-rw-r--r--etc/0ad.profile1
-rw-r--r--etc/2048-qt.profile1
-rw-r--r--etc/Fritzing.profile1
-rw-r--r--etc/Thunar.profile1
-rw-r--r--etc/VirtualBox.profile1
-rw-r--r--etc/Xvfb.profile1
-rw-r--r--etc/akregator.profile1
-rw-r--r--etc/amarok.profile1
-rw-r--r--etc/amule.profile1
-rw-r--r--etc/apktool.profile1
-rw-r--r--etc/arch-audit.profile1
-rw-r--r--etc/arduino.profile1
-rw-r--r--etc/ark.profile1
-rw-r--r--etc/arm.profile1
-rw-r--r--etc/asunder.profile1
-rw-r--r--etc/atom.profile1
-rw-r--r--etc/atool.profile1
-rw-r--r--etc/atril.profile1
-rw-r--r--etc/audacious.profile1
-rw-r--r--etc/audacity.profile1
-rw-r--r--etc/aweather.profile1
-rw-r--r--etc/baobab.profile1
-rw-r--r--etc/bibletime.profile1
-rw-r--r--etc/bitcoin-qt.profile1
-rw-r--r--etc/bitlbee.profile1
-rw-r--r--etc/bleachbit.profile1
-rw-r--r--etc/blender.profile1
-rw-r--r--etc/bless.profile1
-rw-r--r--etc/bluefish.profile1
-rw-r--r--etc/brasero.profile1
-rw-r--r--etc/bsdtar.profile3
-rw-r--r--etc/caja.profile1
-rw-r--r--etc/calibre.profile1
-rw-r--r--etc/calligra.profile1
-rw-r--r--etc/catfish.profile1
-rw-r--r--etc/cherrytree.profile1
-rw-r--r--etc/chromium.profile1
-rw-r--r--etc/clamav.profile1
-rw-r--r--etc/clamtk.profile28
-rw-r--r--etc/claws-mail.profile6
-rw-r--r--etc/clementine.profile1
-rw-r--r--etc/clipit.profile1
-rw-r--r--etc/cmus.profile1
-rw-r--r--etc/conky.profile1
-rw-r--r--etc/corebird.profile1
-rw-r--r--etc/cpio.profile1
-rw-r--r--etc/curl.profile1
-rw-r--r--etc/darktable.profile1
-rw-r--r--etc/deadbeef.profile1
-rw-r--r--etc/deluge.profile1
-rw-r--r--etc/dia.profile1
-rw-r--r--etc/digikam.profile1
-rw-r--r--etc/dillo.profile1
-rw-r--r--etc/disable-common.inc1
-rw-r--r--etc/dnscrypt-proxy.profile1
-rw-r--r--etc/dnsmasq.profile1
-rw-r--r--etc/dolphin.profile1
-rw-r--r--etc/dosbox.profile1
-rw-r--r--etc/dragon.profile1
-rw-r--r--etc/electron.profile1
-rw-r--r--etc/electrum.profile1
-rw-r--r--etc/elinks.profile1
-rw-r--r--etc/emacs.profile1
-rw-r--r--etc/empathy.profile1
-rw-r--r--etc/enchant.profile1
-rw-r--r--etc/engrampa.profile1
-rw-r--r--etc/eog.profile1
-rw-r--r--etc/eom.profile1
-rw-r--r--etc/epiphany.profile1
-rw-r--r--etc/evince.profile1
-rw-r--r--etc/evolution.profile1
-rw-r--r--etc/falkon.profile1
-rw-r--r--etc/fbreader.profile1
-rw-r--r--etc/feh.profile1
-rw-r--r--etc/fetchmail.profile1
-rw-r--r--etc/ffmpeg.profile1
-rw-r--r--etc/file-roller.profile1
-rw-r--r--etc/file.profile1
-rw-r--r--etc/filezilla.profile1
-rw-r--r--etc/firefox-developer-edition.profile1
-rw-r--r--etc/firefox.profile1
-rw-r--r--etc/firejail-default8
-rw-r--r--etc/flameshot.profile1
-rw-r--r--etc/flowblade.profile1
-rw-r--r--etc/fontforge.profile1
-rw-r--r--etc/freecad.profile1
-rw-r--r--etc/frozen-bubble.profile1
-rw-r--r--etc/gajim.profile1
-rw-r--r--etc/galculator.profile1
-rw-r--r--etc/geany.profile1
-rw-r--r--etc/geary.profile1
-rw-r--r--etc/gedit.profile1
-rw-r--r--etc/geeqie.profile1
-rw-r--r--etc/gimp.profile1
-rw-r--r--etc/git.profile1
-rw-r--r--etc/gitg.profile1
-rw-r--r--etc/gjs.profile1
-rw-r--r--etc/gnome-2048.profile1
-rw-r--r--etc/gnome-builder.profile1
-rw-r--r--etc/gnome-calculator.profile1
-rw-r--r--etc/gnome-chess.profile1
-rw-r--r--etc/gnome-clocks.profile1
-rw-r--r--etc/gnome-contacts.profile1
-rw-r--r--etc/gnome-documents.profile1
-rw-r--r--etc/gnome-font-viewer.profile1
-rw-r--r--etc/gnome-logs.profile1
-rw-r--r--etc/gnome-maps.profile1
-rw-r--r--etc/gnome-mplayer.profile1
-rw-r--r--etc/gnome-mpv.profile1
-rw-r--r--etc/gnome-music.profile1
-rw-r--r--etc/gnome-photos.profile1
-rw-r--r--etc/gnome-recipes.profile1
-rw-r--r--etc/gnome-twitch.profile1
-rw-r--r--etc/gnome-weather.profile1
-rw-r--r--etc/goobox.profile1
-rw-r--r--etc/gpa.profile1
-rw-r--r--etc/gpg-agent.profile1
-rw-r--r--etc/gpg.profile1
-rw-r--r--etc/gpicview.profile1
-rw-r--r--etc/gpredict.profile1
-rw-r--r--etc/gthumb.profile1
-rw-r--r--etc/gucharmap.profile1
-rw-r--r--etc/gwenview.profile1
-rw-r--r--etc/gzip.profile1
-rw-r--r--etc/handbrake.profile1
-rw-r--r--etc/hashcat.profile1
-rw-r--r--etc/hedgewars.profile1
-rw-r--r--etc/hexchat.profile1
-rw-r--r--etc/highlight.profile1
-rw-r--r--etc/hugin.profile1
-rw-r--r--etc/imagej.profile1
-rw-r--r--etc/inkscape.profile1
-rw-r--r--etc/k3b.profile1
-rw-r--r--etc/kaffeine.profile1
-rw-r--r--etc/kate.profile1
-rw-r--r--etc/kcalc.profile1
-rw-r--r--etc/kdenlive.profile1
-rw-r--r--etc/keepass.profile1
-rw-r--r--etc/keepassx.profile1
-rw-r--r--etc/keepassx2.profile1
-rw-r--r--etc/keepassxc.profile4
-rw-r--r--etc/kget.profile1
-rw-r--r--etc/kino.profile1
-rw-r--r--etc/kmail.profile1
-rw-r--r--etc/knotes.profile1
-rw-r--r--etc/kodi.profile1
-rw-r--r--etc/konversation.profile1
-rw-r--r--etc/kopete.profile1
-rw-r--r--etc/krita.profile1
-rw-r--r--etc/krunner.profile1
-rw-r--r--etc/ktorrent.profile1
-rw-r--r--etc/kwrite.profile1
-rw-r--r--etc/leafpad.profile1
-rw-r--r--etc/less.profile1
-rw-r--r--etc/libreoffice.profile1
-rw-r--r--etc/liferea.profile1
-rw-r--r--etc/linphone.profile1
-rw-r--r--etc/lmms.profile1
-rw-r--r--etc/lollypop.profile1
-rw-r--r--etc/luminance-hdr.profile1
-rw-r--r--etc/lximage-qt.profile1
-rw-r--r--etc/lxmusic.profile1
-rw-r--r--etc/lynx.profile1
-rw-r--r--etc/mate-calc.profile1
-rw-r--r--etc/mcabber.profile1
-rw-r--r--etc/mediainfo.profile1
-rw-r--r--etc/mediathekview.profile1
-rw-r--r--etc/meld.profile1
-rw-r--r--etc/midori.profile1
-rw-r--r--etc/minetest.profile1
-rw-r--r--etc/mousepad.profile1
-rw-r--r--etc/mpd.profile1
-rw-r--r--etc/mplayer.profile1
-rw-r--r--etc/mpv.profile1
-rw-r--r--etc/mumble.profile1
-rw-r--r--etc/mupdf.profile1
-rw-r--r--etc/mupen64plus.profile1
-rw-r--r--etc/musescore.profile1
-rw-r--r--etc/mutt.profile1
-rw-r--r--etc/nautilus.profile1
-rw-r--r--etc/ncdu.profile1
-rw-r--r--etc/nemo.profile1
-rw-r--r--etc/netsurf.profile1
-rw-r--r--etc/neverball.profile1
-rw-r--r--etc/nheko.profile1
-rw-r--r--etc/obs.profile10
-rw-r--r--etc/odt2txt.profile1
-rw-r--r--etc/okular.profile1
-rw-r--r--etc/open-invaders.profile1
-rw-r--r--etc/openbox.profile1
-rw-r--r--etc/openshot.profile1
-rw-r--r--etc/opera.profile1
-rw-r--r--etc/orage.profile1
-rw-r--r--etc/p7zip.profile1
-rw-r--r--etc/parole.profile1
-rw-r--r--etc/patch.profile1
-rw-r--r--etc/pcmanfm.profile1
-rw-r--r--etc/pdfmod.profile1
-rw-r--r--etc/pdfsam.profile1
-rw-r--r--etc/picard.profile1
-rw-r--r--etc/pidgin.profile1
-rw-r--r--etc/pingus.profile1
-rw-r--r--etc/pinta.profile1
-rw-r--r--etc/pithos.profile1
-rw-r--r--etc/pitivi.profile1
-rw-r--r--etc/playonlinux.profile1
-rw-r--r--etc/pluma.profile1
-rw-r--r--etc/polari.profile1
-rw-r--r--etc/ppsspp.profile1
-rw-r--r--etc/psi-plus.profile1
-rw-r--r--etc/pybitmessage.profile49
-rw-r--r--etc/qbittorrent.profile1
-rw-r--r--etc/qlipper.profile1
-rw-r--r--etc/qmmp.profile1
-rw-r--r--etc/qpdfview.profile1
-rw-r--r--etc/qtox.profile1
-rw-r--r--etc/quassel.profile1
-rw-r--r--etc/quiterss.profile1
-rw-r--r--etc/qutebrowser.profile4
-rw-r--r--etc/ranger.profile1
-rw-r--r--etc/redeclipse.profile1
-rw-r--r--etc/remmina.profile1
-rw-r--r--etc/rhythmbox.profile1
-rw-r--r--etc/riot-desktop.profile1
-rw-r--r--etc/riot-web.profile1
-rw-r--r--etc/ristretto.profile1
-rw-r--r--etc/rtorrent.profile1
-rw-r--r--etc/scribus.profile1
-rw-r--r--etc/seamonkey.profile1
-rw-r--r--etc/shellcheck.profile1
-rw-r--r--etc/simple-scan.profile1
-rw-r--r--etc/simutrans.profile1
-rw-r--r--etc/skanlite.profile1
-rw-r--r--etc/slack.profile3
-rw-r--r--etc/smplayer.profile1
-rw-r--r--etc/smtube.profile1
-rw-r--r--etc/snap.profile1
-rw-r--r--etc/soundconverter.profile1
-rw-r--r--etc/spotify.profile1
-rw-r--r--etc/sqlitebrowser.profile1
-rw-r--r--etc/ssh.profile2
-rw-r--r--etc/start-tor-browser.profile4
-rw-r--r--etc/steam.profile13
-rw-r--r--etc/stellarium.profile1
-rw-r--r--etc/surf.profile1
-rw-r--r--etc/sylpheed.profile1
-rw-r--r--etc/synfigstudio.profile1
-rw-r--r--etc/tar.profile1
-rw-r--r--etc/teamspeak3.profile1
-rw-r--r--etc/telegram-desktop.profile1
-rw-r--r--etc/thunar.profile1
-rw-r--r--etc/thunderbird.profile6
-rw-r--r--etc/tor.profile1
-rw-r--r--etc/torbrowser-launcher.profile7
-rw-r--r--etc/totem.profile1
-rw-r--r--etc/tracker.profile1
-rw-r--r--etc/transmission-cli.profile1
-rw-r--r--etc/transmission-gtk.profile1
-rw-r--r--etc/transmission-qt.profile1
-rw-r--r--etc/tuxguitar.profile1
-rw-r--r--etc/unbound.profile1
-rw-r--r--etc/unknown-horizons.profile1
-rw-r--r--etc/unrar.profile1
-rw-r--r--etc/unzip.profile1
-rw-r--r--etc/uudeview.profile1
-rw-r--r--etc/viewnior.profile1
-rw-r--r--etc/viking.profile1
-rw-r--r--etc/vim.profile1
-rw-r--r--etc/vimpager.profile1
-rw-r--r--etc/virtualbox.profile1
-rw-r--r--etc/vlc.profile1
-rw-r--r--etc/vym.profile1
-rw-r--r--etc/w3m.profile1
-rw-r--r--etc/warzone2100.profile1
-rw-r--r--etc/weechat.profile1
-rw-r--r--etc/wesnoth.profile1
-rw-r--r--etc/wget.profile1
-rw-r--r--etc/wine.profile1
-rw-r--r--etc/wireshark-gtk.profile1
-rw-r--r--etc/wireshark-qt.profile1
-rw-r--r--etc/wireshark.profile2
-rw-r--r--etc/xchat.profile1
-rw-r--r--etc/xfburn.profile1
-rw-r--r--etc/xfce4-dict.profile1
-rw-r--r--etc/xfce4-notes.profile1
-rw-r--r--etc/xiphos.profile1
-rw-r--r--etc/xonotic.profile1
-rw-r--r--etc/xpdf.profile1
-rw-r--r--etc/xpra.profile1
-rw-r--r--etc/xreader.profile1
-rw-r--r--etc/xxd.profile1
-rw-r--r--etc/xz.profile1
-rw-r--r--etc/xzdec.profile1
-rw-r--r--etc/youtube-dl.profile1
-rw-r--r--etc/zaproxy.profile1
-rw-r--r--etc/zart.profile1
-rw-r--r--etc/zathura.profile1
-rwxr-xr-xplatform/snap/snap.sh20
-rw-r--r--platform/snap/snapcraft.yaml20
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firecfg/main.c181
-rw-r--r--src/firejail/arg-checking.txt84
-rw-r--r--src/firejail/bandwidth.c7
-rw-r--r--src/firejail/caps.c19
-rw-r--r--src/firejail/cpu.c19
-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/fs.c47
-rw-r--r--src/firejail/fs_etc.c8
-rw-r--r--src/firejail/fs_home.c81
-rw-r--r--src/firejail/fs_logger.c17
-rw-r--r--src/firejail/fs_mkdir.c2
-rw-r--r--src/firejail/fs_var.c19
-rw-r--r--src/firejail/fs_whitelist.c15
-rw-r--r--src/firejail/join.c58
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/netfilter.c7
-rw-r--r--src/firejail/network.txt95
-rw-r--r--src/firejail/network_main.c27
-rw-r--r--src/firejail/no_sandbox.c2
-rw-r--r--src/firejail/profile.c2
-rw-r--r--src/firejail/protocol.c19
-rw-r--r--src/firejail/pulseaudio.c4
-rw-r--r--src/firejail/sandbox.c40
-rw-r--r--src/firejail/seccomp.c19
-rw-r--r--src/firejail/usage.c3
-rw-r--r--src/firejail/util.c125
-rw-r--r--src/lib/common.c6
-rw-r--r--src/lib/pid.c4
-rw-r--r--src/man/firejail-profile.txt2
-rw-r--r--src/man/firejail.txt5
-rw-r--r--src/man/firemon.txt2
-rw-r--r--status2
332 files changed, 896 insertions, 508 deletions
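--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 0ad
+# Description: Real-time strategy game of ancient warfare
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/0ad.local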
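--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 2048-qt
+# Description: Mathematics based puzzle game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/2048-qt.local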
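--- a/etc/Fritzing.profile
+++ b/etc/Fritzing.profile
@@ -1,4 +1,5 @@
 # Firejail profile for fritzing
+# Description: Easy-to-use electronic design software
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Fritzing.local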
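--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for Thunar
+# Description: File Manager for Xfce
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Thunar.local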
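--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for virtualbox
+# Description: x86 virtualization solution
 # This file is overwritten after every install/update
 
 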
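--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,4 +1,5 @@
 # Firejail profile for Xvfb
+# Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/Xvfb.local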
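--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -1,4 +1,5 @@
 # Firejail profile for akregator
+# Description: RSS/Atom feed aggregator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/akregator.local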
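--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,4 +1,5 @@
 # Firejail profile for amarok
+# Description: Easy to use media player based on the KDE Platform
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/amarok.local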
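--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -1,4 +1,5 @@
 # Firejail profile for amule
+# Description: Client for the eD2k and Kad networks, like eMule
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/amule.local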
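--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -1,4 +1,5 @@
 # Firejail profile for apktool
+# Description: Tool for reverse engineering Android apk files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations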
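--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arch-audit
+# Description: A utility like pkg-audit based on Arch CVE Monitoring Team data
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations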
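--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arduino
+# Description: AVR development board IDE and built-in libraries
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/arduino.local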
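--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ark
+# Description: Archive utility
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ark.local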
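--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -1,4 +1,5 @@
 # Firejail profile for arm
+# Description: Terminal status monitor for Tor relays
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/arm.local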
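--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -1,4 +1,5 @@
 # Firejail profile for asounder
+# Description: Graphical audio CD ripper and encoder
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/asunder.local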
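--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atom.local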
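--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atool
+# Description: Tool for managing file archives of various types
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atool.local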
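--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,4 +1,5 @@
 # Firejail profile for atril
+# Description: MATE document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/atril.local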
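--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,4 +1,5 @@
 # Firejail profile for audacious
+# Description: Small and fast audio player which supports lots of formats
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/audacious.local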
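--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,4 +1,5 @@
 # Firejail profile for audacity
+# Description: Fast, cross-platform audio editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/audacity.local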
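--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,4 +1,5 @@
 # Firejail profile for aweather
+# Description: Advanced Weather Monitoring Program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/aweather.local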
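--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -1,4 +1,5 @@
 # Firejail profile for baobab
+# Description: GNOME disk usage analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/baobab.local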
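--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bibletime
+# Description: Bible study tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bibletime.local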
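--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bitcoin-qt
+# Description: Bitcoin is a peer-to-peer network based digital currency
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bitcoin-qt.local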
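--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bitlbee
+# Description: IRC to other chat networks gateway
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bitlbee.local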
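--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bleachbit
+# Description: Delete unnecessary files from the system
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bleachbit.local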
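--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -1,4 +1,5 @@
 # Firejail profile for blender
+# Description: Very fast and versatile 3D modeller/renderer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/blender.local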
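--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bless
+# Description: A full featured hexadecimal editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bless.local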
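--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -1,4 +1,5 @@
 # Firejail profile for bluefish
+# Description: Advanced Gtk+ text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/bluefish.local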
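--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,4 +1,5 @@
 # Firejail profile for brasero
+# Description: CD/DVD burning application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/brasero.local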
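--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -37,6 +37,3 @@ tracelog
 private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
-
-
-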
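--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -1,4 +1,5 @@
 # Firejail profile for caja
+# Description: File manager for the MATE desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/caja.local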
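--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -1,4 +1,5 @@
 # Firejail profile for calibre
+# Description: Powerful and easy to use e-book manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/calibre.local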
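--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -1,4 +1,5 @@
 # Firejail profile for calligra
+# Description: Extensive productivity and creative suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/calligra.local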
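--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -1,4 +1,5 @@
 # Firejail profile for catfish
+# Description: File searching tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/catfish.local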
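--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,4 +1,5 @@
 # Firejail profile for cherrytree
+# Description: Hierarchical note taking application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/cherrytree.local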
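--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,4 +1,5 @@
 # Firejail profile for chromium
+# Description: A web browser built for speed, simplicity, and security
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/chromium.local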
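--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clamav
+# Description: Anti-virus utility for Unix
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations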
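--- /dev/null
+++ b/etc/clamtk.profile
@@ -0,0 +1,28 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clamtk.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp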
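Review bot: The new clamtk profile contains no blacklist includes and no read-only directives in its 28 lines, so the sandboxed scanner keeps the user's normal access to every file under the home directory. That is presumably deliberate for a scanner that must read and quarantine arbitrary files, but the profile should say so, for example `# No disable-*.inc includes: the scanner must be able to read every file it is asked to check`. With `net none` and `protocol unix`, anything in the GUI that needs the network (such as a signature update, if clamtk offers one) would presumably fail inside the sandbox; a one-line comment next to `net none` would spare users the confusion. The file also lacks the `# Description:` line that this commit adds to the other profiles shown here.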
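--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,4 +1,5 @@
 # Firejail profile for claws-mail
+# Description: Fast, lightweight and user-friendly GTK+2 based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/claws-mail.local
@@ -30,3 +31,8 @@ shell none
 
 private-dev
 private-tmp
+
+# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
+# noblacklist /var/mail
+# noblacklist /var/spool/mail
+# writable-var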
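Review bot: The hint added in the second hunk recommends `writable-var` without saying how broad it is: as far as I know that option makes the whole of /var writable inside the sandbox, not only the mail spool. A caveat in the comment would help, for example `# writable-var  (makes all of /var writable in the sandbox; add only if the client must modify the spool)`. The two `noblacklist` lines may already be enough for read-only access to local mail, which is worth confirming before suggesting all three together.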
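--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clementine
+# Description: Modern music player and library organizer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/clementine.local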
diff --git a/etc/clipit.profile b/etc/clipit.profile
index 866108aee..fd6fbd61b 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -1,4 +1,5 @@
1# Firejail profile for clipit 1# Firejail profile for clipit
2# Description: Lightweight GTK+ clipboard manager
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/clipit.local 5include /etc/firejail/clipit.local
diff --git a/etc/cmus.profile b/etc/cmus.profile
index a9f76ec80..5744d462b 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,4 +1,5 @@
1# Firejail profile for cmus 1# Firejail profile for cmus
2# Description: Lightweight ncurses audio player
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/cmus.local 5include /etc/firejail/cmus.local
diff --git a/etc/conky.profile b/etc/conky.profile
index 4d2bcfa38..f6d07d6de 100644
--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -1,4 +1,5 @@
1# Firejail profile for conky 1# Firejail profile for conky
2# Description: Highly configurable system monitor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/conky.local 5include /etc/firejail/conky.local
diff --git a/etc/corebird.profile b/etc/corebird.profile
index da1869f65..c7f8a8874 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,4 +1,5 @@
1# Firejail profile for corebird 1# Firejail profile for corebird
2# Description: Native Gtk+ Twitter client for the Linux desktop
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/corebird.local 5include /etc/firejail/corebird.local
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 445e1cec7..3c7d0748c 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,4 +1,5 @@
1# Firejail profile for cpio 1# Firejail profile for cpio
2# Description: A program to manage archives of files
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/curl.profile b/etc/curl.profile
index d1a682e60..e77b8bf4f 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -1,4 +1,5 @@
1# Firejail profile for curl 1# Firejail profile for curl
2# Description: Command line tool for transferring data with URL syntax
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/darktable.profile b/etc/darktable.profile
index 607a587a1..74144e68e 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -1,4 +1,5 @@
1# Firejail profile for darktable 1# Firejail profile for darktable
2# Description: Virtual lighttable and darkroom for photographers
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/darktable.local 5include /etc/firejail/darktable.local
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 8eb5776e7..8f5961647 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,4 +1,5 @@
1# Firejail profile for deadbeef 1# Firejail profile for deadbeef
2# Description: A GTK+ audio player for GNU/Linux
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/deadbeef.local 5include /etc/firejail/deadbeef.local
diff --git a/etc/deluge.profile b/etc/deluge.profile
index da7e0dcdc..27ca036ca 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,5 @@
1# Firejail profile for deluge 1# Firejail profile for deluge
2# Description: BitTorrent client written in Python/PyGTK
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/deluge.local 5include /etc/firejail/deluge.local
diff --git a/etc/dia.profile b/etc/dia.profile
index fed5107aa..fdc40980f 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dia 1# Firejail profile for dia
2# Description: Diagram editor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dia.local 5include /etc/firejail/dia.local
diff --git a/etc/digikam.profile b/etc/digikam.profile
index b3b0de1bc..470f60779 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -1,4 +1,5 @@
1# Firejail profile for digikam 1# Firejail profile for digikam
2# Description: Digital photo management application for KDE
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/digikam.local 5include /etc/firejail/digikam.local
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 05413fe56..8c3da1b3e 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dillo 1# Firejail profile for dillo
2# Description: Small and fast web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dillo.local 5include /etc/firejail/dillo.local
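diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f0f48d456..0c295ae6d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -209,6 +209,7 @@ read-only ${HOME}/.forward
 read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.login
 read-only ${HOME}/.logout
+read-only ${HOME}/.oh-my-zsh
 read-only ${HOME}/.pam_environment
 read-only ${HOME}/.pgpkey
 read-only ${HOME}/.plan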
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index f8f593c83..ce73d7e72 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dnscrypt-proxy 1# Firejail profile for dnscrypt-proxy
2# Description: Tool for securing communications between a client and a DNS resolver
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dnscrypt-proxy.local 5include /etc/firejail/dnscrypt-proxy.local
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 6d3bb920d..d68806945 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dnsmasq 1# Firejail profile for dnsmasq
2# Description: Small caching DNS proxy and DHCP/TFTP server
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dnsmasq.local 5include /etc/firejail/dnsmasq.local
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index f9fa977a9..819998edf 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dolphin 1# Firejail profile for dolphin
2# Description: File manager
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dolphin.local 5include /etc/firejail/dolphin.local
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index efc0b2d35..319daf407 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dosbox 1# Firejail profile for dosbox
2# Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dosbox.local 5include /etc/firejail/dosbox.local
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 9d7bb5748..9f41bf87a 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -1,4 +1,5 @@
1# Firejail profile for dragon 1# Firejail profile for dragon
2# Description: A multimedia player where the focus is on simplicity, instead of features
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/dragon.local 5include /etc/firejail/dragon.local
diff --git a/etc/electron.profile b/etc/electron.profile
index 52d45b3f8..ccfde78bb 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -1,4 +1,5 @@
1# Firejail profile for electron 1# Firejail profile for electron
2# Description: Build cross platform desktop apps with web technologies
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/electron.local 5include /etc/firejail/electron.local
diff --git a/etc/electrum.profile b/etc/electrum.profile
index d611f3e61..b3e1ab36f 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -1,4 +1,5 @@
1# Firejail profile for electrum 1# Firejail profile for electrum
2# Description: Lightweight Bitcoin wallet
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/electrum.local 5include /etc/firejail/electrum.local
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 1da0360c7..bafc19e1a 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -1,4 +1,5 @@
1# Firejail profile for elinks 1# Firejail profile for elinks
2# Description: Advanced text-mode WWW browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/elinks.local 5include /etc/firejail/elinks.local
diff --git a/etc/emacs.profile b/etc/emacs.profile
index 8700bc8e6..90b25bfcf 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,4 +1,5 @@
1# Firejail profile for emacs 1# Firejail profile for emacs
2# Description: GNU Emacs editor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/emacs.local 5include /etc/firejail/emacs.local
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 9d70afcb8..007b51c35 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,4 +1,5 @@
1# Firejail profile for empathy 1# Firejail profile for empathy
2# Description: GNOME multi-protocol chat and call client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/empathy.local 5include /etc/firejail/empathy.local
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 5a4050102..cf7d76b4c 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -1,4 +1,5 @@
1# Firejail profile for enchant 1# Firejail profile for enchant
2# Description: Wrapper for various spell checker engines
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/enchant.local 5include /etc/firejail/enchant.local
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 70ec7615e..eaf246d3c 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -1,4 +1,5 @@
1# Firejail profile for engrampa 1# Firejail profile for engrampa
2# Description: Archive manager for MATE
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/engrampa.local 5include /etc/firejail/engrampa.local
diff --git a/etc/eog.profile b/etc/eog.profile
index 5b9ed9bd6..017fe5c75 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,4 +1,5 @@
1# Firejail profile for eog 1# Firejail profile for eog
2# Description: Eye of GNOME graphics viewer program
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/eog.local 5include /etc/firejail/eog.local
diff --git a/etc/eom.profile b/etc/eom.profile
index 86ce01d1b..a0ce712c8 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -1,4 +1,5 @@
1# Firejail profile for eom 1# Firejail profile for eom
2# Description: Eye of MATE graphics viewer program
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/eom.local 5include /etc/firejail/eom.local
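diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index e579fb4f6..b04cf72b4 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,4 +1,5 @@
 # Firejail profile for epiphany
+# Description: Clone of Boulder Dash game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/epiphany.local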
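Review bot: The description added on line 2, `Clone of Boulder Dash game`, looks like it belongs to a different program of the same name: Debian ships a game package called epiphany, while the GNOME web browser is packaged as epiphany-browser. The body of the profile is outside this hunk, so confirm which program it confines. If it is the browser, the line should read something like `# Description: GNOME web browser`, since a wrong description misleads anyone auditing what the sandbox is meant to contain.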
diff --git a/etc/evince.profile b/etc/evince.profile
index d4074d0aa..94f706440 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,4 +1,5 @@
1# Firejail profile for evince 1# Firejail profile for evince
2# Description: Document (PostScript, PDF) viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/evince.local 5include /etc/firejail/evince.local
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 0584b2744..f691b3c3d 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,4 +1,5 @@
1# Firejail profile for evolution 1# Firejail profile for evolution
2# Description: Groupware suite with mail client and organizer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/evolution.local 5include /etc/firejail/evolution.local
diff --git a/etc/falkon.profile b/etc/falkon.profile
index 2f6168e99..41e1386dd 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -1,4 +1,5 @@
1# Firejail profile for falkon 1# Firejail profile for falkon
2# Description: Lightweight web browser based on Qt WebEngine
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/falkon.local 5include /etc/firejail/falkon.local
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index a5ddd3bf1..c5afde9ec 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,4 +1,5 @@
1# Firejail profile for fbreader 1# Firejail profile for fbreader
2# Description: E-book reader
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/fbreader.local 5include /etc/firejail/fbreader.local
diff --git a/etc/feh.profile b/etc/feh.profile
index c79e98d1c..197581ae7 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -1,4 +1,5 @@
1# Firejail profile for feh 1# Firejail profile for feh
2# Description: imlib2 based image viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/feh.local 5include /etc/firejail/feh.local
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 12175295f..d9b347d70 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -1,4 +1,5 @@
1# Firejail profile for fetchmail 1# Firejail profile for fetchmail
2# Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/fetchmail.local 5include /etc/firejail/fetchmail.local
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 4e55039cf..09574ffb7 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,5 @@
1# Firejail profile for ffmpeg 1# Firejail profile for ffmpeg
2# Description: Tools for transcoding, streaming and playing of multimedia files
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 69b9c18da..11883f03e 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -1,4 +1,5 @@
1# Firejail profile for file-roller 1# Firejail profile for file-roller
2# Description: Archive manager for GNOME
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/file-roller.local 5include /etc/firejail/file-roller.local
diff --git a/etc/file.profile b/etc/file.profile
index 2bdbaaaa8..5d1227520 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,4 +1,5 @@
1# Firejail profile for file 1# Firejail profile for file
2# Description: Recognize the type of data in a file using "magic" numbers
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 1bc78e5ef..7a5ad4301 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,4 +1,5 @@
1# Firejail profile for filezilla 1# Firejail profile for filezilla
2# Description: Full-featured graphical FTP/FTPS/SFTP client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/filezilla.local 5include /etc/firejail/filezilla.local
diff --git a/etc/firefox-developer-edition.profile b/etc/firefox-developer-edition.profile
index 696f95b56..7458d9e10 100644
--- a/etc/firefox-developer-edition.profile
+++ b/etc/firefox-developer-edition.profile
@@ -1,4 +1,5 @@
1# Firejail profile for firefox-developer-edition 1# Firejail profile for firefox-developer-edition
2# Description: Developer Edition of the popular Firefox web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/firefox-developer-edition.local 5include /etc/firejail/firefox-developer-edition.local
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 0ab6a6141..c968e964e 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,4 +1,5 @@
1# Firejail profile for firefox 1# Firejail profile for firefox
2# Description: Safe and easy web browser from Mozilla
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/firefox.local 5include /etc/firejail/firefox.local
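diff --git a/etc/firejail-default b/etc/firejail-default
index 28103a598..09dc896e6 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -98,9 +98,8 @@ deny /**/.snapshots/ rwx,
 /usr/sbin/** ix,
 /usr/local/** ix,
 /usr/lib/** ix,
+/usr/lib64/** ix,
 /usr/games/** ix,
-/opt/ r,
-/opt/** r,
 /opt/** ix,
 #/home/** ix,
 /run/firejail/mnt/oroot/lib/** ix,
@@ -111,9 +110,8 @@ deny /**/.snapshots/ rwx,
 /run/firejail/mnt/oroot/usr/sbin/** ix,
 /run/firejail/mnt/oroot/usr/local/** ix,
 /run/firejail/mnt/oroot/usr/lib/** ix,
+/run/firejail/mnt/oroot/usr/lib64/** ix,
 /run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/ r,
-/run/firejail/mnt/oroot/opt/** r,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
@@ -129,6 +127,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
+# needed for wireshark
+network packet,
 
 ##########
 # There is no equivalent in Firejail for filtering signals.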
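Review bot: `network packet,` at new line 131 goes into the shared firejail-default AppArmor profile, although the comment above it names only wireshark as the consumer. With this rule the AppArmor layer no longer denies AF_PACKET sockets to any program confined by the profile, so that restriction rests on the `caps.drop` and `protocol` lines of the individual Firejail profiles alone. Extend the comment to record this, e.g. `# needed for wireshark; packet sockets stay limited by caps.drop/protocol in each profile`. The first two hunks also drop `/opt/ r,` and `/opt/** r,`; presumably a broader read rule outside these hunks still covers /opt, which is worth confirming.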
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 8dbd74cc1..e4987280a 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -1,4 +1,5 @@
1# Firejail profile for flameshot 1# Firejail profile for flameshot
2# Description: Powerful yet simple-to-use screenshot software
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/flameshot.local 5include /etc/firejail/flameshot.local
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 9d399931d..bc95a2b51 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -1,4 +1,5 @@
1# Firejail profile for flowblade 1# Firejail profile for flowblade
2# Description: Non-linear video editor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/flowblade.local 5include /etc/firejail/flowblade.local
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index e4e763099..2ae80964d 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -1,4 +1,5 @@
1# Firejail profile for fontforge 1# Firejail profile for fontforge
2# Description: Font editor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/fontforge.local 5include /etc/firejail/fontforge.local
diff --git a/etc/freecad.profile b/etc/freecad.profile
index 8c714f37d..934f1d0fb 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -1,4 +1,5 @@
1# Firejail profile for freecad 1# Firejail profile for freecad
2# Description: Extensible Open Source CAx program
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/freecad.local 5include /etc/firejail/freecad.local
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 63b4d3330..279e5d403 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -1,4 +1,5 @@
1# Firejail profile for frozen-bubble 1# Firejail profile for frozen-bubble
2# Description: Cool game where you pop out the bubbles
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/frozen-bubble.local 5include /etc/firejail/frozen-bubble.local
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 80efb08c5..90ba59954 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gajim 1# Firejail profile for gajim
2# Description: GTK+-based Jabber client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gajim.local 5include /etc/firejail/gajim.local
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 1a5112ef5..699fb7d78 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -1,4 +1,5 @@
1# Firejail profile for galculator 1# Firejail profile for galculator
2# Description: Scientific calculator
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/galculator.local 5include /etc/firejail/galculator.local
diff --git a/etc/geany.profile b/etc/geany.profile
index 9db533e8c..d69bca1ad 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -1,4 +1,5 @@
1# Firejail profile for geany 1# Firejail profile for geany
2# Description: Fast and lightweight IDE
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/geany.local 5include /etc/firejail/geany.local
diff --git a/etc/geary.profile b/etc/geary.profile
index 872d21fdd..735206da2 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -1,4 +1,5 @@
1# Firejail profile for geary 1# Firejail profile for geary
2# Description: Lightweight email client designed for the GNOME desktop
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/geary.local 5include /etc/firejail/geary.local
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 67ea43ca3..1a4d9634a 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gedit 1# Firejail profile for gedit
2# Description: Official text editor of the GNOME desktop environment
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gedit.local 5include /etc/firejail/gedit.local
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index 7512cbcd9..3fbe245d6 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -1,4 +1,5 @@
1# Firejail profile for geeqie 1# Firejail profile for geeqie
2# Description: Image viewer using GTK+
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/geeqie.local 5include /etc/firejail/geeqie.local
diff --git a/etc/gimp.profile b/etc/gimp.profile
index b8a297e84..fa27d2cea 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gimp 1# Firejail profile for gimp
2# Description: GNU Image Manipulation Program
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gimp.local 5include /etc/firejail/gimp.local
diff --git a/etc/git.profile b/etc/git.profile
index 1bf9e8e4b..9c8d22fd3 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,4 +1,5 @@
1# Firejail profile for git 1# Firejail profile for git
2# Description: Fast, scalable, distributed revision control system
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/gitg.profile b/etc/gitg.profile
index deee7c994..5a7349eb1 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gitg 1# Firejail profile for gitg
2# Description: Git repository viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gitg.local 5include /etc/firejail/gitg.local
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 6110cb71e..a603ad695 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gjs 1# Firejail profile for gjs
2# Description: Mozilla-based javascript bindings for the GNOME platform
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gjs.local 5include /etc/firejail/gjs.local
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index 5ecb279e5..62b67b942 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gnome-2048 1# Firejail profile for gnome-2048
2# Description: Sliding tile puzzle game
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gnome-2048.local 5include /etc/firejail/gnome-2048.local
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index 4ddfc456a..3b7e3d53a 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -1,4 +1,5 @@
1# Firejail profile for gnome-builder 1# Firejail profile for gnome-builder
2# Description: IDE for GNOME
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/gnome-builder.local 5include /etc/firejail/gnome-builder.local
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6ace0b3ec..315564ee5 100644
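--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-calculator
+# Description: GNOME desktop calculator
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations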
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 8422e1836..74194cb33 100644
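--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-chess
+# Description: Simple chess game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-chess.local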
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index b0a6cf80e..a914c302f 100644
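--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-clocks
+# Description: Simple GNOME app with stopwatch, timer, and world clock support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-clocks.local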
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 0e6f70e04..91593c89b 100644
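--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-contacts
+# Description: Contacts manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-contacts.local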
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index a7ebb48c8..44886d562 100644
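--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-documents
+# Description: Document manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-documents.local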
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 71cd06643..e11d6eb5d 100644
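--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-font-viewer
+# Description: Font viewer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-font-viewer.local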
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index f08142113..edb895794 100644
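--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-logs
+# Description: Viewer for the systemd journal
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-logs.local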
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index b747743fc..f8ff61d84 100644
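--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-maps
+# Description: Map application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-maps.local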
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index e85b9dc06..9ba4969e5 100644
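--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-mplayer
+# Description: GTK/Gnome interface around MPlayer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-mplayer.local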
diff --git a/etc/gnome-mpv.profile b/etc/gnome-mpv.profile
index f11ceacca..84a70c4c5 100644
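--- a/etc/gnome-mpv.profile
+++ b/etc/gnome-mpv.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-mpv
+# Description: Simple GTK+ frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-mpv.local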
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 15710b363..eaec627c6 100644
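--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-music
+# Description: GNOME music player
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-music.local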
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 132f3b6bd..5a3ac53d8 100644
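--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-photos
+# Description: Access, organize and share your photos with GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-photos.local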
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index f1e062fd5..ed6d341eb 100644
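--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-recipes
+# Description: Recipe application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-recipes.local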
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile
index c7fc04be3..e670ba22f 100644
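--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-twitch
+# Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-twitch.local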
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index f2c6acac5..4d28278b1 100644
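--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gnome-weather
+# Description: Access current conditions and forecasts
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gnome-weather.local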
diff --git a/etc/goobox.profile b/etc/goobox.profile
index ca92b1540..ba949f1c9 100644
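--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for goobox
+# Description: CD player and ripper with GNOME 3 integration
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/goobox.local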
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 17791bb82..c890beb2e 100644
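--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpa
+# Description: GNU Privacy Assistant (GPA)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpa.local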
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 85020fc2e..0cc17b366 100644
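--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpg-agent
+# Description: GNU privacy guard - cryptographic agent
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpg-agent.local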
diff --git a/etc/gpg.profile b/etc/gpg.profile
index ab43152d8..259a95807 100644
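--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpg
+# Description: GNU Privacy Guard -- minimalist public key operations
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpg.local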
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 9644ac59d..04aecc782 100644
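--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpicview
+# Description: Lightweight image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpicview.local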
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 58f79ac14..ea60e7287 100644
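--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gpredict
+# Description: Satellite tracking program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gpredict.local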
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 77ce42b36..6c4de8bf0 100644
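--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gthumb
+# Description: Image viewer and browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gthumb.local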
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index db2e69f8a..88e441b14 100644
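--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gucharmap
+# Description: Unicode character picker and font browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gucharmap.local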
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index bad91f43e..cf9b27e0f 100644
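--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gwenview
+# Description: Image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/gwenview.local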
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 33892e5c9..9157d398a 100644
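--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,4 +1,5 @@
 # Firejail profile for gzip
+# Description: GNU compression utilities
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations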
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index e467eaeb5..32da097ce 100644
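--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -1,4 +1,5 @@
 # Firejail profile for handbrake
+# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/handbrake.local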
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index 712a09697..8bc861dde 100644
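--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hashcat
+# Description: World's fastest and most advanced password recovery utility
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations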
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index d6b686be7..542771639 100644
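--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hedgewars
+# Description: Funny turn-based artillery game, featuring fighting hedgehogs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hedgewars.local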
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 9b2eafcea..a2c163e6a 100644
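--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hexchat
+# Description: IRC client for X based on X-Chat 2
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hexchat.local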
diff --git a/etc/highlight.profile b/etc/highlight.profile
index cd48df10c..d313f2769 100644
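--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -1,4 +1,5 @@
 # Firejail profile for highlight
+# Description: Universal source code to formatted text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/highlight.local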
diff --git a/etc/hugin.profile b/etc/hugin.profile
index cacdaa794..35505c698 100644
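--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -1,4 +1,5 @@
 # Firejail profile for hugin
+# Description: Panorama photo stitcher
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/hugin.local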
diff --git a/etc/imagej.profile b/etc/imagej.profile
index bfd3444f0..4de064390 100644
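--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -1,4 +1,5 @@
 # Firejail profile for imagej
+# Description: Image processing program with a focus on microscopy images
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/imagej.local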
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index e709d488d..56fdfd081 100644
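--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -1,4 +1,5 @@
 # Firejail profile for inkscape
+# Description: Vector-based drawing program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/inkscape.local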
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 8474c490d..6b4c15560 100644
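--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -1,4 +1,5 @@
 # Firejail profile for k3b
+# Description: Sophisticated CD/DVD burning application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/k3b.local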
diff --git a/etc/kaffeine.profile b/etc/kaffeine.profile
index 0d63069fe..204c20501 100644
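--- a/etc/kaffeine.profile
+++ b/etc/kaffeine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kaffeine
+# Description: Versatile media player for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kaffeine.local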
diff --git a/etc/kate.profile b/etc/kate.profile
index 240bdb62a..8a53a56a8 100644
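--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kate
+# Description: Powerful text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kate.local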
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 5afea9c1c..20ad8f23a 100644
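--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kcalc
+# Description: Simple and scientific calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kcalc.local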
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 0fa9da497..4aca10995 100644
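--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kdenlive
+# Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kdenlive.local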
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 7b0935030..e27248357 100644
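--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepass
+# Description: An easy-to-use password manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepass.local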
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index e749a1dfc..94aaa5597 100644
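--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassx
+# Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepassx.local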
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index ba98df19d..4e74c2cea 100644
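--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassx2
+# Description: Cross platform password manager
 # This file is overwritten after every install/update
 
 # Redirects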
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index b7bcc7b87..a00d17878 100644
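--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/keepassxc.local
@@ -47,3 +48,6 @@ private-tmp
 #memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc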
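Review bot: The comment on new line 52 names the symptom but not why `join-or-start keepassxc` addresses it, and the directive changes how later launches are confined. With `private-tmp` each sandbox presumably gets its own /tmp, so a second launch cannot see the first instance's lock; `join-or-start` instead places later launches inside the sandbox that is already running. A joined launch therefore runs under whatever restrictions that first sandbox was started with, so edits to keepassxc.local likely take effect only once it has exited, which is worth stating for a password manager. I would word the comment as `# private-tmp hides keepassxc's single-instance lock in /tmp; join the running sandbox instead of starting a second one`. The profile lines between the two hunks are not visible here, so this is inferred from the hunk header and the comment alone.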
diff --git a/etc/kget.profile b/etc/kget.profile
index c45d8daba..a32b51626 100644
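--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kget
+# Description: Download manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kget.local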
diff --git a/etc/kino.profile b/etc/kino.profile
index 5144ce448..cda86ddc6 100644
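--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kino
+# Description: Non-linear editor for Digital Video data
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kino.local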
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 202faeb16..308a981f7 100644
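--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kmail
+# Description: Full featured graphical email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kmail.local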
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 4bbbd332d..147d2d831 100644
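--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for knotes
+# Description: Sticky notes application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/knotes.local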
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 9726304cc..9dd7770ad 100644
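--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kodi
+# Description: Open Source Home Theatre
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kodi.local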
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 0acad236a..b66f40600 100644
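--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,4 +1,5 @@
 # Firejail profile for konversation
+# Description: User friendly Internet Relay Chat (IRC) client for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/konversation.local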
diff --git a/etc/kopete.profile b/etc/kopete.profile
index 0954b7dff..d7829113d 100644
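--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kopete
+# Description: Instant messaging and chat application
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kopete.local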
diff --git a/etc/krita.profile b/etc/krita.profile
index 723a8623a..5a1f3d031 100644
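--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -1,4 +1,5 @@
 # Firejail profile for krita
+# Description: Pixel-based image manipulation program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/krita.local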
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 288327f9c..6b84e2c7c 100644
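--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -1,4 +1,5 @@
 # Firejail profile for krunner
+# Description: Framework for providing different actions given a string query
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/krunner.local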
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index cb5aadbbf..14ee3322c 100644
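--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ktorrent
+# Description: BitTorrent client based on the KDE platform
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ktorrent.local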
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 3297be3b6..f080b3ffc 100644
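--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -1,4 +1,5 @@
 # Firejail profile for kwrite
+# Description: Simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/kwrite.local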
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 0374d2e4a..d3335893f 100644
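--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -1,4 +1,5 @@
 # Firejail profile for leafpad
+# Description: GTK+ based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/leafpad.local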
diff --git a/etc/less.profile b/etc/less.profile
index 2b5449a7b..a08d2c547 100644
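--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,4 +1,5 @@
 # Firejail profile for less
+# Description: Pager program similar to more
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations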
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 4aafd7c7a..905dd22b9 100644
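--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -1,4 +1,5 @@
 # Firejail profile for libreoffice
+# Description: Office productivity suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/libreoffice.local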
diff --git a/etc/liferea.profile b/etc/liferea.profile
index 4b7905cb7..673182c10 100644
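--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -1,4 +1,5 @@
 # Firejail profile for liferea
+# Description: Feed/news/podcast client with plugin support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/liferea.local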
diff --git a/etc/linphone.profile b/etc/linphone.profile
index 9e54db3ca..b469b9711 100644
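--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -1,4 +1,5 @@
 # Firejail profile for linphone
+# Description: SIP softphone - graphical client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/linphone.local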
diff --git a/etc/lmms.profile b/etc/lmms.profile
index 3a312a2cf..d3ef1b40e 100644
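--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lmms
+# Description: Linux Multimedia Studio
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lmms.local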
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index ed893f53e..0f8f49488 100644
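--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -1,4 +1,5 @@
 # Firejail profile for lollypop
+# Description: Music player for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/lollypop.local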
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 05a1c2bb5..a4ccefb6d 100644
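--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for luminance-hdr
+# Description: Graphical user interface providing a workflow for HDR imaging
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/luminance-hdr.local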
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index e50455532..4b3c457f6 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -1,4 +1,5 @@
1# Firejail profile for lximage-qt 1# Firejail profile for lximage-qt
2# Description: Image viewer for LXQt
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/lximage-qt.local 5include /etc/firejail/lximage-qt.local
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
index 44aa0537b..7c3334075 100644
--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -1,4 +1,5 @@
1# Firejail profile for lxmusic 1# Firejail profile for lxmusic
2# Description: LXDE music player
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/lxmusic.local 5include /etc/firejail/lxmusic.local
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 3c70800be..f5ec44fda 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -1,4 +1,5 @@
1# Firejail profile for lynx 1# Firejail profile for lynx
2# Description: Classic non-graphical (text-mode) web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/lynx.local 5include /etc/firejail/lynx.local
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 6185b013f..874fcf8cb 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mate-calc 1# Firejail profile for mate-calc
2# Description: MATE desktop calculator
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mate-calc.local 5include /etc/firejail/mate-calc.local
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index aee153110..0ed8952e5 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mcabber 1# Firejail profile for mcabber
2# Description: Small Jabber (XMPP) console client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mcabber.local 5include /etc/firejail/mcabber.local
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 48db03c27..7556098a7 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mediainfo 1# Firejail profile for mediainfo
2# Description: Command-line utility for reading information from audio/video files
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mediainfo.local 5include /etc/firejail/mediainfo.local
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 12956bab6..e53ced860 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mediathekview 1# Firejail profile for mediathekview
2# Description: View streams from German public television stations
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mediathekview.local 5include /etc/firejail/mediathekview.local
diff --git a/etc/meld.profile b/etc/meld.profile
index 1e85343df..00d5c6caa 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -1,4 +1,5 @@
1# Firejail profile for meld 1# Firejail profile for meld
2# Description: Graphical tool to diff and merge files
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/meld.local 5include /etc/firejail/meld.local
diff --git a/etc/midori.profile b/etc/midori.profile
index 2f7e238cb..7c56910a7 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,4 +1,5 @@
1# Firejail profile for midori 1# Firejail profile for midori
2# Description: Lightweight web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/midori.local 5include /etc/firejail/midori.local
diff --git a/etc/minetest.profile b/etc/minetest.profile
index 6497fa9ba..7de546791 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -1,4 +1,5 @@
1# Firejail profile for minetest 1# Firejail profile for minetest
2# Description: Multiplayer infinite-world block sandbox
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/minetest.local 5include /etc/firejail/minetest.local
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index a4a1ad599..421637509 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mousepad 1# Firejail profile for mousepad
2# Description: Simple Xfce oriented text editor
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mousepad.local 5include /etc/firejail/mousepad.local
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 50ef915ce..709f2ef89 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mpd 1# Firejail profile for mpd
2# Description: Music Player Daemon
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mpd.local 5include /etc/firejail/mpd.local
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
index ddcc8b7bf..29ef21b9d 100644
--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mplayer 1# Firejail profile for mplayer
2# Description: Movie player for Unix-like systems
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mplayer.local 5include /etc/firejail/mplayer.local
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 6761c9bd1..5747cd3fa 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mpv 1# Firejail profile for mpv
2# Description: Video player based on MPlayer/mplayer2
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mpv.local 5include /etc/firejail/mpv.local
diff --git a/etc/mumble.profile b/etc/mumble.profile
index f8a49eb13..f894acb57 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mumble 1# Firejail profile for mumble
2# Description: Low latency encrypted VoIP client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mumble.local 5include /etc/firejail/mumble.local
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 632e3c66a..b49597e00 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mupdf 1# Firejail profile for mupdf
2# Description: Lightweight PDF viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mupdf.local 5include /etc/firejail/mupdf.local
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index a91b6753c..a235c44c8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mupen64plus 1# Firejail profile for mupen64plus
2# Description: Nintendo64 Emulator
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mupen64plus.local 5include /etc/firejail/mupen64plus.local
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 4e28051a4..3eb929bd1 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -1,4 +1,5 @@
1# Firejail profile for musescore 1# Firejail profile for musescore
2# Description: Free music composition and notation software
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/musescore.local 5include /etc/firejail/musescore.local
diff --git a/etc/mutt.profile b/etc/mutt.profile
index bc257f156..6cb09ec78 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,4 +1,5 @@
1# Firejail profile for mutt 1# Firejail profile for mutt
2# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/mutt.local 5include /etc/firejail/mutt.local
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index f1f565515..1809a6b3c 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -1,4 +1,5 @@
1# Firejail profile for nautilus 1# Firejail profile for nautilus
2# Description: File manager and graphical shell for GNOME
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/nautilus.local 5include /etc/firejail/nautilus.local
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
index ab79a325e..fa566b9fd 100644
--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -1,4 +1,5 @@
1# Firejail profile for ncdu 1# Firejail profile for ncdu
2# Description: Ncurses disk usage viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/ncdu.local 5include /etc/firejail/ncdu.local
diff --git a/etc/nemo.profile b/etc/nemo.profile
index 962549a04..98e4ba1bd 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -1,4 +1,5 @@
1# Firejail profile for nemo 1# Firejail profile for nemo
2# Description: File manager and graphical shell for Cinnamon
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/nemo.local 5include /etc/firejail/nemo.local
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 847e81999..cb38d9de0 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,4 +1,5 @@
1# Firejail profile for netsurf 1# Firejail profile for netsurf
2# Description: Lightweight and fast web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/netsurf.local 5include /etc/firejail/netsurf.local
diff --git a/etc/neverball.profile b/etc/neverball.profile
index de8bb5d9d..5e6032ae5 100644
--- a/etc/neverball.profile
+++ b/etc/neverball.profile
@@ -1,4 +1,5 @@
1# Firejail profile for neverball 1# Firejail profile for neverball
2# Description: 3D floor-tilting game
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/neverball.local 5include /etc/firejail/neverball.local
diff --git a/etc/nheko.profile b/etc/nheko.profile
index fa9ce2e8b..f216a9fa5 100644
--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -1,4 +1,5 @@
1# Firejail profile for nheko 1# Firejail profile for nheko
2# Description: Desktop IM client for the Matrix protocol
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/nheko.local 5include /etc/firejail/nheko.local
diff --git a/etc/obs.profile b/etc/obs.profile
index 6d638e6e6..611ecdd67 100644
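--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -10,6 +10,12 @@ noblacklist ${MUSIC}
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
@@ -17,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups
@@ -28,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-private-bin obs
+private-bin obs,python*
 private-cache
 private-dev
 private-tmp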
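Review bot: The `python*` glob on the changed `private-bin` line in the third hunk is broader than the `python2*`/`python3*` globs un-blacklisted in the first hunk, so it copies every PATH entry whose name starts with "python" into the sandbox. I would keep the two lists aligned with `private-bin obs,python2*,python3*`. The comment `# Allow python (blacklisted by disable-interpreters.inc)` also does not say why obs needs an interpreter (presumably its scripting support); a short reason such as `# obs loads python for scripting; drop these lines in obs.local if unused` would tell a maintainer when the allowance can be removed. The profile continues outside all three hunks.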
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index ea49c1a4d..59470f3bb 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -1,4 +1,5 @@
1# Firejail profile for odt2txt 1# Firejail profile for odt2txt
2# Description: Simple converter from OpenDocument Text to plain text
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/odt2txt.local 5include /etc/firejail/odt2txt.local
diff --git a/etc/okular.profile b/etc/okular.profile
index 8fe3b9354..0f15500af 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -1,4 +1,5 @@
1# Firejail profile for okular 1# Firejail profile for okular
2# Description: Universal document viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/okular.local 5include /etc/firejail/okular.local
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 5d331423e..1cd9e9537 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -1,4 +1,5 @@
1# Firejail profile for open-invaders 1# Firejail profile for open-invaders
2# Description: Space Invaders clone
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/open-invaders.local 5include /etc/firejail/open-invaders.local
diff --git a/etc/openbox.profile b/etc/openbox.profile
index ec4b47c29..1540b71bd 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,4 +1,5 @@
1# Firejail profile for openbox 1# Firejail profile for openbox
2# Description: Standards-compliant, fast, light-weight and extensible window manager
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/openbox.local 5include /etc/firejail/openbox.local
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 832008564..242511243 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -1,4 +1,5 @@
1# Firejail profile for openshot 1# Firejail profile for openshot
2# Description: Create and edit videos and movies
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/openshot.local 5include /etc/firejail/openshot.local
diff --git a/etc/opera.profile b/etc/opera.profile
index c0138c555..294041c24 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,4 +1,5 @@
1# Firejail profile for opera 1# Firejail profile for opera
2# Description: A fast and secure web browser
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/opera.local 5include /etc/firejail/opera.local
diff --git a/etc/orage.profile b/etc/orage.profile
index 89720ce34..8fc6330d9 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -1,4 +1,5 @@
1# Firejail profile for orage 1# Firejail profile for orage
2# Description: Calendar for Xfce Desktop Environment
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/orage.local 5include /etc/firejail/orage.local
diff --git a/etc/p7zip.profile b/etc/p7zip.profile
index b813bfda5..f8b2d6f1a 100644
--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,4 +1,5 @@
1# Firejail profile for p7zip 1# Firejail profile for p7zip
2# Description: 7zr file archiver with high compression ratio
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/p7zip.local 5include /etc/firejail/p7zip.local
diff --git a/etc/parole.profile b/etc/parole.profile
index df8f8e194..00e1466b4 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,4 +1,5 @@
1# Firejail profile for parole 1# Firejail profile for parole
2# Description: Media player based on GStreamer framework
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/parole.local 5include /etc/firejail/parole.local
diff --git a/etc/patch.profile b/etc/patch.profile
index 3e8045bd4..d4058d6e7 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -1,4 +1,5 @@
1# Firejail profile for patch 1# Firejail profile for patch
2# Description: Apply a diff file to an original
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3quiet 4quiet
4# Persistent local customizations 5# Persistent local customizations
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 83c1864e9..c7e449166 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pcmanfm 1# Firejail profile for pcmanfm
2# Description: Extremely fast and lightweight file manager
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pcmanfm.local 5include /etc/firejail/pcmanfm.local
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 2e3573121..34cf5e44f 100644
--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pdfmod 1# Firejail profile for pdfmod
2# Description: Simple tool for modifying PDF documents
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pdfmod.local 5include /etc/firejail/pdfmod.local
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index daae31338..a09ab0a8a 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pdfsam 1# Firejail profile for pdfsam
2# Description: PDF Split and Merge
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pdfsam.local 5include /etc/firejail/pdfsam.local
diff --git a/etc/picard.profile b/etc/picard.profile
index 4031d51f5..2cc0b5c68 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -1,4 +1,5 @@
1# Firejail profile for picard 1# Firejail profile for picard
2# Description: Next-Generation MusicBrainz audio files tagger
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/picard.local 5include /etc/firejail/picard.local
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index e0fd270af..e891f5fd8 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pidgin 1# Firejail profile for pidgin
2# Description: Graphical multi-protocol instant messaging client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pidgin.local 5include /etc/firejail/pidgin.local
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 89247f847..4ce584d1e 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pingus 1# Firejail profile for pingus
2# Description: Free Lemmings(TM) clone
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pingus.local 5include /etc/firejail/pingus.local
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 335659430..506918b92 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pinta 1# Firejail profile for pinta
2# Description: Simple drawing/painting program
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pinta.local 5include /etc/firejail/pinta.local
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 7f0ba56b8..e5af9c973 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pithos 1# Firejail profile for pithos
2# Description: Pandora Radio client for the GNOME desktop
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pithos.local 5include /etc/firejail/pithos.local
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 1d7c4f721..6f6aed117 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pitivi 1# Firejail profile for pitivi
2# Description: Non-linear audio/video editor using GStreamer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pitivi.local 5include /etc/firejail/pitivi.local
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile
index 1179a7a01..119baf6b5 100644
--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -1,4 +1,5 @@
1# Firejail profile for playonlinux 1# Firejail profile for playonlinux
2# Description: Front-end for Wine
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/playonlinux.local 5include /etc/firejail/playonlinux.local
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 7a70c88ab..832e7a3f4 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -1,4 +1,5 @@
1# Firejail profile for pluma 1# Firejail profile for pluma
2# Description: Official text editor of the MATE desktop environment
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/pluma.local 5include /etc/firejail/pluma.local
diff --git a/etc/polari.profile b/etc/polari.profile
index aba5ea57e..cb6b0f73c 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,4 +1,5 @@
1# Firejail profile for polari 1# Firejail profile for polari
2# Description: Internet Relay Chat (IRC) client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/polari.local 5include /etc/firejail/polari.local
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 3a40b6260..8fcc19e65 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -1,4 +1,5 @@
1# Firejail profile for ppsspp 1# Firejail profile for ppsspp
2# Description: A PSP emulator written in C++
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/ppsspp.local 5include /etc/firejail/ppsspp.local
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 6d7050b7a..d2612c95c 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,4 +1,5 @@
1# Firejail profile for psi-plus 1# Firejail profile for psi-plus
2# Description: Qt-based XMPP/Jabber client
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/psi-plus.local 5include /etc/firejail/psi-plus.local
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
new file mode 100644
index 000000000..02c35b104
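--- /dev/null
+++ b/etc/pybitmessage.profile
@@ -0,0 +1,49 @@
+# Firejail profile for pybitmessage
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pybitmessage.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist /sbin
+noblacklist /usr/local/sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat
+private-dev
+private-etc PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp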
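Review bot: The closing `noexec ${HOME}` and `noexec /tmp` lines protect less than they suggest, because `private-bin` keeps `python*`, `sh` and `bash` in the sandbox and an interpreter can still read and run a script from a noexec mount. I would say so in a comment above them, e.g. `# noexec only blocks direct execution; python and the shells in private-bin can still run scripts from these paths`. The three `noblacklist` lines for `/sbin`, `/usr/local/sbin` and `/usr/sbin` need a comment giving the reason (presumably `ldconfig`). `private-etc` lists `pki` twice, so the second entry can be dropped. The file also lacks the `# Description:` line that this same commit adds to the other profiles.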
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index eb15ff445..4ba5d3871 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,4 +1,5 @@
1# Firejail profile for qbittorrent 1# Firejail profile for qbittorrent
2# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/qbittorrent.local 5include /etc/firejail/qbittorrent.local
diff --git a/etc/qlipper.profile b/etc/qlipper.profile
index a99825a0c..1293fa30d 100644
--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -1,4 +1,5 @@
1# Firejail profile for qlipper 1# Firejail profile for qlipper
2# Description: Lightweight and cross-platform clipboard history applet
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/qlipper.local 5include /etc/firejail/qlipper.local
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
index 5c3873b7f..9d127731f 100644
--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -1,4 +1,5 @@
1# Firejail profile for qmmp 1# Firejail profile for qmmp
2# Description: Feature-rich audio player with support of many formats
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/qmmp.local 5include /etc/firejail/qmmp.local
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 6057bf4f1..3063010cc 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -1,4 +1,5 @@
1# Firejail profile for qpdfview 1# Firejail profile for qpdfview
2# Description: Tabbed document viewer
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/qpdfview.local 5include /etc/firejail/qpdfview.local
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 92a8bbf28..3c1697085 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -1,4 +1,5 @@
1# Firejail profile for qtox 1# Firejail profile for qtox
2# Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include /etc/firejail/qtox.local 5include /etc/firejail/qtox.local
diff --git a/etc/quassel.profile b/etc/quassel.profile
index 9c5bbe1d3..69c6aa61b 100644
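--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,4 +1,5 @@
 # Firejail profile for quassel
+# Description: Distributed IRC client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/quassel.local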
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index c9e7f9089..368a3d996 100644
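--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,4 +1,5 @@
 # Firejail profile for quiterss
+# Description: RSS/Atom news feeds reader
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/quiterss.local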
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 8849cc7b8..d4d8e3b97 100644
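--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qutebrowser
+# Description: Keyboard-driven, vim-like browser based on PyQt5
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/qutebrowser.local
@@ -15,6 +16,9 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc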
diff --git a/etc/ranger.profile b/etc/ranger.profile
index ff65a057b..fe4131e88 100644
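--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ranger.local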
diff --git a/etc/redeclipse.profile b/etc/redeclipse.profile
index 536c7073c..7271ac2f4 100644
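--- a/etc/redeclipse.profile
+++ b/etc/redeclipse.profile
@@ -1,4 +1,5 @@
 # Firejail profile for redeclipse
+# Description: Free, casual arena shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/redeclipse.local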
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 71f4bb94f..5078000bb 100644
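--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -1,4 +1,5 @@
 # Firejail profile for remmina
+# Description: GTK+ Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/remmina.local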
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index ca06845a5..7dc6470f9 100644
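--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rhythmbox
+# Description: Music player and organizer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/rhythmbox.local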
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index d38ab6876..cc8b68ebb 100644
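--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -1,4 +1,5 @@
 # Firejail profile for riot-desktop
+# Description: A glossy Matrix collaboration client for the desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/riot-desktop.local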
diff --git a/etc/riot-web.profile b/etc/riot-web.profile
index 1779d0b7c..5379223c5 100644
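--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -1,4 +1,5 @@
 # Firejail profile for riot-web
+# Description: A glossy Matrix collaboration client for the web
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/riot-web.local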
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index 08c9dbf2d..bb2a7e95b 100644
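--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ristretto
+# Description: Lightweight picture-viewer for the Xfce desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/ristretto.local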
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index b4a2921ff..bdc5b9232 100644
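--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rtorrent
+# Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/rtorrent.local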
diff --git a/etc/scribus.profile b/etc/scribus.profile
index f08c57c1b..375983667 100644
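--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -1,4 +1,5 @@
 # Firejail profile for scribus
+# Description: Open Source Desktop Page Layout
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/scribus.local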
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 365fd3a53..b702d8b23 100644
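--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,4 +1,5 @@
 # Firejail profile for seamonkey
+# Description: SeaMonkey internet suite
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/seamonkey.local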
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index 6827b0baf..f6c154183 100644
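--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -1,4 +1,5 @@
 # Firejail profile for shellcheck
+# Description: Lint tool for shell scripts
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations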
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index a15576478..30d2203de 100644
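--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -1,4 +1,5 @@
 # Firejail profile for simple-scan
+# Description: Simple Scanning Utility
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/simple-scan.local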
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 41832011e..3722d9414 100644
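--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -1,4 +1,5 @@
 # Firejail profile for simutrans
+# Description: Transportation simulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/simutrans.local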
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 5bac0a90d..f8bca415d 100644
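--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -1,4 +1,5 @@
 # Firejail profile for skanlite
+# Description: Image scanner based on the KSane backend
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/skanlite.local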
diff --git a/etc/slack.profile b/etc/slack.profile
index 91bf0a722..ba77a16b9 100644
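--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -5,8 +5,6 @@ include /etc/firejail/slack.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /var
-
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
 
@@ -21,6 +19,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 name slack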
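Review bot: The `/var` handling flips from a blanket `blacklist /var` (removed in the first hunk) to `include /etc/firejail/whitelist-var-common.inc` (added in the second), and neither hunk records why. With the blacklist the whole of `/var` was unreachable from the sandbox; with the include, whatever paths that file whitelists become visible, so this is a deliberate widening and deserves a one-line comment above the include, e.g. `# /var: expose only the common whitelisted entries instead of blacklisting the whole tree`. The contents of whitelist-var-common.inc are not shown on this page, so the resulting exposure should be checked against that file.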
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 2e792d891..6d8355e6f 100644
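--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -1,4 +1,5 @@
 # Firejail profile for smplayer
+# Description: Complete front-end for MPlayer and mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/smplayer.local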
diff --git a/etc/smtube.profile b/etc/smtube.profile
index 41be2714a..430b4e5cf 100644
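--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -1,4 +1,5 @@
 # Firejail profile for smtube
+# Description: YouTube videos browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/smtube.local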
diff --git a/etc/snap.profile b/etc/snap.profile
index 345525c9a..bcfdc8911 100644
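--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,4 +1,5 @@
 # Firejail profile for snap
+# Description: Location of genes from DNA sequence with hidden markov model
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/snap.local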
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index a7c8dfce6..ee4d90265 100644
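--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -1,4 +1,5 @@
 # Firejail profile for soundconverter
+# Description: GNOME application to convert audio files into other formats
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/soundconverter.local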
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 7f40d4399..4e2718c95 100644
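--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -9,7 +9,6 @@ blacklist ${HOME}/.bashrc
 blacklist /lost+found
 blacklist /sbin
 blacklist /srv
-blacklist /sys
 
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify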
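Review bot: Dropping `blacklist /sys` makes `/sys` visible to the Spotify client again, and nothing in the hunk records why. If a specific breakage motivated it, a comment in place of the removed line would keep someone from re-adding the blacklist later, e.g. `# /sys is intentionally not blacklisted: <reason, placeholder>`. The neighbouring `blacklist /sbin` and `blacklist /srv` lines stay, so this is the only top-level path the profile stops hiding in this hunk.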
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 5fee722bf..75e8ed5c0 100644
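--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -1,4 +1,5 @@
 # Firejail profile for sqlitebrowser
+# Description: GUI editor for SQLite databases
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/sqlitebrowser.local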
diff --git a/etc/ssh.profile b/etc/ssh.profile
index dfaeb9688..584294f05 100644
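--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ssh
+# Description: Secure shell client and server
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -37,4 +38,3 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 writable-run-user
-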
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index fe9760ad4..6069c5174 100644
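--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -24,8 +25,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 
 disable-mnt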
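Review bot: The `seccomp.drop` line that replaces plain `seccomp` in the second hunk hard-codes a long syscall list with no comment, while the `tracelog` line just below it does get one. A reader cannot tell from the profile which syscalls are deliberately left allowed compared with the default filter, and a frozen list will not pick up entries added to firejail's default set in later releases. I would add a comment above it, e.g. `# seccomp.drop: default list minus <syscall, placeholder>, required by <component, placeholder>; re-sync when the default list changes`. The identical line is added, also uncommented, in etc/torbrowser-launcher.profile.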
diff --git a/etc/steam.profile b/etc/steam.profile
index 3c39915e7..6b985f4e8 100644
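--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,4 +1,5 @@
 # Firejail profile for steam
+# Description: Valve's Steam digital software delivery system
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/steam.local
@@ -30,6 +31,12 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
@@ -57,14 +64,14 @@ shell none
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
-#private-bin java,java-config,mono,python*
+#private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
 private-tmp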
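Review bot: The new python `noblacklist` block in the second hunk says what it allows but not which part of Steam needs it. These four lines undo part of `disable-interpreters.inc` for everything launched inside the sandbox, so the comment should name the consumer, which lets the exception be dropped once it is no longer needed, e.g. `# Allow python (blacklisted by disable-interpreters.inc); needed by <component, placeholder>`. In the third hunk `python*` only moves between two commented-out `private-bin` lines, so that part has no effect until one of them is enabled.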
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index a174dcd42..cddbd99d6 100644
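--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,4 +1,5 @@
 # Firejail profile for stellarium
+# Description: Real-time photo-realistic sky generator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/stellarium.local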
diff --git a/etc/surf.profile b/etc/surf.profile
index 46c4a363c..3d40ea49b 100644
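--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for surf
+# Description: Simple web browser by suckless community
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/surf.local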
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 54edbd20d..5f30c95ba 100644
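--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -1,4 +1,5 @@
 # Firejail profile for sylpheed
+# Description: Light weight e-mail client with GTK+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/sylpheed.local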
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index dcfd730ee..0fc59fd17 100644
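--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -1,4 +1,5 @@
 # Firejail profile for synfigstudio
+# Description: Vector-based 2D animation package
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/synfigstudio.local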
diff --git a/etc/tar.profile b/etc/tar.profile
index 35dbb3378..7409393c6 100644
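--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tar
+# Description: GNU version of the tar archiving utility
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations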
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index ad7564bb6..55a95157d 100644
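--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -1,4 +1,5 @@
 # Firejail profile for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/teamspeak3.local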
diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile
index df6557a90..9e4855247 100644
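--- a/etc/telegram-desktop.profile
+++ b/etc/telegram-desktop.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for telegram
+# Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 
 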
diff --git a/etc/thunar.profile b/etc/thunar.profile
index 1545e8c7e..37d10ae0d 100644
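--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for Thunar
+# Description: Modern file manager for Xfce
 # This file is overwritten after every install/update
 
 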
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 6045d6d17..86671d1be 100644
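--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,4 +1,5 @@
 # Firejail profile for thunderbird
+# Description: Email, RSS and newsgroup client with integrated spam filter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/thunderbird.local
@@ -30,6 +31,11 @@ read-only ${HOME}/.config/mimeapps.list
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+# noblacklist /var/mail
+# noblacklist /var/spool/mail
+# writable-var
+
 # allow browsers
 # Redirect
 include /etc/firejail/firefox.profile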
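Review bot: The suggested `thunderbird.local` snippet in the second hunk ends with `writable-var`, which makes the whole of `/var` writable inside the sandbox rather than just the mail spool. The comment is introduced as a recipe for reading local mail, so it should state that cost, e.g. `# writable-var makes all of /var writable; leave it out if read-only access to the spool is enough`. Whether the two `noblacklist` lines are sufficient on their own may also depend on how the included firefox.profile handles `/var`, which is not visible in this hunk.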
diff --git a/etc/tor.profile b/etc/tor.profile
index 6bfc1c9a6..ddaa9806c 100644
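--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tor
+# Description: Anonymizing overlay network for TCP
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tor.local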
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 9e3e0ef49..f175b6590 100644
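--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -1,4 +1,5 @@
 # Firejail profile for torbrowser-launcher
+# Description: Helps download and run the Tor Browser Bundle
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/torbrowser-launcher.local
@@ -19,9 +20,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
 
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include /etc/firejail/whitelist-common.inc
@@ -29,6 +32,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,8 +40,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 
 disable-mnt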
diff --git a/etc/totem.profile b/etc/totem.profile
index 0acbc5127..bfa5883e2 100644
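--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,4 +1,5 @@
 # Firejail profile for totem
+# Description: Simple media player for the GNOME desktop based on GStreamer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/totem.local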
diff --git a/etc/tracker.profile b/etc/tracker.profile
index fc58fc479..142089c34 100644
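--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tracker
+# Description: Metadata database, indexer and search tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tracker.local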
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 849f9ed49..1a22a713c 100644
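--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-cli
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-cli.local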
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 6366aa89d..758205ccf 100644
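--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-gtk
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-gtk.local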
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index added7067..c8eb9e326 100644
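--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-qt
+# Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/transmission-qt.local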
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 1f0d2705e..d467e1a83 100644
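--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for tuxguitar
+# Description: Multitrack guitar tablature editor and player (gp3 to gp5)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/tuxguitar.local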
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 3d7ca7285..5bc350e8d 100644
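--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/unbound.local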
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 985998382..5b2944a88 100644
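--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unknown-horizons
+# Description: 2D realtime strategy simulation
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/unknown-horizons.local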
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 40ee277e0..c8c72f1f3 100644
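--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unrar
+# Description: Unarchiver for .rar files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations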
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 1a1142fe8..0b8b0cc50 100644
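--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,4 +1,5 @@
 # Firejail profile for unzip
+# Description: De-archiver for .zip files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations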
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index f71f0150d..d1130960d 100644
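--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,4 +1,5 @@
 # Firejail profile for uudeview
+# Description: Smart multi-file multi-part decoder
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations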
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index ce4983337..08f9fd309 100644
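--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -1,4 +1,5 @@
 # Firejail profile for viewnior
+# Description: Simple, fast and elegant image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/viewnior.local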
diff --git a/etc/viking.profile b/etc/viking.profile
index a5a01f544..624cb962b 100644
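--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -1,4 +1,5 @@
 # Firejail profile for viking
+# Description: GPS data editor, analyzer and viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/viking.local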
diff --git a/etc/vim.profile b/etc/vim.profile
index 7fe16e628..1f98a018a 100644
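--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vim
+# Description: Vi IMproved - enhanced vi editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vim.local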
diff --git a/etc/vimpager.profile b/etc/vimpager.profile
index 8bc7cc26a..9c59cb82f 100644
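--- a/etc/vimpager.profile
+++ b/etc/vimpager.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vimpager
+# Description: A vim-based script to use as a PAGER
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vimpager.local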
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 61177698a..c634348c7 100644
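--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for virtualbox
+# Description: x86 virtualization solution
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/virtualbox.local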
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 41f482d49..20dafba25 100644
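--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vlc
+# Description: Multimedia player and streamer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vlc.local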
diff --git a/etc/vym.profile b/etc/vym.profile
index f926bf1f4..bb044069d 100644
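--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -1,4 +1,5 @@
 # Firejail profile for vym
+# Description: Mindmapping tool
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/vym.local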
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 22843ca54..858b30a5f 100644
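--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -1,4 +1,5 @@
 # Firejail profile for w3m
+# Description: WWW browsable pager with excellent tables/frames support
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/w3m.local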
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index e339b4100..632a56074 100644
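--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,4 +1,5 @@
 # Firejail profile for warzone2100
+# Description: 3D real time strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/warzone2100.local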
diff --git a/etc/weechat.profile b/etc/weechat.profile
index b0971ae19..213271367 100644
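--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for weechat
+# Description: Fast, light and extensible chat client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/weechat.local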
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 732b37df0..215d2e72d 100644
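--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wesnoth
+# Description: Fantasy turn-based strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wesnoth.local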
diff --git a/etc/wget.profile b/etc/wget.profile
index c509faecc..abe2436d7 100644
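--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wget
+# Description: Retrieves files from the web
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations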
diff --git a/etc/wine.profile b/etc/wine.profile
index 914a2225f..88cdd2ffc 100644
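--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wine
+# Description: A compatibility layer for running Windows programs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wine.local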
diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile
index 38599b85e..26747379a 100644
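--- a/etc/wireshark-gtk.profile
+++ b/etc/wireshark-gtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for wireshark
+# Description: Network protocol analyzer
 # This file is overwritten after every install/update
 
 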
diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile
index 38599b85e..26747379a 100644
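--- a/etc/wireshark-qt.profile
+++ b/etc/wireshark-qt.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for wireshark
+# Description: Network protocol analyzer
 # This file is overwritten after every install/update
 
 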
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index d45198f6a..330f0140e 100644
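--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -1,4 +1,5 @@
 # Firejail profile for wireshark
+# Description: Network traffic analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/wireshark.local
@@ -24,6 +25,7 @@ include /etc/firejail/disable-xdg.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 # caps.drop all
 caps.keep dac_override,net_admin,net_raw
 netfilter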
diff --git a/etc/xchat.profile b/etc/xchat.profile
index bab108c0a..af6da1ac5 100644
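--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xchat
+# Description: IRC client for X similar to AmIRC
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xchat.local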
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index b63e430f6..207e62232 100644
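--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfburn
+# Description: CD-burner application for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfburn.local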
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index fc5294d5b..e84c78b24 100644
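--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfce4-dict
+# Description: Dictionary plugin for Xfce4 panel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfce4-dict.local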
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 5749b7832..99aeebb7f 100644
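--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xfce4-notes
+# Description: Notes application for the Xfce4 desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xfce4-notes.local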
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 14aced0d9..703579562 100644
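--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xiphos
+# Description: Environment for Bible reading, study, and research
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xiphos.local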
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index a5cfa7513..29b2bb382 100644
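--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xonotic
+# Description: A free, fast-paced crossplatform first-person shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xonotic.local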
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index b689ccb25..c12a3437c 100644
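--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xpdf
+# Description: Portable Document Format (PDF) reader
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xpdf.local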
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 0535d85a5..960c493b9 100644
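--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xpra.local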
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 6da8957f4..25e790fe0 100644
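--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xreader
+# Description: Document viewer for files like PDF and Postscript. X-Apps Project.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xreader.local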
diff --git a/etc/xxd.profile b/etc/xxd.profile
index 59dac5a91..baee905b7 100644
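--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xxd
+# Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/xxd.local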
diff --git a/etc/xz.profile b/etc/xz.profile
index d77fc85b4..cd79eebc6 100644
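--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,4 +1,5 @@
 # Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
 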
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 93b6d5093..796c1d642 100644
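--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,4 +1,5 @@
 # Firejail profile for xzdec
+# Description: XZ-format compression utilities - tiny decompressors
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations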
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index fcb0a8a52..75d4514b6 100644
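--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -1,4 +1,5 @@
 # Firejail profile for youtube-dl
+# Description: Downloader of videos from YouTube and other sites
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations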
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index 66f91250d..872719ebc 100644
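--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zaproxy
+# Description: Integrated penetration testing tool for finding vulnerabilities in web applications
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zaproxy.local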
diff --git a/etc/zart.profile b/etc/zart.profile
index 885fa5021..a4b22ed5d 100644
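--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zart
+# Description: A GUI for G'MIC real-time manipulations on the output of a webcam
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zart.local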
diff --git a/etc/zathura.profile b/etc/zathura.profile
index baeca8d19..c1785e332 100644
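--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zathura
+# Description: Document viewer with a minimalistic interface
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/zathura.local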
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh
deleted file mode 100755
index d7f924293..000000000
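--- a/platform/snap/snap.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-rm -fr faudit-snap
-rm -f faudit_*.snap
-mkdir faudit-snap
-cd faudit-snap
-snapcraft init
-cp ../snapcraft.yaml .
-#snapcraft stage
-mkdir -p stage/usr/lib/firejail
-cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
-find stage
-snapcraft stage
-snapcraft snap
-cd ..
-mv faudit-snap/faudit_*.snap ../../.
-rm -fr faudit-snap
-
-
-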
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml
deleted file mode 100644
index d3755de96..000000000
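--- a/platform/snap/snapcraft.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: faudit # the name of the snap
-version: 0 # the version of the snap
-summary: Fireajail audit snap edition # 79 char long summary
-description: faudit program extracted from Firejail and packaged as a snap # a longer description for the snap
-confinement: strict # use "strict" to enforce system access only via declared interfaces
-
-apps:
- faudit:
- command: /usr/lib/firejail/faudit
-
-parts:
- faudit: # Replace with a part name of your liking
- # Get more information about plugins by running
- # snapcraft help plugins
- # and more information about the available plugins
- # by running
- # snapcraft list-plugins
- plugin: nil
- snap:
- - usr/lib/firejail/faudit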
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a33aaeb49..0bbafb343 100644
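--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -77,6 +77,7 @@ cinelerra
 clamdscan
 clamdtop
 clamscan
+clamtk
 claws-mail
 clementine
 clipit
@@ -328,6 +329,7 @@ pluma
 polari
 ppsspp
 psi-plus
+pybitmessage
 # pycharm-community - FB note: may enable later
 # pycharm-professional
 qbittorrent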
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 6fe220d35..298314d4f 100644
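--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -21,6 +21,7 @@
 #include "firecfg.h"
 #include "../include/firejail_user.h"
 int arg_debug = 0;
+char *arg_bindir = "/usr/local/bin";
 
 static char *usage_str =
  "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
@@ -31,6 +32,7 @@ static char *usage_str =
  "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
  "Usage: firecfg [OPTIONS]\n\n"
  " --add-users user [user] - add the users to Firejail user access database.\n\n"
+ " --bindir=directory - install in directory instead of /usr/local/bin.\n\n"
  " --clean - remove all firejail symbolic links.\n\n"
  " --debug - print debug messages.\n\n"
  " --fix - fix .desktop files.\n\n"
@@ -62,9 +64,9 @@ static void usage(void) {
 
 
 static void list(void) {
- DIR *dir = opendir("/usr/local/bin");
+ DIR *dir = opendir(arg_bindir);
  if (!dir) {
- fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+ fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
  exit(1);
  }
 
@@ -78,7 +80,7 @@ static void list(void) {
  continue;
 
  char *fullname;
- if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+ if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1)
  errExit("asprintf");
 
  if (is_link(fullname)) {
@@ -98,14 +100,10 @@ static void list(void) {
 
 static void clean(void) {
  printf("Removing all firejail symlinks:\n");
- if (getuid() != 0) {
- fprintf(stderr, "Error: you need to be root to run this command\n");
- exit(1);
- }
 
- DIR *dir = opendir("/usr/local/bin");
+ DIR *dir = opendir(arg_bindir);
  if (!dir) {
- fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+ fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
  exit(1);
  }
 
@@ -119,7 +117,7 @@ static void clean(void) {
  continue;
 
  char *fullname;
- if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+ if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1)
  errExit("asprintf");
 
  if (is_link(fullname)) {
@@ -129,8 +127,11 @@ static void clean(void) {
  char *ptr = strrchr(fullname, '/');
  assert(ptr);
  ptr++;
- unlink(fullname);
- printf(" %s removed\n", ptr);
+ int rv = unlink(fullname);
+ if (rv)
+ fprintf(stderr, "Warning: cannot remove %s\n", fullname);
+ else
+ printf(" %s removed\n", ptr);
  }
  free(fname);
  }
@@ -148,7 +149,7 @@ static void set_file(const char *name, const char *firejail_exec) {
  return;
 
  char *fname;
- if (asprintf(&fname, "/usr/local/bin/%s", name) == -1)
+ if (asprintf(&fname, "%s/%s", arg_bindir, name) == -1)
  errExit("asprintf");
 
  struct stat s;
@@ -161,6 +162,9 @@ static void set_file(const char *name, const char *firejail_exec) {
  else
  printf(" %s created\n", name);
  }
+ else {
+ fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
+ }
 
  free(fname);
 }
@@ -181,7 +185,7 @@ static void set_links_firecfg(void) {
  fprintf(stderr, "Error: cannot open %s\n", cfgfile);
  exit(1);
  }
- printf("Configuring symlinks in /usr/local/bin based on firecfg.config\n");
+ printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir);
 
  char buf[MAX_BUF];
  int lineno = 0;
@@ -239,7 +243,7 @@ static void set_links_homedir(const char *homedir) {
  errExit("asprintf");
 
  // parse ~/.config/firejail/ directory
- printf("\nConfiguring symlinks in /usr/local/bin based on local firejail config directory\n");
+ printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir);
 
  DIR *dir = opendir(dirname);
  if (!dir) {
@@ -275,9 +279,68 @@ static void set_links_homedir(const char *homedir) {
  free(firejail_exec);
 }
 
+static char *get_user(void) {
+ char *user = getlogin();
+ if (!user) {
+ user = getenv("SUDO_USER");
+ if (!user) {
+ fprintf(stderr, "Error: cannot detect login user\n");
+ exit(1);
+ }
+ }
+
+ return user;
+}
+
+static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+ // find home directory
+ struct passwd *pw = getpwnam(user);
+ if (!pw)
+ goto errexit;
+
+ char *home = pw->pw_dir;
+ if (!home)
+ goto errexit;
+
+ *uid = pw->pw_uid;
+ *gid = pw->pw_gid;
+
+ return home;
+
+errexit:
+ fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+ exit(1);
+}
 
 int main(int argc, char **argv) {
  int i;
+ int bindir_set = 0;
+
+ // user setup
+ char *user = get_user();
+ uid_t uid;
+ gid_t gid;
+ char *home = get_homedir(user, &uid, &gid);
+
+
+ // check for --bindir
+ for (i = i; i < argc; i++) {
+ if (strncmp(argv[i], "--bindir=", 9) == 0) {
+ if (strncmp(argv[i] + 9, "~/", 2) == 0) {
+ if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1)
+ errExit("asprintf");
+ }
+ else
+ arg_bindir = argv[i] + 9;
+ bindir_set = 1;
+
+ // exit if the directory does not exist, or if we don't have access to it
+ if (access(arg_bindir, R_OK | W_OK | X_OK)) {
+ fprintf(stderr, "Error: directory %s not found\n", arg_bindir);
+ exit(1);
+ }
+ }
+ }
 
  for (i = 1; i < argc; i++) {
  // default options
@@ -297,15 +360,6 @@ int main(int argc, char **argv) {
  return 0;
  }
  else if (strcmp(argv[i], "--fix") == 0) {
- // find home directory
- struct passwd *pw = getpwuid(getuid());
- if (!pw) {
- goto errexit;
- }
- char *home = pw->pw_dir;
- if (!home) {
- goto errexit;
- }
  fix_desktop_files(home);
  return 0;
  }
@@ -331,19 +385,24 @@ int main(int argc, char **argv) {
  return 0;
  }
  else {
- fprintf(stderr, "Error: invalid command line option\n");
- usage();
- return 1;
+ if (strncmp(argv[i], "--bindir=", 9) != 0) { // already handled
+ fprintf(stderr, "Error: invalid command line option\n");
+ usage();
+ return 1;
+ }
  }
  }
 
+ if (arg_debug)
+ printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
+
  // set symlinks in /usr/local/bin
- if (getuid() != 0) {
- fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n");
+ if (bindir_set == 0 && getuid() != 0) {
+ fprintf(stderr, "Error: cannot set the symbolic links in %s\n", arg_bindir);
  fprintf(stderr, "The proper way to run this command is \"sudo firecfg\".\n");
  return 1;
  }
- else {
+ else if (bindir_set == 0) {
  // create /usr/local directory if it doesn't exist (Solus distro)
  struct stat s;
  if (stat("/usr/local", &s) != 0) {
@@ -354,66 +413,46 @@ int main(int argc, char **argv) {
  return 1;
  }
  }
- if (stat("/usr/local/bin", &s) != 0) {
+ if (stat(arg_bindir, &s) != 0) {
  printf("Creating /usr/local directory\n");
- int rv = mkdir("/usr/local/bin", 0755);
+ int rv = mkdir(arg_bindir, 0755);
  if (rv != 0) {
- fprintf(stderr, "Error: cannot create /usr/local/bin directory\n");
+ fprintf(stderr, "Error: cannot create %s directory\n", arg_bindir);
  return 1;
  }
  }
  }
- clean();
- set_links_firecfg();
-
 
+ // clear all symlinks
+ clean();
 
- // user setup
- char *user = getlogin();
- if (!user) {
- user = getenv("SUDO_USER");
- if (!user) {
- goto errexit;
- }
- }
+ // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+ set_links_firecfg();
 
- // add user to firejail access database
- if (user) {
+ // add user to firejail access database - only for root
+ if (user && getuid() == 0) {
  printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
  firejail_user_add(user);
  }
 
- // switch to the local user, and fix desktop files
- if (user) {
- // find home directory
- struct passwd *pw = getpwnam(user);
- if (!pw) {
- goto errexit;
- }
- char *home = pw->pw_dir;
- if (!home) {
- goto errexit;
- }
-
- // running as root
- set_links_homedir(home);
+ // set new symlinks based on ~/.config/firejail directory
+ set_links_homedir(home);
 
  // drop permissions
+ if (getuid() == 0) {
  if (setgroups(0, NULL) < 0)
  errExit("setgroups");
- // set uid/gid
- if (setgid(pw->pw_gid) < 0)
+ if (setgid(gid) < 0)
  errExit("setgid");
- if (setuid(pw->pw_uid) < 0)
+ if (setuid(uid) < 0)
  errExit("setuid");
- if (arg_debug)
- printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
- fix_desktop_files(home);
  }
 
- return 0;
+ if (arg_debug)
+ printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
 
-errexit:
- fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n");
- return 1;
+ // fix .desktop files in ~/.local/share/applications directory
+ fix_desktop_files(home);
+
+ return 0;
 }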
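Review bot: In the new `--bindir` pre-scan in main(), `for (i = i; i < argc; i++)` starts from an uninitialized `i`, so whether the option is ever seen is undefined; it should read `for (i = 1; i < argc; i++)`. Separately, the `--fix` branch now passes the `home` resolved through getlogin()/`SUDO_USER` to fix_desktop_files() and returns before the setgroups/setgid/setuid block at the end of main(), so under sudo it appears to edit the login user's desktop files while still root; fix_desktop_files() is not visible here, so this needs confirming, and if it holds the branch should drop privileges the same way the final path does. The `access(arg_bindir, R_OK | W_OK | X_OK)` test is only advisory, since the directory can change before clean() and set_file() operate on it, and its "not found" message also covers permission failures.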
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
deleted file mode 100644
index cfed454f8..000000000
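--- a/src/firejail/arg-checking.txt
+++ /dev/null
@@ -1,84 +0,0 @@
-arg checking:
-
-1. --output=filename
- - not supported in profiles
- - checking no "..",
- - checking no link,
- - checking no dir,
- - checking same permissions,
- - checking no hard links
- - unit test
-
-2. --chroot=dirname
- - not supported in profiles
- - expand "~"
- - checking no "..",
- - checking is dir,
- - checking no link
- - checking directory structure
- - unit test
-
-3. --bind=dirname1,dirname2, --bind=filename1,filenam2
- - supported in profiles
- - accepted only when running as root
- - checking string chars
- - checking no ".."
- - unit test non root
-
-4. --tmpfs=dirname
- - supported in profiles
- - checking string chars
- - checking no ".."
- - unit test
-
-5. --blacklist=filename, --blacklist=dirname
- - supported in profiles
- - checking string chars
- - checking no ".."
- - unit test
-
-6. --read-only=filename, --read-only=dirname
- - supported in profiles
- - checking string chars
- - checking no ".."
- - unit test
-
-7. --profile=filename
- - check access as real GID/UID
- - checking no dir
- - checking no link
- - checking no ".."
- - unit test
-
-8. --private=dirname
- - supported in profiles
- - expand "~"
- - check is dir
- - check no link
- - checking no ".."
- - check same owner
- - unit test
-
-9. --private-home=filelist
- - supported in profiles
- - checking no ".."
- - checking file found
- - checking same owner
- - checking no link
- - unit test
-
-10. --netfilter=filename
- - supported in profiles
- - check access as real GID/UID
- - checking no dir
- - checking no link
- - checking no ".."
- - unit test
-
-11. --shell=filename
- - not supported in profiles
- - check access as real GID/UID
- - checking no dir
- - checking no link
- - checking no ".."
- - unit test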
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 0045b444f..d7764682a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -328,7 +328,12 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
328 // join the network namespace 328 // join the network namespace
329 //************************ 329 //************************
330 pid_t child; 330 pid_t child;
331 if (find_child(pid, &child) == -1) { 331 if (find_child(pid, &child) == 1) {
332 fprintf(stderr, "Error: cannot join the network namespace\n");
333 exit(1);
334 }
335
336 if (invalid_sandbox(child)) {
332 fprintf(stderr, "Error: cannot join the network namespace\n"); 337 fprintf(stderr, "Error: cannot join the network namespace\n");
333 exit(1); 338 exit(1);
334 } 339 }
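Review bot: The corrected failure test in bandwidth_pid, `find_child(pid, &child) == 1`, still pins one specific return value, which is the kind of check that was silently dead while it read `== -1`. The code removed elsewhere in this commit treats `find_child(...) == 0` as success, so `if (find_child(pid, &child) != 0) {` would treat every non-zero return as failure and keep working if the helper's error code changes again. The same `== 1` comparison is added in netfilter_print (netfilter.c) and in switch_to_child (join.c). find_child itself is not shown, and bandwidth_pid continues outside the hunk.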
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index dae45d9df..bd3b5e229 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -401,18 +401,13 @@ errexit:
401void caps_print_filter(pid_t pid) { 401void caps_print_filter(pid_t pid) {
402 EUID_ASSERT(); 402 EUID_ASSERT();
403 403
404 // if the pid is that of a firejail process, use the pid of the first child process 404 // in case the pid is that of a firejail process, use the pid of the first child process
405 EUID_ROOT(); // grsecurity 405 pid = switch_to_child(pid);
406 char *comm = pid_proc_comm(pid); 406
407 EUID_USER(); // grsecurity 407 // now check if the pid belongs to a firejail sandbox
408 if (comm) { 408 if (invalid_sandbox(pid)) {
409 if (strcmp(comm, "firejail") == 0) { 409 fprintf(stderr, "Error: no valid sandbox\n");
410 pid_t child; 410 exit(1);
411 if (find_child(pid, &child) == 0) {
412 pid = child;
413 }
414 }
415 free(comm);
416 } 411 }
417 412
418 // check privileges for non-root users 413 // check privileges for non-root users
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 8f72fb69e..a92562e67 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -165,18 +165,13 @@ static void print_cpu(int pid) {
165void cpu_print_filter(pid_t pid) { 165void cpu_print_filter(pid_t pid) {
166 EUID_ASSERT(); 166 EUID_ASSERT();
167 167
168 // if the pid is that of a firejail process, use the pid of the first child process 168 // in case the pid is that of a firejail process, use the pid of the first child process
169 EUID_ROOT(); // grsecurity 169 pid = switch_to_child(pid);
170 char *comm = pid_proc_comm(pid); 170
171 EUID_USER(); // grsecurity 171 // now check if the pid belongs to a firejail sandbox
172 if (comm) { 172 if (invalid_sandbox(pid)) {
173 if (strcmp(comm, "firejail") == 0) { 173 fprintf(stderr, "Error: no valid sandbox\n");
174 pid_t child; 174 exit(1);
175 if (find_child(pid, &child) == 0) {
176 pid = child;
177 }
178 }
179 free(comm);
180 } 175 }
181 176
182 // check privileges for non-root users 177 // check privileges for non-root users
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f31d6a2bc..051456539 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -100,6 +100,7 @@
100#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" 100#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
101#define RUN_UMASK_FILE "/run/firejail/mnt/umask" 101#define RUN_UMASK_FILE "/run/firejail/mnt/umask"
102#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot" 102#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot"
103#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join"
103 104
104 105
105// profiles 106// profiles
@@ -405,7 +406,7 @@ char *guess_shell(void);
405 406
406// sandbox.c 407// sandbox.c
407int sandbox(void* sandbox_arg); 408int sandbox(void* sandbox_arg);
408void start_application(int no_sandbox); 409void start_application(int no_sandbox, FILE *fp);
409 410
410// network_main.c 411// network_main.c
411void net_configure_sandbox_ip(Bridge *br); 412void net_configure_sandbox_ip(Bridge *br);
@@ -477,6 +478,7 @@ void usage(void);
477 478
478// join.c 479// join.c
479void join(pid_t pid, int argc, char **argv, int index); 480void join(pid_t pid, int argc, char **argv, int index);
481pid_t switch_to_child(pid_t pid);
480 482
481// shutdown.c 483// shutdown.c
482void shut(pid_t pid); 484void shut(pid_t pid);
@@ -512,9 +514,10 @@ void logerr(const char *msg);
512int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); 514int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
513void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); 515void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
514void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); 516void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
515void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode); 517void touch_file_as_user(const char *fname, mode_t mode);
516int is_dir(const char *fname); 518int is_dir(const char *fname);
517int is_link(const char *fname); 519int is_link(const char *fname);
520void trim_trailing_slash_or_dot(char *path);
518char *line_remove_spaces(const char *buf); 521char *line_remove_spaces(const char *buf);
519char *split_comma(char *str); 522char *split_comma(char *str);
520void check_unsigned(const char *str, const char *msg); 523void check_unsigned(const char *str, const char *msg);
@@ -536,6 +539,7 @@ unsigned extract_timeout(const char *str);
536void disable_file_or_dir(const char *fname); 539void disable_file_or_dir(const char *fname);
537void disable_file_path(const char *path, const char *file); 540void disable_file_path(const char *path, const char *file);
538int safe_fd(const char *path, int flags); 541int safe_fd(const char *path, int flags);
542int invalid_sandbox(const pid_t pid);
539 543
540// Get info regarding the last kernel mount operation from /proc/self/mountinfo 544// Get info regarding the last kernel mount operation from /proc/self/mountinfo
541// The return value points to a static area, and will be overwritten by subsequent calls. 545// The return value points to a static area, and will be overwritten by subsequent calls.
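Review bot: The new second parameter in `void start_application(int no_sandbox, FILE *fp);` is declared without any comment, and both call sites visible in this commit (join.c and no_sandbox.c) pass NULL, so the header does not say what the stream is for or who closes it. A one-line comment above the prototype would settle it, for example `// fp may be NULL; otherwise <what is written to it and who closes it>`. Separately, the `const` in `int invalid_sandbox(const pid_t pid);` has no effect on a by-value parameter in a prototype and can be dropped to match the neighbouring declarations.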
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ba2f8e284..d28ff534f 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -641,8 +641,26 @@ void fs_proc_sys_dev_boot(void) {
641 char *fnamegpg; 641 char *fnamegpg;
642 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) 642 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
643 errExit("asprintf"); 643 errExit("asprintf");
644 if (stat(fnamegpg, &s) == -1) 644 if (stat(fnamegpg, &s) == -1) {
645 mkdir_attr(fnamegpg, 0700, getuid(), getgid()); 645 pid_t child = fork();
646 if (child < 0)
647 errExit("fork");
648 if (child == 0) {
649 // drop privileges
650 drop_privs(0);
651 if (mkdir(fnamegpg, 0700) == 0) {
652 if (chmod(fnamegpg, 0700) == -1)
653 {;} // do nothing
654 }
655#ifdef HAVE_GCOV
656 __gcov_flush();
657#endif
658 _exit(0);
659 }
660 // wait for the child to finish
661 waitpid(child, NULL, 0);
662 fs_logger2("create", fnamegpg);
663 }
646 if (stat(fnamegpg, &s) == 0) 664 if (stat(fnamegpg, &s) == 0)
647 disable_file(BLACKLIST_FILE, fnamegpg); 665 disable_file(BLACKLIST_FILE, fnamegpg);
648 free(fnamegpg); 666 free(fnamegpg);
@@ -651,8 +669,26 @@ void fs_proc_sys_dev_boot(void) {
651 char *fnamesysd; 669 char *fnamesysd;
652 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) 670 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
653 errExit("asprintf"); 671 errExit("asprintf");
654 if (stat(fnamesysd, &s) == -1) 672 if (stat(fnamesysd, &s) == -1) {
655 mkdir_attr(fnamesysd, 0755, getuid(), getgid()); 673 pid_t child = fork();
674 if (child < 0)
675 errExit("fork");
676 if (child == 0) {
677 // drop privileges
678 drop_privs(0);
679 if (mkdir(fnamesysd, 0755) == 0) {
680 if (chmod(fnamesysd, 0755) == -1)
681 {;} // do nothing
682 }
683#ifdef HAVE_GCOV
684 __gcov_flush();
685#endif
686 _exit(0);
687 }
688 // wait for the child to finish
689 waitpid(child, NULL, 0);
690 fs_logger2("create", fnamesysd);
691 }
656 if (stat(fnamesysd, &s) == 0) 692 if (stat(fnamesysd, &s) == 0)
657 disable_file(BLACKLIST_FILE, fnamesysd); 693 disable_file(BLACKLIST_FILE, fnamesysd);
658 free(fnamesysd); 694 free(fnamesysd);
@@ -1347,14 +1383,17 @@ void fs_private_cache(void) {
1347 struct stat s; 1383 struct stat s;
1348 if (is_link(cache)) { 1384 if (is_link(cache)) {
1349 fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); 1385 fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
1386 free(cache);
1350 return; 1387 return;
1351 } 1388 }
1352 if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) { 1389 if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
1353 fwarning("no user .cache directory found, tmpfs not mounted\n"); 1390 fwarning("no user .cache directory found, tmpfs not mounted\n");
1391 free(cache);
1354 return; 1392 return;
1355 } 1393 }
1356 if (s.st_uid != getuid()) { 1394 if (s.st_uid != getuid()) {
1357 fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); 1395 fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
1396 free(cache);
1358 return; 1397 return;
1359 } 1398 }
1360 1399
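Review bot: In both new fork blocks of fs_proc_sys_dev_boot (for the gnupg and systemd directories under /run/user), the parent discards the child's status with `waitpid(child, NULL, 0)` and then calls `fs_logger2("create", ...)` unconditionally, while the child ends with `_exit(0)` whether or not mkdir() succeeded. The filesystem log can therefore record a directory as created when it was not. Having the child `_exit(1)` when mkdir fails and logging only on a successful status, or moving the fs_logger2 call under the following `stat(...) == 0` test, keeps the log accurate. The two blocks differ only in path and mode, so a small static helper taking both would remove the duplication. The function starts and ends outside these hunks.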
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 01350aa0e..8e8739436 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -100,7 +100,9 @@ errexit:
100} 100}
101 101
102static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { 102static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
103 if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { 103 assert(fname);
104
105 if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) {
104 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); 106 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
105 exit(1); 107 exit(1);
106 } 108 }
@@ -163,6 +165,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
163 165
164 166
165 char *ptr = strtok(dlist, ","); 167 char *ptr = strtok(dlist, ",");
168 if (!ptr) {
169 fprintf(stderr, "Error: invalid private %s argument\n", private_dir);
170 exit(1);
171 }
166 duplicate(ptr, private_dir, private_run_dir); 172 duplicate(ptr, private_dir, private_run_dir);
167 173
168 while ((ptr = strtok(NULL, ",")) != NULL) 174 while ((ptr = strtok(NULL, ",")) != NULL)
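Review bot: The rewritten filter in duplicate() rejects `..` and any name containing `/`, but a lone `.` still passes, and such an entry would name the source directory itself rather than a file inside it. If that is not intended, add it to the test: `if (*fname == '~' || strchr(fname, '/') || strcmp(fname, ".") == 0 || strcmp(fname, "..") == 0) {`. The new `assert(fname)` disappears in builds with NDEBUG, so it documents the precondition but does not enforce it. The rest of duplicate() is outside the hunk, so how `.` is handled further down is not visible here.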
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 3a332f7ff..866b750b0 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -53,7 +53,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
53 fs_logger2("clone", fname); 53 fs_logger2("clone", fname);
54 } 54 }
55 else { 55 else {
56 touch_file_as_user(fname, u, g, 0644); 56 touch_file_as_user(fname, 0644);
57 fs_logger2("touch", fname); 57 fs_logger2("touch", fname);
58 } 58 }
59 free(fname); 59 free(fname);
@@ -78,7 +78,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
78 fs_logger2("clone", fname); 78 fs_logger2("clone", fname);
79 } 79 }
80 else { 80 else {
81 touch_file_as_user(fname, u, g, 0644); 81 touch_file_as_user(fname, 0644);
82 fs_logger2("touch", fname); 82 fs_logger2("touch", fname);
83 } 83 }
84 free(fname); 84 free(fname);
@@ -235,8 +235,29 @@ void fs_private_homedir(void) {
235 // mount bind private_homedir on top of homedir 235 // mount bind private_homedir on top of homedir
236 if (arg_debug) 236 if (arg_debug)
237 printf("Mount-bind %s on top of %s\n", private_homedir, homedir); 237 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
238 if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) 238 // get a file descriptor for private_homedir, fails if there is any symlink
239 int fd = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
240 if (fd == -1)
241 errExit("safe_fd");
242 // check if new home directory is owned by the user
243 struct stat s;
244 if (fstat(fd, &s) == -1)
245 errExit("fstat");
246 if (s.st_uid != getuid()) {
247 fprintf(stderr, "Error: private directory is not owned by the current user\n");
248 exit(1);
249 }
250 if ((S_IRWXU & s.st_mode) != S_IRWXU)
251 fwarning("no full permissions for private directory\n");
252 // mount via the link in /proc/self/fd
253 char *proc;
254 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
255 errExit("asprintf");
256 if (mount(proc, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
239 errExit("mount bind"); 257 errExit("mount bind");
258 free(proc);
259 close(fd);
260
240 fs_logger3("mount-bind", private_homedir, cfg.homedir); 261 fs_logger3("mount-bind", private_homedir, cfg.homedir);
241 fs_logger2("whitelist", cfg.homedir); 262 fs_logger2("whitelist", cfg.homedir);
242// preserve mode and ownership 263// preserve mode and ownership
@@ -339,37 +360,16 @@ void fs_check_private_dir(void) {
339 free(tmp); 360 free(tmp);
340 361
341 if (!cfg.home_private 362 if (!cfg.home_private
342 || !is_dir(cfg.home_private) 363 || !is_dir(cfg.home_private)) {
343 || is_link(cfg.home_private)
344 || strstr(cfg.home_private, "..")) {
345 fprintf(stderr, "Error: invalid private directory\n"); 364 fprintf(stderr, "Error: invalid private directory\n");
346 exit(1); 365 exit(1);
347 } 366 }
348
349 // check home directory and chroot home directory have the same owner
350 struct stat s2;
351 int rv = stat(cfg.home_private, &s2);
352 if (rv < 0) {
353 fprintf(stderr, "Error: cannot find %s directory\n", cfg.home_private);
354 exit(1);
355 }
356
357 struct stat s1;
358 rv = stat(cfg.homedir, &s1);
359 if (rv < 0) {
360 fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir);
361 exit(1);
362 }
363 if (s1.st_uid != s2.st_uid) {
364 printf("Error: --private directory should be owned by the current user\n");
365 exit(1);
366 }
367} 367}
368 368
369#ifndef LTS
370//*********************************************************************************** 369//***********************************************************************************
371// --private-home 370// --private-home
372//*********************************************************************************** 371//***********************************************************************************
372#ifndef LTS
373static char *check_dir_or_file(const char *name) { 373static char *check_dir_or_file(const char *name) {
374 assert(name); 374 assert(name);
375 375
@@ -401,34 +401,33 @@ static char *check_dir_or_file(const char *name) {
401 } 401 }
402 return fname; 402 return fname;
403 } 403 }
404 else { 404 else // dangling link
405 fprintf(stderr, "Error: invalid file %s\n", name); 405 goto errexit;
406 exit(1);
407 }
408 } 406 }
409 else { 407 else {
410 // check the file is in user home directory, a full home directory is not allowed 408 // check the file is in user home directory, a full home directory is not allowed
411 char *rname = realpath(fname, NULL); 409 char *rname = realpath(fname, NULL);
412 if (!rname || 410 if (!rname ||
413 strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 || 411 strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 ||
414 strcmp(rname, cfg.homedir) == 0) { 412 strcmp(rname, cfg.homedir) == 0)
415 fprintf(stderr, "Error: invalid file %s\n", name); 413 goto errexit;
416 exit(1);
417 }
418 414
419 // only top files and directories in user home are allowed 415 // only top files and directories in user home are allowed
420 char *ptr = rname + strlen(cfg.homedir); 416 char *ptr = rname + strlen(cfg.homedir);
421 assert(*ptr != '\0'); 417 if (*ptr != '/')
418 goto errexit;
422 ptr = strchr(++ptr, '/'); 419 ptr = strchr(++ptr, '/');
423 if (ptr) { 420 if (ptr) {
424 if (*ptr != '\0') { 421 fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
425 fprintf(stderr, "Error: only top files and directories in user home are allowed\n"); 422 exit(1);
426 exit(1);
427 }
428 } 423 }
429 free(fname); 424 free(fname);
430 return rname; 425 return rname;
431 } 426 }
427
428errexit:
429 fprintf(stderr, "Error: invalid file %s\n", name);
430 exit(1);
432} 431}
433 432
434static void duplicate(char *name) { 433static void duplicate(char *name) {
@@ -495,6 +494,10 @@ void fs_private_home_list(void) {
495 errExit("strdup"); 494 errExit("strdup");
496 495
497 char *ptr = strtok(dlist, ","); 496 char *ptr = strtok(dlist, ",");
497 if (!ptr) {
498 fprintf(stderr, "Error: invalid private-home argument\n");
499 exit(1);
500 }
498 duplicate(ptr); 501 duplicate(ptr);
499 while ((ptr = strtok(NULL, ",")) != NULL) 502 while ((ptr = strtok(NULL, ",")) != NULL)
500 duplicate(ptr); 503 duplicate(ptr);
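Review bot: In the fs_private_homedir hunk the source of the bind mount is now pinned with safe_fd() and checked with fstat(), but the destination is still handed to mount() as the path `homedir`, so it is resolved again by name at mount time. Whether homedir is validated earlier is not visible here; if it is not, opening it the same way and mounting onto its /proc/self/fd entry would close the remaining gap between check and use. A home directory that is legitimately reached through a symlinked parent would then be refused, which may need a documented exception. The function starts and ends outside the hunk.

```c
// … unchanged: safe_fd/fstat/ownership check on private_homedir, asprintf of proc …
// pin the mount target as well, so it is not resolved by name at mount time
int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
if (dst == -1)
	errExit("safe_fd");
char *proc_dst;
if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
	errExit("asprintf");
if (mount(proc, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
	errExit("mount bind");
free(proc_dst);
close(dst);
// … unchanged: free(proc), close(fd), fs_logger3/fs_logger2 calls …
```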
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 93f28a26b..02e2ba5d7 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -120,19 +120,8 @@ void fs_logger_change_owner(void) {
120void fs_logger_print_log(pid_t pid) { 120void fs_logger_print_log(pid_t pid) {
121 EUID_ASSERT(); 121 EUID_ASSERT();
122 122
123 // if the pid is that of a firejail process, use the pid of the first child process 123 // in case the pid is that of a firejail process, use the pid of the first child process
124 EUID_ROOT(); 124 pid = switch_to_child(pid);
125 char *comm = pid_proc_comm(pid);
126 EUID_USER();
127 if (comm) {
128 if (strcmp(comm, "firejail") == 0) {
129 pid_t child;
130 if (find_child(pid, &child) == 0) {
131 pid = child;
132 }
133 }
134 free(comm);
135 }
136 125
137 // check privileges for non-root users 126 // check privileges for non-root users
138 uid_t uid = getuid(); 127 uid_t uid = getuid();
@@ -151,7 +140,7 @@ void fs_logger_print_log(pid_t pid) {
151 140
152 EUID_ROOT(); 141 EUID_ROOT();
153 struct stat s; 142 struct stat s;
154 if (stat(fname, &s) == -1) { 143 if (stat(fname, &s) == -1 || s.st_uid != 0) {
155 fprintf(stderr, "Error: Cannot access filesystem log\n"); 144 fprintf(stderr, "Error: Cannot access filesystem log\n");
156 exit(1); 145 exit(1);
157 } 146 }
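Review bot: fs_logger_print_log now calls `pid = switch_to_child(pid);` but, unlike the other callers changed in this commit (caps.c, cpu.c, join.c, network_main.c, protocol.c), it does not follow the call with the `invalid_sandbox(pid)` check. The `s.st_uid != 0` test added on the log file in the second hunk may be meant to cover this; if so, a comment saying that would help, otherwise add `if (invalid_sandbox(pid)) { fprintf(stderr, "Error: no valid sandbox\n"); exit(1); }` after the switch. That ownership test uses stat() on the path, so if the file is later opened by name (outside the hunk), an fstat() on the opened descriptor would tie the check to the file actually read.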
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 9d22093ee..b66068a95 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -114,7 +114,7 @@ void fs_mkfile(const char *name) {
114 } 114 }
115 115
116 // create file 116 // create file
117 touch_file_as_user(expanded, getuid(), getgid(), 0600); 117 touch_file_as_user(expanded, 0600);
118 118
119doexit: 119doexit:
120 free(expanded); 120 free(expanded);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9fbbdfa8f..8c53e6161 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -255,23 +255,8 @@ void fs_var_lock(void) {
255 fs_logger("tmpfs /var/lock"); 255 fs_logger("tmpfs /var/lock");
256 } 256 }
257 else { 257 else {
258 char *lnk = realpath("/var/lock", NULL); 258 fwarning("/var/lock not mounted\n");
259 if (lnk) { 259 dbg_test_dir("/var/lock");
260 if (!is_dir(lnk)) {
261 // create directory
262 mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
263 }
264 if (arg_debug)
265 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
266 if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
267 errExit("mounting /var/lock");
268 free(lnk);
269 fs_logger("tmpfs /var/lock");
270 }
271 else {
272 fwarning("/var/lock not mounted\n");
273 dbg_test_dir("/var/lock");
274 }
275 } 260 }
276} 261}
277 262
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c3d34e259..602985b4e 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -395,19 +395,8 @@ void fs_whitelist(void) {
395 new_name = expand_home(dataptr, cfg.homedir); 395 new_name = expand_home(dataptr, cfg.homedir);
396 assert(new_name); 396 assert(new_name);
397 397
398 // trim trailing slashes or dots 398 // remove trailing slashes and single dots
399 char *end = strchr(new_name, '\0'); 399 trim_trailing_slash_or_dot(new_name);
400 assert(end);
401 if ((end - new_name) > 1) {
402 end--;
403 while (*end == '/' ||
404 (*end == '.' && *(end - 1) == '/')) {
405 *end = '\0';
406 end--;
407 if (end == new_name)
408 break;
409 }
410 }
411 400
412 if (arg_debug || arg_debug_whitelists) 401 if (arg_debug || arg_debug_whitelists)
413 fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); 402 fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 729c7f797..cdd95b6a8 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -212,8 +212,10 @@ static void extract_umask(pid_t pid) {
212 212
213 FILE *fp = fopen(fname, "re"); 213 FILE *fp = fopen(fname, "re");
214 free(fname); 214 free(fname);
215 if (!fp) 215 if (!fp) {
216 return; 216 fprintf(stderr, "Error: cannot open umask file\n");
217 exit(1);
218 }
217 if (fscanf(fp, "%3o", &orig_umask) < 1) { 219 if (fscanf(fp, "%3o", &orig_umask) < 1) {
218 fprintf(stderr, "Error: cannot read umask\n"); 220 fprintf(stderr, "Error: cannot read umask\n");
219 exit(1); 221 exit(1);
@@ -221,6 +223,36 @@ static void extract_umask(pid_t pid) {
221 fclose(fp); 223 fclose(fp);
222} 224}
223 225
226pid_t switch_to_child(pid_t pid) {
227 EUID_ROOT();
228 errno = 0;
229 char *comm = pid_proc_comm(pid);
230 if (!comm) {
231 if (errno == ENOENT) {
232 fprintf(stderr, "Error: cannot find process with id %d\n", pid);
233 exit(1);
234 }
235 else {
236 fprintf(stderr, "Error: cannot read /proc file\n");
237 exit(1);
238 }
239 }
240 EUID_USER();
241 if (strcmp(comm, "firejail") == 0) {
242 pid_t child;
243 if (find_child(pid, &child) == 1) {
244 fprintf(stderr, "Error: no valid sandbox\n");
245 exit(1);
246 }
247 fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) child);
248 pid = child;
249 }
250 free(comm);
251 return pid;
252}
253
254
255
224void join(pid_t pid, int argc, char **argv, int index) { 256void join(pid_t pid, int argc, char **argv, int index) {
225 EUID_ASSERT(); 257 EUID_ASSERT();
226 char *homedir = cfg.homedir; 258 char *homedir = cfg.homedir;
@@ -229,19 +261,13 @@ void join(pid_t pid, int argc, char **argv, int index) {
229 extract_command(argc, argv, index); 261 extract_command(argc, argv, index);
230 signal (SIGTERM, signal_handler); 262 signal (SIGTERM, signal_handler);
231 263
232 // if the pid is that of a firejail process, use the pid of the first child process 264 // in case the pid is that of a firejail process, use the pid of the first child process
233 EUID_ROOT(); 265 pid = switch_to_child(pid);
234 char *comm = pid_proc_comm(pid); 266
235 EUID_USER(); 267 // now check if the pid belongs to a firejail sandbox
236 if (comm) { 268 if (invalid_sandbox(pid)) {
237 if (strcmp(comm, "firejail") == 0) { 269 fprintf(stderr, "Error: no valid sandbox\n");
238 pid_t child; 270 exit(1);
239 if (find_child(pid, &child) == 0) {
240 pid = child;
241 fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
242 }
243 }
244 free(comm);
245 } 271 }
246 272
247 // check privileges for non-root users 273 // check privileges for non-root users
@@ -406,7 +432,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
406 } 432 }
407 433
408 drop_privs(arg_nogroups); 434 drop_privs(arg_nogroups);
409 start_application(0); 435 start_application(0, NULL);
410 436
411 // it will never get here!!! 437 // it will never get here!!!
412 } 438 }
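Review bot: switch_to_child() is exported through firejail.h but carries no comment describing its contract: it toggles EUID_ROOT()/EUID_USER() around the /proc read, exits the program on any failure, and returns the input pid unchanged when the process name is not "firejail". Because the decision rests on the process name alone, the comment should also say that callers are expected to run invalid_sandbox() on the result, e.g. `// returns the first child if pid is a firejail process, else pid; exits on error; caller must still check invalid_sandbox()`. The error branch reads errno after pid_proc_comm() returns, which only works if that helper (not shown) leaves the errno of the failed /proc access untouched.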
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4212edd9b..b3664ee2e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1652,7 +1652,7 @@ int main(int argc, char **argv) {
1652 else if (strncmp(argv[i], "--private-srv=", 14) == 0) { 1652 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
1653 // extract private srv list 1653 // extract private srv list
1654 if (*(argv[i] + 14) == '\0') { 1654 if (*(argv[i] + 14) == '\0') {
1655 fprintf(stderr, "Error: invalid private-etc option\n"); 1655 fprintf(stderr, "Error: invalid private-srv option\n");
1656 exit(1); 1656 exit(1);
1657 } 1657 }
1658 if (cfg.srv_private_keep) { 1658 if (cfg.srv_private_keep) {
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index de446d032..8fbd11bba 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -170,7 +170,12 @@ void netfilter_print(pid_t pid, int ipv6) {
170 170
171 // join the network namespace 171 // join the network namespace
172 pid_t child; 172 pid_t child;
173 if (find_child(pid, &child) == -1) { 173 if (find_child(pid, &child) == 1) {
174 fprintf(stderr, "Error: cannot join the network namespace\n");
175 exit(1);
176 }
177
178 if (invalid_sandbox(child)) {
174 fprintf(stderr, "Error: cannot join the network namespace\n"); 179 fprintf(stderr, "Error: cannot join the network namespace\n");
175 exit(1); 180 exit(1);
176 } 181 }
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
deleted file mode 100644
index 75bdc346d..000000000
--- a/src/firejail/network.txt
+++ /dev/null
@@ -1,95 +0,0 @@
1struct Bridge {
2 char *dev; // bridge device name
3 uint32_t ip; // bridge device IP address
4 uint32_t mask; // bridge device mask
5 uint32_t ipsandbox // sandbox interface IP address
6}
7
8net_configure_bridge(br, device) {
9 br->dev = devname;
10 br->ip = extracted from kernel device - using net_get_if_addr() in network.c
11 br->mask = extracted from kernel device - using net_get_if_addr() in network.c
12 check available network range; /31 networks are not supported
13}
14
15net_configure_sandbox_ip(br) {
16 if br->ip_sandbox
17 check br->ipsandbox inside the bridge network
18 arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address
19 else
20 br->ipsandbox = arp_assign();
21}
22
23net_configure_veth_pair {
24 create a veth pair
25 place one interface end in the bridge
26 place the other end in the namespace of the child process
27}
28
29net_bridge_wait_ip {
30 arp_check br->ipsandbox address to come up
31 wait for not more than 5 seconds
32}
33
34main() {
35
36 foreach argv[i] {
37 if --net
38 br = next bridge available
39 net_configure_bridge(br, device name from argv[i]);
40 else if --ip
41 br = last bridge configured
42 br->ipsandbox = ip address extracted from argv[i]
43 else if --defaultgw
44 cfg.defaultgw = ip address extracted from argv[i]
45 }
46
47 net_check_cfg(); // check the validity of network configuration so far
48
49 if (any bridge configured) {
50 lock /var/lock/firejail.lock file
51 for each bridge
52 net_configure_sandbox_ip(br)
53 }
54
55 clone (new network namespace if any bridge configured or --net=none)
56
57 if (any bridge configured) {
58 for each bridge
59 net_configure_veth_pair
60 }
61
62 notify child init is done
63
64 if (any bridge configured) {
65 for each bridge
66 net_bridge_wait_ip
67 unlock /var/lock/firejail.lock file
68 }
69
70 wait on child
71 exit
72}
73
74
75******************************************************
76* macvlan notes
77******************************************************
78Configure a macvlan interface
79
80# ip link add virtual0 link eth0 type macvlan mode bridge
81(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
82
83Create a new network namespace and move the interface in the new network namespace
84
85# ip netns add dummy0
86# ip link set virtual0 netns dummy0
87
88Join the namespace and configure the interfaces
89
90# ip netns exec dummy0 bash
91# ifconfig lo up
92# ifconfig virtual0 192.168.1.52/24
93
94Investigate ipvlan interface - added to linux kernel 3.19
95https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e30d07229..e3c750767 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -269,18 +269,23 @@ void net_dns_print(pid_t pid) {
269 EUID_ASSERT(); 269 EUID_ASSERT();
270 // drop privileges - will not be able to read /etc/resolv.conf for --noroot option 270 // drop privileges - will not be able to read /etc/resolv.conf for --noroot option
271 271
272 // if the pid is that of a firejail process, use the pid of the first child process 272 // in case the pid is that of a firejail process, use the pid of the first child process
273 EUID_ROOT(); 273 pid = switch_to_child(pid);
274 char *comm = pid_proc_comm(pid); 274
275 EUID_USER(); 275 // now check if the pid belongs to a firejail sandbox
276 if (comm) { 276 if (invalid_sandbox(pid)) {
277 if (strcmp(comm, "firejail") == 0) { 277 fprintf(stderr, "Error: no valid sandbox\n");
278 pid_t child; 278 exit(1);
279 if (find_child(pid, &child) == 0) { 279 }
280 pid = child; 280
281 } 281 // check privileges for non-root users
282 uid_t uid = getuid();
283 if (uid != 0) {
284 uid_t sandbox_uid = pid_get_uid(pid);
285 if (uid != sandbox_uid) {
286 fprintf(stderr, "Error: permission denied.\n");
287 exit(1);
282 } 288 }
283 free(comm);
284 } 289 }
285 290
286 EUID_ROOT(); 291 EUID_ROOT();
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 5bd3f7e09..7c5cc1df9 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -233,5 +233,5 @@ void run_no_sandbox(int argc, char **argv) {
233 233
234 arg_quiet = 1; 234 arg_quiet = 1;
235 235
236 start_application(1); 236 start_application(1, NULL);
237} 237}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 79fc36fb5..ea069de76 100644
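--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1050,7 +1050,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
-#ifdef HAVE_BIND
 if (checkcfg(CFG_BIND)) {
 if (getuid() != 0) {
 fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1083,7 +1082,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else
 warning_feature_disabled("bind");
-#endif
 return 0;
 }
 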
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index eb3763253..9989ddb68 100644
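--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -64,18 +64,13 @@ void protocol_print_filter(pid_t pid) {
 
 (void) pid;
 #ifdef SYS_socket
-// if the pid is that of a firejail process, use the pid of the first child process
-EUID_ROOT();
-char *comm = pid_proc_comm(pid);
-EUID_USER();
-if (comm) {
-if (strcmp(comm, "firejail") == 0) {
-pid_t child;
-if (find_child(pid, &child) == 0) {
-pid = child;
-}
-}
-free(comm);
+// in case the pid is that of a firejail process, use the pid of the first child process
+pid = switch_to_child(pid);
+
+// now check if the pid belongs to a firejail sandbox
+if (invalid_sandbox(pid)) {
+fprintf(stderr, "Error: no valid sandbox\n");
+exit(1);
 }
 
 // check privileges for non-root users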
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 521f144e8..e6696ecb4 100644
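--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -117,7 +117,7 @@ void pulseaudio_init(void) {
 
 int rv = mkdir(dir1, 0755);
 if (rv == 0) {
-if (set_perms(dir1, getuid(), getgid(), 0755))
+if (chmod(dir1, 0755))
 {;} // do nothing
 }
 #ifdef HAVE_GCOV
@@ -153,7 +153,7 @@ void pulseaudio_init(void) {
 
 int rv = mkdir(dir1, 0700);
 if (rv == 0) {
-if (set_perms(dir1, getuid(), getgid(), 0700))
+if (chmod(dir1, 0700))
 {;} // do nothing
 }
 #ifdef HAVE_GCOV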
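Review bot: The result of `chmod(dir1, ...)` is tested only to fall into the empty `{;} // do nothing` branch, so a failure to set the mode is discarded at both call sites (the 0755 and the 0700 directory). `chmod` also acts on the path rather than on the directory `mkdir` just created; presumably this runs as the user inside their own home, but that is not visible in these hunks and is worth confirming. I would at least report the failure, e.g. `if (chmod(dir1, 0700)) fprintf(stderr, "Warning: cannot set permissions on %s\n", dir1);`. pulseaudio_init starts and ends outside both hunks.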
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b0a792277..919a2b84e 100644
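--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -139,6 +139,18 @@ void save_umask(void) {
 }
 }
 
+static FILE *create_ready_for_join_file(void) {
+FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe");
+if (fp) {
+ASSERT_PERMS_STREAM(fp, 0, 0, 0644);
+return fp;
+}
+else {
+fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN);
+exit(1);
+}
+}
+
 static void sandbox_if_up(Bridge *br) {
 assert(br);
 if (!br->configured)
@@ -374,7 +386,7 @@ static int ok_to_run(const char *program) {
 return 0;
 }
 
-void start_application(int no_sandbox) {
+void start_application(int no_sandbox, FILE *fp) {
 // set environment
 if (no_sandbox == 0) {
 env_defaults();
@@ -394,6 +406,11 @@ void start_application(int no_sandbox) {
 #ifndef LTS
 if (arg_audit) {
 assert(arg_audit_prog);
+
+if (fp) {
+fprintf(fp, "ready\n");
+fclose(fp);
+}
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
@@ -426,6 +443,11 @@ void start_application(int no_sandbox) {
 print_time();
 
 int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]);
+
+if (fp) {
+fprintf(fp, "ready\n");
+fclose(fp);
+}
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
@@ -482,6 +504,11 @@ void start_application(int no_sandbox) {
 
 if (!arg_command && !arg_quiet)
 print_time();
+
+if (fp) {
+fprintf(fp, "ready\n");
+fclose(fp);
+}
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
@@ -1080,6 +1107,13 @@ int sandbox(void* sandbox_arg) {
 #endif
 
 //****************************************
+// communicate progress of sandbox set up
+// to --join
+//****************************************
+
+FILE *fp = create_ready_for_join_file();
+
+//****************************************
 // create a new user namespace
 // - too early to drop privileges
 //****************************************
@@ -1144,9 +1178,11 @@ int sandbox(void* sandbox_arg) {
 #endif
 
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
-start_application(0); // start app
+start_application(0, fp); // start app
 }
 
+fclose(fp);
+
 int status = monitor_application(app_pid); // monitor application
 flush_stdin();
 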
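Review bot: The block `if (fp) { fprintf(fp, "ready\n"); fclose(fp); }` is repeated verbatim at three places in start_application, and none of them checks whether the write reached the file. A failed write is fail-closed, since invalid_sandbox in util.c then reports no valid sandbox, but nothing on the sandbox side says why. One static helper called from the three sites would remove the duplication and give a single place to report the error. start_application continues outside these hunks, so it is worth confirming that every path that starts the program passes one of the three sites; a path that skips them would leave the file empty for the lifetime of the sandbox.

```c
// write the "ready" marker for --join and close the stream; fp may be NULL
static void signal_ready_for_join(FILE *fp) {
	if (!fp)
		return;
	int failed = (fprintf(fp, "ready\n") < 0);
	if (fclose(fp) != 0)
		failed = 1;
	if (failed)
		fprintf(stderr, "Warning: cannot write %s\n", RUN_READY_FOR_JOIN);
}

// … unchanged: start_application body; each of the three if (fp) blocks becomes …
signal_ready_for_join(fp);
```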
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 3da0206e1..7be7b3950 100644
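--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -295,18 +295,13 @@ int seccomp_filter_keep(void) {
 void seccomp_print_filter(pid_t pid) {
 EUID_ASSERT();
 
-// if the pid is that of a firejail process, use the pid of the first child process
-EUID_ROOT();
-char *comm = pid_proc_comm(pid);
-EUID_USER();
-if (comm) {
-if (strcmp(comm, "firejail") == 0) {
-pid_t child;
-if (find_child(pid, &child) == 0) {
-pid = child;
-}
-}
-free(comm);
+// in case the pid is that of a firejail process, use the pid of the first child process
+pid = switch_to_child(pid);
+
+// now check if the pid belongs to a firejail sandbox
+if (invalid_sandbox(pid)) {
+fprintf(stderr, "Error: no valid sandbox\n");
+exit(1);
 }
 
 // check privileges for non-root users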
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 78cd30926..c8866da3a 100644
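--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
-#ifdef HAVE_BIND
 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-#endif
 " --blacklist=filename - blacklist directory or file.\n"
 " --build - build a whitelisted profile for the application.\n"
 " --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
 " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
 " --private - temporary home directory.\n"
 " --private=directory - use directory as user home.\n"
+" --private-cache - temporary ~/.cache directory.\n"
 " --private-home=file,directory - build a new user home in a temporary\n"
 "\tfilesystem, and copy the files and directories in the list in\n"
 "\tthe new home.\n"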
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 329ae141b..050f7534a 100644
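--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -156,7 +156,6 @@ int mkpath_as_root(const char* path) {
 *p='\0';
 if (mkdir(file_path, 0755)==-1) {
 if (errno != EEXIST) {
-*p='/';
 free(file_path);
 return -1;
 }
@@ -365,7 +364,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
 }
 
 // return -1 if error, 0 if no error
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+void touch_file_as_user(const char *fname, mode_t mode) {
 pid_t child = fork();
 if (child < 0)
 errExit("fork");
@@ -373,10 +372,10 @@ void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
 // drop privileges
 drop_privs(0);
 
-FILE *fp = fopen(fname, "w");
+FILE *fp = fopen(fname, "wx");
 if (fp) {
 fprintf(fp, "\n");
-SET_PERMS_STREAM(fp, uid, gid, mode);
+SET_PERMS_STREAM(fp, -1, -1, mode);
 fclose(fp);
 }
 #ifdef HAVE_GCOV
@@ -425,15 +424,48 @@ int is_link(const char *fname) {
 if (*fname == '\0')
 return 0;
 
+char *dup = NULL;
 struct stat s;
 if (lstat(fname, &s) == 0) {
 if (S_ISLNK(s.st_mode))
 return 1;
+if (S_ISDIR(s.st_mode)) {
+// remove trailing slashes and single dots and try again
+dup = strdup(fname);
+if (!dup)
+errExit("strdup");
+trim_trailing_slash_or_dot(dup);
+if (lstat(dup, &s) == 0) {
+if (S_ISLNK(s.st_mode)) {
+free(dup);
+return 1;
+}
+}
+}
 }
 
+free(dup);
 return 0;
 }
 
+// remove all slashes and single dots from the end of a path
+// for example /foo/bar///././. -> /foo/bar
+void trim_trailing_slash_or_dot(char *path) {
+assert(path);
+
+char *end = strchr(path, '\0');
+assert(end);
+if ((end - path) > 1) {
+end--;
+while (*end == '/' ||
+(*end == '.' && *(end - 1) == '/')) {
+*end = '\0';
+end--;
+if (end == path)
+break;
+}
+}
+}
 
 // remove multiple spaces and return allocated memory
 char *line_remove_spaces(const char *buf) {
@@ -762,12 +794,14 @@ uid_t pid_get_uid(pid_t pid) {
 char buf[PIDS_BUFLEN];
 while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
 if (strncmp(buf, "Uid:", 4) == 0) {
-char *ptr = buf + 5;
+char *ptr = buf + 4;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }
-if (*ptr == '\0')
-break;
+if (*ptr == '\0') {
+fprintf(stderr, "Error: cannot read /proc file\n");
+exit(1);
+}
 
 rv = atoi(ptr);
 break; // break regardless!
@@ -778,10 +812,6 @@ uid_t pid_get_uid(pid_t pid) {
 free(file);
 EUID_USER(); // grsecurity fix
 
-if (rv == 0) {
-fprintf(stderr, "Error: cannot read /proc file\n");
-exit(1);
-}
 return rv;
 }
 
@@ -891,10 +921,8 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
 FILE *fp = fopen(fname, "w");
 if (!fp)
 errExit("fopen");
-SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
+SET_PERMS_STREAM(fp, 0, 0, mode);
 fclose(fp);
-if (chmod(fname, mode) == -1)
-errExit("chmod");
 }
 }
 
@@ -1022,7 +1050,7 @@ int safe_fd(const char *path, int flags) {
 errExit("open");
 
 // traverse the path and return -1 if a symlink is encountered
-int entered = 0;
+int weird_pathname = 1;
 int fd = -1;
 char *tok = strtok(dup, "/");
 while (tok) {
@@ -1031,7 +1059,7 @@ int safe_fd(const char *path, int flags) {
 tok = strtok(NULL, "/");
 continue;
 }
-entered = 1;
+weird_pathname = 0;
 
 // open the directory
 fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
@@ -1046,7 +1074,7 @@ int safe_fd(const char *path, int flags) {
 }
 if (p != dup) {
 // consistent flags for top level directories (////foo, /.///foo)
-if (!entered)
+if (weird_pathname)
 flags = O_PATH|O_DIRECTORY|O_CLOEXEC;
 // open last path segment
 fd = openat(parentfd, p + 1, flags|O_NOFOLLOW);
@@ -1059,3 +1087,66 @@ errexit:
 fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
 exit(1);
 }
+
+
+// return 1 if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return 0 if the sandbox is complete
+int invalid_sandbox(const pid_t pid) {
+// check if a file "ready-for-join" exists
+char *fname;
+if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+errExit("asprintf");
+EUID_ROOT();
+FILE *fp = fopen(fname, "re");
+EUID_USER();
+free(fname);
+if (!fp)
+return 1;
+// regular file owned by root
+int fd = fileno(fp);
+if (fd == -1)
+errExit("fileno");
+struct stat s;
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+fclose(fp);
+return 1;
+}
+// check if it is non-empty
+char buf[BUFLEN];
+if (fgets(buf, BUFLEN, fp) == NULL) {
+fclose(fp);
+return 1;
+}
+fclose(fp);
+// confirm "ready" string was written
+if (strncmp(buf, "ready\n", 6) != 0)
+return 1;
+
+// walk down the process tree a few nodes, there should be no firejail leaf
+#define MAXNODES 5
+pid_t current = pid, next;
+int i;
+for (i = 0; i < MAXNODES; i++) {
+if (find_child(current, &next) == 1) {
+// found a leaf
+EUID_ROOT();
+char *comm = pid_proc_comm(current);
+EUID_USER();
+if (!comm) {
+fprintf(stderr, "Error: cannot read /proc file\n");
+exit(1);
+}
+if (strcmp(comm, "firejail") == 0) {
+free(comm);
+return 1;
+}
+free(comm);
+break;
+}
+current = next;
+}
+
+return 0;
+}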
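Review bot: In invalid_sandbox the path under `/proc/<pid>/root` is opened with `fopen(fname, "re")` while the effective uid is root, and the `S_ISREG`/`st_uid` test runs only afterwards on the already-open descriptor. For a pid that is not a firejail sandbox the contents of that root are not under firejail's control, so the open itself can block on a FIFO or follow a symlink in the last path component before the check has a chance to reject it. Opening with `int fd = open(fname, O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NONBLOCK);` followed by `fdopen(fd, "r")` keeps the existing fstat check and closes both cases. Separately, `#define MAXNODES 5` sits inside the function body and is never undefined; a file-level constant would be cleaner.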
diff --git a/src/lib/common.c b/src/lib/common.c
index fa988446b..d6dd43c4b 100644
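--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -129,7 +129,7 @@ char *pid_proc_comm(const pid_t pid) {
 // open /proc/pid/cmdline file
 char *fname;
 int fd;
-if (asprintf(&fname, "/proc/%d//comm", pid) == -1)
+if (asprintf(&fname, "/proc/%d/comm", pid) == -1)
 return NULL;
 if ((fd = open(fname, O_RDONLY)) < 0) {
 free(fname);
@@ -154,6 +154,8 @@ char *pid_proc_comm(const pid_t pid) {
 
 // return a malloc copy of the command line
 char *rv = strdup(buffer);
+if (!rv)
+return NULL;
 if (strlen(rv) == 0) {
 free(rv);
 return NULL;
@@ -192,6 +194,8 @@ char *pid_proc_cmdline(const pid_t pid) {
 
 // return a malloc copy of the command line
 char *rv = strdup((char *) buffer);
+if (!rv)
+return NULL;
 if (strlen(rv) == 0) {
 free(rv);
 return NULL;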
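Review bot: The comment directly above the corrected path still reads `// open /proc/pid/cmdline file`, although pid_proc_comm opens `/proc/<pid>/comm`. The comment `// return a malloc copy of the command line` in the second hunk has the same problem, since what is copied there is the comm value. Suggested wording: `// open /proc/pid/comm file` and `// return a malloc copy of the process name`. Both functions start and end outside the hunks.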
diff --git a/src/lib/pid.c b/src/lib/pid.c
index 3c804716d..75576c787 100644
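--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -149,7 +149,7 @@ uid_t pid_get_uid(pid_t pid) {
 char buf[PIDS_BUFLEN];
 while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
 if (strncmp(buf, "Uid:", 4) == 0) {
-char *ptr = buf + 5;
+char *ptr = buf + 4;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }
@@ -398,7 +398,7 @@ void pid_read(pid_t mon_pid) {
 pids[pid].parent = parent;
 }
 else if (strncmp(buf, "Uid:", 4) == 0) {
-char *ptr = buf + 5;
+char *ptr = buf + 4;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }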
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e29cf4f4b..17562c503 100644
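--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -113,6 +113,8 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
+.br
+Example: "ignore net ehh0"
 
 .TP
 \fBquiet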
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f29d9cddf..7de1bff50 100644
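--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -170,7 +170,7 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w
 .br
 Example:
 .br
-$ firejail --build=profile-file vlc ~/Videos/test.mp4
+$ firejail --build vlc ~/Videos/test.mp4
 .TP
 \fB\-\-build=profile-file
 The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
@@ -509,7 +509,8 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
-
+.br
+$ firejail \-\-ignore="net eth0" firefox
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.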
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 9cae72b54..214fcac44 100644
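--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -105,7 +105,7 @@ The owner of the sandbox.
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
 \&\flfirecfg\fR\|(1),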
diff --git a/status b/status
index 44f9318f8..505a900bb 100644
--- a/status
+++ b/status
@@ -1,3 +1,5 @@
1Aug 26 - merge mainline
2
1Phase 2 3Phase 2
2- Aug 21 4- Aug 21
3- remove --output --libtrace --libtracelog 5- remove --output --libtrace --libtracelog