-rw-r--r--README.md12
-rw-r--r--RELNOTES2
-rw-r--r--etc/abrowser.profile37
-rw-r--r--etc/akregator.profile1
-rw-r--r--etc/audacity.profile2
-rw-r--r--etc/bnox.profile23
-rw-r--r--etc/brave.profile27
-rw-r--r--etc/chromium-common.profile32
-rw-r--r--etc/chromium.profile24
-rw-r--r--etc/clementine.profile1
-rw-r--r--etc/cliqz.profile79
-rw-r--r--etc/cyberfox.profile60
-rw-r--r--etc/disable-common.inc15
-rw-r--r--etc/disable-programs.inc13
-rw-r--r--etc/dnox.profile23
-rw-r--r--etc/dolphin.profile3
-rw-r--r--etc/firefox-common-addons.inc55
-rw-r--r--etc/firefox-common.profile44
-rw-r--r--etc/firefox.profile83
-rw-r--r--etc/flashpeak-slimjet.profile26
-rw-r--r--etc/google-chrome-beta.profile23
-rw-r--r--etc/google-chrome-unstable.profile23
-rw-r--r--etc/google-chrome.profile25
-rw-r--r--etc/icecat.profile40
-rw-r--r--etc/iceweasel.profile2
-rw-r--r--etc/inox.profile23
-rw-r--r--etc/iridium.profile24
-rw-r--r--etc/kdenlive.profile3
-rw-r--r--etc/kget.profile2
-rw-r--r--etc/krita.profile1
-rw-r--r--etc/libreoffice.profile2
-rw-r--r--etc/okular.profile1
-rw-r--r--etc/opera-beta.profile17
-rw-r--r--etc/opera.profile16
-rw-r--r--etc/palemoon.profile50
-rw-r--r--etc/qbittorrent.profile1
-rw-r--r--etc/qtox.profile2
-rw-r--r--etc/remmina.profile1
-rw-r--r--etc/scribus.profile1
-rw-r--r--etc/soundconverter.profile2
-rw-r--r--etc/tilp.profile34
-rw-r--r--etc/vivaldi.profile22
-rw-r--r--etc/waterfox.profile71
-rw-r--r--etc/whitelist-common.inc3
-rw-r--r--etc/yandex-browser.profile24
-rw-r--r--src/firecfg/firecfg.config1
46 files changed, 293 insertions, 683 deletions
diff --git a/README.md b/README.md
index 1bb9b2d98..eebe91d10 100644
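--- a/README.md
+++ b/README.md
@@ -98,7 +98,17 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
 
+## Browser profile unification
+
+All Chromium and Firefox browsers have been unified to instead extend
+chromium-common.profile and firefox-common.profile respectively.
+This allows for reduced maintenance and ease of adding new browsers.
+NOTE: All users of Firefox-based browsers who use addons and plugins
+that read/write from ${HOME} will need to uncomment the includes for
+firefox-common-addons.inc in firefox-common.profile.
+
 ## New profiles
 
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
-pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain
+pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
+tilp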
diff --git a/RELNOTES b/RELNOTES
index a924cd3d8..b0a873e38 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,7 +7,7 @@ firejail (0.9.53) baseline; urgency=low
7 * private-tmp support for overlay and chroot sandboxes 7 * private-tmp support for overlay and chroot sandboxes
8 * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, 8 * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
9 * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine, 9 * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine,
10 * new profiles: pdfchain 10 * new profiles: pdfchain, tilp
11 -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 11 -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500
12 12
13firejail (0.9.52) baseline; urgency=low 13firejail (0.9.52) baseline; urgency=low
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 5c964bad1..d757d6f49 100644
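--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -7,42 +7,15 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
 
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
+# private-etc must first be enabled in firefox-common.profile
+#private-etc abrowser
+
 
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# Redirect
+include /etc/firejail/firefox-common.profile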
diff --git a/etc/akregator.profile b/etc/akregator.profile
index f2e5ea341..2c49ef9f0 100644
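--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
 
 include /etc/firejail/whitelist-var-common.inc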
diff --git a/etc/audacity.profile b/etc/audacity.profile
index e173fa65a..ea1d38132 100644
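--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
-net none
+#net none
 no3d
 nodvd
 nogroups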
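Review bot: Commenting out `net none` gives every Audacity sandbox network access by default, and the profile records no reason for the change. If a specific feature needs the network, say so next to the line, e.g. `# net none - breaks <feature>; re-enable in audacity.local if you do not need it`, so users who do not need it know how to restore the restriction. The rest of the profile lies outside this hunk, so whether a `netfilter` or `protocol` line still limits the sandbox cannot be checked from here.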
diff --git a/etc/bnox.profile b/etc/bnox.profile
index 4270755c8..3207a2923 100644
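--- a/etc/bnox.profile
+++ b/etc/bnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/bnox
 whitelist ${HOME}/.config/bnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile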
diff --git a/etc/brave.profile b/etc/brave.profile
index 668e8a244..f37ac2a05 100644
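--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -8,31 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/brave
 # brave uses gpg for built-in password manager
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.config/brave
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/KeePass
 whitelist ${HOME}/.config/brave
-whitelist ${HOME}/.config/keepass
-whitelist ${HOME}/.config/lastpass
-whitelist ${HOME}/.keepass
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-# caps.drop all
-netfilter
-# nonewprivs
-# noroot
-nodvd
-notv
-# protocol unix,inet,inet6,netlink
-# seccomp
+whitelist ${HOME}/.gnupg
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile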
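Review bot: The new `whitelist ${HOME}/.gnupg` line makes the user's whole GnuPG directory, private keys included, visible and writable inside the browser sandbox; the old profile only had `noblacklist ${HOME}/.gnupg` and, as far as this hunk shows, never whitelisted it. If the built-in password manager only needs to read key material, add `read-only ${HOME}/.gnupg`; otherwise ship the whitelist commented out with a short note so that only users of that feature opt in. Separately, the KeePass and LastPass whitelists are removed with no replacement include, which is worth a line in the release notes.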
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
new file mode 100644
index 000000000..5c5215309
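--- /dev/null
+++ b/etc/chromium-common.profile
@@ -0,0 +1,32 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/chromium-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
+
+disable-mnt
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp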
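Review bot: `caps.keep sys_chroot,sys_admin` on line 20 leaves CAP_SYS_ADMIN available to every browser that now redirects here, and the file sets none of `nonewprivs`, `noroot`, `seccomp` or `protocol`, all of which firefox-common.profile in this same commit does set. If that is deliberate because Chromium's own sandbox needs those privileges (presumably so; the page does not say), record it in a comment above the line, e.g. `# Chromium's internal sandbox needs these caps; do not add seccomp/nonewprivs/noroot here`, so a reader does not take the gap for an oversight. brave.profile in particular changes behaviour with this redirect: its old hunk shows no `caps.keep`, `nogroups`, `shell none`, `private-dev` or `noexec` lines, so that profile deserves a test run before release.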
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 64d790121..ad9f9af33 100644
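--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -8,34 +8,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/chromium
 noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/chromium-flags.conf
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
 
-disable-mnt
 # private-bin chromium,chromium-browser,chromedriver
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile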
diff --git a/etc/clementine.profile b/etc/clementine.profile
index a736f7bf9..ccf6f9c97 100644
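--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/Clementine
 noblacklist ${HOME}/.config/Clementine
 
 include /etc/firejail/disable-common.inc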
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index 086dfa233..4ff96311d 100644
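--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -7,77 +7,14 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/cliqz
 noblacklist ${HOME}/.config/cliqz
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 
-noblacklist ${HOME}/.pki
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.config/cliqz
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cliqz
 
-mkdir ${HOME}/.cache/mozilla/firefox
-mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile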
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 66cd27461..ce51906ba 100644
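--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -7,67 +7,15 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.8pecxstudios
 noblacklist ${HOME}/.cache/8pecxstudios
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-disable-mnt
 # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
-private-dev
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cyberfox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile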
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 522a14aad..54a292bc2 100644
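--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -45,9 +45,9 @@ blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 
 # KDE config
-blacklist ${HOME}/.config/*.notifyrc
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -57,9 +57,9 @@ blacklist ${HOME}/.kde/share/apps/konsole
 blacklist ${HOME}/.kde/share/apps/kwin
 blacklist ${HOME}/.kde/share/apps/plasma
 blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/*.notifyrc
 blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -67,9 +67,9 @@ blacklist ${HOME}/.kde4/share/apps/konsole
 blacklist ${HOME}/.kde4/share/apps/kwin
 blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/*.notifyrc
 blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -79,19 +79,28 @@ blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
+read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
 read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/kssl
+read-only ${HOME}/.kde/share/config/*notifyrc
 read-only ${HOME}/.kde/share/config/kdeglobals
 read-only ${HOME}/.kde/share/config/kio_httprc
 read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
 read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/kssl
+read-only ${HOME}/.kde4/share/config/*notifyrc
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.kde4/share/config/kio_httprc
 read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
 read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
 
 # kdeinit socket
 blacklist /run/user/*/kdeinit5__*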
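Review bot: The notifyrc files move from `blacklist` to `read-only` in all three KDE config directories, and the glob widens from `*.notifyrc` to `*notifyrc`, with no comment explaining either change. Read-only still stops a sandboxed program from rewriting them, but they become readable in every profile that includes this file. A one-line comment above the new entries, for example `# notifyrc: readable so KDE apps can raise notifications, read-only so they cannot be modified` (wording for the author to confirm), would record the intent. The same applies to the new `kssl` and `ksslcablacklist` read-only entries in the last hunk.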
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 660bb9ffd..8e72dc47e 100644
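--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -135,6 +135,8 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
@@ -346,6 +348,7 @@ blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
+blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
@@ -364,6 +367,9 @@ blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
@@ -445,6 +451,7 @@ blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.ts3client
@@ -474,6 +481,7 @@ blacklist /tmp/ssh-*
 # ~/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
@@ -487,6 +495,7 @@ blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dolphin
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/fossamail
@@ -500,6 +509,8 @@ blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/kinfocenter
 blacklist ${HOME}/.cache/krunner
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
@@ -513,6 +524,7 @@ blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/nheko/nheko
 blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
@@ -525,6 +537,7 @@ blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser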
diff --git a/etc/dnox.profile b/etc/dnox.profile
index d6626c048..505884ca6 100644
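--- a/etc/dnox.profile
+++ b/etc/dnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/dnox
 whitelist ${HOME}/.config/dnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile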
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index c1604826e..ce167b7a7 100644
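--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -8,7 +8,8 @@ include /etc/firejail/globals.local
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
 
 noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/dolphinrc - diable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/dolphinrc
 # noblacklist ${HOME}/.local/share/dolphin
 
 include /etc/firejail/disable-common.inc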
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
new file mode 100644
index 000000000..b237c3c05
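--- /dev/null
+++ b/etc/firefox-common-addons.inc
@@ -0,0 +1,55 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox-common-addons.local
+
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper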
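Review bot: `whitelist ${HOME}/.local/share/gnome-shell/extensions` on line 44 is active while its matching `noblacklist` on line 19 is commented out, so the two lines disagree; the pair appears to have been carried over unchanged from the old cliqz profile. Whitelisting that directory lets the sandboxed browser write to the place the desktop shell loads extension code from, outside the sandbox, so line 44 should be commented out to match line 19 (or paired with `read-only`) unless a specific add-on needs it. The include is also all-or-nothing: enabling it for one add-on exposes `.lastpass`, `.zotero`, the pipelight Wine prefixes and the okular/kget/qpdfview data together. A header comment telling users to copy only the lines they need into firefox-common.local would keep the exposed set small.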
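diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
new file mode 100644
index 000000000..0c4271edc
--- /dev/null
+++ b/etc/firefox-common.profile
@@ -0,0 +1,44 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# uncomment the following line to allow access to common programs/addons/plugins
+#include /etc/firejail/firefox-common-addons.inc
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+private-tmp
+
+noexec ${HOME}
+noexec /tmp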
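Review bot: The two opt-in hints in this new file (line 8 for the addons include, line 39 for `private-etc`) tell users to uncomment lines in a file whose own header says it is overwritten after every install/update, so anyone who enables `private-etc` here loses that hardening on the next upgrade without notice. Point the hints at the persistent override that line 4 already includes, e.g. `# to allow access to common programs/addons/plugins, add the following line to firefox-common.local`. The same wording problem is in the `# private-etc must first be enabled in firefox-common.profile` comments this commit adds to firefox.profile, icecat.profile, iceweasel.profile, palemoon.profile and waterfox.profile; `# private-etc must first be enabled in firefox-common.local` would survive updates, assuming the option behaves the same when set from the .local file.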
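diff --git a/etc/firefox.profile b/etc/firefox.profile
index 079cb1536..0ab6a6141 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -6,90 +6,17 @@ include /etc/firejail/firefox.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-disable-mnt
 # firefox requires a shell to launch on Arch.
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc below works fine on most distributions. There are some problems on CentOS.
-# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-private-tmp
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc firefox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile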
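diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index d9be8b9c5..63f9d19a9 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# This is a whitelisted profile, the internal browser sandbox
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
-# firejail flashpeak-slimjet --no-sandbox
-
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/slimjet
 whitelist ${HOME}/.config/slimjet
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile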
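Review bot: The redirect on new line 17 replaces slimjet's own `caps.drop all`, `nonewprivs`, `noroot`, `protocol` and `seccomp` with whatever chromium-common.profile sets, and the removed header comment said this browser is launched with `--no-sandbox` because its internal sandbox is disabled. chromium-common.profile is not in this view; if it carries the `caps.keep sys_chroot,sys_admin` and the absence of `seccomp` that the other Chromium profiles in this commit had before unification (an inference), a user who still follows the old `--no-sandbox` instruction ends up with neither the browser's sandbox nor the firejail restrictions the old profile applied. Please confirm which launch mode is now expected and record it in the file, for example `# uses the Chromium internal sandbox via chromium-common.profile; do not start with --no-sandbox`.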
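diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 9c7306b85..ab16558ea 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile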
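diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index bb05b3e99..b7d0eccf3 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile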
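diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 19ebfa974..6e44190ae 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -7,32 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile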
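diff --git a/etc/icecat.profile b/etc/icecat.profile
index 9e5526c95..42e762c21 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -7,46 +7,14 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
 
-disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile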
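diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index f6b57dde0..51f15aa1b 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
 
 # Redirect
 include /etc/firejail/firefox.profile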
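diff --git a/etc/inox.profile b/etc/inox.profile
index fbc654434..652761c54 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile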
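diff --git a/etc/iridium.profile b/etc/iridium.profile
index 76026722f..2869c3070 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -8,30 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile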
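diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 4d34c82d3..b6d48356d 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,6 +6,9 @@ include /etc/firejail/kdenlive.local
 include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc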
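diff --git a/etc/kget.profile b/etc/kget.profile
index 25c66e044..c4e073c2b 100644
--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -5,10 +5,12 @@ include /etc/firejail/kget.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc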
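diff --git a/etc/krita.profile b/etc/krita.profile
index 0d2b62c5d..c621e2c72 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc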
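diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 3548a75ad..220e0f02c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,3 +34,5 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
+
+join-or-start libreoffice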
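diff --git a/etc/okular.profile b/etc/okular.profile
index da82d2622..d98d4792f 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
 
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.kde/share/apps/okular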
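diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3fe86d26c..38a3152d2 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile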
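diff --git a/etc/opera.profile b/etc/opera.profile
index fed7564b2..c0138c555 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -8,25 +8,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile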
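diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 1112a9bb7..ff7087e55 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -8,53 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/pale moon
 noblacklist ${HOME}/.moonchild productions/pale moon
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
-
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-# private-bin palemoon
-# private-dev (disabled for now as it will interfere with webcam use in palemoon)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-# private-opt palemoon
-private-tmp
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
 
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile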
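Review bot: The comment removed at old line 55 recorded that `private-dev` was deliberately left off because it interferes with webcam use, and the redirect on new line 22 now switches it on through firefox-common.profile (line 38 there) without saying so. The tighter default is reasonable, but the rationale and the opt-out are lost to anyone who later debugs a missing camera. Keep a pointer in this file, for example `# private-dev is inherited from firefox-common.profile; add 'ignore private-dev' to palemoon.local if webcam access is needed`. Whether `ignore` placed in palemoon.local takes effect before the include should be checked against the profile loader, which is not part of this diff.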
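diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index a01b1e9a8..da870ab76 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/qBittorrent
 noblacklist ${HOME}/.config/qBittorrent
 noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc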
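diff --git a/etc/qtox.profile b/etc/qtox.profile
index a8d980a18..648282db4 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -33,7 +33,7 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache
+private-etc fonts,resolv.conf,ld.so.cache,localtime
 private-dev
 private-tmp
 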
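diff --git a/etc/remmina.profile b/etc/remmina.profile
index f6738b7d5..cc209b84a 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -24,6 +24,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-dev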
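diff --git a/etc/scribus.profile b/etc/scribus.profile
index 001b91387..8ce63fbf0 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 blacklist /run/user/*/bus
 
 # Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/scribus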
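diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index c27fb3819..1f64567ef 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc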
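diff --git a/etc/tilp.profile b/etc/tilp.profile
new file mode 100644
index 000000000..a6165fbfe
--- /dev/null
+++ b/etc/tilp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tilp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.tilp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp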
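Review bot: The private-* group at lines 28-31 leaves out `private-dev`, which most of the sibling profiles in this commit set, and the file gives no reason. If the omission is deliberate because tilp has to reach a link-cable device node (an inference; nothing here shows it), say so with a comment such as `# private-dev omitted: tilp needs access to the calculator link device`, so that a later cleanup does not add it back or, conversely, so the gap is not mistaken for an oversight. In the same case `nogroups` on line 18 deserves a check, since device nodes are often reachable only through a supplementary group.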
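diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 3a1f72f23..aeef58292 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,28 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.config/vivaldi
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile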
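diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index b2abb3a5f..fdd299bbf 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -7,83 +7,22 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.waterfox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile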
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 97846b4a3..c664d5a53 100644
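--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -57,15 +57,18 @@ whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
 whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct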
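Review bot: The three added `ksslcablacklist` lines (under `.config`, `.kde/share/config` and `.kde4/share/config`) expose what is, going by its name, KDE's CA blacklist to every profile that includes whitelist-common.inc, and a whitelisted path stays writable inside the sandbox unless a read-only rule also covers it. A compromised sandboxed program could then edit the file and change which CAs other KDE applications outside the sandbox reject. If only read access is needed, pair each entry with a rule such as `read-only ${HOME}/.config/ksslcablacklist`, plus the two `.kde`/`.kde4` variants. Whether another include already does this is not visible in this hunk.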
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
index 1c7769727..fdb7694a5 100644
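--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
 noblacklist ${HOME}/.config/yandex-browser-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/yandex-browser
 whitelist ${HOME}/.cache/yandex-browser-beta
 whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile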
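Review bot: The new `# Redirect` comment does not say that all of this profile's confinement now comes from `chromium-common.profile`. The removed lines held the `disable-*.inc` includes, `caps.keep sys_chroot,sys_admin`, `disable-mnt`, `private-dev`, the two `noexec` rules and the note that `private-tmp` breaks multiple browser sessions. The common file is not part of this section, so confirm it carries `disable-mnt` and does not enable `private-tmp` before relying on it here. A fuller comment would help, for example `# Redirect: blacklists, .pki/${DOWNLOADS} whitelisting, caps and noexec are inherited from chromium-common.profile`.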
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 90bbc8bb5..9bd60171b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -338,6 +338,7 @@ telegram
338telegram-desktop 338telegram-desktop
339terasology 339terasology
340thunderbird 340thunderbird
341tilp
341tor-browser-ar 342tor-browser-ar
342tor-browser-en 343tor-browser-en
343tor-browser-en-us 344tor-browser-en-us