&6 | ||
3949 | else | ||
3950 | ac_check_lib_save_LIBS=$LIBS | ||
3951 | LIBS="-lpthread $LIBS" | ||
3952 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
3953 | /* end confdefs.h. */ | ||
3954 | |||
3955 | |||
3956 | int | ||
3957 | main () | ||
3958 | { | ||
3959 | return main (); | ||
3960 | ; | ||
3961 | return 0; | ||
3962 | } | ||
3963 | _ACEOF | ||
3964 | if ac_fn_c_try_link "$LINENO"; then : | ||
3965 | ac_cv_lib_pthread_main=yes | ||
3966 | else | ||
3967 | ac_cv_lib_pthread_main=no | ||
3968 | fi | ||
3969 | rm -f core conftest.err conftest.$ac_objext \ | ||
3970 | conftest$ac_exeext conftest.$ac_ext | ||
3971 | LIBS=$ac_check_lib_save_LIBS | ||
3972 | fi | ||
3973 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 | ||
3974 | $as_echo "$ac_cv_lib_pthread_main" >&6; } | ||
3975 | if test "x$ac_cv_lib_pthread_main" = xyes; then : | ||
3976 | cat >>confdefs.h <<_ACEOF | ||
3977 | #define HAVE_LIBPTHREAD 1 | ||
3978 | _ACEOF | ||
3979 | |||
3980 | LIBS="-lpthread $LIBS" | ||
3981 | |||
3982 | else | ||
3983 | as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 | ||
3984 | fi | ||
3985 | |||
3986 | ac_ext=c | 3895 | ac_ext=c |
3987 | ac_cpp='$CPP $CPPFLAGS' | 3896 | ac_cpp='$CPP $CPPFLAGS' |
3988 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | 3897 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' |
@@ -4380,14 +4289,6 @@ fi | |||
4380 | done | 4289 | done |
4381 | 4290 | ||
4382 | 4291 | ||
4383 | ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" | ||
4384 | if test "x$ac_cv_header_pthread_h" = xyes; then : | ||
4385 | |||
4386 | else | ||
4387 | as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 | ||
4388 | fi | ||
4389 | |||
4390 | |||
4391 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" | 4292 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" |
4392 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : | 4293 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : |
4393 | 4294 | ||
diff --git a/configure.ac b/configure.ac index fc5823143..5ef97cbd0 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -291,12 +291,6 @@ AS_IF([test "x$enable_lts" = "xyes"], [ | |||
291 | AC_SUBST(HAVE_CONTRIB_INSTALL) | 291 | AC_SUBST(HAVE_CONTRIB_INSTALL) |
292 | ]) | 292 | ]) |
293 | 293 | ||
294 | |||
295 | |||
296 | |||
297 | # checking pthread library | ||
298 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | ||
299 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | ||
300 | AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])) | 294 | AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])) |
301 | 295 | ||
302 | # set sysconfdir | 296 | # set sysconfdir |
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index fa80a9c00..bcaa85a9c 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
51 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 51 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
52 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 52 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
53 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 53 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
54 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 54 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
55 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 55 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
56 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | 56 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained |
57 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained | 57 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained |
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base index 41e4ac2bf..6e286d4af 100644 --- a/etc/apparmor/firejail-base +++ b/etc/apparmor/firejail-base | |||
@@ -1,26 +1,27 @@ | |||
1 | ######################################### | 1 | ######################################### |
2 | # Firejail base abstraction drop-in | 2 | # Firejail base abstraction drop-in |
3 | ######################################### | 3 | # |
4 | |||
5 | # Adds basic Firejail support to AppArmor profiles. | 4 | # Adds basic Firejail support to AppArmor profiles. |
6 | # Please note: Firejail's nonewprivs and seccomp options | 5 | # Please note: Firejail's nonewprivs and seccomp options |
7 | # are not compatible with AppArmor profile transitions. | 6 | # are not compatible with AppArmor profile transitions. |
7 | # Also there is no support for Firejail chroot options. | ||
8 | ######################################### | ||
8 | 9 | ||
9 | # Discovery of process names | 10 | # Discovery of process names |
10 | owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r, | 11 | owner /proc/@{pid}/comm r, |
11 | 12 | ||
12 | ########## | 13 | ########## |
13 | # Following paths only exist inside a Firejail sandbox | 14 | # Following paths only exist inside a Firejail sandbox |
14 | ########## | 15 | ########## |
15 | 16 | ||
16 | # Library preloading | 17 | # Library preloading |
17 | /{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr, | 18 | /{,var/}run/firejail/lib/*.so mr, |
18 | 19 | ||
19 | # Supporting seccomp | 20 | # Supporting seccomp |
20 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, | 21 | owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, |
21 | 22 | ||
22 | # Supporting trace | 23 | # Supporting trace |
23 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, | 24 | owner /{,var/}run/firejail/mnt/trace w, |
24 | 25 | ||
25 | # Supporting tracelog | 26 | # Supporting tracelog |
26 | /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r, | 27 | /{,var/}run/firejail/mnt/fslogger r, |
diff --git a/etc/ids.config b/etc/ids.config index 09b0ae912..ff55416ca 100644 --- a/etc/ids.config +++ b/etc/ids.config | |||
@@ -37,6 +37,7 @@ include ids.config.local | |||
37 | 37 | ||
38 | ### shells local ### | 38 | ### shells local ### |
39 | # bash | 39 | # bash |
40 | ${HOME}/.bash_aliases | ||
40 | ${HOME}/.bash_login | 41 | ${HOME}/.bash_login |
41 | ${HOME}/.bash_logout | 42 | ${HOME}/.bash_logout |
42 | ${HOME}/.bash_profile | 43 | ${HOME}/.bash_profile |
@@ -99,10 +100,24 @@ ${HOME}/.xsessionrc | |||
99 | ### window/desktop manager ### | 100 | ### window/desktop manager ### |
100 | ${HOME}/Desktop/*.desktop | 101 | ${HOME}/Desktop/*.desktop |
101 | ${HOME}/.config/autostart | 102 | ${HOME}/.config/autostart |
103 | ${HOME}/.config/autostart-scripts | ||
102 | ${HOME}/.config/lxsession/LXDE/autostart | 104 | ${HOME}/.config/lxsession/LXDE/autostart |
105 | ${HOME}/.config/openbox/autostart | ||
106 | ${HOME}/.config/openbox/environment | ||
107 | ${HOME}/.config/plasma-workspace/env | ||
108 | ${HOME}/.config/plasma-workspace/shutdown | ||
103 | ${HOME}/.gnomerc | 109 | ${HOME}/.gnomerc |
104 | ${HOME}/.gtkrc | 110 | ${HOME}/.gtkrc |
111 | ${HOME}/.kde/Autostart | ||
112 | ${HOME}/.kde/env | ||
113 | ${HOME}/.kde/share/autostart | ||
114 | ${HOME}/.kde/shutdown | ||
115 | ${HOME}/.kde4/Autostart | ||
116 | ${HOME}/.kde4/env | ||
117 | ${HOME}/.kde4/share/autostart | ||
118 | ${HOME}/.kde4/shutdown | ||
105 | ${HOME}/.kderc | 119 | ${HOME}/.kderc |
120 | ${HOME}/.local/share/autostart | ||
106 | 121 | ||
107 | ### security ### | 122 | ### security ### |
108 | /etc/aide | 123 | /etc/aide |
@@ -123,6 +138,7 @@ ${HOME}/.kderc | |||
123 | /etc/tripwire | 138 | /etc/tripwire |
124 | ${HOME}/.config/firejail | 139 | ${HOME}/.config/firejail |
125 | ${HOME}/.gnupg | 140 | ${HOME}/.gnupg |
141 | ${HOME}/.pam_environment | ||
126 | 142 | ||
127 | ### network security ### | 143 | ### network security ### |
128 | /etc/ca-certificates* | 144 | /etc/ca-certificates* |
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc index 67c78a483..5d41e6607 100644 --- a/etc/inc/allow-ssh.inc +++ b/etc/inc/allow-ssh.inc | |||
@@ -5,4 +5,11 @@ include allow-ssh.local | |||
5 | noblacklist ${HOME}/.ssh | 5 | noblacklist ${HOME}/.ssh |
6 | noblacklist /etc/ssh | 6 | noblacklist /etc/ssh |
7 | noblacklist /etc/ssh/ssh_config | 7 | noblacklist /etc/ssh/ssh_config |
8 | noblacklist ${PATH}/ssh | ||
8 | noblacklist /tmp/ssh-* | 9 | noblacklist /tmp/ssh-* |
10 | # Arch Linux and derivatives | ||
11 | noblacklist /usr/lib/ssh | ||
12 | # Debian/Ubuntu and derivatives | ||
13 | noblacklist /usr/lib/openssh | ||
14 | # Fedora and derivatives | ||
15 | noblacklist /usr/libexec/openssh | ||
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index ae84ee38a..7d18ce82e 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -16,6 +16,7 @@ blacklist-nolog ${HOME}/.history | |||
16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | 16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper |
17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | 17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper |
18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
19 | blacklist-nolog ${HOME}/.local/share/ibus-typing-booster | ||
19 | blacklist-nolog ${HOME}/.local/share/klipper | 20 | blacklist-nolog ${HOME}/.local/share/klipper |
20 | blacklist-nolog ${HOME}/.macromedia | 21 | blacklist-nolog ${HOME}/.macromedia |
21 | blacklist-nolog ${HOME}/.mupdf.history | 22 | blacklist-nolog ${HOME}/.mupdf.history |
@@ -430,6 +431,7 @@ blacklist ${HOME}/.pki | |||
430 | blacklist ${HOME}/.smbcredentials | 431 | blacklist ${HOME}/.smbcredentials |
431 | blacklist ${HOME}/.ssh | 432 | blacklist ${HOME}/.ssh |
432 | blacklist ${HOME}/.vaults | 433 | blacklist ${HOME}/.vaults |
434 | blacklist /run/timeshift | ||
433 | blacklist /var/backup | 435 | blacklist /var/backup |
434 | 436 | ||
435 | # Remove environment variables with auth tokens. | 437 | # Remove environment variables with auth tokens. |
@@ -458,7 +460,7 @@ blacklist /sbin | |||
458 | blacklist /usr/local/sbin | 460 | blacklist /usr/local/sbin |
459 | blacklist /usr/sbin | 461 | blacklist /usr/sbin |
460 | 462 | ||
461 | # system management | 463 | # system management and various SUID executables |
462 | blacklist ${PATH}/at | 464 | blacklist ${PATH}/at |
463 | blacklist ${PATH}/busybox | 465 | blacklist ${PATH}/busybox |
464 | blacklist ${PATH}/chage | 466 | blacklist ${PATH}/chage |
@@ -493,6 +495,25 @@ blacklist ${PATH}/umount | |||
493 | blacklist ${PATH}/unix_chkpwd | 495 | blacklist ${PATH}/unix_chkpwd |
494 | blacklist ${PATH}/xev | 496 | blacklist ${PATH}/xev |
495 | blacklist ${PATH}/xinput | 497 | blacklist ${PATH}/xinput |
498 | # from 0.9.67 | ||
499 | blacklist /usr/lib/openssh | ||
500 | blacklist /usr/lib/ssh | ||
501 | blacklist /usr/libexec/openssh | ||
502 | blacklist ${PATH}/passwd | ||
503 | blacklist /usr/lib/xorg/Xorg.wrap | ||
504 | blacklist /usr/lib/policykit-1/polkit-agent-helper-1 | ||
505 | blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper | ||
506 | blacklist /usr/lib/eject/dmcrypt-get-device | ||
507 | blacklist /usr/lib/chromium/chrome-sandbox | ||
508 | blacklist /usr/lib/vmware | ||
509 | blacklist ${PATH}/suexec | ||
510 | blacklist /usr/lib/squid/basic_pam_auth | ||
511 | blacklist ${PATH}/slock | ||
512 | blacklist ${PATH}/physlock | ||
513 | blacklist ${PATH}/schroot | ||
514 | blacklist ${PATH}/wshowkeys | ||
515 | blacklist ${PATH}/pmount | ||
516 | blacklist ${PATH}/pumount | ||
496 | 517 | ||
497 | # other SUID binaries | 518 | # other SUID binaries |
498 | blacklist /usr/lib/virtualbox | 519 | blacklist /usr/lib/virtualbox |
@@ -563,8 +584,7 @@ blacklist ${HOME}/sent | |||
563 | # kernel configuration | 584 | # kernel configuration |
564 | blacklist /proc/config.gz | 585 | blacklist /proc/config.gz |
565 | 586 | ||
566 | # prevent DNS malware attempting to communicate with the server | 587 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
567 | # using regular DNS tools | ||
568 | blacklist ${PATH}/dig | 588 | blacklist ${PATH}/dig |
569 | blacklist ${PATH}/dlint | 589 | blacklist ${PATH}/dlint |
570 | blacklist ${PATH}/dns2tcp | 590 | blacklist ${PATH}/dns2tcp |
@@ -582,8 +602,14 @@ blacklist ${PATH}/nslookup | |||
582 | blacklist ${PATH}/resolvectl | 602 | blacklist ${PATH}/resolvectl |
583 | blacklist ${PATH}/unbound-host | 603 | blacklist ${PATH}/unbound-host |
584 | 604 | ||
605 | # prevent an intruder to guess passwords using regular network tools | ||
606 | blacklist ${PATH}/ftp | ||
607 | blacklist ${PATH}/ssh | ||
608 | blacklist ${PATH}/telnet | ||
609 | |||
585 | # rest of ${RUNUSER} | 610 | # rest of ${RUNUSER} |
586 | blacklist ${RUNUSER}/*.lock | 611 | blacklist ${RUNUSER}/*.lock |
587 | blacklist ${RUNUSER}/inaccessible | 612 | blacklist ${RUNUSER}/inaccessible |
588 | blacklist ${RUNUSER}/pk-debconf-socket | 613 | blacklist ${RUNUSER}/pk-debconf-socket |
589 | blacklist ${RUNUSER}/update-notifier.pid | 614 | blacklist ${RUNUSER}/update-notifier.pid |
615 | |||
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc index 9b5c40a2b..d7dcef7e7 100644 --- a/etc/inc/disable-exec.inc +++ b/etc/inc/disable-exec.inc | |||
@@ -6,6 +6,7 @@ noexec ${HOME} | |||
6 | noexec ${RUNUSER} | 6 | noexec ${RUNUSER} |
7 | noexec /dev/mqueue | 7 | noexec /dev/mqueue |
8 | noexec /dev/shm | 8 | noexec /dev/shm |
9 | noexec /run/shm | ||
9 | noexec /tmp | 10 | noexec /tmp |
10 | # /var is noexec by default for unprivileged users | 11 | # /var is noexec by default for unprivileged users |
11 | # except there is a writable-var option, so just in case: | 12 | # except there is a writable-var option, so just in case: |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 6734e220a..254d05e8e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -51,10 +51,182 @@ blacklist ${HOME}/.blobby | |||
51 | blacklist ${HOME}/.bogofilter | 51 | blacklist ${HOME}/.bogofilter |
52 | blacklist ${HOME}/.bundle | 52 | blacklist ${HOME}/.bundle |
53 | blacklist ${HOME}/.bzf | 53 | blacklist ${HOME}/.bzf |
54 | blacklist ${HOME}/.cache/0ad | ||
55 | blacklist ${HOME}/.cache/8pecxstudios | ||
56 | blacklist ${HOME}/.cache/Authenticator | ||
57 | blacklist ${HOME}/.cache/BraveSoftware | ||
58 | blacklist ${HOME}/.cache/Clementine | ||
59 | blacklist ${HOME}/.cache/ENCOM/Spectral | ||
60 | blacklist ${HOME}/.cache/Enox | ||
61 | blacklist ${HOME}/.cache/Enpass | ||
62 | blacklist ${HOME}/.cache/Ferdi | ||
63 | blacklist ${HOME}/.cache/Flavio Tordini | ||
64 | blacklist ${HOME}/.cache/Franz | ||
65 | blacklist ${HOME}/.cache/GoldenDict | ||
66 | blacklist ${HOME}/.cache/INRIA | ||
67 | blacklist ${HOME}/.cache/INRIA/Natron | ||
68 | blacklist ${HOME}/.cache/JetBrains/CLion* | ||
69 | blacklist ${HOME}/.cache/KDE/neochat | ||
70 | blacklist ${HOME}/.cache/Mendeley Ltd. | ||
71 | blacklist ${HOME}/.cache/MusicBrainz | ||
72 | blacklist ${HOME}/.cache/NewsFlashGTK | ||
73 | blacklist ${HOME}/.cache/Otter | ||
74 | blacklist ${HOME}/.cache/PawelStolowski | ||
75 | blacklist ${HOME}/.cache/Psi | ||
76 | blacklist ${HOME}/.cache/QuiteRss | ||
77 | blacklist ${HOME}/.cache/Quotient/quaternion | ||
78 | blacklist ${HOME}/.cache/Shortwave | ||
79 | blacklist ${HOME}/.cache/Tox | ||
80 | blacklist ${HOME}/.cache/Zeal | ||
81 | blacklist ${HOME}/.cache/agenda | ||
82 | blacklist ${HOME}/.cache/akonadi* | ||
83 | blacklist ${HOME}/.cache/atril | ||
84 | blacklist ${HOME}/.cache/attic | ||
85 | blacklist ${HOME}/.cache/babl | ||
86 | blacklist ${HOME}/.cache/bnox | ||
87 | blacklist ${HOME}/.cache/borg | ||
88 | blacklist ${HOME}/.cache/calibre | ||
89 | blacklist ${HOME}/.cache/cantata | ||
90 | blacklist ${HOME}/.cache/champlain | ||
91 | blacklist ${HOME}/.cache/chromium | ||
92 | blacklist ${HOME}/.cache/chromium-dev | ||
93 | blacklist ${HOME}/.cache/cliqz | ||
94 | blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate | ||
95 | blacklist ${HOME}/.cache/darktable | ||
96 | blacklist ${HOME}/.cache/deja-dup | ||
97 | blacklist ${HOME}/.cache/discover | ||
98 | blacklist ${HOME}/.cache/dnox | ||
99 | blacklist ${HOME}/.cache/dolphin | ||
100 | blacklist ${HOME}/.cache/dolphin-emu | ||
101 | blacklist ${HOME}/.cache/ephemeral | ||
102 | blacklist ${HOME}/.cache/epiphany | ||
103 | blacklist ${HOME}/.cache/evolution | ||
104 | blacklist ${HOME}/.cache/falkon | ||
105 | blacklist ${HOME}/.cache/feedreader | ||
106 | blacklist ${HOME}/.cache/firedragon | ||
107 | blacklist ${HOME}/.cache/flaska.net/trojita | ||
108 | blacklist ${HOME}/.cache/folks | ||
109 | blacklist ${HOME}/.cache/font-manager | ||
110 | blacklist ${HOME}/.cache/fossamail | ||
111 | blacklist ${HOME}/.cache/fractal | ||
112 | blacklist ${HOME}/.cache/freecol | ||
113 | blacklist ${HOME}/.cache/gajim | ||
114 | blacklist ${HOME}/.cache/geary | ||
115 | blacklist ${HOME}/.cache/geeqie | ||
116 | blacklist ${HOME}/.cache/gegl-0.4 | ||
117 | blacklist ${HOME}/.cache/gfeeds | ||
118 | blacklist ${HOME}/.cache/gimp | ||
119 | blacklist ${HOME}/.cache/gnome-boxes | ||
120 | blacklist ${HOME}/.cache/gnome-builder | ||
121 | blacklist ${HOME}/.cache/gnome-control-center | ||
122 | blacklist ${HOME}/.cache/gnome-recipes | ||
123 | blacklist ${HOME}/.cache/gnome-screenshot | ||
124 | blacklist ${HOME}/.cache/gnome-software | ||
125 | blacklist ${HOME}/.cache/gnome-twitch | ||
126 | blacklist ${HOME}/.cache/godot | ||
127 | blacklist ${HOME}/.cache/google-chrome | ||
128 | blacklist ${HOME}/.cache/google-chrome-beta | ||
129 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
130 | blacklist ${HOME}/.cache/gradio | ||
131 | blacklist ${HOME}/.cache/gummi | ||
132 | blacklist ${HOME}/.cache/icedove | ||
133 | blacklist ${HOME}/.cache/inkscape | ||
134 | blacklist ${HOME}/.cache/inox | ||
135 | blacklist ${HOME}/.cache/io.github.lainsce.Notejot | ||
136 | blacklist ${HOME}/.cache/iridium | ||
137 | blacklist ${HOME}/.cache/kcmshell5 | ||
138 | blacklist ${HOME}/.cache/kdenlive | ||
139 | blacklist ${HOME}/.cache/keepassxc | ||
140 | blacklist ${HOME}/.cache/kfind | ||
141 | blacklist ${HOME}/.cache/kinfocenter | ||
142 | blacklist ${HOME}/.cache/kmail2 | ||
143 | blacklist ${HOME}/.cache/krunner | ||
144 | blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | ||
145 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
146 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
147 | blacklist ${HOME}/.cache/ksplashqml | ||
148 | blacklist ${HOME}/.cache/kube | ||
149 | blacklist ${HOME}/.cache/kwin | ||
150 | blacklist ${HOME}/.cache/libgweather | ||
151 | blacklist ${HOME}/.cache/librewolf | ||
152 | blacklist ${HOME}/.cache/liferea | ||
153 | blacklist ${HOME}/.cache/lutris | ||
154 | blacklist ${HOME}/.cache/marker | ||
155 | blacklist ${HOME}/.cache/matrix-mirage | ||
156 | blacklist ${HOME}/.cache/microsoft-edge-beta | ||
157 | blacklist ${HOME}/.cache/microsoft-edge-dev | ||
158 | blacklist ${HOME}/.cache/midori | ||
159 | blacklist ${HOME}/.cache/minetest | ||
160 | blacklist ${HOME}/.cache/mirage | ||
161 | blacklist ${HOME}/.cache/moonchild productions/basilisk | ||
162 | blacklist ${HOME}/.cache/moonchild productions/pale moon | ||
163 | blacklist ${HOME}/.cache/mozilla | ||
164 | blacklist ${HOME}/.cache/ms-excel-online | ||
165 | blacklist ${HOME}/.cache/ms-office-online | ||
166 | blacklist ${HOME}/.cache/ms-onenote-online | ||
167 | blacklist ${HOME}/.cache/ms-outlook-online | ||
168 | blacklist ${HOME}/.cache/ms-powerpoint-online | ||
169 | blacklist ${HOME}/.cache/ms-skype-online | ||
170 | blacklist ${HOME}/.cache/ms-word-online | ||
171 | blacklist ${HOME}/.cache/mutt | ||
172 | blacklist ${HOME}/.cache/mypaint | ||
173 | blacklist ${HOME}/.cache/netsurf | ||
174 | blacklist ${HOME}/.cache/nheko | ||
175 | blacklist ${HOME}/.cache/okular | ||
176 | blacklist ${HOME}/.cache/opera | ||
177 | blacklist ${HOME}/.cache/opera-beta | ||
178 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
179 | blacklist ${HOME}/.cache/org.gnome.Books | ||
180 | blacklist ${HOME}/.cache/org.gnome.Maps | ||
181 | blacklist ${HOME}/.cache/pdfmod | ||
182 | blacklist ${HOME}/.cache/peek | ||
183 | blacklist ${HOME}/.cache/pip | ||
184 | blacklist ${HOME}/.cache/pipe-viewer | ||
185 | blacklist ${HOME}/.cache/plasmashell | ||
186 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* | ||
187 | blacklist ${HOME}/.cache/psi | ||
188 | blacklist ${HOME}/.cache/qBittorrent | ||
189 | blacklist ${HOME}/.cache/quodlibet | ||
190 | blacklist ${HOME}/.cache/qupzilla | ||
191 | blacklist ${HOME}/.cache/qutebrowser | ||
192 | blacklist ${HOME}/.cache/rednotebook | ||
193 | blacklist ${HOME}/.cache/rhythmbox | ||
194 | blacklist ${HOME}/.cache/shotwell | ||
195 | blacklist ${HOME}/.cache/simple-scan | ||
196 | blacklist ${HOME}/.cache/slimjet | ||
197 | blacklist ${HOME}/.cache/smuxi | ||
198 | blacklist ${HOME}/.cache/snox | ||
199 | blacklist ${HOME}/.cache/spotify | ||
200 | blacklist ${HOME}/.cache/straw-viewer | ||
201 | blacklist ${HOME}/.cache/strawberry | ||
202 | blacklist ${HOME}/.cache/supertuxkart | ||
203 | blacklist ${HOME}/.cache/systemsettings | ||
204 | blacklist ${HOME}/.cache/telepathy | ||
205 | blacklist ${HOME}/.cache/thunderbird | ||
206 | blacklist ${HOME}/.cache/torbrowser | ||
207 | blacklist ${HOME}/.cache/transmission | ||
208 | blacklist ${HOME}/.cache/ungoogled-chromium | ||
209 | blacklist ${HOME}/.cache/vivaldi | ||
210 | blacklist ${HOME}/.cache/vivaldi-snapshot | ||
211 | blacklist ${HOME}/.cache/vlc | ||
212 | blacklist ${HOME}/.cache/vmware | ||
213 | blacklist ${HOME}/.cache/warsow-2.1 | ||
214 | blacklist ${HOME}/.cache/waterfox | ||
215 | blacklist ${HOME}/.cache/wesnoth | ||
216 | blacklist ${HOME}/.cache/winetricks | ||
217 | blacklist ${HOME}/.cache/xmms2 | ||
218 | blacklist ${HOME}/.cache/xournalpp | ||
219 | blacklist ${HOME}/.cache/xreader | ||
220 | blacklist ${HOME}/.cache/yandex-browser | ||
221 | blacklist ${HOME}/.cache/yandex-browser-beta | ||
222 | blacklist ${HOME}/.cache/youtube-dl | ||
223 | blacklist ${HOME}/.cache/youtube-viewer | ||
224 | blacklist ${HOME}/.cache/yt-dlp | ||
225 | blacklist ${HOME}/.cache/zim | ||
54 | blacklist ${HOME}/.cargo | 226 | blacklist ${HOME}/.cargo |
55 | blacklist ${HOME}/.claws-mail | 227 | blacklist ${HOME}/.claws-mail |
56 | blacklist ${HOME}/.cliqz | ||
57 | blacklist ${HOME}/.clion* | 228 | blacklist ${HOME}/.clion* |
229 | blacklist ${HOME}/.cliqz | ||
58 | blacklist ${HOME}/.clonk | 230 | blacklist ${HOME}/.clonk |
59 | blacklist ${HOME}/.config/0ad | 231 | blacklist ${HOME}/.config/0ad |
60 | blacklist ${HOME}/.config/2048-qt | 232 | blacklist ${HOME}/.config/2048-qt |
@@ -93,8 +265,8 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player | |||
93 | blacklist ${HOME}/.config/Gpredict | 265 | blacklist ${HOME}/.config/Gpredict |
94 | blacklist ${HOME}/.config/INRIA | 266 | blacklist ${HOME}/.config/INRIA |
95 | blacklist ${HOME}/.config/InSilmaril | 267 | blacklist ${HOME}/.config/InSilmaril |
96 | blacklist ${HOME}/.config/Jitsi Meet | ||
97 | blacklist ${HOME}/.config/JetBrains/CLion* | 268 | blacklist ${HOME}/.config/JetBrains/CLion* |
269 | blacklist ${HOME}/.config/Jitsi Meet | ||
98 | blacklist ${HOME}/.config/KDE/neochat | 270 | blacklist ${HOME}/.config/KDE/neochat |
99 | blacklist ${HOME}/.config/KeePass | 271 | blacklist ${HOME}/.config/KeePass |
100 | blacklist ${HOME}/.config/KeePassXCrc | 272 | blacklist ${HOME}/.config/KeePassXCrc |
