332 files changed, 896 insertions, 508 deletions
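--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 0ad
+# Description: Real-time strategy game of ancient warfare
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/0ad.local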
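--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 2048-qt
+# Description: Mathematics based puzzle game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/2048-qt.local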
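--- a/etc/Fritzing.profile
+++ b/etc/Fritzing.profile
@@ -1,4 +1,5 @@
 # Firejail profile for fritzing
+# Description: Easy-to-use electronic design software
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Fritzing.local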
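--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for Thunar
+# Description: File Manager for Xfce
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Thunar.local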
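--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for virtualbox
+# Description: x86 virtualization solution
 # This file is overwritten after every install/update
 
 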
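--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,4 +1,5 @@
 # Firejail profile for Xvfb
+# Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Xvfb.local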
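--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -1,4 +1,5 @@
 # Firejail profile for akregator
+# Description: RSS/Atom feed aggregator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/akregator.local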
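--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,4 +1,5 @@
 # Firejail profile for amarok
+# Description: Easy to use media player based on the KDE Platform
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/amarok.local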
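--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -1,4 +1,5 @@
 # Firejail profile for amule
+# Description: Client for the eD2k and Kad networks, like eMule
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/amule.local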
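--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -1,4 +1,5 @@
 # Firejail profile for apktool
+# Description: Tool for reverse engineering Android apk files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations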
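--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arch-audit
+# Description: A utility like pkg-audit based on Arch CVE Monitoring Team data
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations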
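--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arduino
+# Description: AVR development board IDE and built-in libraries
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/arduino.local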
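--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ark
+# Description: Archive utility
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ark.local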
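--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arm
+# Description: Terminal status monitor for Tor relays
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/arm.local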
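--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -1,4 +1,5 @@
 # Firejail profile for asounder
+# Description: Graphical audio CD ripper and encoder
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/asunder.local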
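--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atom.local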
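--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atool
+# Description: Tool for managing file archives of various types
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atool.local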
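--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atril
+# Description: MATE document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atril.local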
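--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,4 +1,5 @@
 # Firejail profile for audacious
+# Description: Small and fast audio player which supports lots of formats
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/audacious.local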
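--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,4 +1,5 @@
 # Firejail profile for audacity
+# Description: Fast, cross-platform audio editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/audacity.local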
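--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,4 +1,5 @@
 # Firejail profile for aweather
+# Description: Advanced Weather Monitoring Program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/aweather.local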
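--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -1,4 +1,5 @@
 # Firejail profile for baobab
+# Description: GNOME disk usage analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/baobab.local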
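--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bibletime
+# Description: Bible study tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bibletime.local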
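--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bitcoin-qt
+# Description: Bitcoin is a peer-to-peer network based digital currency
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bitcoin-qt.local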
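--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bitlbee
+# Description: IRC to other chat networks gateway
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bitlbee.local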
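--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bleachbit
+# Description: Delete unnecessary files from the system
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bleachbit.local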
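--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -1,4 +1,5 @@
 # Firejail profile for blender
+# Description: Very fast and versatile 3D modeller/renderer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/blender.local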
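--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bless
+# Description: A full featured hexadecimal editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bless.local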
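--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bluefish
+# Description: Advanced Gtk+ text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bluefish.local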
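--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,4 +1,5 @@
 # Firejail profile for brasero
+# Description: CD/DVD burning application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/brasero.local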
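--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -37,6 +37,3 @@ tracelog
 private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
-
-
-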
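--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -1,4 +1,5 @@
 # Firejail profile for caja
+# Description: File manager for the MATE desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/caja.local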
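--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -1,4 +1,5 @@
 # Firejail profile for calibre
+# Description: Powerful and easy to use e-book manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/calibre.local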
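--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -1,4 +1,5 @@
 # Firejail profile for calligra
+# Description: Extensive productivity and creative suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/calligra.local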
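--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -1,4 +1,5 @@
 # Firejail profile for catfish
+# Description: File searching tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/catfish.local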
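--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,4 +1,5 @@
 # Firejail profile for cherrytree
+# Description: Hierarchical note taking application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/cherrytree.local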
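--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,4 +1,5 @@
 # Firejail profile for chromium
+# Description: A web browser built for speed, simplicity, and security
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/chromium.local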
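--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clamav
+# Description: Anti-virus utility for Unix
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations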
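--- /dev/null
+++ b/etc/clamtk.profile
@@ -0,0 +1,28 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clamtk.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp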
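Review bot: The new clamtk profile includes no `disable-*.inc` blacklist file and sets no `whitelist` or `read-only` rules, so apart from `private-dev` the sandboxed process keeps the user's normal view of the filesystem, including a writable (though `noexec`) home directory. For an on-demand scanner that is presumably deliberate, since a blacklisted path could not be scanned, but nothing in the file says so; a comment such as `# disable-*.inc deliberately not included: clamtk must be able to read every path it scans` would keep a later cleanup from changing it. `net none` likewise looks intentional but means signature updates cannot be fetched from inside the sandbox, which deserves a one-line comment too. The file also lacks the `# Description:` line this commit adds to the other profiles.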
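--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,4 +1,5 @@
 # Firejail profile for claws-mail
+# Description: Fast, lightweight and user-friendly GTK+2 based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/claws-mail.local
@@ -30,3 +31,8 @@ shell none
 
 private-dev
 private-tmp
+
+# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
+# noblacklist /var/mail
+# noblacklist /var/spool/mail
+# writable-var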
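Review bot: The customization suggested in the comment added at the end of the profile includes `writable-var`, which makes the whole of /var writable inside the sandbox rather than only the mail spool, and the comment does not say so. I would add a line such as `# Note: writable-var makes all of /var writable, not only the mail directories` so that users who opt in know how much of the sandbox they are relaxing. The second hunk starts in the middle of the profile, so whether /var/mail is blacklisted by an include above it cannot be confirmed from here.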
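--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clementine
+# Description: Modern music player and library organizer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/clementine.local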
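--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clipit
+# Description: Lightweight GTK+ clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/clipit.local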
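--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for cmus
+# Description: Lightweight ncurses audio player
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/cmus.local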
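--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -1,4 +1,5 @@
 # Firejail profile for conky
+# Description: Highly configurable system monitor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/conky.local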
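--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,4 +1,5 @@
 # Firejail profile for corebird
+# Description: Native Gtk+ Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/corebird.local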
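--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,4 +1,5 @@
 # Firejail profile for cpio
+# Description: A program to manage archives of files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations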
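--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -1,4 +1,5 @@
 # Firejail profile for curl
+# Description: Command line tool for transferring data with URL syntax
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations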
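--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -1,4 +1,5 @@
 # Firejail profile for darktable
+# Description: Virtual lighttable and darkroom for photographers
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/darktable.local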
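--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,4 +1,5 @@
 # Firejail profile for deadbeef
+# Description: A GTK+ audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/deadbeef.local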
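--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,5 @@
 # Firejail profile for deluge
+# Description: BitTorrent client written in Python/PyGTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/deluge.local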
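--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dia
+# Description: Diagram editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dia.local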
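--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -1,4 +1,5 @@
 # Firejail profile for digikam
+# Description: Digital photo management application for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/digikam.local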
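--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dillo
+# Description: Small and fast web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dillo.local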
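--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -209,6 +209,7 @@ read-only ${HOME}/.forward
 read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.login
 read-only ${HOME}/.logout
+read-only ${HOME}/.oh-my-zsh
 read-only ${HOME}/.pam_environment
 read-only ${HOME}/.pgpkey
 read-only ${HOME}/.plan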
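Review bot: The new `read-only ${HOME}/.oh-my-zsh` entry protects only the default install location, so an installation relocated elsewhere stays writable from inside a sandbox; a short comment above the entry noting that limitation would help anyone relying on it to protect shell startup code. oh-my-zsh also appears to keep its cache directory inside this tree, so a zsh started inside a sandbox may hit write errors there, which is worth testing before release. The surrounding read-only list starts and ends outside this hunk, so whether the other zsh startup files are covered cannot be seen here.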
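--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dnscrypt-proxy
+# Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dnscrypt-proxy.local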
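--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dnsmasq
+# Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dnsmasq.local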
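--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dolphin
+# Description: File manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dolphin.local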
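--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dosbox
+# Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dosbox.local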
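--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dragon
+# Description: A multimedia player where the focus is on simplicity, instead of features
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dragon.local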
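--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -1,4 +1,5 @@
 # Firejail profile for electron
+# Description: Build cross platform desktop apps with web technologies
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/electron.local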
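--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -1,4 +1,5 @@
 # Firejail profile for electrum
+# Description: Lightweight Bitcoin wallet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/electrum.local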
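--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -1,4 +1,5 @@
 # Firejail profile for elinks
+# Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/elinks.local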
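--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,4 +1,5 @@
 # Firejail profile for emacs
+# Description: GNU Emacs editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/emacs.local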
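--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,4 +1,5 @@
 # Firejail profile for empathy
+# Description: GNOME multi-protocol chat and call client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/empathy.local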
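--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -1,4 +1,5 @@
 # Firejail profile for enchant
+# Description: Wrapper for various spell checker engines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/enchant.local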
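--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -1,4 +1,5 @@
 # Firejail profile for engrampa
+# Description: Archive manager for MATE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/engrampa.local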
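--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,4 +1,5 @@
 # Firejail profile for eog
+# Description: Eye of GNOME graphics viewer program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/eog.local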
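--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -1,4 +1,5 @@
 # Firejail profile for eom
+# Description: Eye of MATE graphics viewer program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/eom.local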
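--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,4 +1,5 @@
 # Firejail profile for epiphany
+# Description: Clone of Boulder Dash game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/epiphany.local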
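Review bot: The added description `Clone of Boulder Dash game` looks like it came from the Debian package named epiphany, which is a game, while the Firejail profile of this name has, as far as I know, confined the GNOME Web browser (packaged there as epiphany-browser). A wrong description on a sandbox profile misleads anyone judging what the profile is meant to contain, and a browser deserves a much tighter reading than a puzzle game. The body of the profile lies outside this hunk, so please check which program its rules target. If it is the browser, the line should read `# Description: GNOME web browser`.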
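--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,4 +1,5 @@
 # Firejail profile for evince
+# Description: Document (PostScript, PDF) viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/evince.local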
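--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,4 +1,5 @@
 # Firejail profile for evolution
+# Description: Groupware suite with mail client and organizer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/evolution.local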
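--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -1,4 +1,5 @@
 # Firejail profile for falkon
+# Description: Lightweight web browser based on Qt WebEngine
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/falkon.local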
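--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,4 +1,5 @@
 # Firejail profile for fbreader
+# Description: E-book reader
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/fbreader.local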
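--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -1,4 +1,5 @@
 # Firejail profile for feh
+# Description: imlib2 based image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/feh.local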
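--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -1,4 +1,5 @@
 # Firejail profile for fetchmail
+# Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/fetchmail.local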
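--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ffmpeg
+# Description: Tools for transcoding, streaming and playing of multimedia files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations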
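--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -1,4 +1,5 @@
 # Firejail profile for file-roller
+# Description: Archive manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/file-roller.local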
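--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,4 +1,5 @@
 # Firejail profile for file
+# Description: Recognize the type of data in a file using "magic" numbers
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations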
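--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,4 +1,5 @@
 # Firejail profile for filezilla
+# Description: Full-featured graphical FTP/FTPS/SFTP client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/filezilla.local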
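--- a/etc/firefox-developer-edition.profile
+++ b/etc/firefox-developer-edition.profile
@@ -1,4 +1,5 @@
 # Firejail profile for firefox-developer-edition
+# Description: Developer Edition of the popular Firefox web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/firefox-developer-edition.local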
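--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for firefox
+# Description: Safe and easy web browser from Mozilla
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/firefox.local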
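--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -98,9 +98,8 @@ deny /**/.snapshots/ rwx,
 /usr/sbin/** ix,
 /usr/local/** ix,
 /usr/lib/** ix,
+/usr/lib64/** ix,
 /usr/games/** ix,
-/opt/ r,
-/opt/** r,
 /opt/** ix,
 #/home/** ix,
 /run/firejail/mnt/oroot/lib/** ix,
@@ -111,9 +110,8 @@ deny /**/.snapshots/ rwx,
 /run/firejail/mnt/oroot/usr/sbin/** ix,
 /run/firejail/mnt/oroot/usr/local/** ix,
 /run/firejail/mnt/oroot/usr/lib/** ix,
+/run/firejail/mnt/oroot/usr/lib64/** ix,
 /run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/ r,
-/run/firejail/mnt/oroot/opt/** r,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
@@ -129,6 +127,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
+# needed for wireshark
+network packet,
 
 ##########
 # There is no equivalent in Firejail for filtering signals.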
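Review bot: The `network packet,` rule in the third hunk goes into firejail-default, which as far as I know is the single AppArmor profile applied to every sandbox that enables `apparmor`, so the AF_PACKET family becomes permitted at this layer for all confined programs, although the comment names only wireshark. Opening a packet socket still needs CAP_NET_RAW, so containment for everything else now rests on each profile's `caps.drop` and `protocol` lines. I would say so in the comment, for example `# needed for wireshark; other profiles must keep AF_PACKET closed via caps.drop/protocol`. It is also worth checking that no profile which keeps CAP_NET_RAW lists `packet` in `protocol` without needing it.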
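--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -1,4 +1,5 @@
 # Firejail profile for flameshot
+# Description: Powerful yet simple-to-use screenshot software
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/flameshot.local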
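--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -1,4 +1,5 @@
 # Firejail profile for flowblade
+# Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/flowblade.local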
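--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -1,4 +1,5 @@
 # Firejail profile for fontforge
+# Description: Font editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/fontforge.local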
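--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for freecad
+# Description: Extensible Open Source CAx program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/freecad.local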
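--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -1,4 +1,5 @@
 # Firejail profile for frozen-bubble
+# Description: Cool game where you pop out the bubbles
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/frozen-bubble.local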
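--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gajim
+# Description: GTK+-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gajim.local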
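--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -1,4 +1,5 @@
 # Firejail profile for galculator
+# Description: Scientific calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/galculator.local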
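--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -1,4 +1,5 @@
 # Firejail profile for geany
+# Description: Fast and lightweight IDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/geany.local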
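--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -1,4 +1,5 @@
 # Firejail profile for geary
+# Description: Lightweight email client designed for the GNOME desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/geary.local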
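--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gedit
+# Description: Official text editor of the GNOME desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gedit.local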
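--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -1,4 +1,5 @@
 # Firejail profile for geeqie
+# Description: Image viewer using GTK+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/geeqie.local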
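--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gimp
+# Description: GNU Image Manipulation Program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gimp.local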
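--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,4 +1,5 @@
 # Firejail profile for git
+# Description: Fast, scalable, distributed revision control system
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations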
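--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gitg
+# Description: Git repository viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gitg.local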
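--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gjs
+# Description: Mozilla-based javascript bindings for the GNOME platform
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gjs.local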
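--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-2048.local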
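--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-builder
+# Description: IDE for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-builder.local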
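--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-calculator
+# Description: GNOME desktop calculator
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations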
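--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-chess
+# Description: Simple chess game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-chess.local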
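--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-clocks
+# Description: Simple GNOME app with stopwatch, timer, and world clock support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-clocks.local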
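--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-contacts
+# Description: Contacts manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-contacts.local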
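--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-documents
+# Description: Document manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-documents.local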
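--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-font-viewer
+# Description: Font viewer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-font-viewer.local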
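--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-logs
+# Description: Viewer for the systemd journal
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-logs.local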
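--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-maps
+# Description: Map application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-maps.local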
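--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-mplayer
+# Description: GTK/Gnome interface around MPlayer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-mplayer.local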
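--- a/etc/gnome-mpv.profile
+++ b/etc/gnome-mpv.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-mpv
+# Description: Simple GTK+ frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-mpv.local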
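--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-music
+# Description: GNOME music player
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-music.local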
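--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-photos
+# Description: Access, organize and share your photos with GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-photos.local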
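--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-recipes
+# Description: Recipe application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-recipes.local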
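--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-twitch
+# Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-twitch.local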
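--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-weather
+# Description: Access current conditions and forecasts
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-weather.local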
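--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for goobox
+# Description: CD player and ripper with GNOME 3 integration
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/goobox.local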
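--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpa
+# Description: GNU Privacy Assistant (GPA)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpa.local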
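--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpg-agent
+# Description: GNU privacy guard - cryptographic agent
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpg-agent.local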
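--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpg
+# Description: GNU Privacy Guard -- minimalist public key operations
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpg.local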
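--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpicview
+# Description: Lightweight image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpicview.local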
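--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpredict
+# Description: Satellite tracking program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpredict.local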
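--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gthumb
+# Description: Image viewer and browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gthumb.local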
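--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gucharmap
+# Description: Unicode character picker and font browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gucharmap.local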
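--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gwenview
+# Description: Image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gwenview.local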
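--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gzip
+# Description: GNU compression utilities
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations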
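--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -1,4 +1,5 @@
 # Firejail profile for handbrake
+# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/handbrake.local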
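--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hashcat
+# Description: World's fastest and most advanced password recovery utility
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations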
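--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hedgewars
+# Description: Funny turn-based artillery game, featuring fighting hedgehogs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hedgewars.local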
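--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hexchat
+# Description: IRC client for X based on X-Chat 2
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hexchat.local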
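--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -1,4 +1,5 @@
 # Firejail profile for highlight
+# Description: Universal source code to formatted text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/highlight.local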
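--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hugin
+# Description: Panorama photo stitcher
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hugin.local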
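--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -1,4 +1,5 @@
 # Firejail profile for imagej
+# Description: Image processing program with a focus on microscopy images
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/imagej.local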
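--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -1,4 +1,5 @@
 # Firejail profile for inkscape
+# Description: Vector-based drawing program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/inkscape.local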
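--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -1,4 +1,5 @@
 # Firejail profile for k3b
+# Description: Sophisticated CD/DVD burning application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/k3b.local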
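--- a/etc/kaffeine.profile
+++ b/etc/kaffeine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kaffeine
+# Description: Versatile media player for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kaffeine.local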
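--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kate
+# Description: Powerful text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kate.local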
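--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kcalc
+# Description: Simple and scientific calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kcalc.local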
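--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kdenlive
+# Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kdenlive.local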
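--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepass
+# Description: An easy-to-use password manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepass.local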
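--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassx
+# Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepassx.local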
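--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassx2
+# Description: Cross platform password manager
 # This file is overwritten after every install/update
 
 # Redirects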
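--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepassxc.local
@@ -47,3 +48,6 @@ private-tmp
 #memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc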
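Review bot: The added `join-or-start keepassxc` at the end of the second hunk selects a sandbox by name only. As far as I know, a launch that joins an existing sandbox runs under whatever restrictions that sandbox was started with, and this profile is not re-applied to it. For a password manager that trade-off should be stated in the profile rather than left implicit. The new comment names the symptom but not why the directive fixes it; I would expand it to something like `# private-tmp gives each sandbox its own /tmp, so a second launch cannot see the first instance's mutex; join the running sandbox instead`. The rest of the profile between the two hunks is not shown here, so whether other options interact with joining is unverified.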
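--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kget
+# Description: Download manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kget.local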
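--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kino
+# Description: Non-linear editor for Digital Video data
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kino.local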
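--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kmail
+# Description: Full featured graphical email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kmail.local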
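--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for knotes
+# Description: Sticky notes application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/knotes.local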
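--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kodi
+# Description: Open Source Home Theatre
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kodi.local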
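--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,4 +1,5 @@
 # Firejail profile for konversation
+# Description: User friendly Internet Relay Chat (IRC) client for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/konversation.local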
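--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kopete
+# Description: Instant messaging and chat application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kopete.local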
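--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -1,4 +1,5 @@
 # Firejail profile for krita
+# Description: Pixel-based image manipulation program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/krita.local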
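--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -1,4 +1,5 @@
 # Firejail profile for krunner
+# Description: Framework for providing different actions given a string query
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/krunner.local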
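--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ktorrent
+# Description: BitTorrent client based on the KDE platform
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ktorrent.local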
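--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kwrite
+# Description: Simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kwrite.local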
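--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for leafpad
+# Description: GTK+ based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/leafpad.local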
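--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,4 +1,5 @@
 # Firejail profile for less
+# Description: Pager program similar to more
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations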
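--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -1,4 +1,5 @@
 # Firejail profile for libreoffice
+# Description: Office productivity suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/libreoffice.local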
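--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -1,4 +1,5 @@
 # Firejail profile for liferea
+# Description: Feed/news/podcast client with plugin support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/liferea.local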
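--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -1,4 +1,5 @@
 # Firejail profile for linphone
+# Description: SIP softphone - graphical client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/linphone.local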
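--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lmms
+# Description: Linux Multimedia Studio
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lmms.local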
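--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lollypop
+# Description: Music player for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lollypop.local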
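--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for luminance-hdr
+# Description: Graphical user interface providing a workflow for HDR imaging
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/luminance-hdr.local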
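--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lximage-qt
+# Description: Image viewer for LXQt
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lximage-qt.local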
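--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lxmusic
+# Description: LXDE music player
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lxmusic.local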
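--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lynx
+# Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lynx.local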
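--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mate-calc
+# Description: MATE desktop calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mate-calc.local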
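--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mcabber
+# Description: Small Jabber (XMPP) console client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mcabber.local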
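--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mediainfo
+# Description: Command-line utility for reading information from audio/video files
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mediainfo.local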
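--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mediathekview
+# Description: View streams from German public television stations
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mediathekview.local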
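--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -1,4 +1,5 @@
 # Firejail profile for meld
+# Description: Graphical tool to diff and merge files
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/meld.local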
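--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,4 +1,5 @@
 # Firejail profile for midori
+# Description: Lightweight web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/midori.local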
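--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -1,4 +1,5 @@
 # Firejail profile for minetest
+# Description: Multiplayer infinite-world block sandbox
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/minetest.local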
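--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mousepad
+# Description: Simple Xfce oriented text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mousepad.local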
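--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mpd
+# Description: Music Player Daemon
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mpd.local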
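--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mplayer
+# Description: Movie player for Unix-like systems
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mplayer.local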
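--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mpv
+# Description: Video player based on MPlayer/mplayer2
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mpv.local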
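--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mumble
+# Description: Low latency encrypted VoIP client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mumble.local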
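--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mupdf
+# Description: Lightweight PDF viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mupdf.local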
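--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mupen64plus
+# Description: Nintendo64 Emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mupen64plus.local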
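--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -1,4 +1,5 @@
 # Firejail profile for musescore
+# Description: Free music composition and notation software
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/musescore.local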
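--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for mutt
+# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/mutt.local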
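--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/nautilus.local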
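--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ncdu
+# Description: Ncurses disk usage viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ncdu.local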
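--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -1,4 +1,5 @@
 # Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/nemo.local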
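--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for netsurf
+# Description: Lightweight and fast web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/netsurf.local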
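--- a/etc/neverball.profile
+++ b/etc/neverball.profile
@@ -1,4 +1,5 @@
 # Firejail profile for neverball
+# Description: 3D floor-tilting game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/neverball.local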
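--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -1,4 +1,5 @@
 # Firejail profile for nheko
+# Description: Desktop IM client for the Matrix protocol
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/nheko.local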
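--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -10,6 +10,12 @@ noblacklist ${MUSIC}
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
@@ -17,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups
@@ -28,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-private-bin obs
+private-bin obs,python*
 private-cache
 private-dev
 private-tmp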
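Review bot: The new `private-bin obs,python*` line together with the four `noblacklist` entries for `python2*`/`python3*` puts a general-purpose interpreter back inside the OBS sandbox, and the added comment records only that python is otherwise blacklisted, not why OBS needs it. Name the dependency in the comment, e.g. `# Allow python for OBS scripting (blacklisted by disable-interpreters.inc)` if that is the reason (inferred; the hunk does not say), so a later reviewer can tell when the exception can be removed. If only one Python major version is actually used, dropping the other pair of `noblacklist` lines keeps the exception narrower. The profile continues outside these hunks, so whether other options limit what the interpreter can execute is not visible here.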
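--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for odt2txt
+# Description: Simple converter from OpenDocument Text to plain text
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/odt2txt.local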
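--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -1,4 +1,5 @@
 # Firejail profile for okular
+# Description: Universal document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/okular.local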
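--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -1,4 +1,5 @@
 # Firejail profile for open-invaders
+# Description: Space Invaders clone
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/open-invaders.local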
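--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for openbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/openbox.local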
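--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -1,4 +1,5 @@
 # Firejail profile for openshot
+# Description: Create and edit videos and movies
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/openshot.local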
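--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,4 +1,5 @@
 # Firejail profile for opera
+# Description: A fast and secure web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/opera.local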
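--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -1,4 +1,5 @@
 # Firejail profile for orage
+# Description: Calendar for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/orage.local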
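--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,4 +1,5 @@
 # Firejail profile for p7zip
+# Description: 7zr file archiver with high compression ratio
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/p7zip.local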
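--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,4 +1,5 @@
 # Firejail profile for parole
+# Description: Media player based on GStreamer framework
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/parole.local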
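--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -1,4 +1,5 @@
 # Firejail profile for patch
+# Description: Apply a diff file to an original
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations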
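--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pcmanfm.local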
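--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pdfmod
+# Description: Simple tool for modifying PDF documents
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pdfmod.local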
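--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pdfsam
+# Description: PDF Split and Merge
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pdfsam.local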
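--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -1,4 +1,5 @@
 # Firejail profile for picard
+# Description: Next-Generation MusicBrainz audio files tagger
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/picard.local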
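--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pidgin
+# Description: Graphical multi-protocol instant messaging client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pidgin.local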
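--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pingus
+# Description: Free Lemmings(TM) clone
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pingus.local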
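--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pinta
+# Description: Simple drawing/painting program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pinta.local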
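--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pithos
+# Description: Pandora Radio client for the GNOME desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pithos.local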
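--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pitivi
+# Description: Non-linear audio/video editor using GStreamer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pitivi.local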
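--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -1,4 +1,5 @@
 # Firejail profile for playonlinux
+# Description: Front-end for Wine
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/playonlinux.local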
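--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pluma
+# Description: Official text editor of the MATE desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/pluma.local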
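--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,4 +1,5 @@
 # Firejail profile for polari
+# Description: Internet Relay Chat (IRC) client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/polari.local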
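--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ppsspp
+# Description: A PSP emulator written in C++
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ppsspp.local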
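--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for psi-plus
+# Description: Qt-based XMPP/Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/psi-plus.local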
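--- /dev/null
+++ b/etc/pybitmessage.profile
@@ -0,0 +1,49 @@
+# Firejail profile for pybitmessage
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pybitmessage.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist /sbin
+noblacklist /usr/local/sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat
+private-dev
+private-etc PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp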
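Review bot: The three `noblacklist` lines for `/sbin`, `/usr/local/sbin` and `/usr/sbin` and the `sh,ldconfig,env,bash,stat` entries in `private-bin` carry no comment, unlike the python exception below them, so it is not recorded why a messaging client gets two shells and the sbin directories in a profile that also sets `shell none`. A line such as `# sbin and ldconfig are needed for library lookup` would help if that is the reason (presumed; confirm before writing it), with the shells justified the same way or removed. `private-etc` lists `pki` twice, and the file lacks the `# Description:` line this commit adds to the other profiles.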
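--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qbittorrent
+# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qbittorrent.local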
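--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qlipper
+# Description: Lightweight and cross-platform clipboard history applet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qlipper.local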
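--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qmmp
+# Description: Feature-rich audio player with support of many formats
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qmmp.local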
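--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qpdfview
+# Description: Tabbed document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qpdfview.local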
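--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qtox
+# Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qtox.local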
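--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,4 +1,5 @@
 # Firejail profile for quassel
+# Description: Distributed IRC client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/quassel.local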
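--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,4 +1,5 @@
 # Firejail profile for quiterss
+# Description: RSS/Atom news feeds reader
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/quiterss.local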
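--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qutebrowser
+# Description: Keyboard-driven, vim-like browser based on PyQt5
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qutebrowser.local
@@ -15,6 +16,9 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc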
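Review bot: The glob in `noblacklist /usr/lib/llvm*` in the second hunk re-opens the whole LLVM prefix, which is more than the shared library the mesa drivers load. On distributions that install LLVM tools under that prefix, it also makes those binaries visible again inside a browser sandbox. If the layout allows, narrow the exception to the library subdirectory. Either way, extend the comment to name the include being overridden, in the style of the python block above it: `# with >=llvm-4 mesa drivers need llvm libs (blacklisted by <include>)`, where the include is presumably disable-devel.inc but is not shown on this page.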
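--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ranger.local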
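--- a/etc/redeclipse.profile
+++ b/etc/redeclipse.profile
@@ -1,4 +1,5 @@
 # Firejail profile for redeclipse
+# Description: Free, casual arena shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/redeclipse.local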
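--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -1,4 +1,5 @@
 # Firejail profile for remmina
+# Description: GTK+ Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/remmina.local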
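--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rhythmbox
+# Description: Music player and organizer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/rhythmbox.local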
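--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -1,4 +1,5 @@
 # Firejail profile for riot-desktop
+# Description: A glossy Matrix collaboration client for the desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/riot-desktop.local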
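--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -1,4 +1,5 @@
 # Firejail profile for riot-web
+# Description: A glossy Matrix collaboration client for the web
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/riot-web.local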
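--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ristretto
+# Description: Lightweight picture-viewer for the Xfce desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ristretto.local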
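--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rtorrent
+# Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/rtorrent.local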
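--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for scribus
+# Description: Open Source Desktop Page Layout
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/scribus.local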
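--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,4 +1,5 @@
 # Firejail profile for seamonkey
+# Description: SeaMonkey internet suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/seamonkey.local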
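--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -1,4 +1,5 @@
 # Firejail profile for shellcheck
+# Description: Lint tool for shell scripts
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations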
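--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -1,4 +1,5 @@
 # Firejail profile for simple-scan
+# Description: Simple Scanning Utility
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/simple-scan.local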
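--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -1,4 +1,5 @@
 # Firejail profile for simutrans
+# Description: Transportation simulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/simutrans.local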
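--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -1,4 +1,5 @@
 # Firejail profile for skanlite
+# Description: Image scanner based on the KSane backend
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/skanlite.local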
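--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -5,8 +5,6 @@ include /etc/firejail/slack.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /var
-
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
 
@@ -21,6 +19,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 name slack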
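Review bot: Swapping `blacklist /var` for `include /etc/firejail/whitelist-var-common.inc` changes /var from fully hidden to whatever that include whitelists. The include's contents are not part of this page, so the resulting exposure cannot be judged from the diff alone. Please confirm the whitelisted paths are ones Slack actually needs, and record the reason next to the new line, e.g. `# /var limited to the common whitelist (replaces blacklist /var)`. The profile continues outside both hunks.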
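--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for smplayer
+# Description: Complete front-end for MPlayer and mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/smplayer.local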
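--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -1,4 +1,5 @@
 # Firejail profile for smtube
+# Description: YouTube videos browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/smtube.local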
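--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,4 +1,5 @@
 # Firejail profile for snap
+# Description: Location of genes from DNA sequence with hidden markov model
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/snap.local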
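--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -1,4 +1,5 @@
 # Firejail profile for soundconverter
+# Description: GNOME application to convert audio files into other formats
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/soundconverter.local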
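--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -9,7 +9,6 @@ blacklist ${HOME}/.bashrc
 blacklist /lost+found
 blacklist /sbin
 blacklist /srv
-blacklist /sys
 
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify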
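--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -1,4 +1,5 @@
 # Firejail profile for sqlitebrowser
+# Description: GUI editor for SQLite databases
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/sqlitebrowser.local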
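--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ssh
+# Description: Secure shell client and server
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -37,4 +38,3 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 writable-run-user
-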
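--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -24,8 +25,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 
 disable-mnt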
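Review bot: Replacing `seccomp` with a hand-written `seccomp.drop` list in the second hunk pins the filter to exactly these entries, and nothing in the hunk says which entries of the default filter were left out on purpose or why. Later additions to firejail's default list will then not reach this profile unless someone re-syncs the line by hand. I would add a comment above it such as `# seccomp.drop instead of seccomp: <syscall(s)> left out because <reason>` (placeholders to fill in), so the deviation can be audited and revisited. The identical line is added in etc/torbrowser-launcher.profile and needs the same comment. The new `# tracelog may cause issues` comment leaves `tracelog` enabled; the comment should say whether that is intended.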
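--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,4 +1,5 @@
 # Firejail profile for steam
+# Description: Valve's Steam digital software delivery system
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/steam.local
@@ -30,6 +31,12 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
@@ -57,14 +64,14 @@ shell none
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
-#private-bin java,java-config,mono,python*
+#private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
 private-tmp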
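Review bot: The python `noblacklist` block in the second hunk lifts the interpreter blacklist for both python2 and python3, and the `private-bin` lines in the third hunk are still commented out. As a result nothing visible here limits which interpreters the sandboxed client can start. The comment says what blacklists python but not why Steam needs it; I'd extend it, e.g. `# Allow python (blacklisted by disable-interpreters.inc); needed by <component>` (placeholder), so the exception can be removed once the need goes away. The same four lines also appear in pybitmessage.profile and, judging by its hunk header, qutebrowser.profile; a shared include would keep the copies in sync. The profile continues outside the three hunks shown.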
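--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,4 +1,5 @@
 # Firejail profile for stellarium
+# Description: Real-time photo-realistic sky generator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/stellarium.local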
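--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for surf
+# Description: Simple web browser by suckless community
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/surf.local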
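--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -1,4 +1,5 @@
 # Firejail profile for sylpheed
+# Description: Light weight e-mail client with GTK+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/sylpheed.local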
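--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -1,4 +1,5 @@
 # Firejail profile for synfigstudio
+# Description: Vector-based 2D animation package
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/synfigstudio.local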
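--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tar
+# Description: GNU version of the tar archiving utility
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations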
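--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -1,4 +1,5 @@
 # Firejail profile for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/teamspeak3.local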
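--- a/etc/telegram-desktop.profile
+++ b/etc/telegram-desktop.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for telegram
+# Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 
 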
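--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for Thunar
+# Description: Modern file manager for Xfce
 # This file is overwritten after every install/update
 
 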
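--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,4 +1,5 @@
 # Firejail profile for thunderbird
+# Description: Email, RSS and newsgroup client with integrated spam filter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/thunderbird.local
@@ -30,6 +31,11 @@ read-only ${HOME}/.config/mimeapps.list
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+# noblacklist /var/mail
+# noblacklist /var/spool/mail
+# writable-var
+
 # allow browsers
 # Redirect
 include /etc/firejail/firefox.profile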
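Review bot: The hint added in the second hunk is framed as a way to read local mail, but its last line recommends `writable-var`. That option makes /var as a whole writable inside the sandbox (subject to normal file permissions), not only the two mail directories named above it. Users copying the block into thunderbird.local should be told about that trade-off; I'd add one more comment line such as `# note: writable-var makes all of /var writable in the sandbox, not just the mail spool`. The rest of the profile, including the redirect to firefox.profile, lies outside the hunk.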
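--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tor
+# Description: Anonymizing overlay network for TCP
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tor.local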
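--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -1,4 +1,5 @@
 # Firejail profile for torbrowser-launcher
+# Description: Helps download and run the Tor Browser Bundle
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/torbrowser-launcher.local
@@ -19,9 +20,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
 
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include /etc/firejail/whitelist-common.inc
@@ -29,6 +32,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,8 +40,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 
 disable-mnt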
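Review bot: The `seccomp.drop` line at new line 43 replaces the maintained default filter with a hand-copied syscall list, and no comment says which syscalls it now lets through or why. With an explicit list the profile presumably stops picking up syscalls that later firejail releases add to the default filter, so this one can silently fall behind. For a sandbox around a program that downloads and runs a browser, the deviation should be recorded next to the line, e.g. `# seccomp.drop = default list minus <syscall(s)>, needed by <component>; re-sync when the default list changes`. The new `whitelist ${DOWNLOADS}` at line 27 also exposes the user's real download directory inside the sandbox, which is presumably intended but deserves a one-line comment too.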
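--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,4 +1,5 @@
 # Firejail profile for totem
+# Description: Simple media player for the GNOME desktop based on GStreamer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/totem.local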
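--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tracker
+# Description: Metadata database, indexer and search tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tracker.local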
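--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-cli
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-cli.local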
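--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-gtk
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-gtk.local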
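--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-qt
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-qt.local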
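--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tuxguitar
+# Description: Multitrack guitar tablature editor and player (gp3 to gp5)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tuxguitar.local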
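--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/unbound.local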
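--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unknown-horizons
+# Description: 2D realtime strategy simulation
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/unknown-horizons.local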
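--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unrar
+# Description: Unarchiver for .rar files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations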
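--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unzip
+# Description: De-archiver for .zip files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations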
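--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for uudeview
+# Description: Smart multi-file multi-part decoder
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations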
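--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -1,4 +1,5 @@
 # Firejail profile for viewnior
+# Description: Simple, fast and elegant image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/viewnior.local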
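--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -1,4 +1,5 @@
 # Firejail profile for viking
+# Description: GPS data editor, analyzer and viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/viking.local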
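--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vim
+# Description: Vi IMproved - enhanced vi editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vim.local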
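--- a/etc/vimpager.profile
+++ b/etc/vimpager.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vimpager
+# Description: A vim-based script to use as a PAGER
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vimpager.local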
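--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for virtualbox
+# Description: x86 virtualization solution
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/virtualbox.local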
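--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vlc
+# Description: Multimedia player and streamer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vlc.local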
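--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vym
+# Description: Mindmapping tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vym.local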
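--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -1,4 +1,5 @@
 # Firejail profile for w3m
+# Description: WWW browsable pager with excellent tables/frames support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/w3m.local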
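--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,4 +1,5 @@
 # Firejail profile for warzone2100
+# Description: 3D real time strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/warzone2100.local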
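--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for weechat
+# Description: Fast, light and extensible chat client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/weechat.local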
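--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wesnoth
+# Description: Fantasy turn-based strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wesnoth.local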
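--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wget
+# Description: Retrieves files from the web
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations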
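--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wine
+# Description: A compatibility layer for running Windows programs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wine.local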
diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile index 38599b85e..26747379a 100644 --- a/etc/wireshark-gtk.profile +++ b/etc/wireshark-gtk.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile alias for wireshark | 1 | # Firejail profile alias for wireshark |
2 | # Description: Network protocol analyzer | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | 4 | ||
4 | 5 | ||
diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile index 38599b85e..26747379a 100644 --- a/etc/wireshark-qt.profile +++ b/etc/wireshark-qt.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile alias for wireshark | 1 | # Firejail profile alias for wireshark |
2 | # Description: Network protocol analyzer | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | 4 | ||
4 | 5 | ||
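--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wireshark
+# Description: Network traffic analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wireshark.local
@@ -24,6 +25,7 @@ include /etc/firejail/disable-xdg.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 # caps.drop all
 caps.keep dac_override,net_admin,net_raw
 netfilter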
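Review bot: The added `apparmor` line (new line 28) carries no comment on what it depends on; as far as I know it only confines anything when firejail was built with AppArmor support and its AppArmor profile is loaded on the host. Elsewhere the sandbox still rests on the lines below it, which keep `dac_override`, `net_admin` and `net_raw` and leave `caps.drop all` commented out. It is worth confirming that live capture still works under the AppArmor policy with those capabilities and recording the result beside the line, e.g. `# apparmor: needs AppArmor enabled on the host; verified with caps.keep below`. The rest of the profile lies outside this hunk.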
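--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xchat
+# Description: IRC client for X similar to AmIRC
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xchat.local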
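--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfburn
+# Description: CD-burner application for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfburn.local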
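--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfce4-dict
+# Description: Dictionary plugin for Xfce4 panel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfce4-dict.local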
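--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfce4-notes
+# Description: Notes application for the Xfce4 desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfce4-notes.local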
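--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xiphos
+# Description: Environment for Bible reading, study, and research
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xiphos.local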
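--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xonotic
+# Description: A free, fast-paced crossplatform first-person shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xonotic.local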
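--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xpdf
+# Description: Portable Document Format (PDF) reader
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xpdf.local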
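--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xpra.local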
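--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xreader
+# Description: Document viewer for files like PDF and Postscript. X-Apps Project.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xreader.local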
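--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xxd
+# Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xxd.local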
diff --git a/etc/xz.profile b/etc/xz.profile index d77fc85b4..cd79eebc6 100644 --- a/etc/xz.profile +++ b/etc/xz.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile alias for cpio | 1 | # Firejail profile alias for cpio |
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | 4 | ||
4 | 5 | ||
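--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xzdec
+# Description: XZ-format compression utilities - tiny decompressors
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations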
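--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -1,4 +1,5 @@
 # Firejail profile for youtube-dl
+# Description: Downloader of videos from YouTube and other sites
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations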
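--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zaproxy
+# Description: Integrated penetration testing tool for finding vulnerabilities in web applications
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zaproxy.local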
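--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zart
+# Description: A GUI for G'MIC real-time manipulations on the output of a webcam
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zart.local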
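--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zathura
+# Description: Document viewer with a minimalistic interface
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zathura.local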
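--- a/platform/snap/snap.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-rm -fr faudit-snap
-rm -f faudit_*.snap
-mkdir faudit-snap
-cd faudit-snap
-snapcraft init
-cp ../snapcraft.yaml .
-#snapcraft stage
-mkdir -p stage/usr/lib/firejail
-cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
-find stage
-snapcraft stage
-snapcraft snap
-cd ..
-mv faudit-snap/faudit_*.snap ../../.
-rm -fr faudit-snap
-
-
-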
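--- a/platform/snap/snapcraft.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: faudit # the name of the snap
-version: 0 # the version of the snap
-summary: Fireajail audit snap edition # 79 char long summary
-description: faudit program extracted from Firejail and packaged as a snap # a longer description for the snap
-confinement: strict # use "strict" to enforce system access only via declared interfaces
-
-apps:
-faudit:
-command: /usr/lib/firejail/faudit
-
-parts:
-faudit: # Replace with a part name of your liking
-# Get more information about plugins by running
-# snapcraft help plugins
-# and more information about the available plugins
-# by running
-# snapcraft list-plugins
-plugin: nil
-snap:
-- usr/lib/firejail/faudit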
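--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -77,6 +77,7 @@ cinelerra
 clamdscan
 clamdtop
 clamscan
+clamtk
 claws-mail
 clementine
 clipit
@@ -328,6 +329,7 @@ pluma
 polari
 ppsspp
 psi-plus
+pybitmessage
 # pycharm-community - FB note: may enable later
 # pycharm-professional
 qbittorrent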
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 6fe220d35..298314d4f 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include "firecfg.h" | 21 | #include "firecfg.h" |
22 | #include "../include/firejail_user.h" | 22 | #include "../include/firejail_user.h" |
23 | int arg_debug = 0; | 23 | int arg_debug = 0; |
24 | char *arg_bindir = "/usr/local/bin"; | ||
24 | 25 | ||
25 | static char *usage_str = | 26 | static char *usage_str = |
26 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" | 27 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" |
@@ -31,6 +32,7 @@ static char *usage_str = | |||
31 | "DESKTOP INTEGRATION section in man 1 firejail.\n\n" | 32 | "DESKTOP INTEGRATION section in man 1 firejail.\n\n" |
32 | "Usage: firecfg [OPTIONS]\n\n" | 33 | "Usage: firecfg [OPTIONS]\n\n" |
33 | " --add-users user [user] - add the users to Firejail user access database.\n\n" | 34 | " --add-users user [user] - add the users to Firejail user access database.\n\n" |
35 | " --bindir=directory - install in directory instead of /usr/local/bin.\n\n" | ||
34 | " --clean - remove all firejail symbolic links.\n\n" | 36 | " --clean - remove all firejail symbolic links.\n\n" |
35 | " --debug - print debug messages.\n\n" | 37 | " --debug - print debug messages.\n\n" |
36 | " --fix - fix .desktop files.\n\n" | 38 | " --fix - fix .desktop files.\n\n" |
@@ -62,9 +64,9 @@ static void usage(void) { | |||
62 | 64 | ||
63 | 65 | ||
64 | static void list(void) { | 66 | static void list(void) { |
65 | DIR *dir = opendir("/usr/local/bin"); | 67 | DIR *dir = opendir(arg_bindir); |
66 | if (!dir) { | 68 | if (!dir) { |
67 | fprintf(stderr, "Error: cannot open /usr/local/bin directory\n"); | 69 | fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir); |
68 | exit(1); | 70 | exit(1); |
69 | } | 71 | } |
70 | 72 | ||
@@ -78,7 +80,7 @@ static void list(void) { | |||
78 | continue; | 80 | continue; |
79 | 81 | ||
80 | char *fullname; | 82 | char *fullname; |
81 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | 83 | if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1) |
82 | errExit("asprintf"); | 84 | errExit("asprintf"); |
83 | 85 | ||
84 | if (is_link(fullname)) { | 86 | if (is_link(fullname)) { |
@@ -98,14 +100,10 @@ static void list(void) { | |||
98 | 100 | ||
99 | static void clean(void) { | 101 | static void clean(void) { |
100 | printf("Removing all firejail symlinks:\n"); | 102 | printf("Removing all firejail symlinks:\n"); |
101 | if (getuid() != 0) { | ||
102 | fprintf(stderr, "Error: you need to be root to run this command\n"); | ||
103 | exit(1); | ||
104 | } | ||
105 | 103 | ||
106 | DIR *dir = opendir("/usr/local/bin"); | 104 | DIR *dir = opendir(arg_bindir); |
107 | if (!dir) { | 105 | if (!dir) { |
108 | fprintf(stderr, "Error: cannot open /usr/local/bin directory\n"); | 106 | fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir); |
109 | exit(1); | 107 | exit(1); |
110 | } | 108 | } |
111 | 109 | ||
@@ -119,7 +117,7 @@ static void clean(void) { | |||
119 | continue; | 117 | continue; |
120 | 118 | ||
121 | char *fullname; | 119 | char *fullname; |
122 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | 120 | if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1) |
123 | errExit("asprintf"); | 121 | errExit("asprintf"); |
124 | 122 | ||
125 | if (is_link(fullname)) { | 123 | if (is_link(fullname)) { |
@@ -129,8 +127,11 @@ static void clean(void) { | |||
129 | char *ptr = strrchr(fullname, '/'); | 127 | char *ptr = strrchr(fullname, '/'); |
130 | assert(ptr); | 128 | assert(ptr); |
131 | ptr++; | 129 | ptr++; |
132 | unlink(fullname); | 130 | int rv = unlink(fullname); |
133 | printf(" %s removed\n", ptr); | 131 | if (rv) |
132 | fprintf(stderr, "Warning: cannot remove %s\n", fullname); | ||
133 | else | ||
134 | printf(" %s removed\n", ptr); | ||
134 | } | 135 | } |
135 | free(fname); | 136 | free(fname); |
136 | } | 137 | } |
@@ -148,7 +149,7 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
148 | return; | 149 | return; |
149 | 150 | ||
150 | char *fname; | 151 | char *fname; |
151 | if (asprintf(&fname, "/usr/local/bin/%s", name) == -1) | 152 | if (asprintf(&fname, "%s/%s", arg_bindir, name) == -1) |
152 | errExit("asprintf"); | 153 | errExit("asprintf"); |
153 | 154 | ||
154 | struct stat s; | 155 | struct stat s; |
@@ -161,6 +162,9 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
161 | else | 162 | else |
162 | printf(" %s created\n", name); | 163 | printf(" %s created\n", name); |
163 | } | 164 | } |
165 | else { | ||
166 | fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname); | ||
167 | } | ||
164 | 168 | ||
165 | free(fname); | 169 | free(fname); |
166 | } | 170 | } |
@@ -181,7 +185,7 @@ static void set_links_firecfg(void) { | |||
181 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); | 185 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); |
182 | exit(1); | 186 | exit(1); |
183 | } | 187 | } |
184 | printf("Configuring symlinks in /usr/local/bin based on firecfg.config\n"); | 188 | printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir); |
185 | 189 | ||
186 | char buf[MAX_BUF]; | 190 | char buf[MAX_BUF]; |
187 | int lineno = 0; | 191 | int lineno = 0; |
@@ -239,7 +243,7 @@ static void set_links_homedir(const char *homedir) { | |||
239 | errExit("asprintf"); | 243 | errExit("asprintf"); |
240 | 244 | ||
241 | // parse ~/.config/firejail/ directory | 245 | // parse ~/.config/firejail/ directory |
242 | printf("\nConfiguring symlinks in /usr/local/bin based on local firejail config directory\n"); | 246 | printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir); |
243 | 247 | ||
244 | DIR *dir = opendir(dirname); | 248 | DIR *dir = opendir(dirname); |
245 | if (!dir) { | 249 | if (!dir) { |
@@ -275,9 +279,68 @@ static void set_links_homedir(const char *homedir) { | |||
275 | free(firejail_exec); | 279 | free(firejail_exec); |
276 | } | 280 | } |
277 | 281 | ||
282 | static char *get_user(void) { | ||
283 | char *user = getlogin(); | ||
284 | if (!user) { | ||
285 | user = getenv("SUDO_USER"); | ||
286 | if (!user) { | ||
287 | fprintf(stderr, "Error: cannot detect login user\n"); | ||
288 | exit(1); | ||
289 | } | ||
290 | } | ||
291 | |||
292 | return user; | ||
293 | } | ||
294 | |||
295 | static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) { | ||
296 | // find home directory | ||
297 | struct passwd *pw = getpwnam(user); | ||
298 | if (!pw) | ||
299 | goto errexit; | ||
300 | |||
301 | char *home = pw->pw_dir; | ||
302 | if (!home) | ||
303 | goto errexit; | ||
304 | |||
305 | *uid = pw->pw_uid; | ||
306 | *gid = pw->pw_gid; | ||
307 | |||
308 | return home; | ||
309 | |||
310 | errexit: | ||
311 | fprintf(stderr, "Error: cannot find home directory for user %s\n", user); | ||
312 | exit(1); | ||
313 | } | ||
278 | 314 | ||
279 | int main(int argc, char **argv) { | 315 | int main(int argc, char **argv) { |
280 | int i; | 316 | int i; |
317 | int bindir_set = 0; | ||
318 | |||
319 | // user setup | ||
320 | char *user = get_user(); | ||
321 | uid_t uid; | ||
322 | gid_t gid; | ||
323 | char *home = get_homedir(user, &uid, &gid); | ||
324 | |||
325 | |||
326 | // check for --bindir | ||
327 | for (i = i; i < argc; i++) { | ||
328 | if (strncmp(argv[i], "--bindir=", 9) == 0) { | ||
329 | if (strncmp(argv[i] + 9, "~/", 2) == 0) { | ||
330 | if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) | ||
331 | errExit("asprintf"); | ||
332 | } | ||
333 | else | ||
334 | arg_bindir = argv[i] + 9; | ||
335 | bindir_set = 1; | ||
336 | |||
337 | // exit if the directory does not exist, or if we don't have access to it | ||
338 | if (access(arg_bindir, R_OK | W_OK | X_OK)) { | ||
339 | fprintf(stderr, "Error: directory %s not found\n", arg_bindir); | ||
340 | exit(1); | ||
341 | } | ||
342 | } | ||
343 | } | ||
281 | 344 | ||
282 | for (i = 1; i < argc; i++) { | 345 | for (i = 1; i < argc; i++) { |
283 | // default options | 346 | // default options |
@@ -297,15 +360,6 @@ int main(int argc, char **argv) { | |||
297 | return 0; | 360 | return 0; |
298 | } | 361 | } |
299 | else if (strcmp(argv[i], "--fix") == 0) { | 362 | else if (strcmp(argv[i], "--fix") == 0) { |
300 | // find home directory | ||
301 | struct passwd *pw = getpwuid(getuid()); | ||
302 | if (!pw) { | ||
303 | goto errexit; | ||
304 | } | ||
305 | char *home = pw->pw_dir; | ||
306 | if (!home) { | ||
307 | goto errexit; | ||
308 | } | ||
309 | fix_desktop_files(home); | 363 | fix_desktop_files(home); |
310 | return 0; | 364 | return 0; |
311 | } | 365 | } |
@@ -331,19 +385,24 @@ int main(int argc, char **argv) { | |||
331 | return 0; | 385 | return 0; |
332 | } | 386 | } |
333 | else { | 387 | else { |
334 | fprintf(stderr, "Error: invalid command line option\n"); | 388 | if (strncmp(argv[i], "--bindir=", 9) != 0) { // already handled |
335 | usage(); | 389 | fprintf(stderr, "Error: invalid command line option\n"); |
336 | return 1; | 390 | usage(); |
391 | return 1; | ||
392 | } | ||
337 | } | 393 | } |
338 | } | 394 | } |
339 | 395 | ||
396 | if (arg_debug) | ||
397 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | ||
398 | |||
340 | // set symlinks in /usr/local/bin | 399 | // set symlinks in /usr/local/bin |
341 | if (getuid() != 0) { | 400 | if (bindir_set == 0 && getuid() != 0) { |
342 | fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n"); | 401 | fprintf(stderr, "Error: cannot set the symbolic links in %s\n", arg_bindir); |
343 | fprintf(stderr, "The proper way to run this command is \"sudo firecfg\".\n"); | 402 | fprintf(stderr, "The proper way to run this command is \"sudo firecfg\".\n"); |
344 | return 1; | 403 | return 1; |
345 | } | 404 | } |
346 | else { | 405 | else if (bindir_set == 0) { |
347 | // create /usr/local directory if it doesn't exist (Solus distro) | 406 | // create /usr/local directory if it doesn't exist (Solus distro) |
348 | struct stat s; | 407 | struct stat s; |
349 | if (stat("/usr/local", &s) != 0) { | 408 | if (stat("/usr/local", &s) != 0) { |
@@ -354,66 +413,46 @@ int main(int argc, char **argv) { | |||
354 | return 1; | 413 | return 1; |
355 | } | 414 | } |
356 | } | 415 | } |
357 | if (stat("/usr/local/bin", &s) != 0) { | 416 | if (stat(arg_bindir, &s) != 0) { |
358 | printf("Creating /usr/local directory\n"); | 417 | printf("Creating /usr/local directory\n"); |
359 | int rv = mkdir("/usr/local/bin", 0755); | 418 | int rv = mkdir(arg_bindir, 0755); |
360 | if (rv != 0) { | 419 | if (rv != 0) { |
361 | fprintf(stderr, "Error: cannot create /usr/local/bin directory\n"); | 420 | fprintf(stderr, "Error: cannot create %s directory\n", arg_bindir); |
362 | return 1; | 421 | return 1; |
363 | } | 422 | } |
364 | } | 423 | } |
365 | } | 424 | } |
366 | clean(); | ||
367 | set_links_firecfg(); | ||
368 | |||
369 | 425 | ||
426 | // clear all symlinks | ||
427 | clean(); | ||
370 | 428 | ||
371 | // user setup | 429 | // set new symlinks based on /usr/lib/firejail/firecfg.cfg |
372 | char *user = getlogin(); | 430 | set_links_firecfg(); |
373 | if (!user) { | ||
374 | user = getenv("SUDO_USER"); | ||
375 | if (!user) { | ||
376 | goto errexit; | ||
377 | } | ||
378 | } | ||
379 | 431 | ||
380 | // add user to firejail access database | 432 | // add user to firejail access database - only for root |
381 | if (user) { | 433 | if (user && getuid() == 0) { |
382 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 434 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
383 | firejail_user_add(user); | 435 | firejail_user_add(user); |
384 | } | 436 | } |
385 | 437 | ||
386 | // switch to the local user, and fix desktop files | 438 | // set new symlinks based on ~/.config/firejail directory |
387 | if (user) { | 439 | set_links_homedir(home); |
388 | // find home directory | ||
389 | struct passwd *pw = getpwnam(user); | ||
390 | if (!pw) { | ||
391 | goto errexit; | ||
392 | } | ||
393 | char *home = pw->pw_dir; | ||
394 | if (!home) { | ||
395 | goto errexit; | ||
396 | } | ||
397 | |||
398 | // running as root | ||
399 | set_links_homedir(home); | ||
400 | 440 | ||
401 | // drop permissions | 441 | // drop permissions |
442 | if (getuid() == 0) { | ||
402 | if (setgroups(0, NULL) < 0) | 443 | if (setgroups(0, NULL) < 0) |
403 | errExit("setgroups"); | 444 | errExit("setgroups"); |
404 | // set uid/gid | 445 | if (setgid(gid) < 0) |
405 | if (setgid(pw->pw_gid) < 0) | ||
406 | errExit("setgid"); | 446 | errExit("setgid"); |
407 | if (setuid(pw->pw_uid) < 0) | 447 | if (setuid(uid) < 0) |
408 | errExit("setuid"); | 448 | errExit("setuid"); |
409 | if (arg_debug) | ||
410 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | ||
411 | fix_desktop_files(home); | ||
412 | } | 449 | } |
413 | 450 | ||
414 | return 0; | 451 | if (arg_debug) |
452 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | ||
415 | 453 | ||
416 | errexit: | 454 | // fix .desktop files in ~/.local/share/applications directory |
417 | fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n"); | 455 | fix_desktop_files(home); |
418 | return 1; | 456 | |
457 | return 0; | ||
419 | } | 458 | } |
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt deleted file mode 100644 index cfed454f8..000000000 --- a/src/firejail/arg-checking.txt +++ /dev/null | |||
@@ -1,84 +0,0 @@ | |||
1 | arg checking: | ||
2 | |||
3 | 1. --output=filename | ||
4 | - not supported in profiles | ||
5 | - checking no "..", | ||
6 | - checking no link, | ||
7 | - checking no dir, | ||
8 | - checking same permissions, | ||
9 | - checking no hard links | ||
10 | - unit test | ||
11 | |||
12 | 2. --chroot=dirname | ||
13 | - not supported in profiles | ||
14 | - expand "~" | ||
15 | - checking no "..", | ||
16 | - checking is dir, | ||
17 | - checking no link | ||
18 | - checking directory structure | ||
19 | - unit test | ||
20 | |||
21 | 3. --bind=dirname1,dirname2, --bind=filename1,filenam2 | ||
22 | - supported in profiles | ||
23 | - accepted only when running as root | ||
24 | - checking string chars | ||
25 | - checking no ".." | ||
26 | - unit test non root | ||
27 | |||
28 | 4. --tmpfs=dirname | ||
29 | - supported in profiles | ||
30 | - checking string chars | ||
31 | - checking no ".." | ||
32 | - unit test | ||
33 | |||
34 | 5. --blacklist=filename, --blacklist=dirname | ||
35 | - supported in profiles | ||
36 | - checking string chars | ||
37 | - checking no ".." | ||
38 | - unit test | ||
39 | |||
40 | 6. --read-only=filename, --read-only=dirname | ||
41 | - supported in profiles | ||
42 | - checking string chars | ||
43 | - checking no ".." | ||
44 | - unit test | ||
45 | |||
46 | 7. --profile=filename | ||
47 | - check access as real GID/UID | ||
48 | - checking no dir | ||
49 | - checking no link | ||
50 | - checking no ".." | ||
51 | - unit test | ||
52 | |||
53 | 8. --private=dirname | ||
54 | - supported in profiles | ||
55 | - expand "~" | ||
56 | - check is dir | ||
57 | - check no link | ||
58 | - checking no ".." | ||
59 | - check same owner | ||
60 | - unit test | ||
61 | |||
62 | 9. --private-home=filelist | ||
63 | - supported in profiles | ||
64 | - checking no ".." | ||
65 | - checking file found | ||
66 | - checking same owner | ||
67 | - checking no link | ||
68 | - unit test | ||
69 | |||
70 | 10. --netfilter=filename | ||
71 | - supported in profiles | ||
72 | - check access as real GID/UID | ||
73 | - checking no dir | ||
74 | - checking no link | ||
75 | - checking no ".." | ||
76 | - unit test | ||
77 | |||
78 | 11. --shell=filename | ||
79 | - not supported in profiles | ||
80 | - check access as real GID/UID | ||
81 | - checking no dir | ||
82 | - checking no link | ||
83 | - checking no ".." | ||
84 | - unit test | ||
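--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -328,7 +328,12 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 // join the network namespace
 //************************
 pid_t child;
-if (find_child(pid, &child) == -1) {
+if (find_child(pid, &child) == 1) {
+fprintf(stderr, "Error: cannot join the network namespace\n");
+exit(1);
+}
+
+if (invalid_sandbox(child)) {
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);
 }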
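Review bot: The new test `find_child(pid, &child) == 1` in bandwidth_pid matches one exact return value, so any other failure code would fall through and pass an unset `child` to `invalid_sandbox(child)`. find_child is not defined in this section, so its full return contract is an assumption here, but the call sites removed from caps.c and cpu.c in this commit treated `== 0` as success. Testing against success is the more robust form: `if (find_child(pid, &child) != 0) {`. The body of bandwidth_pid starts and ends outside the hunk.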
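--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -401,18 +401,13 @@ errexit:
 void caps_print_filter(pid_t pid) {
 EUID_ASSERT();
 
-// if the pid is that of a firejail process, use the pid of the first child process
-EUID_ROOT(); // grsecurity
-char *comm = pid_proc_comm(pid);
-EUID_USER(); // grsecurity
-if (comm) {
-if (strcmp(comm, "firejail") == 0) {
-pid_t child;
-if (find_child(pid, &child) == 0) {
-pid = child;
-}
-}
-free(comm);
+// in case the pid is that of a firejail process, use the pid of the first child process
+pid = switch_to_child(pid);
+
+// now check if the pid belongs to a firejail sandbox
+if (invalid_sandbox(pid)) {
+fprintf(stderr, "Error: no valid sandbox\n");
+exit(1);
 }
 
 // check privileges for non-root users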
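Review bot: The sandbox validity check is repeated by hand after `switch_to_child()` in caps_print_filter and again in cpu_print_filter (cpu.c), while fs_logger_print_log (fs_logger.c) in the same commit calls `switch_to_child()` and goes straight on to the privilege check with no `invalid_sandbox()` call. If that omission is not deliberate, the log printer accepts a pid that the other two printers reject. Either add `if (invalid_sandbox(pid)) { fprintf(stderr, "Error: no valid sandbox\n"); exit(1); }` there, or fold the check into one shared helper so that a call site cannot leave it out. All three function bodies continue outside their hunks.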
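--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -165,18 +165,13 @@ static void print_cpu(int pid) {
 void cpu_print_filter(pid_t pid) {
 EUID_ASSERT();
 
-// if the pid is that of a firejail process, use the pid of the first child process
-EUID_ROOT(); // grsecurity
-char *comm = pid_proc_comm(pid);
-EUID_USER(); // grsecurity
-if (comm) {
-if (strcmp(comm, "firejail") == 0) {
-pid_t child;
-if (find_child(pid, &child) == 0) {
-pid = child;
-}
-}
-free(comm);
+// in case the pid is that of a firejail process, use the pid of the first child process
+pid = switch_to_child(pid);
+
+// now check if the pid belongs to a firejail sandbox
+if (invalid_sandbox(pid)) {
+fprintf(stderr, "Error: no valid sandbox\n");
+exit(1);
 }
 
 // check privileges for non-root users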
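--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -100,6 +100,7 @@
 #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
 #define RUN_UMASK_FILE "/run/firejail/mnt/umask"
 #define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot"
+#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join"
 
 
 // profiles
@@ -405,7 +406,7 @@ char *guess_shell(void);
 
 // sandbox.c
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox);
+void start_application(int no_sandbox, FILE *fp);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
@@ -477,6 +478,7 @@ void usage(void);
 
 // join.c
 void join(pid_t pid, int argc, char **argv, int index);
+pid_t switch_to_child(pid_t pid);
 
 // shutdown.c
 void shut(pid_t pid);
@@ -512,9 +514,10 @@ void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
 void check_unsigned(const char *str, const char *msg);
@@ -536,6 +539,7 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
+int invalid_sandbox(const pid_t pid);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.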
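Review bot: The new prototypes `pid_t switch_to_child(pid_t pid);` and `int invalid_sandbox(const pid_t pid);` are declared with no comment on their contract, unlike the mountinfo helper documented just below them. Callers in this commit treat a non-zero result from invalid_sandbox as "reject and exit", which reads inverted next to predicates such as `is_dir` and `is_link`. It is worth stating that at the declaration, for example `// returns non-zero if pid is not a usable firejail sandbox; callers must refuse to operate on it` (what exactly is checked is not visible in this section and should be confirmed against the definition). The `const` on the by-value `pid_t` parameter has no effect in a prototype and can be dropped.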
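--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -641,8 +641,26 @@ void fs_proc_sys_dev_boot(void) {
 char *fnamegpg;
 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
 errExit("asprintf");
-if (stat(fnamegpg, &s) == -1)
-mkdir_attr(fnamegpg, 0700, getuid(), getgid());
+if (stat(fnamegpg, &s) == -1) {
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+if (mkdir(fnamegpg, 0700) == 0) {
+if (chmod(fnamegpg, 0700) == -1)
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+fs_logger2("create", fnamegpg);
+}
 if (stat(fnamegpg, &s) == 0)
 disable_file(BLACKLIST_FILE, fnamegpg);
 free(fnamegpg);
@@ -651,8 +669,26 @@ void fs_proc_sys_dev_boot(void) {
 char *fnamesysd;
 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
 errExit("asprintf");
-if (stat(fnamesysd, &s) == -1)
-mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+if (stat(fnamesysd, &s) == -1) {
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+if (mkdir(fnamesysd, 0755) == 0) {
+if (chmod(fnamesysd, 0755) == -1)
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+fs_logger2("create", fnamesysd);
+}
 if (stat(fnamesysd, &s) == 0)
 disable_file(BLACKLIST_FILE, fnamesysd);
 free(fnamesysd);
@@ -1347,14 +1383,17 @@ void fs_private_cache(void) {
 struct stat s;
 if (is_link(cache)) {
 fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
+free(cache);
 return;
 }
 if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
 fwarning("no user .cache directory found, tmpfs not mounted\n");
+free(cache);
 return;
 }
 if (s.st_uid != getuid()) {
 fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
+free(cache);
 return;
 }
 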
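Review bot: In fs_proc_sys_dev_boot the parent writes the `fs_logger2("create", …)` entry for the gnupg directory whether or not the unprivileged child actually created it, because the child always ends with `_exit(0)` and `waitpid(child, NULL, 0)` discards the status. The filesystem log can then record a directory that was never created. The child should report the mkdir result in its exit status and the parent should log only on success; the systemd block in the second hunk needs the same change. The function body starts and ends outside both hunks.

```c
		if (child == 0) {
			// … unchanged: drop_privs(0) …
			int created = (mkdir(fnamegpg, 0700) == 0);
			if (created && chmod(fnamegpg, 0700) == -1)
				{;} // best effort, as before
			// … unchanged: HAVE_GCOV flush …
			_exit(created ? 0 : 1);
		}
		// log the directory only if the child reports that it created it
		int status = 0;
		if (waitpid(child, &status, 0) == child &&
		    WIFEXITED(status) && WEXITSTATUS(status) == 0)
			fs_logger2("create", fnamegpg);
```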
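--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -100,7 +100,9 @@ errexit:
 }
 
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
-if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
+assert(fname);
+
+if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) {
 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
 exit(1);
 }
@@ -163,6 +165,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 
 
 char *ptr = strtok(dlist, ",");
+if (!ptr) {
+fprintf(stderr, "Error: invalid private %s argument\n", private_dir);
+exit(1);
+}
 duplicate(ptr, private_dir, private_run_dir);
 
 while ((ptr = strtok(NULL, ",")) != NULL)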
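Review bot: The rewritten name check in duplicate() does not reject a bare `.`, which has no slash and is not `..`, so it passes all three tests. How the rest of duplicate() treats such a name is outside the hunk, but a `.` entry would presumably resolve to the source directory itself rather than to an entry inside it. Rejecting it alongside `..` is a one-line change: `if (*fname == '~' || strchr(fname, '/') || strcmp(fname, ".") == 0 || strcmp(fname, "..") == 0) {`.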
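--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -53,7 +53,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 fs_logger2("clone", fname);
 }
 else {
-touch_file_as_user(fname, u, g, 0644);
+touch_file_as_user(fname, 0644);
 fs_logger2("touch", fname);
 }
 free(fname);
@@ -78,7 +78,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 fs_logger2("clone", fname);
 }
 else {
-touch_file_as_user(fname, u, g, 0644);
+touch_file_as_user(fname, 0644);
 fs_logger2("touch", fname);
 }
 free(fname);
@@ -235,8 +235,29 @@ void fs_private_homedir(void) {
 // mount bind private_homedir on top of homedir
 if (arg_debug)
 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+// get a file descriptor for private_homedir, fails if there is any symlink
+int fd = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+if (fd == -1)
+errExit("safe_fd");
+// check if new home directory is owned by the user
+struct stat s;
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (s.st_uid != getuid()) {
+fprintf(stderr, "Error: private directory is not owned by the current user\n");
+exit(1);
+}
+if ((S_IRWXU & s.st_mode) != S_IRWXU)
+fwarning("no full permissions for private directory\n");
+// mount via the link in /proc/self/fd
+char *proc;
+if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+errExit("asprintf");
+if (mount(proc, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
 errExit("mount bind");
+free(proc);
+close(fd);
+
 fs_logger3("mount-bind", private_homedir, cfg.homedir);
 fs_logger2("whitelist", cfg.homedir);
 // preserve mode and ownership
@@ -339,37 +360,16 @@ void fs_check_private_dir(void) {
 free(tmp);
 
 if (!cfg.home_private
-|| !is_dir(cfg.home_private)
-|| is_link(cfg.home_private)
-|| strstr(cfg.home_private, "..")) {
+|| !is_dir(cfg.home_private)) {
 fprintf(stderr, "Error: invalid private directory\n");
 exit(1);
 }
-
-// check home directory and chroot home directory have the same owner
-struct stat s2;
-int rv = stat(cfg.home_private, &s2);
-if (rv < 0) {
-fprintf(stderr, "Error: cannot find %s directory\n", cfg.home_private);
-exit(1);
-}
-
-struct stat s1;
-rv = stat(cfg.homedir, &s1);
-if (rv < 0) {
-fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir);
-exit(1);
-}
-if (s1.st_uid != s2.st_uid) {
-printf("Error: --private directory should be owned by the current user\n");
-exit(1);
-}
 }
 
-#ifndef LTS
 //***********************************************************************************
 // --private-home
 //***********************************************************************************
+#ifndef LTS
 static char *check_dir_or_file(const char *name) {
 assert(name);
 
@@ -401,34 +401,33 @@ static char *check_dir_or_file(const char *name) {
 }
 return fname;
 }
-else {
-fprintf(stderr, "Error: invalid file %s\n", name);
-exit(1);
-}
+else // dangling link
+goto errexit;
 }
 else {
 // check the file is in user home directory, a full home directory is not allowed
 char *rname = realpath(fname, NULL);
 if (!rname ||
 strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 ||
-strcmp(rname, cfg.homedir) == 0) {
-fprintf(stderr, "Error: invalid file %s\n", name);
-exit(1);
-}
+strcmp(rname, cfg.homedir) == 0)
+goto errexit;
 
 // only top files and directories in user home are allowed
 char *ptr = rname + strlen(cfg.homedir);
-assert(*ptr != '\0');
+if (*ptr != '/')
+goto errexit;
 ptr = strchr(++ptr, '/');
 if (ptr) {
-if (*ptr != '\0') {
-fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
-exit(1);
-}
+fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
+exit(1);
 }
 free(fname);
 return rname;
 }
+
+errexit:
+fprintf(stderr, "Error: invalid file %s\n", name);
+exit(1);
 }
 
 static void duplicate(char *name) {
@@ -495,6 +494,10 @@ void fs_private_home_list(void) {
 errExit("strdup");
 
 char *ptr = strtok(dlist, ",");
+if (!ptr) {
+fprintf(stderr, "Error: invalid private-home argument\n");
+exit(1);
+}
 duplicate(ptr);
 while ((ptr = strtok(NULL, ",")) != NULL)
 duplicate(ptr);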
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 93f28a26b..02e2ba5d7 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -120,19 +120,8 @@ void fs_logger_change_owner(void) { | |||
120 | void fs_logger_print_log(pid_t pid) { | 120 | void fs_logger_print_log(pid_t pid) { |
121 | EUID_ASSERT(); | 121 | EUID_ASSERT(); |
122 | 122 | ||
123 | // if the pid is that of a firejail process, use the pid of the first child process | 123 | // in case the pid is that of a firejail process, use the pid of the first child process |
124 | EUID_ROOT(); | 124 | pid = switch_to_child(pid); |
125 | char *comm = pid_proc_comm(pid); | ||
126 | EUID_USER(); | ||
127 | if (comm) { | ||
128 | if (strcmp(comm, "firejail") == 0) { | ||
129 | pid_t child; | ||
130 | if (find_child(pid, &child) == 0) { | ||
131 | pid = child; | ||
132 | } | ||
133 | } | ||
134 | free(comm); | ||
135 | } | ||
136 | 125 | ||
137 | // check privileges for non-root users | 126 | // check privileges for non-root users |
138 | uid_t uid = getuid(); | 127 | uid_t uid = getuid(); |
@@ -151,7 +140,7 @@ void fs_logger_print_log(pid_t pid) { | |||
151 | 140 | ||
152 | EUID_ROOT(); | 141 | EUID_ROOT(); |
153 | struct stat s; | 142 | struct stat s; |
154 | if (stat(fname, &s) == -1) { | 143 | if (stat(fname, &s) == -1 || s.st_uid != 0) { |
155 | fprintf(stderr, "Error: Cannot access filesystem log\n"); | 144 | fprintf(stderr, "Error: Cannot access filesystem log\n"); |
156 | exit(1); | 145 | exit(1); |
157 | } | 146 | } |
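Review bot: The new `s.st_uid != 0` test in fs_logger_print_log() is made with `stat()` on the path, so it follows symlinks and describes whatever `fname` resolves to at that moment, not necessarily the file that is read afterwards. The read is outside this hunk, but if it opens `fname` again, the ownership check and the read can land on different objects. Opening first and checking the descriptor ties both to the same file, the way invalid_sandbox() in util.c does in this commit with `fstat(fd, &s)` followed by `if (!S_ISREG(s.st_mode) || s.st_uid != 0)`. Using that same test here would also reject non-regular files.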
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 9d22093ee..b66068a95 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -114,7 +114,7 @@ void fs_mkfile(const char *name) { | |||
114 | } | 114 | } |
115 | 115 | ||
116 | // create file | 116 | // create file |
117 | touch_file_as_user(expanded, getuid(), getgid(), 0600); | 117 | touch_file_as_user(expanded, 0600); |
118 | 118 | ||
119 | doexit: | 119 | doexit: |
120 | free(expanded); | 120 | free(expanded); |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 9fbbdfa8f..8c53e6161 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -255,23 +255,8 @@ void fs_var_lock(void) { | |||
255 | fs_logger("tmpfs /var/lock"); | 255 | fs_logger("tmpfs /var/lock"); |
256 | } | 256 | } |
257 | else { | 257 | else { |
258 | char *lnk = realpath("/var/lock", NULL); | 258 | fwarning("/var/lock not mounted\n"); |
259 | if (lnk) { | 259 | dbg_test_dir("/var/lock"); |
260 | if (!is_dir(lnk)) { | ||
261 | // create directory | ||
262 | mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0); | ||
263 | } | ||
264 | if (arg_debug) | ||
265 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); | ||
266 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | ||
267 | errExit("mounting /var/lock"); | ||
268 | free(lnk); | ||
269 | fs_logger("tmpfs /var/lock"); | ||
270 | } | ||
271 | else { | ||
272 | fwarning("/var/lock not mounted\n"); | ||
273 | dbg_test_dir("/var/lock"); | ||
274 | } | ||
275 | } | 260 | } |
276 | } | 261 | } |
277 | 262 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index c3d34e259..602985b4e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -395,19 +395,8 @@ void fs_whitelist(void) { | |||
395 | new_name = expand_home(dataptr, cfg.homedir); | 395 | new_name = expand_home(dataptr, cfg.homedir); |
396 | assert(new_name); | 396 | assert(new_name); |
397 | 397 | ||
398 | // trim trailing slashes or dots | 398 | // remove trailing slashes and single dots |
399 | char *end = strchr(new_name, '\0'); | 399 | trim_trailing_slash_or_dot(new_name); |
400 | assert(end); | ||
401 | if ((end - new_name) > 1) { | ||
402 | end--; | ||
403 | while (*end == '/' || | ||
404 | (*end == '.' && *(end - 1) == '/')) { | ||
405 | *end = '\0'; | ||
406 | end--; | ||
407 | if (end == new_name) | ||
408 | break; | ||
409 | } | ||
410 | } | ||
411 | 400 | ||
412 | if (arg_debug || arg_debug_whitelists) | 401 | if (arg_debug || arg_debug_whitelists) |
413 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); | 402 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 729c7f797..cdd95b6a8 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -212,8 +212,10 @@ static void extract_umask(pid_t pid) { | |||
212 | 212 | ||
213 | FILE *fp = fopen(fname, "re"); | 213 | FILE *fp = fopen(fname, "re"); |
214 | free(fname); | 214 | free(fname); |
215 | if (!fp) | 215 | if (!fp) { |
216 | return; | 216 | fprintf(stderr, "Error: cannot open umask file\n"); |
217 | exit(1); | ||
218 | } | ||
217 | if (fscanf(fp, "%3o", &orig_umask) < 1) { | 219 | if (fscanf(fp, "%3o", &orig_umask) < 1) { |
218 | fprintf(stderr, "Error: cannot read umask\n"); | 220 | fprintf(stderr, "Error: cannot read umask\n"); |
219 | exit(1); | 221 | exit(1); |
@@ -221,6 +223,36 @@ static void extract_umask(pid_t pid) { | |||
221 | fclose(fp); | 223 | fclose(fp); |
222 | } | 224 | } |
223 | 225 | ||
226 | pid_t switch_to_child(pid_t pid) { | ||
227 | EUID_ROOT(); | ||
228 | errno = 0; | ||
229 | char *comm = pid_proc_comm(pid); | ||
230 | if (!comm) { | ||
231 | if (errno == ENOENT) { | ||
232 | fprintf(stderr, "Error: cannot find process with id %d\n", pid); | ||
233 | exit(1); | ||
234 | } | ||
235 | else { | ||
236 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
237 | exit(1); | ||
238 | } | ||
239 | } | ||
240 | EUID_USER(); | ||
241 | if (strcmp(comm, "firejail") == 0) { | ||
242 | pid_t child; | ||
243 | if (find_child(pid, &child) == 1) { | ||
244 | fprintf(stderr, "Error: no valid sandbox\n"); | ||
245 | exit(1); | ||
246 | } | ||
247 | fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) child); | ||
248 | pid = child; | ||
249 | } | ||
250 | free(comm); | ||
251 | return pid; | ||
252 | } | ||
253 | |||
254 | |||
255 | |||
224 | void join(pid_t pid, int argc, char **argv, int index) { | 256 | void join(pid_t pid, int argc, char **argv, int index) { |
225 | EUID_ASSERT(); | 257 | EUID_ASSERT(); |
226 | char *homedir = cfg.homedir; | 258 | char *homedir = cfg.homedir; |
@@ -229,19 +261,13 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
229 | extract_command(argc, argv, index); | 261 | extract_command(argc, argv, index); |
230 | signal (SIGTERM, signal_handler); | 262 | signal (SIGTERM, signal_handler); |
231 | 263 | ||
232 | // if the pid is that of a firejail process, use the pid of the first child process | 264 | // in case the pid is that of a firejail process, use the pid of the first child process |
233 | EUID_ROOT(); | 265 | pid = switch_to_child(pid); |
234 | char *comm = pid_proc_comm(pid); | 266 | |
235 | EUID_USER(); | 267 | // now check if the pid belongs to a firejail sandbox |
236 | if (comm) { | 268 | if (invalid_sandbox(pid)) { |
237 | if (strcmp(comm, "firejail") == 0) { | 269 | fprintf(stderr, "Error: no valid sandbox\n"); |
238 | pid_t child; | 270 | exit(1); |
239 | if (find_child(pid, &child) == 0) { | ||
240 | pid = child; | ||
241 | fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); | ||
242 | } | ||
243 | } | ||
244 | free(comm); | ||
245 | } | 271 | } |
246 | 272 | ||
247 | // check privileges for non-root users | 273 | // check privileges for non-root users |
@@ -406,7 +432,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
406 | } | 432 | } |
407 | 433 | ||
408 | drop_privs(arg_nogroups); | 434 | drop_privs(arg_nogroups); |
409 | start_application(0); | 435 | start_application(0, NULL); |
410 | 436 | ||
411 | // it will never get here!!! | 437 | // it will never get here!!! |
412 | } | 438 | } |
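Review bot: In switch_to_child(), `find_child(pid, &child) == 1` treats only the exact value 1 as failure, so any other non-zero return would fall through and `child` would be used uninitialised as the pid for every later check; `if (find_child(pid, &child) != 0) {` is the safer comparison. The same test appears in netfilter_print() in netfilter.c, where this commit changes it from `== -1`. find_child() is not shown on this page, so whether it can return anything other than 0 or 1 needs confirming. Separately, the `errno == ENOENT` branch depends on pid_proc_comm() leaving errno untouched between the failing call and its return, which is worth verifying since that helper is outside the hunk. switch_to_child() is also exported without a header comment; something like `// return the pid of the first child if pid is a firejail process, otherwise pid itself; exits on error` would state the contract.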
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4212edd9b..b3664ee2e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1652,7 +1652,7 @@ int main(int argc, char **argv) { | |||
1652 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | 1652 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { |
1653 | // extract private srv list | 1653 | // extract private srv list |
1654 | if (*(argv[i] + 14) == '\0') { | 1654 | if (*(argv[i] + 14) == '\0') { |
1655 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1655 | fprintf(stderr, "Error: invalid private-srv option\n"); |
1656 | exit(1); | 1656 | exit(1); |
1657 | } | 1657 | } |
1658 | if (cfg.srv_private_keep) { | 1658 | if (cfg.srv_private_keep) { |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index de446d032..8fbd11bba 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -170,7 +170,12 @@ void netfilter_print(pid_t pid, int ipv6) { | |||
170 | 170 | ||
171 | // join the network namespace | 171 | // join the network namespace |
172 | pid_t child; | 172 | pid_t child; |
173 | if (find_child(pid, &child) == -1) { | 173 | if (find_child(pid, &child) == 1) { |
174 | fprintf(stderr, "Error: cannot join the network namespace\n"); | ||
175 | exit(1); | ||
176 | } | ||
177 | |||
178 | if (invalid_sandbox(child)) { | ||
174 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 179 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
175 | exit(1); | 180 | exit(1); |
176 | } | 181 | } |
diff --git a/src/firejail/network.txt b/src/firejail/network.txt deleted file mode 100644 index 75bdc346d..000000000 --- a/src/firejail/network.txt +++ /dev/null | |||
@@ -1,95 +0,0 @@ | |||
1 | struct Bridge { | ||
2 | char *dev; // bridge device name | ||
3 | uint32_t ip; // bridge device IP address | ||
4 | uint32_t mask; // bridge device mask | ||
5 | uint32_t ipsandbox // sandbox interface IP address | ||
6 | } | ||
7 | |||
8 | net_configure_bridge(br, device) { | ||
9 | br->dev = devname; | ||
10 | br->ip = extracted from kernel device - using net_get_if_addr() in network.c | ||
11 | br->mask = extracted from kernel device - using net_get_if_addr() in network.c | ||
12 | check available network range; /31 networks are not supported | ||
13 | } | ||
14 | |||
15 | net_configure_sandbox_ip(br) { | ||
16 | if br->ip_sandbox | ||
17 | check br->ipsandbox inside the bridge network | ||
18 | arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address | ||
19 | else | ||
20 | br->ipsandbox = arp_assign(); | ||
21 | } | ||
22 | |||
23 | net_configure_veth_pair { | ||
24 | create a veth pair | ||
25 | place one interface end in the bridge | ||
26 | place the other end in the namespace of the child process | ||
27 | } | ||
28 | |||
29 | net_bridge_wait_ip { | ||
30 | arp_check br->ipsandbox address to come up | ||
31 | wait for not more than 5 seconds | ||
32 | } | ||
33 | |||
34 | main() { | ||
35 | |||
36 | foreach argv[i] { | ||
37 | if --net | ||
38 | br = next bridge available | ||
39 | net_configure_bridge(br, device name from argv[i]); | ||
40 | else if --ip | ||
41 | br = last bridge configured | ||
42 | br->ipsandbox = ip address extracted from argv[i] | ||
43 | else if --defaultgw | ||
44 | cfg.defaultgw = ip address extracted from argv[i] | ||
45 | } | ||
46 | |||
47 | net_check_cfg(); // check the validity of network configuration so far | ||
48 | |||
49 | if (any bridge configured) { | ||
50 | lock /var/lock/firejail.lock file | ||
51 | for each bridge | ||
52 | net_configure_sandbox_ip(br) | ||
53 | } | ||
54 | |||
55 | clone (new network namespace if any bridge configured or --net=none) | ||
56 | |||
57 | if (any bridge configured) { | ||
58 | for each bridge | ||
59 | net_configure_veth_pair | ||
60 | } | ||
61 | |||
62 | notify child init is done | ||
63 | |||
64 | if (any bridge configured) { | ||
65 | for each bridge | ||
66 | net_bridge_wait_ip | ||
67 | unlock /var/lock/firejail.lock file | ||
68 | } | ||
69 | |||
70 | wait on child | ||
71 | exit | ||
72 | } | ||
73 | |||
74 | |||
75 | ****************************************************** | ||
76 | * macvlan notes | ||
77 | ****************************************************** | ||
78 | Configure a macvlan interface | ||
79 | |||
80 | # ip link add virtual0 link eth0 type macvlan mode bridge | ||
81 | (you can configure it with # ifconfig virtual0 192.168.1.52/24 up) | ||
82 | |||
83 | Create a new network namespace and move the interface in the new network namespace | ||
84 | |||
85 | # ip netns add dummy0 | ||
86 | # ip link set virtual0 netns dummy0 | ||
87 | |||
88 | Join the namespace and configure the interfaces | ||
89 | |||
90 | # ip netns exec dummy0 bash | ||
91 | # ifconfig lo up | ||
92 | # ifconfig virtual0 192.168.1.52/24 | ||
93 | |||
94 | Investigate ipvlan interface - added to linux kernel 3.19 | ||
95 | https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt | ||
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index e30d07229..e3c750767 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -269,18 +269,23 @@ void net_dns_print(pid_t pid) { | |||
269 | EUID_ASSERT(); | 269 | EUID_ASSERT(); |
270 | // drop privileges - will not be able to read /etc/resolv.conf for --noroot option | 270 | // drop privileges - will not be able to read /etc/resolv.conf for --noroot option |
271 | 271 | ||
272 | // if the pid is that of a firejail process, use the pid of the first child process | 272 | // in case the pid is that of a firejail process, use the pid of the first child process |
273 | EUID_ROOT(); | 273 | pid = switch_to_child(pid); |
274 | char *comm = pid_proc_comm(pid); | 274 | |
275 | EUID_USER(); | 275 | // now check if the pid belongs to a firejail sandbox |
276 | if (comm) { | 276 | if (invalid_sandbox(pid)) { |
277 | if (strcmp(comm, "firejail") == 0) { | 277 | fprintf(stderr, "Error: no valid sandbox\n"); |
278 | pid_t child; | 278 | exit(1); |
279 | if (find_child(pid, &child) == 0) { | 279 | } |
280 | pid = child; | 280 | |
281 | } | 281 | // check privileges for non-root users |
282 | uid_t uid = getuid(); | ||
283 | if (uid != 0) { | ||
284 | uid_t sandbox_uid = pid_get_uid(pid); | ||
285 | if (uid != sandbox_uid) { | ||
286 | fprintf(stderr, "Error: permission denied.\n"); | ||
287 | exit(1); | ||
282 | } | 288 | } |
283 | free(comm); | ||
284 | } | 289 | } |
285 | 290 | ||
286 | EUID_ROOT(); | 291 | EUID_ROOT(); |
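Review bot: The sequence added to net_dns_print(), which is `switch_to_child()`, then `invalid_sandbox()`, then the uid comparison, is also written out by hand in join(), protocol_print_filter() and seccomp_print_filter(). That duplication makes it easy for one caller to drift: the uid comparison only arrives in this function with this hunk. A single helper that performs all three steps and exits on failure would stop a future command from omitting one of them. The sketch below uses a proposed name, and the uid checks of the other callers lie outside their hunks, so confirm they match before switching them over.

```c
// proposed helper: map pid to the sandboxed process and check that the caller may inspect it
pid_t require_sandbox_access(pid_t pid) {
	// in case the pid is that of a firejail process, use the pid of the first child process
	pid = switch_to_child(pid);

	// the pid must belong to a fully set up firejail sandbox
	if (invalid_sandbox(pid)) {
		fprintf(stderr, "Error: no valid sandbox\n");
		exit(1);
	}

	// non-root users may only inspect their own sandboxes
	uid_t uid = getuid();
	if (uid != 0 && uid != pid_get_uid(pid)) {
		fprintf(stderr, "Error: permission denied.\n");
		exit(1);
	}
	return pid;
}

void net_dns_print(pid_t pid) {
	// … unchanged: EUID_ASSERT() and the privilege comment …
	pid = require_sandbox_access(pid);
	// … unchanged: EUID_ROOT() and the rest of the function …
```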
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 5bd3f7e09..7c5cc1df9 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -233,5 +233,5 @@ void run_no_sandbox(int argc, char **argv) { | |||
233 | 233 | ||
234 | arg_quiet = 1; | 234 | arg_quiet = 1; |
235 | 235 | ||
236 | start_application(1); | 236 | start_application(1, NULL); |
237 | } | 237 | } |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 79fc36fb5..ea069de76 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1050,7 +1050,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1050 | 1050 | ||
1051 | // filesystem bind | 1051 | // filesystem bind |
1052 | if (strncmp(ptr, "bind ", 5) == 0) { | 1052 | if (strncmp(ptr, "bind ", 5) == 0) { |
1053 | #ifdef HAVE_BIND | ||
1054 | if (checkcfg(CFG_BIND)) { | 1053 | if (checkcfg(CFG_BIND)) { |
1055 | if (getuid() != 0) { | 1054 | if (getuid() != 0) { |
1056 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | 1055 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); |
@@ -1083,7 +1082,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1083 | } | 1082 | } |
1084 | else | 1083 | else |
1085 | warning_feature_disabled("bind"); | 1084 | warning_feature_disabled("bind"); |
1086 | #endif | ||
1087 | return 0; | 1085 | return 0; |
1088 | } | 1086 | } |
1089 | 1087 | ||
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index eb3763253..9989ddb68 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -64,18 +64,13 @@ void protocol_print_filter(pid_t pid) { | |||
64 | 64 | ||
65 | (void) pid; | 65 | (void) pid; |
66 | #ifdef SYS_socket | 66 | #ifdef SYS_socket |
67 | // if the pid is that of a firejail process, use the pid of the first child process | 67 | // in case the pid is that of a firejail process, use the pid of the first child process |
68 | EUID_ROOT(); | 68 | pid = switch_to_child(pid); |
69 | char *comm = pid_proc_comm(pid); | 69 | |
70 | EUID_USER(); | 70 | // now check if the pid belongs to a firejail sandbox |
71 | if (comm) { | 71 | if (invalid_sandbox(pid)) { |
72 | if (strcmp(comm, "firejail") == 0) { | 72 | fprintf(stderr, "Error: no valid sandbox\n"); |
73 | pid_t child; | 73 | exit(1); |
74 | if (find_child(pid, &child) == 0) { | ||
75 | pid = child; | ||
76 | } | ||
77 | } | ||
78 | free(comm); | ||
79 | } | 74 | } |
80 | 75 | ||
81 | // check privileges for non-root users | 76 | // check privileges for non-root users |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 521f144e8..e6696ecb4 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -117,7 +117,7 @@ void pulseaudio_init(void) { | |||
117 | 117 | ||
118 | int rv = mkdir(dir1, 0755); | 118 | int rv = mkdir(dir1, 0755); |
119 | if (rv == 0) { | 119 | if (rv == 0) { |
120 | if (set_perms(dir1, getuid(), getgid(), 0755)) | 120 | if (chmod(dir1, 0755)) |
121 | {;} // do nothing | 121 | {;} // do nothing |
122 | } | 122 | } |
123 | #ifdef HAVE_GCOV | 123 | #ifdef HAVE_GCOV |
@@ -153,7 +153,7 @@ void pulseaudio_init(void) { | |||
153 | 153 | ||
154 | int rv = mkdir(dir1, 0700); | 154 | int rv = mkdir(dir1, 0700); |
155 | if (rv == 0) { | 155 | if (rv == 0) { |
156 | if (set_perms(dir1, getuid(), getgid(), 0700)) | 156 | if (chmod(dir1, 0700)) |
157 | {;} // do nothing | 157 | {;} // do nothing |
158 | } | 158 | } |
159 | #ifdef HAVE_GCOV | 159 | #ifdef HAVE_GCOV |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b0a792277..919a2b84e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -139,6 +139,18 @@ void save_umask(void) { | |||
139 | } | 139 | } |
140 | } | 140 | } |
141 | 141 | ||
142 | static FILE *create_ready_for_join_file(void) { | ||
143 | FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe"); | ||
144 | if (fp) { | ||
145 | ASSERT_PERMS_STREAM(fp, 0, 0, 0644); | ||
146 | return fp; | ||
147 | } | ||
148 | else { | ||
149 | fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN); | ||
150 | exit(1); | ||
151 | } | ||
152 | } | ||
153 | |||
142 | static void sandbox_if_up(Bridge *br) { | 154 | static void sandbox_if_up(Bridge *br) { |
143 | assert(br); | 155 | assert(br); |
144 | if (!br->configured) | 156 | if (!br->configured) |
@@ -374,7 +386,7 @@ static int ok_to_run(const char *program) { | |||
374 | return 0; | 386 | return 0; |
375 | } | 387 | } |
376 | 388 | ||
377 | void start_application(int no_sandbox) { | 389 | void start_application(int no_sandbox, FILE *fp) { |
378 | // set environment | 390 | // set environment |
379 | if (no_sandbox == 0) { | 391 | if (no_sandbox == 0) { |
380 | env_defaults(); | 392 | env_defaults(); |
@@ -394,6 +406,11 @@ void start_application(int no_sandbox) { | |||
394 | #ifndef LTS | 406 | #ifndef LTS |
395 | if (arg_audit) { | 407 | if (arg_audit) { |
396 | assert(arg_audit_prog); | 408 | assert(arg_audit_prog); |
409 | |||
410 | if (fp) { | ||
411 | fprintf(fp, "ready\n"); | ||
412 | fclose(fp); | ||
413 | } | ||
397 | #ifdef HAVE_GCOV | 414 | #ifdef HAVE_GCOV |
398 | __gcov_dump(); | 415 | __gcov_dump(); |
399 | #endif | 416 | #endif |
@@ -426,6 +443,11 @@ void start_application(int no_sandbox) { | |||
426 | print_time(); | 443 | print_time(); |
427 | 444 | ||
428 | int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]); | 445 | int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]); |
446 | |||
447 | if (fp) { | ||
448 | fprintf(fp, "ready\n"); | ||
449 | fclose(fp); | ||
450 | } | ||
429 | #ifdef HAVE_GCOV | 451 | #ifdef HAVE_GCOV |
430 | __gcov_dump(); | 452 | __gcov_dump(); |
431 | #endif | 453 | #endif |
@@ -482,6 +504,11 @@ void start_application(int no_sandbox) { | |||
482 | 504 | ||
483 | if (!arg_command && !arg_quiet) | 505 | if (!arg_command && !arg_quiet) |
484 | print_time(); | 506 | print_time(); |
507 | |||
508 | if (fp) { | ||
509 | fprintf(fp, "ready\n"); | ||
510 | fclose(fp); | ||
511 | } | ||
485 | #ifdef HAVE_GCOV | 512 | #ifdef HAVE_GCOV |
486 | __gcov_dump(); | 513 | __gcov_dump(); |
487 | #endif | 514 | #endif |
@@ -1080,6 +1107,13 @@ int sandbox(void* sandbox_arg) { | |||
1080 | #endif | 1107 | #endif |
1081 | 1108 | ||
1082 | //**************************************** | 1109 | //**************************************** |
1110 | // communicate progress of sandbox set up | ||
1111 | // to --join | ||
1112 | //**************************************** | ||
1113 | |||
1114 | FILE *fp = create_ready_for_join_file(); | ||
1115 | |||
1116 | //**************************************** | ||
1083 | // create a new user namespace | 1117 | // create a new user namespace |
1084 | // - too early to drop privileges | 1118 | // - too early to drop privileges |
1085 | //**************************************** | 1119 | //**************************************** |
@@ -1144,9 +1178,11 @@ int sandbox(void* sandbox_arg) { | |||
1144 | #endif | 1178 | #endif |
1145 | 1179 | ||
1146 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 1180 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
1147 | start_application(0); // start app | 1181 | start_application(0, fp); // start app |
1148 | } | 1182 | } |
1149 | 1183 | ||
1184 | fclose(fp); | ||
1185 | |||
1150 | int status = monitor_application(app_pid); // monitor application | 1186 | int status = monitor_application(app_pid); // monitor application |
1151 | flush_stdin(); | 1187 | flush_stdin(); |
1152 | 1188 | ||
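Review bot: start_application() now repeats the same `fprintf(fp, "ready\n"); fclose(fp);` block on three paths and ignores both return values. If the write fails, the marker stays empty and invalid_sandbox() rejects the sandbox, so a later --join prints "no valid sandbox" with nothing pointing at the cause. Folding the block into one static helper that warns on failure keeps the three paths identical; the sketch below would sit above start_application(). The new `fp` parameter also needs a comment at the signature, for example `// fp: ready-for-join marker, may be NULL; written and closed just before the application starts`. start_application() and sandbox() both extend beyond the hunks shown.

```c
// write the ready-for-join marker and close it; fp may be NULL
static void notify_ready_for_join(FILE *fp) {
	if (!fp)
		return;
	int failed = (fprintf(fp, "ready\n") < 0);
	if (fclose(fp) != 0)
		failed = 1;
	if (failed)
		fwarning("cannot write %s\n", RUN_READY_FOR_JOIN);
}

void start_application(int no_sandbox, FILE *fp) {
	// … unchanged: environment set up …
	// at each of the three places that wrote "ready\n":
	notify_ready_for_join(fp);
	// … unchanged: __gcov_dump() and starting the program …
```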
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 3da0206e1..7be7b3950 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -295,18 +295,13 @@ int seccomp_filter_keep(void) { | |||
295 | void seccomp_print_filter(pid_t pid) { | 295 | void seccomp_print_filter(pid_t pid) { |
296 | EUID_ASSERT(); | 296 | EUID_ASSERT(); |
297 | 297 | ||
298 | // if the pid is that of a firejail process, use the pid of the first child process | 298 | // in case the pid is that of a firejail process, use the pid of the first child process |
299 | EUID_ROOT(); | 299 | pid = switch_to_child(pid); |
300 | char *comm = pid_proc_comm(pid); | 300 | |
301 | EUID_USER(); | 301 | // now check if the pid belongs to a firejail sandbox |
302 | if (comm) { | 302 | if (invalid_sandbox(pid)) { |
303 | if (strcmp(comm, "firejail") == 0) { | 303 | fprintf(stderr, "Error: no valid sandbox\n"); |
304 | pid_t child; | 304 | exit(1); |
305 | if (find_child(pid, &child) == 0) { | ||
306 | pid = child; | ||
307 | } | ||
308 | } | ||
309 | free(comm); | ||
310 | } | 305 | } |
311 | 306 | ||
312 | // check privileges for non-root users | 307 | // check privileges for non-root users |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 78cd30926..c8866da3a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -37,10 +37,8 @@ static char *usage_str = | |||
37 | #ifdef HAVE_NETWORK | 37 | #ifdef HAVE_NETWORK |
38 | " --bandwidth=name|pid - set bandwidth limits.\n" | 38 | " --bandwidth=name|pid - set bandwidth limits.\n" |
39 | #endif | 39 | #endif |
40 | #ifdef HAVE_BIND | ||
41 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
42 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
43 | #endif | ||
44 | " --blacklist=filename - blacklist directory or file.\n" | 42 | " --blacklist=filename - blacklist directory or file.\n" |
45 | " --build - build a whitelisted profile for the application.\n" | 43 | " --build - build a whitelisted profile for the application.\n" |
46 | " --build=filename - build a whitelisted profile for the application.\n" | 44 | " --build=filename - build a whitelisted profile for the application.\n" |
@@ -153,6 +151,7 @@ static char *usage_str = | |||
153 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" | 151 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" |
154 | " --private - temporary home directory.\n" | 152 | " --private - temporary home directory.\n" |
155 | " --private=directory - use directory as user home.\n" | 153 | " --private=directory - use directory as user home.\n" |
154 | " --private-cache - temporary ~/.cache directory.\n" | ||
156 | " --private-home=file,directory - build a new user home in a temporary\n" | 155 | " --private-home=file,directory - build a new user home in a temporary\n" |
157 | "\tfilesystem, and copy the files and directories in the list in\n" | 156 | "\tfilesystem, and copy the files and directories in the list in\n" |
158 | "\tthe new home.\n" | 157 | "\tthe new home.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 329ae141b..050f7534a 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -156,7 +156,6 @@ int mkpath_as_root(const char* path) { | |||
156 | *p='\0'; | 156 | *p='\0'; |
157 | if (mkdir(file_path, 0755)==-1) { | 157 | if (mkdir(file_path, 0755)==-1) { |
158 | if (errno != EEXIST) { | 158 | if (errno != EEXIST) { |
159 | *p='/'; | ||
160 | free(file_path); | 159 | free(file_path); |
161 | return -1; | 160 | return -1; |
162 | } | 161 | } |
@@ -365,7 +364,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
365 | } | 364 | } |
366 | 365 | ||
367 | // return -1 if error, 0 if no error | 366 | // return -1 if error, 0 if no error |
368 | void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | 367 | void touch_file_as_user(const char *fname, mode_t mode) { |
369 | pid_t child = fork(); | 368 | pid_t child = fork(); |
370 | if (child < 0) | 369 | if (child < 0) |
371 | errExit("fork"); | 370 | errExit("fork"); |
@@ -373,10 +372,10 @@ void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | |||
373 | // drop privileges | 372 | // drop privileges |
374 | drop_privs(0); | 373 | drop_privs(0); |
375 | 374 | ||
376 | FILE *fp = fopen(fname, "w"); | 375 | FILE *fp = fopen(fname, "wx"); |
377 | if (fp) { | 376 | if (fp) { |
378 | fprintf(fp, "\n"); | 377 | fprintf(fp, "\n"); |
379 | SET_PERMS_STREAM(fp, uid, gid, mode); | 378 | SET_PERMS_STREAM(fp, -1, -1, mode); |
380 | fclose(fp); | 379 | fclose(fp); |
381 | } | 380 | } |
382 | #ifdef HAVE_GCOV | 381 | #ifdef HAVE_GCOV |
@@ -425,15 +424,48 @@ int is_link(const char *fname) { | |||
425 | if (*fname == '\0') | 424 | if (*fname == '\0') |
426 | return 0; | 425 | return 0; |
427 | 426 | ||
427 | char *dup = NULL; | ||
428 | struct stat s; | 428 | struct stat s; |
429 | if (lstat(fname, &s) == 0) { | 429 | if (lstat(fname, &s) == 0) { |
430 | if (S_ISLNK(s.st_mode)) | 430 | if (S_ISLNK(s.st_mode)) |
431 | return 1; | 431 | return 1; |
432 | if (S_ISDIR(s.st_mode)) { | ||
433 | // remove trailing slashes and single dots and try again | ||
434 | dup = strdup(fname); | ||
435 | if (!dup) | ||
436 | errExit("strdup"); | ||
437 | trim_trailing_slash_or_dot(dup); | ||
438 | if (lstat(dup, &s) == 0) { | ||
439 | if (S_ISLNK(s.st_mode)) { | ||
440 | free(dup); | ||
441 | return 1; | ||
442 | } | ||
443 | } | ||
444 | } | ||
432 | } | 445 | } |
433 | 446 | ||
447 | free(dup); | ||
434 | return 0; | 448 | return 0; |
435 | } | 449 | } |
436 | 450 | ||
451 | // remove all slashes and single dots from the end of a path | ||
452 | // for example /foo/bar///././. -> /foo/bar | ||
453 | void trim_trailing_slash_or_dot(char *path) { | ||
454 | assert(path); | ||
455 | |||
456 | char *end = strchr(path, '\0'); | ||
457 | assert(end); | ||
458 | if ((end - path) > 1) { | ||
459 | end--; | ||
460 | while (*end == '/' || | ||
461 | (*end == '.' && *(end - 1) == '/')) { | ||
462 | *end = '\0'; | ||
463 | end--; | ||
464 | if (end == path) | ||
465 | break; | ||
466 | } | ||
467 | } | ||
468 | } | ||
437 | 469 | ||
438 | // remove multiple spaces and return allocated memory | 470 | // remove multiple spaces and return allocated memory |
439 | char *line_remove_spaces(const char *buf) { | 471 | char *line_remove_spaces(const char *buf) { |
@@ -762,12 +794,14 @@ uid_t pid_get_uid(pid_t pid) { | |||
762 | char buf[PIDS_BUFLEN]; | 794 | char buf[PIDS_BUFLEN]; |
763 | while (fgets(buf, PIDS_BUFLEN - 1, fp)) { | 795 | while (fgets(buf, PIDS_BUFLEN - 1, fp)) { |
764 | if (strncmp(buf, "Uid:", 4) == 0) { | 796 | if (strncmp(buf, "Uid:", 4) == 0) { |
765 | char *ptr = buf + 5; | 797 | char *ptr = buf + 4; |
766 | while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { | 798 | while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { |
767 | ptr++; | 799 | ptr++; |
768 | } | 800 | } |
769 | if (*ptr == '\0') | 801 | if (*ptr == '\0') { |
770 | break; | 802 | fprintf(stderr, "Error: cannot read /proc file\n"); |
803 | exit(1); | ||
804 | } | ||
771 | 805 | ||
772 | rv = atoi(ptr); | 806 | rv = atoi(ptr); |
773 | break; // break regardless! | 807 | break; // break regardless! |
@@ -778,10 +812,6 @@ uid_t pid_get_uid(pid_t pid) { | |||
778 | free(file); | 812 | free(file); |
779 | EUID_USER(); // grsecurity fix | 813 | EUID_USER(); // grsecurity fix |
780 | 814 | ||
781 | if (rv == 0) { | ||
782 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
783 | exit(1); | ||
784 | } | ||
785 | return rv; | 815 | return rv; |
786 | } | 816 | } |
787 | 817 | ||
@@ -891,10 +921,8 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { | |||
891 | FILE *fp = fopen(fname, "w"); | 921 | FILE *fp = fopen(fname, "w"); |
892 | if (!fp) | 922 | if (!fp) |
893 | errExit("fopen"); | 923 | errExit("fopen"); |
894 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); | 924 | SET_PERMS_STREAM(fp, 0, 0, mode); |
895 | fclose(fp); | 925 | fclose(fp); |
896 | if (chmod(fname, mode) == -1) | ||
897 | errExit("chmod"); | ||
898 | } | 926 | } |
899 | } | 927 | } |
900 | 928 | ||
@@ -1022,7 +1050,7 @@ int safe_fd(const char *path, int flags) { | |||
1022 | errExit("open"); | 1050 | errExit("open"); |
1023 | 1051 | ||
1024 | // traverse the path and return -1 if a symlink is encountered | 1052 | // traverse the path and return -1 if a symlink is encountered |
1025 | int entered = 0; | 1053 | int weird_pathname = 1; |
1026 | int fd = -1; | 1054 | int fd = -1; |
1027 | char *tok = strtok(dup, "/"); | 1055 | char *tok = strtok(dup, "/"); |
1028 | while (tok) { | 1056 | while (tok) { |
@@ -1031,7 +1059,7 @@ int safe_fd(const char *path, int flags) { | |||
1031 | tok = strtok(NULL, "/"); | 1059 | tok = strtok(NULL, "/"); |
1032 | continue; | 1060 | continue; |
1033 | } | 1061 | } |
1034 | entered = 1; | 1062 | weird_pathname = 0; |
1035 | 1063 | ||
1036 | // open the directory | 1064 | // open the directory |
1037 | fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 1065 | fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
@@ -1046,7 +1074,7 @@ int safe_fd(const char *path, int flags) { | |||
1046 | } | 1074 | } |
1047 | if (p != dup) { | 1075 | if (p != dup) { |
1048 | // consistent flags for top level directories (////foo, /.///foo) | 1076 | // consistent flags for top level directories (////foo, /.///foo) |
1049 | if (!entered) | 1077 | if (weird_pathname) |
1050 | flags = O_PATH|O_DIRECTORY|O_CLOEXEC; | 1078 | flags = O_PATH|O_DIRECTORY|O_CLOEXEC; |
1051 | // open last path segment | 1079 | // open last path segment |
1052 | fd = openat(parentfd, p + 1, flags|O_NOFOLLOW); | 1080 | fd = openat(parentfd, p + 1, flags|O_NOFOLLOW); |
@@ -1059,3 +1087,66 @@ errexit: | |||
1059 | fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path); | 1087 | fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path); |
1060 | exit(1); | 1088 | exit(1); |
1061 | } | 1089 | } |
1090 | |||
1091 | |||
1092 | // return 1 if the sandbox identified by pid is not fully set up yet or if | ||
1093 | // it is no firejail sandbox at all, return 0 if the sandbox is complete | ||
1094 | int invalid_sandbox(const pid_t pid) { | ||
1095 | // check if a file "ready-for-join" exists | ||
1096 | char *fname; | ||
1097 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1) | ||
1098 | errExit("asprintf"); | ||
1099 | EUID_ROOT(); | ||
1100 | FILE *fp = fopen(fname, "re"); | ||
1101 | EUID_USER(); | ||
1102 | free(fname); | ||
1103 | if (!fp) | ||
1104 | return 1; | ||
1105 | // regular file owned by root | ||
1106 | int fd = fileno(fp); | ||
1107 | if (fd == -1) | ||
1108 | errExit("fileno"); | ||
1109 | struct stat s; | ||
1110 | if (fstat(fd, &s) == -1) | ||
1111 | errExit("fstat"); | ||
1112 | if (!S_ISREG(s.st_mode) || s.st_uid != 0) { | ||
1113 | fclose(fp); | ||
1114 | return 1; | ||
1115 | } | ||
1116 | // check if it is non-empty | ||
1117 | char buf[BUFLEN]; | ||
1118 | if (fgets(buf, BUFLEN, fp) == NULL) { | ||
1119 | fclose(fp); | ||
1120 | return 1; | ||
1121 | } | ||
1122 | fclose(fp); | ||
1123 | // confirm "ready" string was written | ||
1124 | if (strncmp(buf, "ready\n", 6) != 0) | ||
1125 | return 1; | ||
1126 | |||
1127 | // walk down the process tree a few nodes, there should be no firejail leaf | ||
1128 | #define MAXNODES 5 | ||
1129 | pid_t current = pid, next; | ||
1130 | int i; | ||
1131 | for (i = 0; i < MAXNODES; i++) { | ||
1132 | if (find_child(current, &next) == 1) { | ||
1133 | // found a leaf | ||
1134 | EUID_ROOT(); | ||
1135 | char *comm = pid_proc_comm(current); | ||
1136 | EUID_USER(); | ||
1137 | if (!comm) { | ||
1138 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
1139 | exit(1); | ||
1140 | } | ||
1141 | if (strcmp(comm, "firejail") == 0) { | ||
1142 | free(comm); | ||
1143 | return 1; | ||
1144 | } | ||
1145 | free(comm); | ||
1146 | break; | ||
1147 | } | ||
1148 | current = next; | ||
1149 | } | ||
1150 | |||
1151 | return 0; | ||
1152 | } | ||
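--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -129,7 +129,7 @@ char *pid_proc_comm(const pid_t pid) {
 // open /proc/pid/cmdline file
 char *fname;
 int fd;
-if (asprintf(&fname, "/proc/%d//comm", pid) == -1)
+if (asprintf(&fname, "/proc/%d/comm", pid) == -1)
 return NULL;
 if ((fd = open(fname, O_RDONLY)) < 0) {
 free(fname);
@@ -154,6 +154,8 @@ char *pid_proc_comm(const pid_t pid) {
 
 // return a malloc copy of the command line
 char *rv = strdup(buffer);
+if (!rv)
+return NULL;
 if (strlen(rv) == 0) {
 free(rv);
 return NULL;
@@ -192,6 +194,8 @@ char *pid_proc_cmdline(const pid_t pid) {
 
 // return a malloc copy of the command line
 char *rv = strdup((char *) buffer);
+if (!rv)
+return NULL;
 if (strlen(rv) == 0) {
 free(rv);
 return NULL;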
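Review bot: The comments kept as context in pid_proc_comm no longer describe the code: line 129 says `// open /proc/pid/cmdline file` and line 155 says `// return a malloc copy of the command line`, but the function opens `/proc/<pid>/comm`. I would change them to `// open /proc/<pid>/comm file` and `// return a malloc copy of the comm name`. With the added `if (!rv) return NULL;`, NULL now covers a failed open, a failed strdup and an empty name alike, and invalid_sandbox() in the util.c section of this page reports each of them as "cannot read /proc file" and exits, so a header comment listing the NULL cases would help callers. The comm value can be changed by the process it names, so that header comment should also say it is a hint and not proof of which binary is running. Both functions start and end outside the hunks.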
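--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -149,7 +149,7 @@ uid_t pid_get_uid(pid_t pid) {
 char buf[PIDS_BUFLEN];
 while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
 if (strncmp(buf, "Uid:", 4) == 0) {
-char *ptr = buf + 5;
+char *ptr = buf + 4;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }
@@ -398,7 +398,7 @@ void pid_read(pid_t mon_pid) {
 pids[pid].parent = parent;
 }
 else if (strncmp(buf, "Uid:", 4) == 0) {
-char *ptr = buf + 5;
+char *ptr = buf + 4;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }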
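Review bot: The same `Uid:` parsing is now patched identically in pid_get_uid (line 152) and pid_read (line 401), and the pid_get_uid copy in the util.c section of this page looks like a third; a small static helper that takes the line and returns the parsed uid would keep the offset fix in one place. The parse step itself is outside both hunks; if it is `atoi(ptr)` as in the util.c copy, a line without digits yields 0, which is also root's uid, so the helper should reject a non-digit at `*ptr` rather than return 0. In the skip loop the `*ptr != '\0'` test is redundant, since `while (*ptr == ' ' || *ptr == '\t')` stops at the terminator anyway. Both functions start and end outside the hunks.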
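--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -113,6 +113,8 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
+.br
+Example: "ignore net ehh0"
 
 .TP
 \fBquiet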
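--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -170,7 +170,7 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w
 .br
 Example:
 .br
-$ firejail --build=profile-file vlc ~/Videos/test.mp4
+$ firejail --build vlc ~/Videos/test.mp4
 .TP
 \fB\-\-build=profile-file
 The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
@@ -509,7 +509,8 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
-
+.br
+$ firejail \-\-ignore="net eth0" firefox
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.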
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 9cae72b54..214fcac44 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -105,7 +105,7 @@ The owner of the sandbox. | |||
105 | .SH LICENSE | 105 | .SH LICENSE |
106 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 106 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
107 | .PP | 107 | .PP |
108 | Homepage: http://firejail.wordpress.com | 108 | Homepage: https://firejail.wordpress.com |
109 | .SH SEE ALSO | 109 | .SH SEE ALSO |
110 | \&\flfirejail\fR\|(1), | 110 | \&\flfirejail\fR\|(1), |
111 | \&\flfirecfg\fR\|(1), | 111 | \&\flfirecfg\fR\|(1), |
@@ -1,3 +1,5 @@ | |||
1 | Aug 26 - merge mainline | ||
2 | |||
1 | Phase 2 | 3 | Phase 2 |
2 | - Aug 21 | 4 | - Aug 21 |
3 | - remove --output --libtrace --libtracelog | 5 | - remove --output --libtrace --libtracelog |