@@ -948,6 +1120,7 @@ blacklist ${HOME}/TeamSpeak3-Client-linux_x86 | |||
948 | blacklist ${HOME}/hyperrogue.ini | 1120 | blacklist ${HOME}/hyperrogue.ini |
949 | blacklist ${HOME}/i2p | 1121 | blacklist ${HOME}/i2p |
950 | blacklist ${HOME}/mps | 1122 | blacklist ${HOME}/mps |
1123 | blacklist ${HOME}/openstego.ini | ||
951 | blacklist ${HOME}/wallet.dat | 1124 | blacklist ${HOME}/wallet.dat |
952 | blacklist ${HOME}/yt-dlp.conf | 1125 | blacklist ${HOME}/yt-dlp.conf |
953 | blacklist ${RUNUSER}/*firefox* | 1126 | blacklist ${RUNUSER}/*firefox* |
@@ -958,177 +1131,3 @@ blacklist /var/games/slashem | |||
958 | blacklist /var/games/vulturesclaw | 1131 | blacklist /var/games/vulturesclaw |
959 | blacklist /var/games/vultureseye | 1132 | blacklist /var/games/vultureseye |
960 | blacklist /var/lib/games/Maelstrom-Scores | 1133 | blacklist /var/lib/games/Maelstrom-Scores |
961 | |||
962 | # ${HOME}/.cache directory | ||
963 | blacklist ${HOME}/.cache/0ad | ||
964 | blacklist ${HOME}/.cache/8pecxstudios | ||
965 | blacklist ${HOME}/.cache/Authenticator | ||
966 | blacklist ${HOME}/.cache/BraveSoftware | ||
967 | blacklist ${HOME}/.cache/Clementine | ||
968 | blacklist ${HOME}/.cache/ENCOM/Spectral | ||
969 | blacklist ${HOME}/.cache/Enox | ||
970 | blacklist ${HOME}/.cache/Enpass | ||
971 | blacklist ${HOME}/.cache/Ferdi | ||
972 | blacklist ${HOME}/.cache/Flavio Tordini | ||
973 | blacklist ${HOME}/.cache/Franz | ||
974 | blacklist ${HOME}/.cache/GoldenDict | ||
975 | blacklist ${HOME}/.cache/INRIA | ||
976 | blacklist ${HOME}/.cache/INRIA/Natron | ||
977 | blacklist ${HOME}/.cache/KDE/neochat | ||
978 | blacklist ${HOME}/.cache/Mendeley Ltd. | ||
979 | blacklist ${HOME}/.cache/MusicBrainz | ||
980 | blacklist ${HOME}/.cache/NewsFlashGTK | ||
981 | blacklist ${HOME}/.cache/Otter | ||
982 | blacklist ${HOME}/.cache/PawelStolowski | ||
983 | blacklist ${HOME}/.cache/Psi | ||
984 | blacklist ${HOME}/.cache/QuiteRss | ||
985 | blacklist ${HOME}/.cache/Quotient/quaternion | ||
986 | blacklist ${HOME}/.cache/Shortwave | ||
987 | blacklist ${HOME}/.cache/Tox | ||
988 | blacklist ${HOME}/.cache/Zeal | ||
989 | blacklist ${HOME}/.cache/agenda | ||
990 | blacklist ${HOME}/.cache/akonadi* | ||
991 | blacklist ${HOME}/.cache/atril | ||
992 | blacklist ${HOME}/.cache/attic | ||
993 | blacklist ${HOME}/.cache/babl | ||
994 | blacklist ${HOME}/.cache/bnox | ||
995 | blacklist ${HOME}/.cache/borg | ||
996 | blacklist ${HOME}/.cache/calibre | ||
997 | blacklist ${HOME}/.cache/cantata | ||
998 | blacklist ${HOME}/.cache/champlain | ||
999 | blacklist ${HOME}/.cache/chromium | ||
1000 | blacklist ${HOME}/.cache/chromium-dev | ||
1001 | blacklist ${HOME}/.cache/cliqz | ||
1002 | blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate | ||
1003 | blacklist ${HOME}/.cache/darktable | ||
1004 | blacklist ${HOME}/.cache/deja-dup | ||
1005 | blacklist ${HOME}/.cache/discover | ||
1006 | blacklist ${HOME}/.cache/dnox | ||
1007 | blacklist ${HOME}/.cache/dolphin | ||
1008 | blacklist ${HOME}/.cache/dolphin-emu | ||
1009 | blacklist ${HOME}/.cache/ephemeral | ||
1010 | blacklist ${HOME}/.cache/epiphany | ||
1011 | blacklist ${HOME}/.cache/evolution | ||
1012 | blacklist ${HOME}/.cache/falkon | ||
1013 | blacklist ${HOME}/.cache/feedreader | ||
1014 | blacklist ${HOME}/.cache/firedragon | ||
1015 | blacklist ${HOME}/.cache/flaska.net/trojita | ||
1016 | blacklist ${HOME}/.cache/folks | ||
1017 | blacklist ${HOME}/.cache/font-manager | ||
1018 | blacklist ${HOME}/.cache/fossamail | ||
1019 | blacklist ${HOME}/.cache/fractal | ||
1020 | blacklist ${HOME}/.cache/freecol | ||
1021 | blacklist ${HOME}/.cache/gajim | ||
1022 | blacklist ${HOME}/.cache/geary | ||
1023 | blacklist ${HOME}/.cache/geeqie | ||
1024 | blacklist ${HOME}/.cache/gegl-0.4 | ||
1025 | blacklist ${HOME}/.cache/gfeeds | ||
1026 | blacklist ${HOME}/.cache/gimp | ||
1027 | blacklist ${HOME}/.cache/gnome-boxes | ||
1028 | blacklist ${HOME}/.cache/gnome-builder | ||
1029 | blacklist ${HOME}/.cache/gnome-control-center | ||
1030 | blacklist ${HOME}/.cache/gnome-recipes | ||
1031 | blacklist ${HOME}/.cache/gnome-screenshot | ||
1032 | blacklist ${HOME}/.cache/gnome-software | ||
1033 | blacklist ${HOME}/.cache/gnome-twitch | ||
1034 | blacklist ${HOME}/.cache/godot | ||
1035 | blacklist ${HOME}/.cache/google-chrome | ||
1036 | blacklist ${HOME}/.cache/google-chrome-beta | ||
1037 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
1038 | blacklist ${HOME}/.cache/gradio | ||
1039 | blacklist ${HOME}/.cache/gummi | ||
1040 | blacklist ${HOME}/.cache/icedove | ||
1041 | blacklist ${HOME}/.cache/inkscape | ||
1042 | blacklist ${HOME}/.cache/inox | ||
1043 | blacklist ${HOME}/.cache/io.github.lainsce.Notejot | ||
1044 | blacklist ${HOME}/.cache/iridium | ||
1045 | blacklist ${HOME}/.cache/JetBrains/CLion* | ||
1046 | blacklist ${HOME}/.cache/kcmshell5 | ||
1047 | blacklist ${HOME}/.cache/kdenlive | ||
1048 | blacklist ${HOME}/.cache/keepassxc | ||
1049 | blacklist ${HOME}/.cache/kfind | ||
1050 | blacklist ${HOME}/.cache/kinfocenter | ||
1051 | blacklist ${HOME}/.cache/kmail2 | ||
1052 | blacklist ${HOME}/.cache/krunner | ||
1053 | blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | ||
1054 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
1055 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
1056 | blacklist ${HOME}/.cache/ksplashqml | ||
1057 | blacklist ${HOME}/.cache/kube | ||
1058 | blacklist ${HOME}/.cache/kwin | ||
1059 | blacklist ${HOME}/.cache/libgweather | ||
1060 | blacklist ${HOME}/.cache/librewolf | ||
1061 | blacklist ${HOME}/.cache/liferea | ||
1062 | blacklist ${HOME}/.cache/lutris | ||
1063 | blacklist ${HOME}/.cache/marker | ||
1064 | blacklist ${HOME}/.cache/matrix-mirage | ||
1065 | blacklist ${HOME}/.cache/microsoft-edge-beta | ||
1066 | blacklist ${HOME}/.cache/microsoft-edge-dev | ||
1067 | blacklist ${HOME}/.cache/midori | ||
1068 | blacklist ${HOME}/.cache/minetest | ||
1069 | blacklist ${HOME}/.cache/mirage | ||
1070 | blacklist ${HOME}/.cache/moonchild productions/basilisk | ||
1071 | blacklist ${HOME}/.cache/moonchild productions/pale moon | ||
1072 | blacklist ${HOME}/.cache/mozilla | ||
1073 | blacklist ${HOME}/.cache/ms-excel-online | ||
1074 | blacklist ${HOME}/.cache/ms-office-online | ||
1075 | blacklist ${HOME}/.cache/ms-onenote-online | ||
1076 | blacklist ${HOME}/.cache/ms-outlook-online | ||
1077 | blacklist ${HOME}/.cache/ms-powerpoint-online | ||
1078 | blacklist ${HOME}/.cache/ms-skype-online | ||
1079 | blacklist ${HOME}/.cache/ms-word-online | ||
1080 | blacklist ${HOME}/.cache/mutt | ||
1081 | blacklist ${HOME}/.cache/mypaint | ||
1082 | blacklist ${HOME}/.cache/netsurf | ||
1083 | blacklist ${HOME}/.cache/nheko | ||
1084 | blacklist ${HOME}/.cache/okular | ||
1085 | blacklist ${HOME}/.cache/opera | ||
1086 | blacklist ${HOME}/.cache/opera-beta | ||
1087 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
1088 | blacklist ${HOME}/.cache/org.gnome.Books | ||
1089 | blacklist ${HOME}/.cache/org.gnome.Maps | ||
1090 | blacklist ${HOME}/.cache/pdfmod | ||
1091 | blacklist ${HOME}/.cache/peek | ||
1092 | blacklist ${HOME}/.cache/pip | ||
1093 | blacklist ${HOME}/.cache/pipe-viewer | ||
1094 | blacklist ${HOME}/.cache/plasmashell | ||
1095 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* | ||
1096 | blacklist ${HOME}/.cache/psi | ||
1097 | blacklist ${HOME}/.cache/qBittorrent | ||
1098 | blacklist ${HOME}/.cache/quodlibet | ||
1099 | blacklist ${HOME}/.cache/qupzilla | ||
1100 | blacklist ${HOME}/.cache/qutebrowser | ||
1101 | blacklist ${HOME}/.cache/rednotebook | ||
1102 | blacklist ${HOME}/.cache/rhythmbox | ||
1103 | blacklist ${HOME}/.cache/shotwell | ||
1104 | blacklist ${HOME}/.cache/simple-scan | ||
1105 | blacklist ${HOME}/.cache/slimjet | ||
1106 | blacklist ${HOME}/.cache/smuxi | ||
1107 | blacklist ${HOME}/.cache/snox | ||
1108 | blacklist ${HOME}/.cache/spotify | ||
1109 | blacklist ${HOME}/.cache/straw-viewer | ||
1110 | blacklist ${HOME}/.cache/strawberry | ||
1111 | blacklist ${HOME}/.cache/supertuxkart | ||
1112 | blacklist ${HOME}/.cache/systemsettings | ||
1113 | blacklist ${HOME}/.cache/telepathy | ||
1114 | blacklist ${HOME}/.cache/thunderbird | ||
1115 | blacklist ${HOME}/.cache/torbrowser | ||
1116 | blacklist ${HOME}/.cache/transmission | ||
1117 | blacklist ${HOME}/.cache/ungoogled-chromium | ||
1118 | blacklist ${HOME}/.cache/vivaldi | ||
1119 | blacklist ${HOME}/.cache/vivaldi-snapshot | ||
1120 | blacklist ${HOME}/.cache/vlc | ||
1121 | blacklist ${HOME}/.cache/vmware | ||
1122 | blacklist ${HOME}/.cache/warsow-2.1 | ||
1123 | blacklist ${HOME}/.cache/waterfox | ||
1124 | blacklist ${HOME}/.cache/wesnoth | ||
1125 | blacklist ${HOME}/.cache/winetricks | ||
1126 | blacklist ${HOME}/.cache/xmms2 | ||
1127 | blacklist ${HOME}/.cache/xournalpp | ||
1128 | blacklist ${HOME}/.cache/xreader | ||
1129 | blacklist ${HOME}/.cache/yandex-browser | ||
1130 | blacklist ${HOME}/.cache/yandex-browser-beta | ||
1131 | blacklist ${HOME}/.cache/youtube-dl | ||
1132 | blacklist ${HOME}/.cache/youtube-viewer | ||
1133 | blacklist ${HOME}/.cache/yt-dlp | ||
1134 | blacklist ${HOME}/.cache/zim | ||
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc index 0d87657a9..d74655a08 100644 --- a/etc/inc/whitelist-run-common.inc +++ b/etc/inc/whitelist-run-common.inc | |||
@@ -8,5 +8,8 @@ whitelist /run/dbus/system_bus_socket | |||
8 | whitelist /run/media | 8 | whitelist /run/media |
9 | whitelist /run/resolvconf/resolv.conf | 9 | whitelist /run/resolvconf/resolv.conf |
10 | whitelist /run/shm | 10 | whitelist /run/shm |
11 | whitelist /run/systemd/journal/dev-log | ||
12 | whitelist /run/systemd/journal/socket | ||
11 | whitelist /run/systemd/resolve/resolv.conf | 13 | whitelist /run/systemd/resolve/resolv.conf |
12 | whitelist /run/systemd/resolve/stub-resolv.conf | 14 | whitelist /run/systemd/resolve/stub-resolv.conf |
15 | whitelist /run/udev/data | ||
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index 256e2115a..0e7126458 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin abiword | 42 | private-bin abiword |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,gtk-3.0,ld.so.preload,passwd | 45 | private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # dbus-user none | 48 | # dbus-user none |
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 8652ae5f1..dd3b2e59b 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -50,7 +50,7 @@ tracelog | |||
50 | private-bin agetpkg,python3 | 50 | private-bin agetpkg,python3 |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index 168e81985..f3fb678d1 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile | |||
@@ -27,6 +27,7 @@ include disable-exec.inc | |||
27 | include disable-interpreters.inc | 27 | include disable-interpreters.inc |
28 | include disable-programs.inc | 28 | include disable-programs.inc |
29 | 29 | ||
30 | include whitelist-run-common.inc | ||
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
32 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. | 33 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. |
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index d1e7df37b..47468a658 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile | |||
@@ -25,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator | |||
25 | whitelist ${HOME}/.local/share/kssl | 25 | whitelist ${HOME}/.local/share/kssl |
26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator | 26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator |
27 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | caps.drop all | 31 | caps.drop all |
@@ -48,3 +49,4 @@ private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shu | |||
48 | private-dev | 49 | private-dev |
49 | private-tmp | 50 | private-tmp |
50 | 51 | ||
52 | deterministic-shutdown | ||
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 9b74b4d29..5a528595b 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | # private-bin alacarte,bash,python*,sh | 53 | # private-bin alacarte,bash,python*,sh |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index b6e931be5..f6d711b2e 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin anki,python* | 50 | private-bin anki,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf | 53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index e96def048..8aef75cd1 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -45,7 +45,7 @@ private-bin aria2c,gzip | |||
45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). | 45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). |
46 | #private-cache | 46 | #private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
49 | private-lib libreadline.so.* | 49 | private-lib libreadline.so.* |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 45071dc62..a26592f3a 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile | |||
@@ -16,6 +16,7 @@ include disable-interpreters.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | whitelist /usr/share/ark | 18 | whitelist /usr/share/ark |
19 | include whitelist-run-common.inc | ||
19 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 98ae01950..6676d42e9 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile | |||
@@ -43,6 +43,6 @@ tracelog | |||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor | 44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor | 46 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index adf4e16ee..254f3f571 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin artha,enchant,notify-send | 56 | private-bin artha,enchant,notify-send |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,ld.so.preload,machine-id | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
60 | private-lib libnotify.so.* | 60 | private-lib libnotify.so.* |
61 | private-tmp | 61 | private-tmp |
62 | 62 | ||
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 272f9906d..6399bc1a3 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -13,7 +13,7 @@ include allow-perl.inc | |||
13 | noroot | 13 | noroot |
14 | 14 | ||
15 | # without login.defs atool complains and uses UID/GID 1000 by default | 15 | # without login.defs atool complains and uses UID/GID 1000 by default |
16 | private-etc alternatives,group,ld.so.preload,login.defs,passwd | 16 | private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd |
17 | private-tmp | 17 | private-tmp |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index d71370b7e..e9ecdd72e 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
@@ -17,6 +17,7 @@ include disable-interpreters.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include whitelist-run-common.inc | ||
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
22 | apparmor | 23 | apparmor |
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 264bfb9ab..88bddfb22 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
@@ -32,7 +32,7 @@ noroot | |||
32 | notv | 32 | notv |
33 | nou2f | 33 | nou2f |
34 | novideo | 34 | novideo |
35 | protocol unix | 35 | protocol unix,inet |
36 | seccomp | 36 | seccomp |
37 | shell none | 37 | shell none |
38 | tracelog | 38 | tracelog |
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index 8fefc1eb7..a8af1928b 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin authenticator-rs | 47 | private-bin authenticator-rs |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user filter | 53 | dbus-user filter |
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 252016bec..55d2453d8 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile | |||
@@ -25,6 +25,7 @@ include disable-exec.inc | |||
25 | include disable-interpreters.inc | 25 | include disable-interpreters.inc |
26 | include disable-programs.inc | 26 | include disable-programs.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 2080aad62..be3543b08 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -66,7 +66,7 @@ tracelog | |||
66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | 66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | writable-run-user | 71 | writable-run-user |
72 | writable-var | 72 | writable-var |
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 24db11c7e..be29ce8a7 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | # private-bin bibletime,qt5ct | 52 | # private-bin bibletime,qt5ct |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index 61cd792b1..b86232860 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin bijiben | 51 | private-bin bijiben |
52 | # private-cache -- access to .cache/tracker is required | 52 | # private-cache -- access to .cache/tracker is required |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 91ce57966..f8114c71b 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile | |||
@@ -23,7 +23,7 @@ no3d | |||
23 | nosound | 23 | nosound |
24 | 24 | ||
25 | ?HAS_APPIMAGE: ignore private-dev | 25 | ?HAS_APPIMAGE: ignore private-dev |
26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
27 | private-opt Bitwarden | 27 | private-opt Bitwarden |
28 | 28 | ||
29 | # Redirect | 29 | # Redirect |
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 8d8787174..3e20ed133 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile | |||
@@ -35,7 +35,7 @@ shell none | |||
35 | # private-bin bash,bless,mono,sh | 35 | # private-bin bash,bless,mono,sh |
36 | private-cache | 36 | private-cache |
37 | private-dev | 37 | private-dev |
38 | private-etc alternatives,fonts,ld.so.preload,mono | 38 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
41 | dbus-user none | 41 | dbus-user none |
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile index 7179bf4a5..d7df3bc49 100644 --- a/etc/profile-a-l/blobby.profile +++ b/etc/profile-a-l/blobby.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-bin blobby | 42 | private-bin blobby |
43 | private-dev | 43 | private-dev |
44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse | 44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 66f38b358..cc2fda3f2 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin blobwars | 43 | private-bin blobwars |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ld.so.preload,machine-id | 46 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index dbfc90996..fbc7c9056 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -6,7 +6,7 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | private-etc alternatives,group,ld.so.preload,localtime,passwd | 9 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
10 | 10 | ||
11 | # Redirect | 11 | # Redirect |
12 | include archiver-common.profile | 12 | include archiver-common.profile |
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index d3c25d451..92c455144 100644 --- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile | |||
@@ -46,7 +46,7 @@ tracelog | |||
46 | disable-mnt | 46 | disable-mnt |
47 | private-bin cameramonitor,python* | 47 | private-bin cameramonitor,python* |
48 | private-cache | 48 | private-cache |
49 | private-etc alternatives,fonts,ld.so.preload | 49 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | # dbus-user none | 52 | # dbus-user none |
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index ceba03269..c7a98250e 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile | |||
@@ -39,7 +39,7 @@ disable-mnt | |||
39 | private-bin cawbird | 39 | private-bin cawbird |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # dbus-user none | 45 | # dbus-user none |
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 978d727f4..713d8a5e4 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile | |||
@@ -21,7 +21,6 @@ include disable-xdg.inc | |||
21 | 21 | ||
22 | whitelist ${VIDEOS} | 22 | whitelist ${VIDEOS} |
23 | whitelist ${PICTURES} | 23 | whitelist ${PICTURES} |
24 | whitelist /run/udev/data | ||
25 | whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner | 24 | whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner |
26 | whitelist /usr/share/gnome-video-effects | 25 | whitelist /usr/share/gnome-video-effects |
27 | whitelist /usr/share/gstreamer-1.0 | 26 | whitelist /usr/share/gstreamer-1.0 |
@@ -53,7 +52,7 @@ disable-mnt | |||
53 | private-bin cheese | 52 | private-bin cheese |
54 | private-cache | 53 | private-cache |
55 | private-dev | 54 | private-dev |
56 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload | 55 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
57 | private-tmp | 56 | private-tmp |
58 | 57 | ||
59 | dbus-user filter | 58 | dbus-user filter |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index c42243e02..7bfb61688 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -11,6 +11,7 @@ include chromium-common.local | |||
11 | 11 | ||
12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
14 | noblacklist /usr/lib/chromium/chrome-sandbox | ||
14 | 15 | ||
15 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser | 16 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser |
16 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector | 17 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector |
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 5eb2cb621..677d2b7eb 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin bash,clawsker,perl,sh,which | 44 | private-bin bash,clawsker,perl,sh,which |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts,ld.so.preload | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* | 48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index e51dd6bed..7421debe0 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile | |||
@@ -27,4 +27,4 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin cmus | 29 | private-bin cmus |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 6f08bc378..27780b669 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin com.github.bleakgrey.tootle | 45 | private-bin com.github.bleakgrey.tootle |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # Settings are immutable | 51 | # Settings are immutable |
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index d33b89e7c..0e29d90de 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | private-bin com.github.dahenson.agenda | 52 | private-bin com.github.dahenson.agenda |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc dconf,fonts,gtk-3.0,ld.so.preload | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user filter | 58 | dbus-user filter |
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index c75a09a51..24222164b 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile | |||
@@ -55,7 +55,7 @@ disable-mnt | |||
55 | private-bin com.github.johnfactotum.Foliate,gjs | 55 | private-bin com.github.johnfactotum.Foliate,gjs |
56 | private-cache | 56 | private-cache |
57 | private-dev | 57 | private-dev |
58 | private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload | 58 | private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
61 | read-only ${HOME} | 61 | read-only ${HOME} |
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 1d623fa09..099253b21 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile | |||
@@ -40,7 +40,7 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index deb2c0ef8..ed1213687 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile | |||
@@ -39,7 +39,7 @@ shell none | |||
39 | disable-mnt | 39 | disable-mnt |
40 | private-bin crow | 40 | private-bin crow |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
43 | private-opt none | 43 | private-opt none |
44 | private-tmp | 44 | private-tmp |
45 | private-srv none | 45 | private-srv none |
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 0e754c448..c75bc756f 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin d-feet,python* | 50 | private-bin d-feet,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id | 53 | private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index c2532ed3b..e1b96f186 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
@@ -51,7 +51,7 @@ private | |||
51 | private-bin dbus-send | 51 | private-bin dbus-send |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,dbus-1,ld.so.preload | 54 | private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload |
55 | private-lib libpcre* | 55 | private-lib libpcre* |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index 2b43c5ea3..8c3c22dcf 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin dconf-editor | 43 | private-bin dconf-editor |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index 1cbeee763..b170842c3 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin dconf,gsettings | 46 | private-bin dconf,gsettings |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,dconf,ld.so.preload | 49 | private-etc alternatives,dconf,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index 0669a5a6c..e9b8f5c47 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | disable-mnt | 45 | disable-mnt |
46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | 46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr |
47 | private-cache | 47 | private-cache |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 0d8c224d7..dac842bb6 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -57,5 +57,6 @@ seccomp | |||
57 | # dbus-user none | 57 | # dbus-user none |
58 | # dbus-system none | 58 | # dbus-system none |
59 | 59 | ||
60 | # deterministic-shutdown | ||
60 | # memory-deny-write-execute | 61 | # memory-deny-write-execute |
61 | # read-only ${HOME} | 62 | # read-only ${HOME} |
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 19b6cffaf..a0f24c388 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | private-bin devilspie | 48 | private-bin devilspie |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib gconv | 52 | private-lib gconv |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 276ee251a..19b99b5fd 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile | |||
@@ -35,3 +35,5 @@ tracelog | |||
35 | 35 | ||
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
38 | |||
39 | deterministic-shutdown | ||
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 6eff39d40..8a8d816a3 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
@@ -40,7 +40,7 @@ shell none | |||
40 | private-bin display,python* | 40 | private-bin display,python* |
41 | private-dev | 41 | private-dev |
42 | # On Debian-based systems, display is a symlink in /etc/alternatives | 42 | # On Debian-based systems, display is a symlink in /etc/alternatives |
43 | private-etc alternatives,ld.so.preload | 43 | private-etc alternatives,ld.so.cache,ld.so.preload |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index 26243ab4e..d5591adfb 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile | |||
@@ -19,6 +19,7 @@ include disable-shell.inc | |||
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | whitelist /usr/share/dragonplayer | 21 | whitelist /usr/share/dragonplayer |
22 | include whitelist-run-common.inc | ||
22 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 253f5643e..df7be55de 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin drawio | 45 | private-bin drawio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index 0345f2b24..20cffae73 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | #private-bin bash,easystroke,sh | 45 | #private-bin bash,easystroke,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,group,ld.so.preload,passwd | 48 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
49 | # breaks custom shell command functionality | 49 | # breaks custom shell command functionality |
50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index e472f57b6..09d14045a 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin electron-mail | 45 | private-bin electron-mail |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg |
49 | private-opt ElectronMail | 49 | private-opt ElectronMail |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index 8cfc9f797..dfbe5cee4 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile | |||
@@ -47,7 +47,7 @@ private-bin electrum,python* | |||
47 | private-cache | 47 | private-cache |
48 | ?HAS_APPIMAGE: ignore private-dev | 48 | ?HAS_APPIMAGE: ignore private-dev |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | # dbus-user none | 53 | # dbus-user none |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 8673b65ca..ac73f002f 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -66,7 +66,7 @@ tracelog | |||
66 | # disable-mnt | 66 | # disable-mnt |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | # encrypting and signing email | 71 | # encrypting and signing email |
72 | writable-run-user | 72 | writable-run-user |
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index 0a2e23996..eff0f64ea 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin enchant,enchant-* | 48 | private-bin enchant,enchant-* |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib | 52 | private-lib |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index ddc0ce0b9..31f39e210 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile | |||
@@ -47,6 +47,6 @@ tracelog | |||
47 | 47 | ||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload | 50 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
52 | private-tmp | 52 | private-tmp |
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index fe7b912bd..0c3b790d5 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin equalx,gs,pdflatex,pdftocairo | 54 | private-bin equalx,gs,pdflatex,pdftocairo |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf | 57 | private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 12c22ba5b..ae550e842 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | #private-bin exiftool,perl | 48 | #private-bin exiftool,perl |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 62ea449a6..321cb0145 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/falkon | |||
23 | whitelist ${HOME}/.config/falkon | 23 | whitelist ${HOME}/.config/falkon |
24 | whitelist /usr/share/falkon | 24 | whitelist /usr/share/falkon |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
27 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
@@ -46,7 +47,7 @@ disable-mnt | |||
46 | # private-bin falkon | 47 | # private-bin falkon |
47 | private-cache | 48 | private-cache |
48 | private-dev | 49 | private-dev |
49 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 50 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
50 | private-tmp | 51 | private-tmp |
51 | 52 | ||
52 | # dbus-user filter | 53 | # dbus-user filter |
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 25e1082ad..ee775566e 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin bash,fdns,sh | 42 | private-bin bash,fdns,sh |
43 | private-cache | 43 | private-cache |
44 | #private-dev | 44 | #private-dev |
45 | private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl |
46 | # private-lib | 46 | # private-lib |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile index f9b3d58c9..7293e89a8 100644 --- a/etc/profile-a-l/feh-network.inc.profile +++ b/etc/profile-a-l/feh-network.inc.profile | |||
@@ -5,4 +5,4 @@ include feh-network.inc.local | |||
5 | ignore net none | 5 | ignore net none |
6 | netfilter | 6 | netfilter |
7 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
8 | private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl | 8 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index f2770f294..4b8d41170 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -36,7 +36,7 @@ shell none | |||
36 | private-bin feh,jpegexiforient,jpegtran | 36 | private-bin feh,jpegexiforient,jpegtran |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,feh,ld.so.preload | 39 | private-etc alternatives,feh,ld.so.cache,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | dbus-user none | 42 | dbus-user none |
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile index 2284ccbe4..52abb99d4 100644 --- a/etc/profile-a-l/ffplay.profile +++ b/etc/profile-a-l/ffplay.profile | |||
@@ -14,7 +14,7 @@ ignore nogroups | |||
14 | ignore nosound | 14 | ignore nosound |
15 | 15 | ||
16 | private-bin ffplay | 16 | private-bin ffplay |
17 | private-etc alsa,asound.conf,group,ld.so.preload | 17 | private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include ffmpeg.profile | 20 | include ffmpeg.profile |
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 54fa7dfa7..06a8f6170 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd | 43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg |
47 | # private-tmp | 47 | # private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 20ae039aa..ef647b5a0 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -19,6 +19,7 @@ include disable-common.inc | |||
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-proc.inc | ||
22 | include disable-programs.inc | 23 | include disable-programs.inc |
23 | 24 | ||
24 | mkdir ${HOME}/.pki | 25 | mkdir ${HOME}/.pki |
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 862ef6ab6..f80297022 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-bin flameshot | 53 | private-bin flameshot |
54 | private-cache | 54 | private-cache |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl |
56 | private-dev | 56 | private-dev |
57 | #private-tmp | 57 | #private-tmp |
58 | 58 | ||
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index aeed313c8..cb00ce11b 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube | |||
16 | whitelist ${HOME}/.config/FreeTube | 16 | whitelist ${HOME}/.config/FreeTube |
17 | 17 | ||
18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh | 18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh |
19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
20 | 20 | ||
21 | # Redirect | 21 | # Redirect |
22 | include electron.profile | 22 | include electron.profile |
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index efd5246d6..8419998de 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin frogatto,sh | 45 | private-bin frogatto,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ld.so.preload,machine-id | 48 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile new file mode 100644 index 000000000..29470360c --- /dev/null +++ b/etc/profile-a-l/ftp.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for ftp | ||
2 | # Description: standard File Access Protocol utility | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ftp.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${PATH}/ftp | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-proc.inc | ||
17 | include disable-programs.inc | ||
18 | #include disable-shell.inc | ||
19 | include disable-write-mnt.inc | ||
20 | include disable-X11.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | netfilter | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | noinput | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | #disable-mnt | ||
44 | #private-bin PROGRAMS | ||
45 | private-cache | ||
46 | private-dev | ||
47 | #private-etc FILES | ||
48 | private-tmp | ||
49 | |||
50 | dbus-user none | ||
51 | dbus-system none | ||
52 | |||
53 | memory-deny-write-execute | ||
54 | noexec ${HOME} | ||
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index c6280c488..4efe41f8d 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin galculator | 43 | private-bin galculator |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index a31dde21c..2947873ef 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl | |||
12 | noblacklist ${HOME}/.gallery-dl.conf | 12 | noblacklist ${HOME}/.gallery-dl.conf |
13 | 13 | ||
14 | private-bin gallery-dl | 14 | private-bin gallery-dl |
15 | private-etc gallery-dl.conf,ld.so.preload | 15 | private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-dl.profile | 18 | include youtube-dl.profile |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index e9eb55709..ec5b733c8 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin gapplication | 49 | private-bin gapplication |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ld.so.preload,none | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | # Add the next line to your gapplication.local to filter D-Bus names. | 55 | # Add the next line to your gapplication.local to filter D-Bus names. |
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index 6532d85f0..a45374d4e 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* | 54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,gconf,ld.so.preload | 57 | private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload |
58 | private-lib GConf,libpython*,python2* | 58 | private-lib GConf,libpython*,python2* |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index b78f7e647..cececd9e9 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin geary | 70 | private-bin geary |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
74 | private-tmp | 74 | private-tmp |
75 | 75 | ||
76 | dbus-user filter | 76 | dbus-user filter |
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 4812e1368..243b893b9 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | #private-bin bash,geekbench*,sh -- #4576 | 48 | #private-bin bash,geekbench*,sh -- #4576 |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,group,ld.so.preload,lsb-release,passwd | 51 | private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index d8ca4ae41..bc1199914 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin gget | 49 | private-bin gget |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
53 | private-lib | 53 | private-lib |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index df9c2ac7a..28070cb9c 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -39,6 +39,7 @@ whitelist /usr/share/gegl-0.4 | |||
39 | whitelist /usr/share/gimp | 39 | whitelist /usr/share/gimp |
40 | whitelist /usr/share/mypaint-data | 40 | whitelist /usr/share/mypaint-data |
41 | whitelist /usr/share/lensfun | 41 | whitelist /usr/share/lensfun |
42 | include whitelist-run-common.inc | ||
42 | include whitelist-usr-share-common.inc | 43 | include whitelist-usr-share-common.inc |
43 | include whitelist-var-common.inc | 44 | include whitelist-var-common.inc |
44 | 45 | ||
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 010cdae06..506ab7127 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ld.so.preload | 55 | private-etc alternatives,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index c13273321..6439c8821 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | 70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg |
74 | private-tmp | 74 | private-tmp |
75 | writable-run-user | 75 | writable-run-user |
76 | 76 | ||
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 36b016e02..16358d064 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin bash,env,gitter | 39 | private-bin bash,env,gitter |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl |
41 | private-opt Gitter | 41 | private-opt Gitter |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index 0a1264888..e53297c06 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | disable-mnt | 44 | disable-mnt |
45 | #private-bin gmpc | 45 | #private-bin gmpc |
46 | private-cache | 46 | private-cache |
47 | private-etc alternatives,fonts,ld.so.preload | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | writable-run-user | 49 | writable-run-user |
50 | 50 | ||
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 2c1dee50c..f9df83e2a 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin gnome-calendar | 45 | private-bin gnome-calendar |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 6261fcc27..dc9092a93 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile | |||
@@ -50,5 +50,5 @@ disable-mnt | |||
50 | private-bin fairymax,gnome-chess,gnuchess,hoichess | 50 | private-bin fairymax,gnome-chess,gnuchess,hoichess |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload | 53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload |
54 | private-tmp | 54 | private-tmp |
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index 7d33ac94e..90665add6 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile | |||
@@ -42,6 +42,6 @@ disable-mnt | |||
42 | private-bin gnome-clocks,gsound-play | 42 | private-bin gnome-clocks,gsound-play |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 28c7e3346..ab6279608 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin gnome-hexgl | 42 | private-bin gnome-hexgl |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse | 45 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 1d2366365..39a6718a6 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -48,6 +48,6 @@ tracelog | |||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed | 50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed |
51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive | 51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive |
52 | 52 | ||
53 | dbus-system none | 53 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 3d8218e99..7ee4d8b75 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile | |||
@@ -40,7 +40,7 @@ disable-mnt | |||
40 | private-bin gnome-logs | 40 | private-bin gnome-logs |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,fonts,ld.so.preload,localtime,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
45 | private-tmp | 45 | private-tmp |
46 | writable-var-log | 46 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index fe8268530..7b79fa15d 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile | |||
@@ -42,6 +42,6 @@ tracelog | |||
42 | # private-bin calls a file manager - whatever is installed! | 42 | # private-bin calls a file manager - whatever is installed! |
43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp | 43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg | 45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index bdc09b5ac..a96ec6f05 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gnome-passwordsafe,python3* | 53 | private-bin gnome-passwordsafe,python3* |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user filter | 59 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index fb108ee97..6d30213cb 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,fonts,ld.so.preload,machine-id | 37 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 256a0c69f..99d569a04 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin gnome-pomodoro | 44 | private-bin gnome-pomodoro |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id | 47 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user filter | 50 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index 9a5f878fc..b2ce4a92a 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile | |||
@@ -47,7 +47,7 @@ shell none | |||
47 | disable-mnt | 47 | disable-mnt |
48 | private-bin gnome-recipes,tar | 48 | private-bin gnome-recipes,tar |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl |
51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* | 51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index a4e4ae38a..36c6693a9 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin gnome-screenshot | 43 | private-bin gnome-screenshot |
44 | private-dev | 44 | private-dev |
45 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user filter | 48 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index 859d56bd9..28a0205b9 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
@@ -40,5 +40,5 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg | 43 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index addd76f7f..02b023855 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin gnome-system-log | 43 | private-bin gnome-system-log |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload,localtime,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | writable-var-log | 49 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index e7615e4f2..c6cd12250 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gnome-todo | 46 | private-bin gnome-todo |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg | 49 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index a76fbbb2c..9b4f68808 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11 | 44 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11 |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user filter | 47 | dbus-user filter |
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index deda06f8e..928f2c548 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin gnote | 51 | private-bin gnote |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11 | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11 |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index e2e154216..c895b4ce9 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile | |||
@@ -43,7 +43,7 @@ private | |||
43 | private-bin gnubik | 43 | private-bin gnubik |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,fonts,gtk-2.0,ld.so.preload | 46 | private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index f33f63497..46b362db9 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile | |||
@@ -38,7 +38,7 @@ tracelog | |||
38 | # private-bin godot | 38 | # private-bin godot |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl | 41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile index 59a572319..5251ed427 100644 --- a/etc/profile-a-l/goldendict.profile +++ b/etc/profile-a-l/goldendict.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin goldendict | 50 | private-bin goldendict |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index a37c7ad77..a35813a09 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin env,python3*,sh,w3m | 54 | private-bin env,python3*,sh,w3m |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 436134e1b..26afe6e49 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | private-bin gpicview | 41 | private-bin gpicview |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,group,ld.so.preload,passwd | 44 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index e421c6a0b..511be6fcc 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-bin gpredict | 37 | private-bin gpredict |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl | 39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index efb6b39c6..9cc25e45c 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin gradio | 45 | private-bin gradio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 10d41735a..d76ca105f 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | |||
@@ -40,7 +40,7 @@ private | |||
40 | private-bin gravity-beams-and-evaporating-stars | 40 | private-bin gravity-beams-and-evaporating-stars |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc fonts,ld.so.preload,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index c6347efdf..ec8a614fd 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gtk-update-icon-cache | 46 | private-bin gtk-update-icon-cache |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc ld.so.preload,none | 49 | private-etc alternatives,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index 8becf6d84..d98d341ae 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile | |||
@@ -25,6 +25,7 @@ include disable-interpreters.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-shell.inc | 26 | include disable-shell.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index 0baebdae1..74e0faa7f 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile | |||
@@ -44,7 +44,7 @@ private-bin hyperrogue | |||
44 | private-cache | 44 | private-cache |
45 | private-cwd ${HOME} | 45 | private-cwd ${HOME} |
46 | private-dev | 46 | private-dev |
47 | private-etc fonts,ld.so.preload,machine-id | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index e0015e69a..016a4d6c8 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile | |||
@@ -29,6 +29,7 @@ include disable-programs.inc | |||
29 | include disable-xdg.inc | 29 | include disable-xdg.inc |
30 | 30 | ||
31 | whitelist /usr/share/inkscape | 31 | whitelist /usr/share/inkscape |
32 | include whitelist-run-common.inc | ||
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
34 | 35 | ||
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 2997328e8..6eefd2945 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile | |||
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh | |||
50 | # private-cache | 50 | # private-cache |
51 | private-dev | 51 | private-dev |
52 | # empty etc directory | 52 | # empty etc directory |
53 | private-etc ld.so.preload,none | 53 | private-etc alternatives,ld.so.cache,ld.so.preload |
54 | private-lib | 54 | private-lib |
55 | private-opt none | 55 | private-opt none |
56 | private-tmp | 56 | private-tmp |
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index 59260dc64..6ca977512 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile | |||
@@ -34,7 +34,7 @@ tracelog | |||
34 | 34 | ||
35 | private-bin bash,jerry,sh,stockfish | 35 | private-bin bash,jerry,sh,stockfish |
36 | private-dev | 36 | private-dev |
37 | private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload | 37 | private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index 9726ff6fe..4a9232344 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile | |||
@@ -41,7 +41,7 @@ disable-mnt | |||
41 | private-bin jumpnbump | 41 | private-bin jumpnbump |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc ld.so.preload,none | 44 | private-etc alternatives,ld.so.cache,ld.so.preload |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index 8799a6f24..e74c57546 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile | |||
@@ -22,6 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | include whitelist-run-common.inc | ||
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
26 | 27 | ||
27 | caps.drop all | 28 | caps.drop all |
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index 5253a78b0..6ad50cf14 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin kalgebra,kalgebramobile | 42 | private-bin kalgebra,kalgebramobile |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,ld.so.preload,machine-id | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index d8b2dddb1..8c340d536 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile | |||
@@ -29,6 +29,7 @@ include disable-exec.inc | |||
29 | # include disable-interpreters.inc | 29 | # include disable-interpreters.inc |
30 | include disable-programs.inc | 30 | include disable-programs.inc |
31 | 31 | ||
32 | include whitelist-run-common.inc | ||
32 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
33 | 34 | ||
34 | # apparmor | 35 | # apparmor |
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index d88631005..277db1c24 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | # private-bin kazam,python* | 49 | # private-bin kazam,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg | 52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-system none | 55 | dbus-system none |
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index c551dbdbe..06978cbf1 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile | |||
@@ -28,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg | |||
28 | whitelist /usr/share/kcalc | 28 | whitelist /usr/share/kcalc |
29 | whitelist /usr/share/kconf_update/kcalcrc.upd | 29 | whitelist /usr/share/kconf_update/kcalcrc.upd |
30 | include whitelist-common.inc | 30 | include whitelist-common.inc |
31 | include whitelist-run-common.inc | ||
31 | include whitelist-runuser-common.inc | 32 | include whitelist-runuser-common.inc |
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index fa50b0a20..df7ee31dc 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -23,6 +23,8 @@ include disable-interpreters.inc | |||
23 | include disable-shell.inc | 23 | include disable-shell.inc |
24 | include disable-xdg.inc | 24 | include disable-xdg.inc |
25 | 25 | ||
26 | # Add the next line to your kdiff3.local if you don't need to compare files in /run. | ||
27 | #include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
27 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. | 29 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. |
28 | #include whitelist-usr-share-common.inc | 30 | #include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index 616b87d7e..5e2d6d8df 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | 41 | ||
42 | private-bin keepassx,keepassx2 | 42 | private-bin keepassx,keepassx2 |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,ld.so.preload,machine-id | 44 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index ec315b431..9b6646725 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile | |||
@@ -20,6 +20,7 @@ include disable-exec.inc | |||
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index 8b35a8946..5563aa410 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | 37 | ||
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
41 | private-tmp | 41 | private-tmp |
42 | private-opt none | 42 | private-opt none |
43 | private-srv none | 43 | private-srv none |
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index 964175274..46164403b 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin bash,klavaro,sh,tclsh,tclsh* | 45 | private-bin bash,klavaro,sh,tclsh,tclsh* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | private-opt none | 50 | private-opt none |
51 | private-srv none | 51 | private-srv none |
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 2c645677c..0796e6876 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -37,6 +37,7 @@ include disable-exec.inc | |||
37 | include disable-interpreters.inc | 37 | include disable-interpreters.inc |
38 | include disable-programs.inc | 38 | include disable-programs.inc |
39 | 39 | ||
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | # apparmor | 43 | # apparmor |
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index 723fef0d2..1121dc8a5 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile | |||
@@ -20,6 +20,7 @@ include disable-programs.inc | |||
20 | include disable-shell.inc | 20 | include disable-shell.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 9d8aa1bd7..f3eae6780 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile | |||
@@ -37,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc | |||
37 | whitelist ${HOME}/.local/share/ktorrent | 37 | whitelist ${HOME}/.local/share/ktorrent |
38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent | 38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent |
39 | include whitelist-common.inc | 39 | include whitelist-common.inc |
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | caps.drop all | 43 | caps.drop all |
@@ -61,4 +62,5 @@ private-dev | |||
61 | # private-lib - problems on Arch | 62 | # private-lib - problems on Arch |
62 | private-tmp | 63 | private-tmp |
63 | 64 | ||
65 | deterministic-shutdown | ||
64 | # memory-deny-write-execute | 66 | # memory-deny-write-execute |
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 78eb2e8f5..44da8acca 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin ktouch | 46 | private-bin ktouch |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id | 49 | private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user none |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index ad6b2f5fe..718cbbf40 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -68,7 +68,7 @@ tracelog | |||
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
70 | private-dev | 70 | private-dev |
71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg | 71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
72 | private-tmp | 72 | private-tmp |
73 | writable-run-user | 73 | writable-run-user |
74 | 74 | ||
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 32e9870e5..0b8763c29 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
@@ -21,6 +21,7 @@ include disable-programs.inc | |||
21 | include disable-shell.inc | 21 | include disable-shell.inc |
22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | caps.drop all | 27 | caps.drop all |
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index cd5ce7034..aff6f3181 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
@@ -24,6 +24,7 @@ include disable-programs.inc | |||
24 | include disable-shell.inc | 24 | include disable-shell.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-run-common.inc | ||
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
29 | apparmor | 30 | apparmor |
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index 328307705..12ff79748 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
@@ -21,6 +21,7 @@ include disable-devel.inc | |||
21 | include disable-exec.inc | 21 | include disable-exec.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. | 27 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. |
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index dac3eaee3..84f5dc50d 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin sh | 51 | private-bin sh |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
55 | # Add the next line to your links-common.local to allow external media players. | 55 | # Add the next line to your links-common.local to allow external media players. |
56 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 56 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
57 | private-tmp | 57 | private-tmp |
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index a590c5fb7..fde338ff0 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
@@ -37,6 +37,6 @@ seccomp | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index 3213f3674..ae2f2d434 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -32,7 +32,7 @@ apparmor | |||
32 | machine-id | 32 | machine-id |
33 | 33 | ||
34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex | 34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex |
35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg | 35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg |
36 | 36 | ||
37 | # Redirect | 37 | # Redirect |
38 | include latex-common.profile | 38 | include latex-common.profile |
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index ca7165a5d..89ca53af6 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
@@ -33,5 +33,5 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin awk,bash,dig,sh,Viber | 35 | private-bin awk,bash,dig,sh,Viber |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index b7cba2421..47165dd3d 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin magicor,python2* | 45 | private-bin magicor,python2* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ld.so.preload,machine-id | 48 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index b6038cc91..9c5959091 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -58,7 +58,7 @@ disable-mnt | |||
58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 61 | private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg |
62 | #private-tmp | 62 | #private-tmp |
63 | 63 | ||
64 | dbus-user none | 64 | dbus-user none |
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index dc2088a18..764d040ab 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts,ld.so.preload | 39 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index cb14c6584..2be6b9af1 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin mate-calc,mate-calculator | 44 | private-bin mate-calc,mate-calculator |
45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
46 | private-dev | 46 | private-dev |
47 | private-opt none | 47 | private-opt none |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index 97793abd5..e16b0fc6c 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile | |||
@@ -33,7 +33,7 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin mate-color-select | 35 | private-bin mate-color-select |
36 | private-etc alternatives,fonts,ld.so.preload | 36 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
37 | private-dev | 37 | private-dev |
38 | private-lib | 38 | private-lib |
39 | private-tmp | 39 | private-tmp |
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index cb0002af6..469416304 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin mate-dictionary | 39 | private-bin mate-dictionary |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
41 | private-opt mate-dictionary | 41 | private-opt mate-dictionary |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index 87083f1e3..4c4a6aa76 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile | |||
@@ -31,4 +31,4 @@ shell none | |||
31 | 31 | ||
32 | private-bin mcabber | 32 | private-bin mcabber |
33 | private-dev | 33 | private-dev |
34 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl | 34 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl |
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index da5e0ffa8..bcfd59cbb 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin mdr | 45 | private-bin mdr |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ld.so.preload,none | 48 | private-etc alternatives,ld.so.cache,ld.so.preload |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index 9403321e2..9bfbaf745 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile | |||
@@ -42,7 +42,7 @@ x11 none | |||
42 | private-bin mediainfo | 42 | private-bin mediainfo |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ld.so.preload | 45 | private-etc alternatives,ld.so.cache,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index f9f7db3cb..ed0758a49 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index bcc7b232b..16ace7ce4 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin mindless | 42 | private-bin mindless |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,ld.so.preload | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index 133a17350..be846ce63 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin mirrormagic | 44 | private-bin mirrormagic |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc ld.so.preload,machine-id | 47 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index 79f603f92..313d78030 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin mocp | 42 | private-bin mocp |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index 445691f6a..fe3c78b55 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | private-bin mp3splt-gtk | 37 | private-bin mp3splt-gtk |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse | 40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index 4d6109250..c89c72ce4 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt | 44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,ld.so.preload | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index 597390914..18a839363 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile | |||
@@ -49,7 +49,7 @@ shell none | |||
49 | private-bin mpDris2,notify-send,python* | 49 | private-bin mpDris2,notify-send,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf | 52 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* | 53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 74402a8de..efb11465b 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -74,7 +74,7 @@ seccomp.block-secondary | |||
74 | shell none | 74 | shell none |
75 | tracelog | 75 | tracelog |
76 | 76 | ||
77 | private-bin env,mpv,python*,waf,youtube-dl | 77 | private-bin env,mpv,python*,waf,youtube-dl,yt-dlp |
78 | # private-cache causes slow OSD, see #2838 | 78 | # private-cache causes slow OSD, see #2838 |
79 | #private-cache | 79 | #private-cache |
80 | private-dev | 80 | private-dev |
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index 5b5902563..3fe88ec7f 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | private-bin love,mrrescue,sh | 52 | private-bin love,mrrescue,sh |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc ld.so.preload,machine-id | 55 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index 7b4a305e9..e15b14db7 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile | |||
@@ -35,7 +35,7 @@ tracelog | |||
35 | 35 | ||
36 | disable-mnt | 36 | disable-mnt |
37 | private-bin bash,env,fonts,jak,ms-office,python*,sh | 37 | private-bin bash,env,fonts,jak,ms-office,python*,sh |
38 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl | 38 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile index b95ab2194..006f64ba8 100644 --- a/etc/profile-m-z/mupdf-x11-curl.profile +++ b/etc/profile-m-z/mupdf-x11-curl.profile | |||
@@ -12,7 +12,7 @@ ignore net none | |||
12 | netfilter | 12 | netfilter |
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | 14 | ||
15 | private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 15 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include mupdf.profile | 18 | include mupdf.profile |
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index aab2ac19d..796d7fbb0 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile | |||
@@ -33,5 +33,5 @@ seccomp !chroot | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl |
37 | 37 | ||
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index fb923051f..d10c55549 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -134,7 +134,7 @@ tracelog | |||
134 | # disable-mnt | 134 | # disable-mnt |
135 | private-cache | 135 | private-cache |
136 | private-dev | 136 | private-dev |
137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg | 137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg |
138 | private-tmp | 138 | private-tmp |
139 | writable-run-user | 139 | writable-run-user |
140 | writable-var | 140 | writable-var |
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index bf01aaa0e..74301df06 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 23a30bf97..f7c1f0ff7 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile | |||
@@ -49,7 +49,7 @@ private-dev | |||
49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. | 49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. |
50 | #ignore private-etc | 50 | #ignore private-etc |
51 | #writable-etc | 51 | #writable-etc |
52 | private-etc alternatives,ld.so.preload,nanorc | 52 | private-etc alternatives,ld.so.cache,ld.so.preload,nanorc |
53 | # Add the next line to your nano.local if you want to edit files in /var directly. | 53 | # Add the next line to your nano.local if you want to edit files in /var directly. |
54 | #writable-var | 54 | #writable-var |
55 | 55 | ||
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 1e59a1490..f31cf9dcb 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -137,7 +137,7 @@ tracelog | |||
137 | # disable-mnt | 137 | # disable-mnt |
138 | private-cache | 138 | private-cache |
139 | private-dev | 139 | private-dev |
140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg | 140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg |
141 | private-tmp | 141 | private-tmp |
142 | writable-run-user | 142 | writable-run-user |
143 | writable-var | 143 | writable-var |
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index 57f026a0b..d6ac8d5bc 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin netactview,netactview_polkit | 45 | private-bin netactview,netactview_polkit |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index 34c6110cf..cf72bf802 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gzip,lynx,newsboat,sh,w3m | 53 | private-bin gzip,lynx,newsboat,sh,w3m |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo | 56 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile index 56cedec03..9966a0e1b 100644 --- a/etc/profile-m-z/newsflash.profile +++ b/etc/profile-m-z/newsflash.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin com.gitlab.newsflash,newsflash | 51 | private-bin com.gitlab.newsflash,newsflash |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 | 54 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user none | 57 | dbus-user none |
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index 0bed12b1f..7ffb09e56 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile | |||
@@ -41,5 +41,5 @@ tracelog | |||
41 | #private-bin nomacs | 41 | #private-bin nomacs |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl | 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl |
45 | private-tmp | 45 | private-tmp |
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile new file mode 100644 index 000000000..560ee9db3 --- /dev/null +++ b/etc/profile-m-z/noprofile.profile | |||
@@ -0,0 +1,28 @@ | |||
1 | # This is the weakest possible firejail profile. | ||
2 | # If a program still fail with this profile, it is incompatible with firejail. | ||
3 | # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72) | ||
4 | # | ||
5 | # Usage: | ||
6 | # 1. download | ||
7 | # 2. firejail --profile=noprofile.profile /path/to/program | ||
8 | |||
9 | # Keep in mind that even with this profile some things are done | ||
10 | # which can break the program. | ||
11 | # - some env-vars are cleared | ||
12 | # - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes' | ||
13 | # - a new private pid-namespace is created | ||
14 | # - a minimal hardcoded blacklist is applied | ||
15 | # - ... | ||
16 | |||
17 | noblacklist /sys/fs | ||
18 | noblacklist /sys/module | ||
19 | |||
20 | allow-debuggers | ||
21 | allusers | ||
22 | keep-config-pulse | ||
23 | keep-dev-shm | ||
24 | keep-var-tmp | ||
25 | writable-etc | ||
26 | writable-run-user | ||
27 | writable-var | ||
28 | writable-var-log | ||
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index a7bb93a02..9f23c099d 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin notify-send | 49 | private-bin notify-send |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ld.so.preload,none | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user filter | 55 | dbus-user filter |
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile index 9e3093ea7..9f4a6ec46 100644 --- a/etc/profile-m-z/nuclear.profile +++ b/etc/profile-m-z/nuclear.profile | |||
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear | |||
18 | no3d | 18 | no3d |
19 | 19 | ||
20 | # private-bin nuclear | 20 | # private-bin nuclear |
21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt nuclear | 22 | private-opt nuclear |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index 9b431d76d..653591482 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin nyx,python* | 45 | private-bin nyx,python* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload,passwd,tor | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor |
49 | private-opt none | 49 | private-opt none |
50 | private-srv none | 50 | private-srv none |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 7d2374ccf..de62f4114 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile | |||
@@ -38,7 +38,7 @@ x11 none | |||
38 | private-bin odt2txt | 38 | private-bin odt2txt |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ld.so.preload | 41 | private-etc alternatives,ld.so.cache,ld.so.preload |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 0a200b46e..fb28ad89f 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
@@ -36,6 +36,7 @@ whitelist /usr/share/kconf_update/okular.upd | |||
36 | whitelist /usr/share/kxmlgui5/okular | 36 | whitelist /usr/share/kxmlgui5/okular |
37 | whitelist /usr/share/okular | 37 | whitelist /usr/share/okular |
38 | whitelist /usr/share/poppler | 38 | whitelist /usr/share/poppler |
39 | include whitelist-run-common.inc | ||
39 | include whitelist-runuser-common.inc | 40 | include whitelist-runuser-common.inc |
40 | include whitelist-usr-share-common.inc | 41 | include whitelist-usr-share-common.inc |
41 | include whitelist-var-common.inc | 42 | include whitelist-var-common.inc |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index e70e5e81e..e05e58cad 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-cache | 50 | private-cache |
51 | private-bin onboard,python*,tput | 51 | private-bin onboard,python*,tput |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg | 53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-system none | 56 | dbus-system none |
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index de334defd..c3ac097a0 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity | 43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg | 46 | private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/openstego.profile b/etc/profile-m-z/openstego.profile new file mode 100644 index 000000000..f6622b38d --- /dev/null +++ b/etc/profile-m-z/openstego.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for OpenStego | ||
2 | # Description: Steganography application that provides data hiding and watermarking functionality | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include openstego.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/openstego.ini | ||
10 | |||
11 | # Allow java (blacklisted by disable-devel.inc) | ||
12 | include allow-java.inc | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-proc.inc | ||
19 | include disable-programs.inc | ||
20 | |||
21 | mkfile ${HOME}/openstego.ini | ||
22 | whitelist ${HOME}/openstego.ini | ||
23 | whitelist ${HOME}/.java | ||
24 | whitelist ${PICTURES} | ||
25 | whitelist ${DOCUMENTS} | ||
26 | whitelist ${DESKTOP} | ||
27 | whitelist /usr/share/java | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-run-common.inc | ||
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
32 | include whitelist-var-common.inc | ||
33 | |||
34 | caps.drop all | ||
35 | machine-id | ||
36 | net none | ||
37 | no3d | ||
38 | nogroups | ||
39 | noinput | ||
40 | nonewprivs | ||
41 | noroot | ||
42 | nosound | ||
43 | notv | ||
44 | nou2f | ||
45 | novideo | ||
46 | seccomp | ||
47 | seccomp.block-secondary | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin bash,dirname,openstego,readlink,sh | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index 460f60beb..c016b5103 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile | |||
@@ -50,7 +50,7 @@ x11 none | |||
50 | disable-mnt | 50 | disable-mnt |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ld.so.preload,texlive,texmf | 53 | private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index a4737d388..3d380542f 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile | |||
@@ -27,4 +27,4 @@ shell none | |||
27 | 27 | ||
28 | private-bin dbus-launch,parole | 28 | private-bin dbus-launch,parole |
29 | private-cache | 29 | private-cache |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl |
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index 76f1c9704..d64aab200 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin pavucontrol | 45 | private-bin pavucontrol |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse | 48 | private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index 400fc3d77..41ec98a39 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | 34 | ||
35 | private-bin pdfchain,pdftk,sh | 35 | private-bin pdfchain,pdftk,sh |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg | 37 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index b1c2dfb1c..9d2f2b95f 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin pdftotext | 48 | private-bin pdftotext |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index e216742a4..f5c295b5d 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
@@ -48,7 +48,7 @@ tracelog | |||
48 | disable-mnt | 48 | disable-mnt |
49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh | 49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh |
50 | private-dev | 50 | private-dev |
51 | private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11 | 51 | private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11 |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user filter | 54 | dbus-user filter |
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index c0d0ae4df..80efedec7 100644 --- a/etc/profile-m-z/photoflare.profile +++ b/etc/profile-m-z/photoflare.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin photoflare | 43 | private-bin photoflare |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index fb50e66ca..69c78740d 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin pingus,pingus.bin,sh | 50 | private-bin pingus,pingus.bin,sh |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ld.so.preload,machine-id | 53 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index 23e21f347..69b954f53 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin pkglog,python* | 44 | private-bin pkglog,python* |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,ld.so.preload | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-opt none | 48 | private-opt none |
49 | private-tmp | 49 | private-tmp |
50 | writable-var-log | 50 | writable-var-log |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index a6b0768f1..38ccf72e8 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin plv | 46 | private-bin plv |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,ld.so.preload | 49 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
50 | private-opt none | 50 | private-opt none |
51 | private-tmp | 51 | private-tmp |
52 | writable-var-log | 52 | writable-var-log |
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 534cc5943..6b989202f 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -47,7 +47,7 @@ x11 none | |||
47 | private-bin pngquant | 47 | private-bin pngquant |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ld.so.preload | 50 | private-etc alternatives,ld.so.cache,ld.so.preload |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user none | 53 | dbus-user none |
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index c9793433e..fd595c27a 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile | |||
@@ -33,6 +33,6 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index af0ca5d8f..25a248425 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile | |||
@@ -44,7 +44,7 @@ shell none | |||
44 | private-bin profanity | 44 | private-bin profanity |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl | 47 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index 4ebd556d6..555e1e41b 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index 89cb5baa8..4a3ce366e 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile | |||
@@ -47,7 +47,7 @@ tracelog | |||
47 | private-bin 7z,qnapi | 47 | private-bin 7z,qnapi |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,fonts,ld.so.preload | 50 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
51 | private-opt none | 51 | private-opt none |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index 691449b9f..dd3f24875 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin qrencode | 47 | private-bin qrencode |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc ld.so.preload,none | 50 | private-etc alternatives,ld.so.cache,ld.so.preload |
51 | private-lib libpcre* | 51 | private-lib libpcre* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 6b9144791..f1ce313e7 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin regextester | 43 | private-bin regextester |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
47 | private-lib libgranite.so.* | 47 | private-lib libgranite.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index e49f10b7b..e44e55a12 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin rsync | 49 | private-bin rsync |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index d256b2efe..70b5d844a 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin scorchwentbonkers | 43 | private-bin scorchwentbonkers |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse | 46 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index cb3378597..72d6d5cf7 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile | |||
@@ -48,7 +48,7 @@ private | |||
48 | private-bin bash,dash,python*,seahorse-adventures,sh | 48 | private-bin bash,dash,python*,seahorse-adventures,sh |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc ld.so.preload,machine-id | 51 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index f08b852db..9ef174606 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile | |||
@@ -8,7 +8,7 @@ include seahorse-tool.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # private-etc workaround for: #2877 | 10 | # private-etc workaround for: #2877 |
11 | private-etc firejail,ld.so.preload,login.defs,passwd | 11 | private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 94a27da87..7382e4712 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -60,7 +60,7 @@ tracelog | |||
60 | disable-mnt | 60 | disable-mnt |
61 | private-cache | 61 | private-cache |
62 | private-dev | 62 | private-dev |
63 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | 63 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 |
64 | writable-run-user | 64 | writable-run-user |
65 | 65 | ||
66 | dbus-user filter | 66 | dbus-user filter |
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 3c9ef3a86..9e40796a6 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
@@ -83,6 +83,7 @@ private-tmp | |||
83 | dbus-user none | 83 | dbus-user none |
84 | # dbus-system none | 84 | # dbus-system none |
85 | 85 | ||
86 | # deterministic-shutdown | ||
86 | # memory-deny-write-execute | 87 | # memory-deny-write-execute |
87 | # read-only ${HOME} | 88 | # read-only ${HOME} |
88 | # writable-run-user | 89 | # writable-run-user |
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index 304a1cda2..3b569eeaf 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | private-bin shotwell | 49 | private-bin shotwell |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,fonts,ld.so.preload,machine-id | 52 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
53 | private-opt none | 53 | private-opt none |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index 47468a531..099e6a2ad 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 43 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index 21a77a0d1..deaf37f52 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | private-bin sqlitebrowser | 42 | private-bin sqlitebrowser |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # breaks proxy creation | 48 | # breaks proxy creation |
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index 50ecc3432..32e43f079 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin strawberry,strawberry-tagreader | 43 | private-bin strawberry,strawberry-tagreader |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 65cb678d0..a9f22085b 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | 44 | ||
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts,ld.so.preload | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index d48065c4b..464fa1b08 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | disable-mnt | 44 | disable-mnt |
45 | # private-bin supertux2 | 45 | # private-bin supertux2 |
46 | private-cache | 46 | private-cache |
47 | private-etc ld.so.preload,machine-id | 47 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
48 | private-dev | 48 | private-dev |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 5b5b4aae5..473472251 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile | |||
@@ -54,7 +54,7 @@ private-bin supertuxkart | |||
54 | private-cache | 54 | private-cache |
55 | # Add the next line to your supertuxkart.local if you do not need controller support. | 55 | # Add the next line to your supertuxkart.local if you do not need controller support. |
56 | #private-dev | 56 | #private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl |
58 | private-tmp | 58 | private-tmp |
59 | private-opt none | 59 | private-opt none |
60 | private-srv none | 60 | private-srv none |
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index cfecb6f62..c04f00cab 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile | |||
@@ -34,6 +34,6 @@ tracelog | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop | 35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index 388805f31..0817adda8 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile | |||
@@ -14,7 +14,7 @@ ignore include disable-shell.inc | |||
14 | # all capabilities this is automatically read-only. | 14 | # all capabilities this is automatically read-only. |
15 | noblacklist /var/lib/pacman | 15 | noblacklist /var/lib/pacman |
16 | 16 | ||
17 | private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd | 17 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd |
18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* | 18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* |
19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
20 | writable-var | 20 | writable-var |
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index 310c440b1..ee19bcd00 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile | |||
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux | |||
20 | whitelist ${HOME}/.config/teams-for-linux | 20 | whitelist ${HOME}/.config/teams-for-linux |
21 | 21 | ||
22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh | 22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh |
23 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl | 23 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl |
24 | 24 | ||
25 | # Redirect | 25 | # Redirect |
26 | include electron.profile | 26 | include electron.profile |
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile new file mode 100644 index 000000000..0b0510460 --- /dev/null +++ b/etc/profile-m-z/telnet.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for ftp | ||
2 | # Description: standard File Access Protocol utility | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include telnet.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${PATH}/telnet | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-proc.inc | ||
17 | include disable-programs.inc | ||
18 | #include disable-shell.inc | ||
19 | include disable-write-mnt.inc | ||
20 | include disable-X11.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | netfilter | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | noinput | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | #disable-mnt | ||
44 | #private-bin PROGRAMS | ||
45 | private-cache | ||
46 | private-dev | ||
47 | #private-etc FILES | ||
48 | private-tmp | ||
49 | |||
50 | dbus-user none | ||
51 | dbus-system none | ||
52 | |||
53 | memory-deny-write-execute | ||
54 | noexec ${HOME} | ||
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index 07212a452..d2db44b1c 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile | |||
@@ -30,6 +30,6 @@ tracelog | |||
30 | disable-mnt | 30 | disable-mnt |
31 | private-bin tilp | 31 | private-bin tilp |
32 | private-cache | 32 | private-cache |
33 | private-etc alternatives,fonts,ld.so.preload | 33 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a43e53aae..1d4ee9370 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
@@ -58,7 +58,7 @@ disable-mnt | |||
58 | private-bin rtin,tin | 58 | private-bin rtin,tin |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin | 61 | private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin |
62 | private-lib terminfo | 62 | private-lib terminfo |
63 | private-tmp | 63 | private-tmp |
64 | 64 | ||
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 312123f59..d8cd8eb44 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile | |||
@@ -46,6 +46,6 @@ private | |||
46 | private-bin bash,tor | 46 | private-bin bash,tor |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor | 49 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
50 | private-tmp | 50 | private-tmp |
51 | writable-var | 51 | writable-var |
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 0e23b7843..4acb8e7e8 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | private-bin geoiplookup,geoiplookup6,transgui | 45 | private-bin geoiplookup,geoiplookup6,transgui |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* | 49 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile index b3fab083c..8a1711e97 100644 --- a/etc/profile-m-z/transmission-cli.profile +++ b/etc/profile-m-z/transmission-cli.profile | |||
@@ -8,7 +8,7 @@ include transmission-cli.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-cli | 10 | private-bin transmission-cli |
11 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 11 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 9d91b8b81..5d28f2f10 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile | |||
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot | |||
17 | protocol packet | 17 | protocol packet |
18 | 18 | ||
19 | private-bin transmission-daemon | 19 | private-bin transmission-daemon |
20 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 20 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
21 | 21 | ||
22 | read-write /var/lib/transmission | 22 | read-write /var/lib/transmission |
23 | writable-var-log | 23 | writable-var-log |
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile index 20d54500f..6a0f1bde3 100644 --- a/etc/profile-m-z/transmission-remote-gtk.profile +++ b/etc/profile-m-z/transmission-remote-gtk.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk | |||
12 | mkdir ${HOME}/.config/transmission-remote-gtk | 12 | mkdir ${HOME}/.config/transmission-remote-gtk |
13 | whitelist ${HOME}/.config/transmission-remote-gtk | 13 | whitelist ${HOME}/.config/transmission-remote-gtk |
14 | 14 | ||
15 | private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf | 15 | private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf |
16 | # Problems with private-lib (see issue #2889) | 16 | # Problems with private-lib (see issue #2889) |
17 | ignore private-lib | 17 | ignore private-lib |
18 | 18 | ||
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile index ad4ad2172..565433d99 100644 --- a/etc/profile-m-z/transmission-remote.profile +++ b/etc/profile-m-z/transmission-remote.profile | |||
@@ -8,7 +8,7 @@ include transmission-remote.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-remote | 10 | private-bin transmission-remote |
11 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile index 822a368da..0a5826ec4 100644 --- a/etc/profile-m-z/transmission-show.profile +++ b/etc/profile-m-z/transmission-show.profile | |||
@@ -8,7 +8,7 @@ include transmission-show.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-show | 10 | private-bin transmission-show |
11 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 1959aee1e..60a192ac1 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -54,7 +54,7 @@ tracelog | |||
54 | private-bin trojita | 54 | private-bin trojita |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg | 57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user filter | 60 | dbus-user filter |
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile index bd2f1bcf9..987a2b719 100644 --- a/etc/profile-m-z/twitch.profile +++ b/etc/profile-m-z/twitch.profile | |||
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch | |||
18 | whitelist ${HOME}/.config/Twitch | 18 | whitelist ${HOME}/.config/Twitch |
19 | 19 | ||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch | 20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch |
21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt Twitch | 22 | private-opt Twitch |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index 685e74e25..1b82ad881 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile | |||
@@ -49,7 +49,7 @@ private-bin unf | |||
49 | private-cache | 49 | private-cache |
50 | ?HAS_APPIMAGE: ignore private-dev | 50 | ?HAS_APPIMAGE: ignore private-dev |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ld.so.preload | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-lib gcc/*/*/libgcc_s.so.* | 53 | private-lib gcc/*/*/libgcc_s.so.* |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 761ee91c5..443d1f415 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile | |||
@@ -8,7 +8,7 @@ include unrar.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin unrar | 10 | private-bin unrar |
11 | private-etc alternatives,group,ld.so.preload,localtime,passwd | 11 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 981826b16..97df693ba 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile | |||
@@ -10,7 +10,7 @@ include globals.local | |||
10 | # GNOME Shell integration (chrome-gnome-shell) | 10 | # GNOME Shell integration (chrome-gnome-shell) |
11 | noblacklist ${HOME}/.local/share/gnome-shell | 11 | noblacklist ${HOME}/.local/share/gnome-shell |
12 | 12 | ||
13 | private-etc alternatives,group,ld.so.preload,localtime,passwd | 13 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
14 | 14 | ||
15 | # Redirect | 15 | # Redirect |
16 | include archiver-common.profile | 16 | include archiver-common.profile |
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index 3b38f16e0..426766e17 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile | |||
@@ -41,7 +41,7 @@ x11 none | |||
41 | private-bin uudeview | 41 | private-bin uudeview |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ld.so.preload | 44 | private-etc alternatives,ld.so.cache,ld.so.preload |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
47 | dbus-system none | 47 | dbus-system none |
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index ed2f0103b..585a8eddb 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin viewnior | 43 | private-bin viewnior |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index a6d3eaafd..227ad83cc 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | #disable-mnt | 45 | #disable-mnt |
46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | 46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami |
47 | private-cache | 47 | private-cache |
48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index b2b019ff4..278a66149 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile | |||
@@ -7,6 +7,7 @@ include vmware-view.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.vmware | 9 | noblacklist ${HOME}/.vmware |
10 | noblacklist /usr/lib/vmware | ||
10 | 11 | ||
11 | noblacklist /sbin | 12 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index 8e25daee0..57fbbae96 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/vmware | 9 | noblacklist ${HOME}/.cache/vmware |
10 | noblacklist ${HOME}/.vmware | 10 | noblacklist ${HOME}/.vmware |
11 | noblacklist /usr/lib/vmware | ||
11 | 12 | ||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
@@ -38,6 +39,6 @@ tracelog | |||
38 | #disable-mnt | 39 | #disable-mnt |
39 | # Add the next line to your vmware.local to enable private-bin. | 40 | # Add the next line to your vmware.local to enable private-bin. |
40 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* | 41 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* |
41 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix | 42 | private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix |
42 | dbus-user none | 43 | dbus-user none |
43 | dbus-system none | 44 | dbus-system none |
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index d2e30e824..c9e209142 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
@@ -62,7 +62,7 @@ disable-mnt | |||
62 | private-bin perl,sh,w3m | 62 | private-bin perl,sh,w3m |
63 | private-cache | 63 | private-cache |
64 | private-dev | 64 | private-dev |
65 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl | 65 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl |
66 | private-tmp | 66 | private-tmp |
67 | 67 | ||
68 | dbus-user none | 68 | dbus-user none |
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index fc59b7239..0a6f19b1e 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin warmux | 49 | private-bin warmux |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index ae3944561..92ebebdae 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile | |||
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird | |||
21 | no3d | 21 | no3d |
22 | 22 | ||
23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird | 23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird |
24 | private-etc fonts,ld.so.preload,machine-id | 24 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
25 | 25 | ||
26 | # Redirect | 26 | # Redirect |
27 | include electron.profile | 27 | include electron.profile |
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 0650e41ad..afff6f587 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
@@ -47,7 +47,7 @@ private | |||
47 | private-bin bash,sh,whois | 47 | private-bin bash,sh,whois |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf | 50 | private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf |
51 | private-lib gconv | 51 | private-lib gconv |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index eebad4a19..d8742cd71 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile | |||
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire | |||
26 | whitelist ${HOME}/.config/Wire | 26 | whitelist ${HOME}/.config/Wire |
27 | 27 | ||
28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop | 28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop |
29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl |
30 | 30 | ||
31 | # Redirect | 31 | # Redirect |
32 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index 374290ed0..3147c2ac3 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin wordwarvi | 45 | private-bin wordwarvi |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse | 48 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index 738b5ca13..bb119996c 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin xbill | 44 | private-bin xbill |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc ld.so.preload,none | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 21857dbe6..386ef2bd6 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin xfce4-mixer,xfconf-query | 46 | private-bin xfce4-mixer,xfconf-query |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse | 49 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index ad3058ce2..d74ed5754 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin xfce4-screenshooter,xfconf-query | 43 | private-bin xfce4-screenshooter,xfconf-query |
44 | private-dev | 44 | private-dev |
45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index 9b7a006d2..c7fd0799b 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile | |||
@@ -47,5 +47,5 @@ disable-mnt | |||
47 | private-bin xiphos | 47 | private-bin xiphos |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile index 1c9310986..404baf607 100644 --- a/etc/profile-m-z/xlinks.profile +++ b/etc/profile-m-z/xlinks.profile | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks | 16 | private-bin xlinks |
17 | private-etc fonts,ld.so.preload | 17 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links.profile | 20 | include links.profile |
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2 index bbf660e29..d7edd3543 100644 --- a/etc/profile-m-z/xlinks2 +++ b/etc/profile-m-z/xlinks2 | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks2 | 16 | private-bin xlinks2 |
17 | private-etc fonts,ld.so.preload | 17 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links2.profile | 20 | include links2.profile |
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index 2a9fbf171..e541436a4 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile | |||
@@ -38,7 +38,7 @@ disable-mnt | |||
38 | private ${HOME}/.xmr-stak | 38 | private ${HOME}/.xmr-stak |
39 | private-bin xmr-stak | 39 | private-bin xmr-stak |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 41 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend | 42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend |
43 | private-opt cuda | 43 | private-opt cuda |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index fe7395078..a0e77b4e7 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin xournal | 43 | private-bin xournal |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd | 46 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd |
47 | # TODO should use private-lib | 47 | # TODO should use private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index c5e44c6b4..31a51b2c4 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin groff,man,tbl,troff,yelp | 56 | private-bin groff,man,tbl,troff,yelp |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml | 59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | dbus-user filter | 62 | dbus-user filter |
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 3224f8fc6..80d551038 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp | 53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index c7dbec968..5c4d697da 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile | |||
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube | |||
17 | whitelist ${HOME}/.config/Youtube | 17 | whitelist ${HOME}/.config/Youtube |
18 | 18 | ||
19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube | 19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube |
20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
21 | private-opt Youtube | 21 | private-opt Youtube |
22 | 22 | ||
23 | # Redirect | 23 | # Redirect |
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index 35ecf059d..2b5ffeaaf 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164 | |||
14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 | 14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 |
15 | 15 | ||
16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier | 16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | private-opt youtubemusic-nativefier | 18 | private-opt youtubemusic-nativefier |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index bfb24b488..32e873aa5 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -12,8 +12,8 @@ noblacklist ${HOME}/.cache/yt-dlp | |||
12 | noblacklist ${HOME}/.config/yt-dlp | 12 | noblacklist ${HOME}/.config/yt-dlp |
13 | noblacklist ${HOME}/yt-dlp.conf | 13 | noblacklist ${HOME}/yt-dlp.conf |
14 | 14 | ||
15 | private-bin yt-dlp | 15 | private-bin ffprobe,yt-dlp |
16 | private-etc ld.so.preload,yt-dlp.conf | 16 | private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf |
17 | 17 | ||
18 | # Redirect | 18 | # Redirect |
19 | include youtube-dl.profile | 19 | include youtube-dl.profile |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 84f2f3cb2..59b6e2543 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app | |||
14 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
15 | 15 | ||
16 | # private-bin env,ytmdesktop | 16 | # private-bin env,ytmdesktop |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | # private-opt | 18 | # private-opt |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index c1c94d74f..8acfdd651 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile | |||
@@ -44,5 +44,5 @@ disable-mnt | |||
44 | private-bin locale,zulip | 44 | private-bin locale,zulip |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc asound.conf,fonts,ld.so.preload,machine-id | 47 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 44197b547..1a4c8fef9 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -220,6 +220,7 @@ include globals.local | |||
220 | #dbus-user.talk org.freedesktop.Notifications | 220 | #dbus-user.talk org.freedesktop.Notifications |
221 | #dbus-system none | 221 | #dbus-system none |
222 | 222 | ||
223 | ##deterministic-shutdown | ||
223 | ##env VAR=VALUE | 224 | ##env VAR=VALUE |
224 | ##join-or-start NAME | 225 | ##join-or-start NAME |
225 | #memory-deny-write-execute | 226 | #memory-deny-write-execute |
@@ -4,7 +4,7 @@ | |||
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | gcov_init() { | 6 | gcov_init() { |
7 | USER=`whoami` | 7 | USER="$(whoami)" |
8 | firejail --help > /dev/null | 8 | firejail --help > /dev/null |
9 | firemon --help > /dev/null | 9 | firemon --help > /dev/null |
10 | /usr/lib/firejail/fnet --help > /dev/null | 10 | /usr/lib/firejail/fnet --help > /dev/null |
@@ -20,7 +20,7 @@ gcov_init() { | |||
20 | /usr/lib/firejail/faudit --help > /dev/null | 20 | /usr/lib/firejail/faudit --help > /dev/null |
21 | /usr/lib/firejail/fbuilder --help > /dev/null | 21 | /usr/lib/firejail/fbuilder --help > /dev/null |
22 | 22 | ||
23 | sudo chown $USER:$USER `find .` | 23 | find . -exec sudo chown "$USER:$USER" '{}' + |
24 | } | 24 | } |
25 | 25 | ||
26 | generate() { | 26 | generate() { |
@@ -28,7 +28,7 @@ generate() { | |||
28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file | 28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file |
29 | rm -fr gcov-dir | 29 | rm -fr gcov-dir |
30 | genhtml -q gcov-file --output-directory gcov-dir | 30 | genhtml -q gcov-file --output-directory gcov-dir |
31 | sudo rm `find . -name *.gcda` | 31 | find . -name '*.gcda' -exec sudo rm '{}' + |
32 | cp gcov-file gcov-file-old | 32 | cp gcov-file gcov-file-old |
33 | gcov_init | 33 | gcov_init |
34 | } | 34 | } |
diff --git a/linecnt.sh b/linecnt.sh index 86bccbc07..c30e175ba 100755 --- a/linecnt.sh +++ b/linecnt.sh | |||
@@ -4,7 +4,7 @@ | |||
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | gcov_init() { | 6 | gcov_init() { |
7 | USER=`whoami` | 7 | USER="$(whoami)" |
8 | firejail --help > /dev/null | 8 | firejail --help > /dev/null |
9 | firemon --help > /dev/null | 9 | firemon --help > /dev/null |
10 | /usr/lib/firejail/fnet --help > /dev/null | 10 | /usr/lib/firejail/fnet --help > /dev/null |
@@ -20,7 +20,7 @@ gcov_init() { | |||
20 | /usr/lib/firejail/faudit --help > /dev/null | 20 | /usr/lib/firejail/faudit --help > /dev/null |
21 | /usr/lib/firejail/fbuilder --help > /dev/null | 21 | /usr/lib/firejail/fbuilder --help > /dev/null |
22 | 22 | ||
23 | sudo chown $USER:$USER `find .` | 23 | find . -exec sudo chown "$USER:$USER" '{}' + |
24 | } | 24 | } |
25 | 25 | ||
26 | rm -fr gcov-dir | 26 | rm -fr gcov-dir |
@@ -5,9 +5,9 @@ | |||
5 | 5 | ||
6 | echo "Calculating SHA256 for all files in /transfer - firejail version $1" | 6 | echo "Calculating SHA256 for all files in /transfer - firejail version $1" |
7 | 7 | ||
8 | cd /transfer | 8 | cd /transfer || exit 1 |
9 | sha256sum * > firejail-$1-unsigned | 9 | sha256sum ./* > "firejail-$1-unsigned" |
10 | gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc | 10 | gpg --clearsign --digest-algo SHA256 < "firejail-$1-unsigned" > "firejail-$1.asc" |
11 | gpg --verify firejail-$1.asc | 11 | gpg --verify "firejail-$1.asc" |
12 | gpg --detach-sign --armor firejail-$1.tar.xz | 12 | gpg --detach-sign --armor "firejail-$1.tar.xz" |
13 | rm firejail-$1-unsigned | 13 | rm "firejail-$1-unsigned" |
diff --git a/mkdeb.sh.in b/mkdeb.sh.in index e45acf8eb..ddd6ca1ee 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in | |||
@@ -22,7 +22,7 @@ if [ -n "$HAVE_SELINUX" ]; then | |||
22 | CONFIG_ARGS="$CONFIG_ARGS --enable-selinux" | 22 | CONFIG_ARGS="$CONFIG_ARGS --enable-selinux" |
23 | fi | 23 | fi |
24 | 24 | ||
25 | TOP=`pwd` | 25 | TOP="$PWD" |
26 | CODE_ARCHIVE="$NAME-$VERSION.tar.xz" | 26 | CODE_ARCHIVE="$NAME-$VERSION.tar.xz" |
27 | CODE_DIR="$NAME-$VERSION" | 27 | CODE_DIR="$NAME-$VERSION" |
28 | INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" | 28 | INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" |
@@ -35,9 +35,9 @@ echo "install directory: $INSTALL_DIR" | |||
35 | echo "debian control directory: $DEBIAN_CTRL_DIR" | 35 | echo "debian control directory: $DEBIAN_CTRL_DIR" |
36 | echo "*****************************************" | 36 | echo "*****************************************" |
37 | 37 | ||
38 | tar -xJvf $CODE_ARCHIVE | 38 | tar -xJvf "$CODE_ARCHIVE" |
39 | #mkdir -p $INSTALL_DIR | 39 | #mkdir -p "$INSTALL_DIR" |
40 | cd $CODE_DIR | 40 | cd "$CODE_DIR" |
41 | ./configure $CONFIG_ARGS | 41 | ./configure $CONFIG_ARGS |
42 | make -j2 | 42 | make -j2 |
43 | mkdir debian | 43 | mkdir debian |
@@ -45,26 +45,26 @@ DESTDIR=debian make install-strip | |||
45 | 45 | ||
46 | cd .. | 46 | cd .. |
47 | echo "*****************************************" | 47 | echo "*****************************************" |
48 | SIZE=`du -s $INSTALL_DIR` | 48 | SIZE="$(du -s "$INSTALL_DIR")" |
49 | echo "install size $SIZE" | 49 | echo "install size $SIZE" |
50 | echo "*****************************************" | 50 | echo "*****************************************" |
51 | 51 | ||
52 | mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian | 52 | mv "$INSTALL_DIR/usr/share/doc/firejail/RELNOTES" "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian" |
53 | gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian | 53 | gzip -9 -n "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian" |
54 | rm $INSTALL_DIR/usr/share/doc/firejail/COPYING | 54 | rm "$INSTALL_DIR/usr/share/doc/firejail/COPYING" |
55 | install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. | 55 | install -m644 "$CODE_DIR/platform/debian/copyright" "$INSTALL_DIR/usr/share/doc/firejail/." |
56 | mkdir -p $DEBIAN_CTRL_DIR | 56 | mkdir -p "$DEBIAN_CTRL_DIR" |
57 | sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control | 57 | sed "s/FIREJAILVER/$VERSION/g" "$CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH)" > "$DEBIAN_CTRL_DIR/control" |
58 | 58 | ||
59 | mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ | 59 | mkdir -p "$INSTALL_DIR/usr/share/lintian/overrides/" |
60 | install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail | 60 | install -m644 "$CODE_DIR/platform/debian/firejail.lintian-overrides" "$INSTALL_DIR/usr/share/lintian/overrides/firejail" |
61 | 61 | ||
62 | find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles | 62 | find "$INSTALL_DIR/etc" -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles" |
63 | chmod 644 $DEBIAN_CTRL_DIR/conffiles | 63 | chmod 644 "$DEBIAN_CTRL_DIR/conffiles" |
64 | find $INSTALL_DIR -type d | xargs chmod 755 | 64 | find "$INSTALL_DIR" -type d -exec chmod 755 '{}' + |
65 | cd $CODE_DIR | 65 | cd "$CODE_DIR" |
66 | fakeroot dpkg-deb --build debian | 66 | fakeroot dpkg-deb --build debian |
67 | lintian --no-tag-display-limit debian.deb | 67 | lintian --no-tag-display-limit debian.deb |
68 | mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb | 68 | mv debian.deb "../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb" |
69 | cd .. | 69 | cd .. |
70 | rm -fr $CODE_DIR | 70 | rm -fr "$CODE_DIR" |
@@ -5,8 +5,8 @@ | |||
5 | 5 | ||
6 | set -e | 6 | set -e |
7 | 7 | ||
8 | sed "s/VERSION/$1/g" $2 > $3 | 8 | sed "s/VERSION/$1/g" "$2" > "$3" |
9 | MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` | 9 | MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)" |
10 | sed -i "s/MONTH/$MONTH/g" $3 | 10 | sed -i "s/MONTH/$MONTH/g" "$3" |
11 | YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y` | 11 | YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)" |
12 | sed -i "s/YEAR/$YEAR/g" $3 | 12 | sed -i "s/YEAR/$YEAR/g" "$3" |
@@ -9,8 +9,8 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h | |||
9 | 9 | ||
10 | if [ -r /etc/login.defs ] | 10 | if [ -r /etc/login.defs ] |
11 | then | 11 | then |
12 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 12 | UID_MIN="$(awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)" |
13 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 13 | GID_MIN="$(awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)" |
14 | fi | 14 | fi |
15 | 15 | ||
16 | # use default values if not found | 16 | # use default values if not found |
diff --git a/src/common.mk.in b/src/common.mk.in index d117433dc..c8329e7c2 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -44,7 +44,7 @@ CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDI | |||
44 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) | 44 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) |
45 | CFLAGS += $(MANFLAGS) | 45 | CFLAGS += $(MANFLAGS) |
46 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 46 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
47 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread | 47 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now |
48 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 48 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
49 | 49 | ||
50 | ifdef NO_EXTRA_CFLAGS | 50 | ifdef NO_EXTRA_CFLAGS |
diff --git a/src/fids/main.c b/src/fids/main.c index c899b55e1..8f9bc1ea0 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
@@ -210,22 +210,29 @@ static void process_config(const char *fname) { | |||
210 | exit(1); | 210 | exit(1); |
211 | } | 211 | } |
212 | 212 | ||
213 | // make sure the file is owned by root | 213 | fprintf(stderr, "Opening config file %s\n", fname); |
214 | struct stat s; | 214 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
215 | if (stat(fname, &s)) { | 215 | if (fd < 0) { |
216 | if (include_level == 1) { | 216 | if (include_level == 1) { |
217 | fprintf(stderr, "Error ids: config file not found\n"); | 217 | fprintf(stderr, "Error ids: cannot open config file %s\n", fname); |
218 | exit(1); | 218 | exit(1); |
219 | } | 219 | } |
220 | return; | 220 | return; |
221 | } | 221 | } |
222 | |||
223 | // make sure the file is owned by root | ||
224 | struct stat s; | ||
225 | if (fstat(fd, &s)) { | ||
226 | fprintf(stderr, "Error ids: cannot stat config file %s\n", fname); | ||
227 | exit(1); | ||
228 | } | ||
222 | if (s.st_uid || s.st_gid) { | 229 | if (s.st_uid || s.st_gid) { |
223 | fprintf(stderr, "Error ids: config file not owned by root\n"); | 230 | fprintf(stderr, "Error ids: config file not owned by root\n"); |
224 | exit(1); | 231 | exit(1); |
225 | } | 232 | } |
226 | 233 | ||
227 | fprintf(stderr, "Loading %s config file\n", fname); | 234 | fprintf(stderr, "Loading config file %s\n", fname); |
228 | FILE *fp = fopen(fname, "r"); | 235 | FILE *fp = fdopen(fd, "r"); |
229 | if (!fp) { | 236 | if (!fp) { |
230 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); | 237 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); |
231 | exit(1); | 238 | exit(1); |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 1982afdee..117c6f6ae 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -1,7 +1,6 @@ | |||
1 | # /usr/lib/firejail/firecfg.config - firecfg utility configuration file | 1 | # /etc/firejail/firecfg.config - firecfg utility configuration file |
2 | # This is the list of programs in alphabetical order handled by firecfg utility | 2 | # This is the list of programs in alphabetical order handled by firecfg utility |
3 | # | 3 | # |
4 | #qemu-system-x86_64 | ||
5 | 0ad | 4 | 0ad |
6 | 2048-qt | 5 | 2048-qt |
7 | Books | 6 | Books |
@@ -139,8 +138,8 @@ clamdscan | |||
139 | clamdtop | 138 | clamdtop |
140 | clamscan | 139 | clamscan |
141 | clamtk | 140 | clamtk |
142 | claws-mail | ||
143 | clawsker | 141 | clawsker |
142 | claws-mail | ||
144 | clementine | 143 | clementine |
145 | clion | 144 | clion |
146 | clion-eap | 145 | clion-eap |
@@ -170,7 +169,6 @@ crow | |||
170 | cryptocat | 169 | cryptocat |
171 | cvlc | 170 | cvlc |
172 | cyberfox | 171 | cyberfox |
173 | d-feet | ||
174 | darktable | 172 | darktable |
175 | dconf-editor | 173 | dconf-editor |
176 | ddgr | 174 | ddgr |
@@ -180,6 +178,7 @@ deluge | |||
180 | desktopeditors | 178 | desktopeditors |
181 | devhelp | 179 | devhelp |
182 | dex2jar | 180 | dex2jar |
181 | d-feet | ||
183 | dia | 182 | dia |
184 | dig | 183 | dig |
185 | digikam | 184 | digikam |
@@ -256,8 +255,8 @@ flacsplt | |||
256 | flameshot | 255 | flameshot |
257 | flashpeak-slimjet | 256 | flashpeak-slimjet |
258 | flowblade | 257 | flowblade |
259 | font-manager | ||
260 | fontforge | 258 | fontforge |
259 | font-manager | ||
261 | fossamail | 260 | fossamail |
262 | four-in-a-row | 261 | four-in-a-row |
263 | fractal | 262 | fractal |
@@ -276,6 +275,7 @@ freetube | |||
276 | freshclam | 275 | freshclam |
277 | frogatto | 276 | frogatto |
278 | frozen-bubble | 277 | frozen-bubble |
278 | ftp | ||
279 | funnyboat | 279 | funnyboat |
280 | gajim | 280 | gajim |
281 | gajim-history-manager | 281 | gajim-history-manager |
@@ -366,11 +366,11 @@ gradio | |||
366 | gramps | 366 | gramps |
367 | gravity-beams-and-evaporating-stars | 367 | gravity-beams-and-evaporating-stars |
368 | gthumb | 368 | gthumb |
369 | gtk2-youtube-viewer | ||
370 | gtk3-youtube-viewer | ||
369 | gtk-pipe-viewer | 371 | gtk-pipe-viewer |
370 | gtk-straw-viewer | 372 | gtk-straw-viewer |
371 | gtk-youtube-viewer | 373 | gtk-youtube-viewer |
372 | gtk2-youtube-viewer | ||
373 | gtk3-youtube-viewer | ||
374 | guayadeque | 374 | guayadeque |
375 | gucharmap | 375 | gucharmap |
376 | gummi | 376 | gummi |
@@ -391,8 +391,8 @@ icecat | |||
391 | icedove | 391 | icedove |
392 | iceweasel | 392 | iceweasel |
393 | idea | 393 | idea |
394 | idea.sh | ||
395 | ideaIC | 394 | ideaIC |
395 | idea.sh | ||
396 | imagej | 396 | imagej |
397 | img2txt | 397 | img2txt |
398 | impressive | 398 | impressive |
@@ -533,6 +533,7 @@ mp3wrap | |||
533 | mpDris2 | 533 | mpDris2 |
534 | mpg123 | 534 | mpg123 |
535 | mpg123-alsa | 535 | mpg123-alsa |
536 | mpg123.bin | ||
536 | mpg123-id3dump | 537 | mpg123-id3dump |
537 | mpg123-jack | 538 | mpg123-jack |
538 | mpg123-nas | 539 | mpg123-nas |
@@ -541,7 +542,6 @@ mpg123-oss | |||
541 | mpg123-portaudio | 542 | mpg123-portaudio |
542 | mpg123-pulse | 543 | mpg123-pulse |
543 | mpg123-strip | 544 | mpg123-strip |
544 | mpg123.bin | ||
545 | mplayer | 545 | mplayer |
546 | mpsyt | 546 | mpsyt |
547 | mpv | 547 | mpv |
@@ -606,16 +606,17 @@ onboard | |||
606 | onionshare-gui | 606 | onionshare-gui |
607 | ooffice | 607 | ooffice |
608 | ooviewdoc | 608 | ooviewdoc |
609 | open-invaders | ||
610 | openarena | 609 | openarena |
611 | openarena_ded | 610 | openarena_ded |
612 | opencity | 611 | opencity |
613 | openclonk | 612 | openclonk |
613 | open-invaders | ||
614 | openmw | 614 | openmw |
615 | openmw-launcher | 615 | openmw-launcher |
616 | openoffice.org | 616 | openoffice.org |
617 | openshot | 617 | openshot |
618 | openshot-qt | 618 | openshot-qt |
619 | openstego | ||
619 | openttd | 620 | openttd |
620 | opera | 621 | opera |
621 | opera-beta | 622 | opera-beta |
@@ -669,6 +670,7 @@ pybitmessage | |||
669 | qbittorrent | 670 | qbittorrent |
670 | qcomicbook | 671 | qcomicbook |
671 | qemu-launcher | 672 | qemu-launcher |
673 | #qemu-system-x86_64 | ||
672 | qgis | 674 | qgis |
673 | qlipper | 675 | qlipper |
674 | qmmp | 676 | qmmp |
@@ -732,8 +734,8 @@ smuxi-frontend-gnome | |||
732 | snox | 734 | snox |
733 | soffice | 735 | soffice |
734 | sol | 736 | sol |
735 | sound-juicer | ||
736 | soundconverter | 737 | soundconverter |
738 | sound-juicer | ||
737 | spectacle | 739 | spectacle |
738 | spectral | 740 | spectral |
739 | spotify | 741 | spotify |
@@ -746,8 +748,8 @@ steam | |||
746 | steam-native | 748 | steam-native |
747 | steam-runtime | 749 | steam-runtime |
748 | stellarium | 750 | stellarium |
749 | straw-viewer | ||
750 | strawberry | 751 | strawberry |
752 | straw-viewer | ||
751 | strings | 753 | strings |
752 | studio.sh | 754 | studio.sh |
753 | subdownloader | 755 | subdownloader |
@@ -767,6 +769,7 @@ teamspeak3 | |||
767 | teeworlds | 769 | teeworlds |
768 | telegram | 770 | telegram |
769 | telegram-desktop | 771 | telegram-desktop |
772 | telnet | ||
770 | terasology | 773 | terasology |
771 | textmaker18 | 774 | textmaker18 |
772 | textmaker18free | 775 | textmaker18free |
@@ -775,6 +778,7 @@ thunderbird-beta | |||
775 | thunderbird-wayland | 778 | thunderbird-wayland |
776 | tilp | 779 | tilp |
777 | tor-browser | 780 | tor-browser |
781 | torbrowser | ||
778 | tor-browser-ar | 782 | tor-browser-ar |
779 | tor-browser-ca | 783 | tor-browser-ca |
780 | tor-browser-cs | 784 | tor-browser-cs |
@@ -796,6 +800,7 @@ tor-browser-it | |||
796 | tor-browser-ja | 800 | tor-browser-ja |
797 | tor-browser-ka | 801 | tor-browser-ka |
798 | tor-browser-ko | 802 | tor-browser-ko |
803 | torbrowser-launcher | ||
799 | tor-browser-nb | 804 | tor-browser-nb |
800 | tor-browser-nl | 805 | tor-browser-nl |
801 | tor-browser-pl | 806 | tor-browser-pl |
@@ -806,8 +811,6 @@ tor-browser-tr | |||
806 | tor-browser-vi | 811 | tor-browser-vi |
807 | tor-browser-zh-cn | 812 | tor-browser-zh-cn |
808 | tor-browser-zh-tw | 813 | tor-browser-zh-tw |
809 | torbrowser | ||
810 | torbrowser-launcher | ||
811 | torcs | 814 | torcs |
812 | totem | 815 | totem |
813 | tracker | 816 | tracker |
@@ -913,8 +916,8 @@ yelp | |||
913 | youtube | 916 | youtube |
914 | youtube-dl | 917 | youtube-dl |
915 | youtube-dl-gui | 918 | youtube-dl-gui |
916 | youtube-viewer | ||
917 | youtubemusic-nativefier | 919 | youtubemusic-nativefier |
920 | youtube-viewer | ||
918 | yt-dlp | 921 | yt-dlp |
919 | ytmdesktop | 922 | ytmdesktop |
920 | zaproxy | 923 | zaproxy |
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 363000e15..fafa0e635 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -171,17 +171,17 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
171 | free(fname); | 171 | free(fname); |
172 | } | 172 | } |
173 | 173 | ||
174 | // parse /usr/lib/firejail/firecfg.cfg file | 174 | // parse /etc/firejail/firecfg.config file |
175 | static void set_links_firecfg(void) { | 175 | static void set_links_firecfg(void) { |
176 | char *cfgfile; | 176 | char *cfgfile; |
177 | if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1) | 177 | if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1) |
178 | errExit("asprintf"); | 178 | errExit("asprintf"); |
179 | 179 | ||
180 | char *firejail_exec; | 180 | char *firejail_exec; |
181 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | 181 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) |
182 | errExit("asprintf"); | 182 | errExit("asprintf"); |
183 | 183 | ||
184 | // parse /usr/lib/firejail/firecfg.cfg file | 184 | // parse /etc/firejail/firecfg.config file |
185 | FILE *fp = fopen(cfgfile, "r"); | 185 | FILE *fp = fopen(cfgfile, "r"); |
186 | if (!fp) { | 186 | if (!fp) { |
187 | perror("fopen"); | 187 | perror("fopen"); |
@@ -440,7 +440,7 @@ int main(int argc, char **argv) { | |||
440 | // clear all symlinks | 440 | // clear all symlinks |
441 | clean(); | 441 | clean(); |
442 | 442 | ||
443 | // set new symlinks based on /usr/lib/firejail/firecfg.cfg | 443 | // set new symlinks based on /etc/firejail/firecfg.config |
444 | set_links_firecfg(); | 444 | set_links_firecfg(); |
445 | 445 | ||
446 | if (getuid() == 0) { | 446 | if (getuid() == 0) { |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 2266fa499..bb5b29d79 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -45,10 +45,10 @@ int appimage_find_profile(const char *archive) { | |||
45 | assert(archive); | 45 | assert(archive); |
46 | assert(strlen(archive)); | 46 | assert(strlen(archive)); |
47 | 47 | ||
48 | // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config | 48 | // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config |
49 | FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r"); | 49 | FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r"); |
50 | if (!fp) { | 50 | if (!fp) { |
51 | fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config"); | 51 | fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config"); |
52 | exit(1); | 52 | exit(1); |
53 | } | 53 | } |
54 | char buf[MAXBUF]; | 54 | char buf[MAXBUF]; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a6924b830..251350acc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -341,7 +341,7 @@ extern int arg_allow_debuggers; // allow debuggers | |||
341 | extern int arg_x11_block; // block X11 | 341 | extern int arg_x11_block; // block X11 |
342 | extern int arg_x11_xorg; // use X11 security extension | 342 | extern int arg_x11_xorg; // use X11 security extension |
343 | extern int arg_allusers; // all user home directories visible | 343 | extern int arg_allusers; // all user home directories visible |
344 | extern int arg_machineid; // preserve /etc/machine-id | 344 | extern int arg_machineid; // spoof /etc/machine-id |
345 | extern int arg_disable_mnt; // disable /mnt and /media | 345 | extern int arg_disable_mnt; // disable /mnt and /media |
346 | extern int arg_noprofile; // use default.profile if none other found/specified | 346 | extern int arg_noprofile; // use default.profile if none other found/specified |
347 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 347 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
@@ -350,6 +350,7 @@ extern int arg_nodvd; // --nodvd | |||
350 | extern int arg_nou2f; // --nou2f | 350 | extern int arg_nou2f; // --nou2f |
351 | extern int arg_noinput; // --noinput | 351 | extern int arg_noinput; // --noinput |
352 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 352 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
353 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies | ||
353 | 354 | ||
354 | typedef enum { | 355 | typedef enum { |
355 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus | 356 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus |
@@ -709,6 +710,8 @@ void pulseaudio_disable(void); | |||
709 | void fs_private_bin_list(void); | 710 | void fs_private_bin_list(void); |
710 | 711 | ||
711 | // fs_lib.c | 712 | // fs_lib.c |
713 | int is_firejail_link(const char *fname); | ||
714 | char *find_in_path(const char *program); | ||
712 | void fs_private_lib(void); | 715 | void fs_private_lib(void); |
713 | 716 | ||
714 | // protocol.c | 717 | // protocol.c |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 9c1b889ed..f62e6404e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -94,16 +94,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
94 | return; | 94 | return; |
95 | } | 95 | } |
96 | 96 | ||
97 | // if the file is not present, do nothing | ||
98 | assert(fname); | 97 | assert(fname); |
99 | struct stat s; | ||
100 | if (stat(fname, &s) < 0) { | ||
101 | if (arg_debug) | ||
102 | printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno)); | ||
103 | free(fname); | ||
104 | return; | ||
105 | } | ||
106 | |||
107 | // check for firejail executable | 98 | // check for firejail executable |
108 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail | 99 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail |
109 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird | 100 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird |
@@ -113,6 +104,24 @@ static void disable_file(OPERATION op, const char *filename) { | |||
113 | return; | 104 | return; |
114 | } | 105 | } |
115 | 106 | ||
107 | // if the file is not present, do nothing | ||
108 | int fd = open(fname, O_PATH|O_CLOEXEC); | ||
109 | if (fd < 0) { | ||
110 | if (arg_debug) | ||
111 | printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno)); | ||
112 | free(fname); | ||
113 | return; | ||
114 | } | ||
115 | |||
116 | struct stat s; | ||
117 | if (fstat(fd, &s) < 0) { | ||
118 | if (arg_debug) | ||
119 | printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno)); | ||
120 | free(fname); | ||
121 | close(fd); | ||
122 | return; | ||
123 | } | ||
124 | |||
116 | // modify the file | 125 | // modify the file |
117 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { | 126 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
118 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 127 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
@@ -136,13 +145,6 @@ static void disable_file(OPERATION op, const char *filename) { | |||
136 | printf(" - no logging\n"); | 145 | printf(" - no logging\n"); |
137 | } | 146 | } |
138 | 147 | ||
139 | int fd = open(fname, O_PATH|O_CLOEXEC); | ||
140 | if (fd < 0) { | ||
141 | if (arg_debug) | ||
142 | printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno)); | ||
143 | free(fname); | ||
144 | return; | ||
145 | } | ||
146 | EUID_ROOT(); | 148 | EUID_ROOT(); |
147 | if (S_ISDIR(s.st_mode)) { | 149 | if (S_ISDIR(s.st_mode)) { |
148 | if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0) | 150 | if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0) |
@@ -153,7 +155,6 @@ static void disable_file(OPERATION op, const char *filename) { | |||
153 | errExit("disable file"); | 155 | errExit("disable file"); |
154 | } | 156 | } |
155 | EUID_USER(); | 157 | EUID_USER(); |
156 | close(fd); | ||
157 | 158 | ||
158 | if (op == BLACKLIST_FILE) | 159 | if (op == BLACKLIST_FILE) |
159 | fs_logger2("blacklist", fname); | 160 | fs_logger2("blacklist", fname); |
@@ -180,8 +181,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
180 | else if (op == MOUNT_TMPFS) { | 181 | else if (op == MOUNT_TMPFS) { |
181 | if (!S_ISDIR(s.st_mode)) { | 182 | if (!S_ISDIR(s.st_mode)) { |
182 | fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); | 183 | fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); |
183 | free(fname); | 184 | goto out; |
184 | return; | ||
185 | } | 185 | } |
186 | 186 | ||
187 | uid_t uid = getuid(); | 187 | uid_t uid = getuid(); |
@@ -191,8 +191,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
191 | strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || | 191 | strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || |
192 | fname[strlen(cfg.homedir)] != '/') { | 192 | fname[strlen(cfg.homedir)] != '/') { |
193 | fwarning("you are not allowed to mount a tmpfs on %s\n", fname); | 193 | fwarning("you are not allowed to mount a tmpfs on %s\n", fname); |
194 | free(fname); | 194 | goto out; |
195 | return; | ||
196 | } | 195 | } |
197 | } | 196 | } |
198 | 197 | ||
@@ -202,6 +201,8 @@ static void disable_file(OPERATION op, const char *filename) { | |||
202 | else | 201 | else |
203 | assert(0); | 202 | assert(0); |
204 | 203 | ||
204 | out: | ||
205 | close(fd); | ||
205 | free(fname); | 206 | free(fname); |
206 | } | 207 | } |
207 | 208 | ||
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 61398f12b..4c9dac0c2 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -41,9 +41,9 @@ static char *paths[] = { | |||
41 | 41 | ||
42 | // return 1 if found, 0 if not found | 42 | // return 1 if found, 0 if not found |
43 | static char *check_dir_or_file(const char *name) { | 43 | static char *check_dir_or_file(const char *name) { |
44 | EUID_ASSERT(); | ||
44 | assert(name); | 45 | assert(name); |
45 | struct stat s; | 46 | struct stat s; |
46 | char *fname = NULL; | ||
47 | 47 | ||
48 | int i = 0; | 48 | int i = 0; |
49 | while (paths[i]) { | 49 | while (paths[i]) { |
@@ -54,50 +54,34 @@ static char *check_dir_or_file(const char *name) { | |||
54 | } | 54 | } |
55 | 55 | ||
56 | // check file | 56 | // check file |
57 | char *fname; | ||
57 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) | 58 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) |
58 | errExit("asprintf"); | 59 | errExit("asprintf"); |
59 | if (arg_debug) | 60 | if (arg_debug) |
60 | printf("Checking %s/%s\n", paths[i], name); | 61 | printf("Checking %s/%s\n", paths[i], name); |
61 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories | 62 | if (stat(fname, &s) == 0 && |
62 | // check symlink to firejail executable in /usr/local/bin | 63 | !S_ISDIR(s.st_mode) && // do not allow directories |
63 | if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { | 64 | !is_firejail_link(fname)) { // skip symlinks to firejail executable, as created by firecfg |
64 | /* coverity[toctou] */ | 65 | free(fname); |
65 | char *actual_path = realpath(fname, NULL); | ||
66 | if (actual_path) { | ||
67 | char *ptr = strstr(actual_path, "/firejail"); | ||
68 | if (ptr && strlen(ptr) == strlen("/firejail")) { | ||
69 | if (arg_debug) | ||
70 | printf("firejail exec symlink detected\n"); | ||
71 | free(actual_path); | ||
72 | free(fname); | ||
73 | fname = NULL; | ||
74 | i++; | ||
75 | continue; | ||
76 | } | ||
77 | free(actual_path); | ||
78 | } | ||
79 | |||
80 | } | ||
81 | break; // file found | 66 | break; // file found |
82 | } | 67 | } |
83 | 68 | ||
84 | free(fname); | 69 | free(fname); |
85 | fname = NULL; | ||
86 | i++; | 70 | i++; |
87 | } | 71 | } |
88 | 72 | ||
89 | if (!fname) { | 73 | if (!paths[i]) { |
90 | if (arg_debug) | 74 | if (arg_debug) |
91 | fwarning("file %s not found\n", name); | 75 | fwarning("file %s not found\n", name); |
92 | return NULL; | 76 | return NULL; |
93 | } | 77 | } |
94 | 78 | ||
95 | free(fname); | ||
96 | return paths[i]; | 79 | return paths[i]; |
97 | } | 80 | } |
98 | 81 | ||
99 | // return 1 if the file is in paths[] | 82 | // return 1 if the file is in paths[] |
100 | static int valid_full_path_file(const char *name) { | 83 | static int valid_full_path_file(const char *name) { |
84 | EUID_ASSERT(); | ||
101 | assert(name); | 85 | assert(name); |
102 | 86 | ||
103 | if (*name != '/') | 87 | if (*name != '/') |
@@ -149,6 +133,7 @@ static void report_duplication(const char *fname) { | |||
149 | } | 133 | } |
150 | 134 | ||
151 | static void duplicate(char *fname) { | 135 | static void duplicate(char *fname) { |
136 | EUID_ASSERT(); | ||
152 | assert(fname); | 137 | assert(fname); |
153 | 138 | ||
154 | if (*fname == '~' || strstr(fname, "..")) { | 139 | if (*fname == '~' || strstr(fname, "..")) { |
@@ -220,6 +205,7 @@ static void duplicate(char *fname) { | |||
220 | } | 205 | } |
221 | 206 | ||
222 | static void globbing(char *fname) { | 207 | static void globbing(char *fname) { |
208 | EUID_ASSERT(); | ||
223 | assert(fname); | 209 | assert(fname); |
224 | 210 | ||
225 | // go directly to duplicate() if no globbing char is present - see man 7 glob | 211 | // go directly to duplicate() if no globbing char is present - see man 7 glob |
@@ -256,6 +242,9 @@ static void globbing(char *fname) { | |||
256 | // testing for GLOB_NOCHECK - no pattern matched returns the original pattern | 242 | // testing for GLOB_NOCHECK - no pattern matched returns the original pattern |
257 | if (strcmp(globbuf.gl_pathv[j], pattern) == 0) | 243 | if (strcmp(globbuf.gl_pathv[j], pattern) == 0) |
258 | continue; | 244 | continue; |
245 | // skip symlinks to firejail executable, as created by firecfg | ||
246 | if (is_firejail_link(globbuf.gl_pathv[j])) | ||
247 | continue; | ||
259 | 248 | ||
260 | duplicate(globbuf.gl_pathv[j]); | 249 | duplicate(globbuf.gl_pathv[j]); |
261 | } | 250 | } |
@@ -267,6 +256,7 @@ static void globbing(char *fname) { | |||
267 | } | 256 | } |
268 | 257 | ||
269 | void fs_private_bin_list(void) { | 258 | void fs_private_bin_list(void) { |
259 | EUID_ASSERT(); | ||
270 | char *private_list = cfg.bin_private_keep; | 260 | char *private_list = cfg.bin_private_keep; |
271 | assert(private_list); | 261 | assert(private_list); |
272 | 262 | ||
@@ -274,7 +264,9 @@ void fs_private_bin_list(void) { | |||
274 | timetrace_start(); | 264 | timetrace_start(); |
275 | 265 | ||
276 | // create /run/firejail/mnt/bin directory | 266 | // create /run/firejail/mnt/bin directory |
267 | EUID_ROOT(); | ||
277 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); | 268 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); |
269 | EUID_USER(); | ||
278 | 270 | ||
279 | if (arg_debug) | 271 | if (arg_debug) |
280 | printf("Copying files in the new bin directory\n"); | 272 | printf("Copying files in the new bin directory\n"); |
@@ -293,9 +285,9 @@ void fs_private_bin_list(void) { | |||
293 | while ((ptr = strtok(NULL, ",")) != NULL) | 285 | while ((ptr = strtok(NULL, ",")) != NULL) |
294 | globbing(ptr); | 286 | globbing(ptr); |
295 | free(dlist); | 287 | free(dlist); |
296 | fs_logger_print(); | ||
297 | 288 | ||
298 | // mount-bind | 289 | // mount-bind |
290 | EUID_ROOT(); | ||
299 | int i = 0; | 291 | int i = 0; |
300 | while (paths[i]) { | 292 | while (paths[i]) { |
301 | struct stat s; | 293 | struct stat s; |
@@ -309,6 +301,9 @@ void fs_private_bin_list(void) { | |||
309 | } | 301 | } |
310 | i++; | 302 | i++; |
311 | } | 303 | } |
304 | fs_logger_print(); | ||
305 | EUID_USER(); | ||
306 | |||
312 | selinux_relabel_path(RUN_BIN_DIR, "/bin"); | 307 | selinux_relabel_path(RUN_BIN_DIR, "/bin"); |
313 | fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); | 308 | fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); |
314 | } | 309 | } |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 8d8530d81..230e9186c 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -380,12 +380,14 @@ void fs_private(void) { | |||
380 | selinux_relabel_path("/home", "/home"); | 380 | selinux_relabel_path("/home", "/home"); |
381 | fs_logger("tmpfs /home"); | 381 | fs_logger("tmpfs /home"); |
382 | } | 382 | } |
383 | EUID_USER(); | ||
383 | 384 | ||
384 | if (u != 0) { | 385 | if (u != 0) { |
385 | if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { | 386 | if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { |
386 | // create new empty /home/user directory | 387 | // create new empty /home/user directory |
387 | if (arg_debug) | 388 | if (arg_debug) |
388 | printf("Create a new user directory\n"); | 389 | printf("Create a new user directory\n"); |
390 | EUID_ROOT(); | ||
389 | if (mkdir(homedir, S_IRWXU) == -1) { | 391 | if (mkdir(homedir, S_IRWXU) == -1) { |
390 | if (mkpath_as_root(homedir) == -1) | 392 | if (mkpath_as_root(homedir) == -1) |
391 | errExit("mkpath"); | 393 | errExit("mkpath"); |
@@ -394,20 +396,17 @@ void fs_private(void) { | |||
394 | } | 396 | } |
395 | if (chown(homedir, u, g) < 0) | 397 | if (chown(homedir, u, g) < 0) |
396 | errExit("chown"); | 398 | errExit("chown"); |
399 | EUID_USER(); | ||
397 | fs_logger2("mkdir", homedir); | 400 | fs_logger2("mkdir", homedir); |
398 | fs_logger2("tmpfs", homedir); | 401 | fs_logger2("tmpfs", homedir); |
399 | } | 402 | } |
400 | else { | 403 | else |
401 | // mask user home directory | 404 | // mask user home directory |
402 | // the directory should be owned by the current user | 405 | // the directory should be owned by the current user |
403 | EUID_USER(); | ||
404 | fs_tmpfs(homedir, 1); | 406 | fs_tmpfs(homedir, 1); |
405 | EUID_ROOT(); | ||
406 | } | ||
407 | 407 | ||
408 | selinux_relabel_path(homedir, homedir); | 408 | selinux_relabel_path(homedir, homedir); |
409 | } | 409 | } |
410 | EUID_USER(); | ||
411 | 410 | ||
412 | skel(homedir); | 411 | skel(homedir); |
413 | if (xflag) | 412 | if (xflag) |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 848c186fa..03af7f8fb 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -61,17 +61,31 @@ static int valid_full_path(const char *full_path) { | |||
61 | return 0; | 61 | return 0; |
62 | } | 62 | } |
63 | 63 | ||
64 | // return 1 if symlink to firejail executable | ||
65 | int is_firejail_link(const char *fname) { | ||
66 | EUID_ASSERT(); | ||
67 | |||
68 | if (!is_link(fname)) | ||
69 | return 0; | ||
70 | |||
71 | char *rp = realpath(fname, NULL); | ||
72 | if (!rp) | ||
73 | return 0; | ||
74 | |||
75 | int rv = 0; | ||
76 | const char *base = gnu_basename(rp); | ||
77 | if (strcmp(base, "firejail") == 0) | ||
78 | rv = 1; | ||
79 | |||
80 | free(rp); | ||
81 | return rv; | ||
82 | } | ||
83 | |||
64 | char *find_in_path(const char *program) { | 84 | char *find_in_path(const char *program) { |
65 | EUID_ASSERT(); | 85 | EUID_ASSERT(); |
66 | if (arg_debug) | 86 | if (arg_debug) |
67 | printf("Searching $PATH for %s\n", program); | 87 | printf("Searching $PATH for %s\n", program); |
68 | 88 | ||
69 | char self[MAXBUF]; | ||
70 | ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); | ||
71 | if (len < 0) | ||
72 | errExit("readlink"); | ||
73 | self[len] = '\0'; | ||
74 | |||
75 | const char *path = env_get("PATH"); | 89 | const char *path = env_get("PATH"); |
76 | if (!path) | 90 | if (!path) |
77 | return NULL; | 91 | return NULL; |
@@ -88,18 +102,12 @@ char *find_in_path(const char *program) { | |||
88 | if (arg_debug) | 102 | if (arg_debug) |
89 | printf("trying #%s#\n", fname); | 103 | printf("trying #%s#\n", fname); |
90 | struct stat s; | 104 | struct stat s; |
91 | if (stat(fname, &s) == 0) { | 105 | if (stat(fname, &s) == 0 && |
92 | // but skip links created by firecfg | 106 | !is_firejail_link(fname)) { // skip links created by firecfg |
93 | char *rp = realpath(fname, NULL); | 107 | free(dup); |
94 | if (!rp) | 108 | return fname; |
95 | errExit("realpath"); | ||
96 | if (strcmp(self, rp) != 0) { | ||
97 | free(rp); | ||
98 | free(dup); | ||
99 | return fname; | ||
100 | } | ||
101 | free(rp); | ||
102 | } | 109 | } |
110 | |||
103 | free(fname); | 111 | free(fname); |
104 | tok = strtok(NULL, ":"); | 112 | tok = strtok(NULL, ":"); |
105 | } | 113 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index c10ad17a5..b4117bb70 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -137,7 +137,7 @@ int arg_allow_debuggers = 0; // allow debuggers | |||
137 | int arg_x11_block = 0; // block X11 | 137 | int arg_x11_block = 0; // block X11 |
138 | int arg_x11_xorg = 0; // use X11 security extension | 138 | int arg_x11_xorg = 0; // use X11 security extension |
139 | int arg_allusers = 0; // all user home directories visible | 139 | int arg_allusers = 0; // all user home directories visible |
140 | int arg_machineid = 0; // preserve /etc/machine-id | 140 | int arg_machineid = 0; // spoof /etc/machine-id |
141 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 141 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
142 | int arg_disable_mnt = 0; // disable /mnt and /media | 142 | int arg_disable_mnt = 0; // disable /mnt and /media |
143 | int arg_noprofile = 0; // use default.profile if none other found/specified | 143 | int arg_noprofile = 0; // use default.profile if none other found/specified |
@@ -147,6 +147,7 @@ int arg_nodvd = 0; // --nodvd | |||
147 | int arg_nou2f = 0; // --nou2f | 147 | int arg_nou2f = 0; // --nou2f |
148 | int arg_noinput = 0; // --noinput | 148 | int arg_noinput = 0; // --noinput |
149 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 149 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
150 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies | ||
150 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 151 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
151 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 152 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
152 | const char *arg_dbus_log_file = NULL; | 153 | const char *arg_dbus_log_file = NULL; |
@@ -871,7 +872,7 @@ char *guess_shell(void) { | |||
871 | if (shell) { | 872 | if (shell) { |
872 | invalid_filename(shell, 0); // no globbing | 873 | invalid_filename(shell, 0); // no globbing |
873 | if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && | 874 | if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && |
874 | strcmp(shell, PATH_FIREJAIL) != 0) | 875 | strcmp(gnu_basename(shell), "firejail") != 0) |
875 | goto found; | 876 | goto found; |
876 | } | 877 | } |
877 | 878 | ||
@@ -935,6 +936,8 @@ static void run_builder(int argc, char **argv) { | |||
935 | if (setresuid(-1, getuid(), getuid()) != 0) | 936 | if (setresuid(-1, getuid(), getuid()) != 0) |
936 | errExit("setresuid"); | 937 | errExit("setresuid"); |
937 | 938 | ||
939 | if (env_get("LD_PRELOAD") != NULL) | ||
940 | fprintf(stderr, "run_builder: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD")); | ||
938 | assert(env_get("LD_PRELOAD") == NULL); | 941 | assert(env_get("LD_PRELOAD") == NULL); |
939 | assert(getenv("LD_PRELOAD") == NULL); | 942 | assert(getenv("LD_PRELOAD") == NULL); |
940 | umask(orig_umask); | 943 | umask(orig_umask); |
@@ -1003,18 +1006,18 @@ int main(int argc, char **argv, char **envp) { | |||
1003 | fprintf(stderr, "Error: argv is invalid\n"); | 1006 | fprintf(stderr, "Error: argv is invalid\n"); |
1004 | exit(1); | 1007 | exit(1); |
1005 | } else if (argc >= MAX_ARGS) { | 1008 | } else if (argc >= MAX_ARGS) { |
1006 | fprintf(stderr, "Error: too many arguments\n"); | 1009 | fprintf(stderr, "Error: too many arguments: argc (%d) >= MAX_ARGS (%d)\n", argc, MAX_ARGS); |
1007 | exit(1); | 1010 | exit(1); |
1008 | } | 1011 | } |
1009 | 1012 | ||
1010 | // sanity check for arguments | 1013 | // sanity check for arguments |
1011 | for (i = 0; i < argc; i++) { | 1014 | for (i = 0; i < argc; i++) { |
1012 | if (*argv[i] == 0) { | 1015 | if (*argv[i] == 0) { |
1013 | fprintf(stderr, "Error: too short arguments\n"); | 1016 | fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i); |
1014 | exit(1); | 1017 | exit(1); |
1015 | } | 1018 | } |
1016 | if (strlen(argv[i]) >= MAX_ARG_LEN) { | 1019 | if (strlen(argv[i]) >= MAX_ARG_LEN) { |
1017 | fprintf(stderr, "Error: too long arguments\n"); | 1020 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); |
1018 | exit(1); | 1021 | exit(1); |
1019 | } | 1022 | } |
1020 | } | 1023 | } |
@@ -1025,7 +1028,7 @@ int main(int argc, char **argv, char **envp) { | |||
1025 | 1028 | ||
1026 | // sanity check for environment variables | 1029 | // sanity check for environment variables |
1027 | if (i >= MAX_ENVS) { | 1030 | if (i >= MAX_ENVS) { |
1028 | fprintf(stderr, "Error: too many environment variables\n"); | 1031 | fprintf(stderr, "Error: too many environment variables: >= MAX_ENVS (%d)\n", MAX_ENVS); |
1029 | exit(1); | 1032 | exit(1); |
1030 | } | 1033 | } |
1031 | 1034 | ||
@@ -2765,6 +2768,9 @@ int main(int argc, char **argv, char **envp) { | |||
2765 | else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { | 2768 | else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { |
2766 | arg_deterministic_exit_code = 1; | 2769 | arg_deterministic_exit_code = 1; |
2767 | } | 2770 | } |
2771 | else if (strcmp(argv[i], "--deterministic-shutdown") == 0) { | ||
2772 | arg_deterministic_shutdown = 1; | ||
2773 | } | ||
2768 | else { | 2774 | else { |
2769 | // double dash - positional params to follow | 2775 | // double dash - positional params to follow |
2770 | if (strcmp(argv[i], "--") == 0) { | 2776 | if (strcmp(argv[i], "--") == 0) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index babc3941e..d44b97ff6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1597,6 +1597,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1597 | return 0; | 1597 | return 0; |
1598 | } | 1598 | } |
1599 | 1599 | ||
1600 | if (strcmp(ptr, "deterministic-shutdown") == 0) { | ||
1601 | arg_deterministic_shutdown = 1; | ||
1602 | return 0; | ||
1603 | } | ||
1604 | |||
1600 | // rest of filesystem | 1605 | // rest of filesystem |
1601 | if (strncmp(ptr, "blacklist ", 10) == 0) | 1606 | if (strncmp(ptr, "blacklist ", 10) == 0) |
1602 | ptr += 10; | 1607 | ptr += 10; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 77fac5438..14667d9eb 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -22,7 +22,6 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | 24 | ||
25 | extern char *find_in_path(const char *program); | ||
26 | 25 | ||
27 | void run_symlink(int argc, char **argv, int run_as_is) { | 26 | void run_symlink(int argc, char **argv, int run_as_is) { |
28 | EUID_ASSERT(); | 27 | EUID_ASSERT(); |
@@ -77,6 +76,8 @@ void run_symlink(int argc, char **argv, int run_as_is) { | |||
77 | a[i + 2] = argv[i + 1]; | 76 | a[i + 2] = argv[i + 1]; |
78 | } | 77 | } |
79 | a[i + 2] = NULL; | 78 | a[i + 2] = NULL; |
79 | if (env_get("LD_PRELOAD") != NULL) | ||
80 | fprintf(stderr, "run_symlink: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD")); | ||
80 | assert(env_get("LD_PRELOAD") == NULL); | 81 | assert(env_get("LD_PRELOAD") == NULL); |
81 | assert(getenv("LD_PRELOAD") == NULL); | 82 | assert(getenv("LD_PRELOAD") == NULL); |
82 | execvp(a[0], a); | 83 | execvp(a[0], a); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d66b6c573..3887b5701 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -356,6 +356,15 @@ static int monitor_application(pid_t app_pid) { | |||
356 | if (arg_debug) | 356 | if (arg_debug) |
357 | printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status); | 357 | printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status); |
358 | 358 | ||
359 | if (arg_deterministic_shutdown) { | ||
360 | if (arg_debug) | ||
361 | printf("Sandbox monitor: monitored process died, shut down the sandbox\n"); | ||
362 | kill(-1, SIGTERM); | ||
363 | usleep(100000); | ||
364 | kill(-1, SIGKILL); | ||
365 | break; | ||
366 | } | ||
367 | |||
359 | DIR *dir; | 368 | DIR *dir; |
360 | if (!(dir = opendir("/proc"))) { | 369 | if (!(dir = opendir("/proc"))) { |
361 | // sleep 2 seconds and try again | 370 | // sleep 2 seconds and try again |
@@ -377,18 +386,6 @@ static int monitor_application(pid_t app_pid) { | |||
377 | if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid) | 386 | if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid) |
378 | continue; | 387 | continue; |
379 | 388 | ||
380 | // todo: make this generic | ||
381 | // Dillo browser leaves a dpid process running, we need to shut it down | ||
382 | int found = 0; | ||
383 | if (strcmp(cfg.command_name, "dillo") == 0) { | ||
384 | char *pidname = pid_proc_comm(pid); | ||
385 | if (pidname && strcmp(pidname, "dpid") == 0) | ||
386 | found = 1; | ||
387 | free(pidname); | ||
388 | } | ||
389 | if (found) | ||
390 | break; | ||
391 | |||
392 | monitored_pid = pid; | 389 | monitored_pid = pid; |
393 | break; | 390 | break; |
394 | } | 391 | } |
@@ -890,16 +887,16 @@ int sandbox(void* sandbox_arg) { | |||
890 | else if (arg_overlay) | 887 | else if (arg_overlay) |
891 | fwarning("private-bin feature is disabled in overlay\n"); | 888 | fwarning("private-bin feature is disabled in overlay\n"); |
892 | else { | 889 | else { |
890 | EUID_USER(); | ||
893 | // for --x11=xorg we need to add xauth command | 891 | // for --x11=xorg we need to add xauth command |
894 | if (arg_x11_xorg) { | 892 | if (arg_x11_xorg) { |
895 | EUID_USER(); | ||
896 | char *tmp; | 893 | char *tmp; |
897 | if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) | 894 | if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) |
898 | errExit("asprintf"); | 895 | errExit("asprintf"); |
899 | cfg.bin_private_keep = tmp; | 896 | cfg.bin_private_keep = tmp; |
900 | EUID_ROOT(); | ||
901 | } | 897 | } |
902 | fs_private_bin_list(); | 898 | fs_private_bin_list(); |
899 | EUID_ROOT(); | ||
903 | } | 900 | } |
904 | } | 901 | } |
905 | 902 | ||
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 3d9bf9082..e02be29f1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -435,11 +435,11 @@ void seccomp_print_filter(pid_t pid) { | |||
435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) | 435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) |
436 | errExit("asprintf"); | 436 | errExit("asprintf"); |
437 | 437 | ||
438 | struct stat s; | 438 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
439 | if (stat(fname, &s) == -1) | 439 | if (fd < 0) |
440 | goto errexit; | 440 | goto errexit; |
441 | 441 | ||
442 | FILE *fp = fopen(fname, "re"); | 442 | FILE *fp = fdopen(fd, "r"); |
443 | if (!fp) | 443 | if (!fp) |
444 | goto errexit; | 444 | goto errexit; |
445 | free(fname); | 445 | free(fname); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 43f862b9d..4a0f05528 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -87,6 +87,7 @@ static char *usage_str = | |||
87 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
88 | #endif | 88 | #endif |
89 | " --deterministic-exit-code - always exit with first child's status code.\n" | 89 | " --deterministic-exit-code - always exit with first child's status code.\n" |
90 | " --deterministic-shutdown - terminate orphan processes.\n" | ||
90 | " --dns=address - set DNS server.\n" | 91 | " --dns=address - set DNS server.\n" |
91 | " --dns.print=name|pid - print DNS configuration.\n" | 92 | " --dns.print=name|pid - print DNS configuration.\n" |
92 | " --env=name=value - set environment variable.\n" | 93 | " --env=name=value - set environment variable.\n" |
@@ -126,7 +127,7 @@ static char *usage_str = | |||
126 | #ifdef HAVE_NETWORK | 127 | #ifdef HAVE_NETWORK |
127 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" | 128 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" |
128 | #endif | 129 | #endif |
129 | " --machine-id - preserve /etc/machine-id\n" | 130 | " --machine-id - spoof /etc/machine-id with a random id\n" |
130 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" | 131 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" |
131 | "\tmemory mappings that are both writable and executable.\n" | 132 | "\tmemory mappings that are both writable and executable.\n" |
132 | " --mkdir=dirname - create a directory.\n" | 133 | " --mkdir=dirname - create a directory.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 969578aeb..3bfb4435e 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1059,7 +1059,7 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
1059 | waitpid(child, NULL, 0); | 1059 | waitpid(child, NULL, 0); |
1060 | 1060 | ||
1061 | if (access(dir, F_OK) == 0) | 1061 | if (access(dir, F_OK) == 0) |
1062 | return 1; | 1062 | return 1; |
1063 | return 0; | 1063 | return 0; |
1064 | } | 1064 | } |
1065 | 1065 | ||
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 7e0a57f92..189e9cc8d 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -27,7 +27,7 @@ desktop managers are supported in this moment | |||
27 | To set it up, run "sudo firecfg" after installing Firejail software. | 27 | To set it up, run "sudo firecfg" after installing Firejail software. |
28 | The same command should also be run after | 28 | The same command should also be run after |
29 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin | 29 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin |
30 | will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config". | 30 | will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config". |
31 | 31 | ||
32 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. | 32 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. |
33 | .SH DEFAULT ACTIONS | 33 | .SH DEFAULT ACTIONS |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a1eccaa5e..f6c905d59 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -954,12 +954,17 @@ be created and configured using "ip netns". | |||
954 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | 954 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, |
955 | instead of the default one. | 955 | instead of the default one. |
956 | #endif | 956 | #endif |
957 | |||
957 | .SH Other | 958 | .SH Other |
958 | .TP | 959 | .TP |
959 | \fBdeterministic-exit-code | 960 | \fBdeterministic-exit-code |
960 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 961 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
961 | 962 | ||
962 | .TP | 963 | .TP |
964 | \fBdeterministic-shutdown | ||
965 | Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. | ||
966 | |||
967 | .TP | ||
963 | \fBjoin-or-start sandboxname | 968 | \fBjoin-or-start sandboxname |
964 | Join the sandbox identified by name or start a new one. | 969 | Join the sandbox identified by name or start a new one. |
965 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | 970 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e724e4bb9..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | |||
706 | \fB\-\-deterministic-exit-code | 706 | \fB\-\-deterministic-exit-code |
707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
708 | .br | 708 | .br |
709 | |||
710 | .TP | ||
711 | \fB\-\-deterministic-shutdown | ||
712 | Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. | ||
713 | .br | ||
714 | |||
709 | .TP | 715 | .TP |
710 | \fB\-\-disable-mnt | 716 | \fB\-\-disable-mnt |
711 | Blacklist /mnt, /media, /run/mount and /run/media access. | 717 | Blacklist /mnt, /media, /run/mount and /run/media access. |
@@ -815,6 +821,26 @@ Example: | |||
815 | $ firejail \-\-hosts-file=~/myhosts firefox | 821 | $ firejail \-\-hosts-file=~/myhosts firefox |
816 | 822 | ||
817 | .TP | 823 | .TP |
824 | \fB\-\-ids-check | ||
825 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. | ||
826 | .br | ||
827 | |||
828 | .br | ||
829 | Example: | ||
830 | .br | ||
831 | $ firejail \-\-ids-check | ||
832 | |||
833 | .TP | ||
834 | \fB\-\-ids-init | ||
835 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. | ||
836 | .br | ||
837 | |||
838 | .br | ||
839 | Example: | ||
840 | .br | ||
841 | $ firejail \-\-ids-init | ||
842 | |||
843 | .TP | ||
818 | \fB\-\-ignore=command | 844 | \fB\-\-ignore=command |
819 | Ignore command in profile file. | 845 | Ignore command in profile file. |
820 | .br | 846 | .br |
@@ -3202,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | |||
3202 | $ firejail \-\-cat=mybrowser ~/.bashrc | 3228 | $ firejail \-\-cat=mybrowser ~/.bashrc |
3203 | .br | 3229 | .br |
3204 | #endif | 3230 | #endif |
3231 | |||
3232 | .SH INTRUSION DETECTION SYSTEM (IDS) | ||
3233 | The host-based intrusion detection system tracks down and audits user and system file modifications. | ||
3234 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, | ||
3235 | where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing. | ||
3236 | |||
3237 | As a regular user, initialize the database: | ||
3238 | .br | ||
3239 | |||
3240 | .br | ||
3241 | $ firejail --ids-init | ||
3242 | .br | ||
3243 | Opening config file /etc/firejail/ids.config | ||
3244 | .br | ||
3245 | Loading config file /etc/firejail/ids.config | ||
3246 | .br | ||
3247 | Opening config file /etc/firejail/ids.config.local | ||
3248 | .br | ||
3249 | 500 1000 1500 2000 | ||
3250 | .br | ||
3251 | 2466 files scanned | ||
3252 | .br | ||
3253 | IDS database initialized | ||
3254 | .br | ||
3255 | |||
3256 | .br | ||
3257 | The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory | ||
3258 | such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed. | ||
3259 | .br | ||
3260 | |||
3261 | .br | ||
3262 | Run --ids-check to audit the system: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --ids-check | ||
3267 | .br | ||
3268 | Opening config file /etc/firejail/ids.config | ||
3269 | .br | ||
3270 | Loading config file /etc/firejail/ids.config | ||
3271 | .br | ||
3272 | Opening config file /etc/firejail/ids.config.local | ||
3273 | .br | ||
3274 | 500 1000 1500 | ||
3275 | .br | ||
3276 | Warning: modified /home/netblue/.bashrc | ||
3277 | .br | ||
3278 | 2000 | ||
3279 | .br | ||
3280 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
3281 | .br | ||
3282 | |||
3283 | .br | ||
3284 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
3285 | New files and deleted files are also flagged. | ||
3286 | |||
3287 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
3288 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
3289 | |||
3205 | .SH MONITORING | 3290 | .SH MONITORING |
3206 | Option \-\-list prints a list of all sandboxes. The format | 3291 | Option \-\-list prints a list of all sandboxes. The format |
3207 | for each process entry is as follows: | 3292 | for each process entry is as follows: |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index c7f6ee3f1..6ce71aed8 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -94,6 +94,7 @@ _firejail_args=( | |||
94 | '--cpu=-[set cpu affinity]: :->cpus' | 94 | '--cpu=-[set cpu affinity]: :->cpus' |
95 | '*--deny=-[deny access to directory or file]: :_files' | 95 | '*--deny=-[deny access to directory or file]: :_files' |
96 | "--deterministic-exit-code[always exit with first child's status code]" | 96 | "--deterministic-exit-code[always exit with first child's status code]" |
97 | '--deterministic-shutdown[terminate orphan processes]' | ||
97 | '*--dns=-[set DNS server]: :' | 98 | '*--dns=-[set DNS server]: :' |
98 | '*--env=-[set environment variable]: :' | 99 | '*--env=-[set environment variable]: :' |
99 | '--hostname=-[set sandbox hostname]: :' | 100 | '--hostname=-[set sandbox hostname]: :' |
@@ -104,7 +105,7 @@ _firejail_args=( | |||
104 | '--keep-config-pulse[disable automatic ~/.config/pulse init]' | 105 | '--keep-config-pulse[disable automatic ~/.config/pulse init]' |
105 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 106 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' |
106 | '--keep-var-tmp[/var/tmp directory is untouched]' | 107 | '--keep-var-tmp[/var/tmp directory is untouched]' |
107 | '--machine-id[preserve /etc/machine-id]' | 108 | '--machine-id[spoof /etc/machine-id with a random id]' |
108 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 109 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |
109 | '*--mkdir=-[create a directory]:' | 110 | '*--mkdir=-[create a directory]:' |
110 | '*--mkfile=-[create a file]:' | 111 | '*--mkfile=-[create a file]:' |
diff --git a/test/environment/deterministic-shutdown.exp b/test/environment/deterministic-shutdown.exp new file mode 100755 index 000000000..3931893be --- /dev/null +++ b/test/environment/deterministic-shutdown.exp | |||
@@ -0,0 +1,16 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2021 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 5 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --deterministic-shutdown bash -c \"sleep 10 & exec sleep 1\"\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Parent is shutting down, bye..." | ||
14 | } | ||
15 | |||
16 | puts "\nall done\n" | ||
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 1e1dd549b..c35f69b0c 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -124,5 +124,8 @@ echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" | |||
124 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" | 124 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" |
125 | ./deterministic-exit-code.exp | 125 | ./deterministic-exit-code.exp |
126 | 126 | ||
127 | echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)" | ||
128 | ./deterministic-shutdown.exp | ||
129 | |||
127 | echo "TESTING: retain umask (test/environment/umask.exp)" | 130 | echo "TESTING: retain umask (test/environment/umask.exp)" |
128 | (umask 123 && ./umask.exp) | 131 | (umask 123 && ./umask.exp) |