diff options
49 files changed, 55 insertions, 8 deletions
diff --git a/Makefile.in b/Makefile.in index 1ed3e4df1..c4b3d238a 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -136,6 +136,7 @@ realinstall: | |||
| 136 | install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 136 | install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 137 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 137 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 138 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 138 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 139 | install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
| 139 | bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 140 | bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
| 140 | rm -fr .etc | 141 | rm -fr .etc |
| 141 | # man pages | 142 | # man pages |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 3b76afa0d..d1f4b1de1 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
| @@ -7,6 +7,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-secret.inc |
| 8 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
| 9 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
| 10 | include /etc/firejail/disable-terminals.inc | ||
| 10 | caps.drop all | 11 | caps.drop all |
| 11 | seccomp | 12 | seccomp |
| 12 | noroot | 13 | noroot |
diff --git a/etc/audacious.profile b/etc/audacious.profile index fa9cbbc52..f9a48f33c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 4cd24fd0a..5eeddb815 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
| @@ -3,6 +3,7 @@ noblacklist /sbin | |||
| 3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
| 4 | include /etc/firejail/disable-mgmt.inc | 4 | include /etc/firejail/disable-mgmt.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
| 7 | private | 8 | private |
| 8 | private-dev | 9 | private-dev |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 35bdaa801..af2c740a8 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/chromium | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | 7 | ||
| 7 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 8 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/clementine.profile b/etc/clementine.profile index e84d8f19a..c9c0ca724 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
| @@ -2,7 +2,9 @@ | |||
| 2 | include /etc/firejail/disable-mgmt.inc | 2 | include /etc/firejail/disable-mgmt.inc |
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index e2e55a045..09f491c61 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.conkeror.mozdev.org | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | caps.drop all | 7 | caps.drop all |
| 7 | seccomp | 8 | seccomp |
| 8 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 0d6e70a4a..35760bf13 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/deluge.profile b/etc/deluge.profile index 4f76f3666..30e9f91ad 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 46dd04bcd..d97740860 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -125,10 +125,3 @@ read-only ${HOME}/.xscreensaver | |||
| 125 | # The user ~/bin directory can override commands such as ls | 125 | # The user ~/bin directory can override commands such as ls |
| 126 | read-only ${HOME}/bin | 126 | read-only ${HOME}/bin |
| 127 | 127 | ||
| 128 | # disable terminals running as server | ||
| 129 | blacklist ${PATH}/lxterminal | ||
| 130 | blacklist ${PATH}/gnome-terminal | ||
| 131 | blacklist ${PATH}/gnome-terminal.wrapper | ||
| 132 | blacklist ${PATH}/xfce4-terminal | ||
| 133 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
| 134 | blacklist ${PATH}/konsole | ||
diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc new file mode 100644 index 000000000..b5ff07a61 --- /dev/null +++ b/etc/disable-terminals.inc | |||
| @@ -0,0 +1,7 @@ | |||
| 1 | # disable terminals running as server | ||
| 2 | blacklist ${PATH}/lxterminal | ||
| 3 | blacklist ${PATH}/gnome-terminal | ||
| 4 | blacklist ${PATH}/gnome-terminal.wrapper | ||
| 5 | blacklist ${PATH}/xfce4-terminal | ||
| 6 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
| 7 | blacklist ${PATH}/konsole | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index d13bab06b..0bc7ac78e 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-secret.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 8 | private | 9 | private |
| 9 | private-dev | 10 | private-dev |
| 10 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 248e3ac9e..9d2c612de 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
| @@ -2,6 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-mgmt.inc | 2 | include /etc/firejail/disable-mgmt.inc |
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 5 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 6 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 7 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
diff --git a/etc/empathy.profile b/etc/empathy.profile index 984bbc58e..7c96dc6fa 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.wine | 7 | blacklist ${HOME}/.wine |
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
diff --git a/etc/evince.profile b/etc/evince.profile index 34d8162b3..070dc7be7 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f94fc28df..a79f36398 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index ba8649067..1462d134e 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 5 | include /etc/firejail/disable-secret.inc | 5 | include /etc/firejail/disable-secret.inc |
| 6 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 8 | blacklist ${HOME}/.wine | 9 | blacklist ${HOME}/.wine |
| 9 | caps.drop all | 10 | caps.drop all |
| 10 | seccomp | 11 | seccomp |
diff --git a/etc/firefox.profile b/etc/firefox.profile index fa753e028..0946ebfbe 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6,netlink | 10 | protocol unix,inet,inet6,netlink |
diff --git a/etc/generic.profile b/etc/generic.profile index cc40ad27e..5618a555e 100644 --- a/etc/generic.profile +++ b/etc/generic.profile | |||
| @@ -4,6 +4,7 @@ | |||
| 4 | include /etc/firejail/disable-mgmt.inc | 4 | include /etc/firejail/disable-mgmt.inc |
| 5 | include /etc/firejail/disable-secret.inc | 5 | include /etc/firejail/disable-secret.inc |
| 6 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 0a495b0b0..8062c859a 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index a50afa1cd..f6b96575e 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-beta | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | 7 | ||
| 7 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 8 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index c3871905d..3054a63db 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-unstable | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | 7 | ||
| 7 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 8 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 6b110593e..3d5a6ebbd 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | 7 | ||
| 7 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 8 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 61c9ac5bb..35b98fde6 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6 | 10 | protocol unix,inet,inet6 |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 05713755e..ca29675a0 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
diff --git a/etc/midori.profile b/etc/midori.profile index 77a6fb984..e46a6baa2 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6 | 10 | protocol unix,inet,inet6 |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index f21c35609..830531c04 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | whitelist ${HOME}/.local/share/mupen64plus/ | 8 | whitelist ${HOME}/.local/share/mupen64plus/ |
| 8 | whitelist ${HOME}/.config/mupen64plus/ | 9 | whitelist ${HOME}/.config/mupen64plus/ |
| 9 | noroot | 10 | noroot |
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 10141615c..783e8b0ef 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | netfilter | 8 | netfilter |
| 8 | whitelist ~/.config/opera-beta | 9 | whitelist ~/.config/opera-beta |
| 9 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
diff --git a/etc/opera.profile b/etc/opera.profile index 72205d7fb..dd710a8fe 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | netfilter | 8 | netfilter |
| 8 | whitelist ~/.config/opera | 9 | whitelist ~/.config/opera |
| 9 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
diff --git a/etc/parole.profile b/etc/parole.profile index 24181c8d6..fd49bcf07 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | private-etc passwd,group,fonts | 7 | private-etc passwd,group,fonts |
| 7 | private-bin parole,dbus-launch | 8 | private-bin parole,dbus-launch |
| 8 | blacklist ${HOME}/.pki/nssdb | 9 | blacklist ${HOME}/.pki/nssdb |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 3dd57b623..54bedccc8 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | blacklist ${HOME}/.wine | 8 | blacklist ${HOME}/.wine |
| 8 | caps.drop all | 9 | caps.drop all |
| 9 | seccomp | 10 | seccomp |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index dd50c779e..c68eb716b 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/quassel.profile b/etc/quassel.profile index cb97d0752..e8db77973 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.wine | 7 | blacklist ${HOME}/.wine |
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9fc1fcb80..3326a34ed 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c2c0356d9..7ba5677e9 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | caps.drop all | 7 | caps.drop all |
| 7 | seccomp | 8 | seccomp |
| 8 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile index 6458d073f..d585c719b 100644 --- a/etc/seamonkey-bin.profile +++ b/etc/seamonkey-bin.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6,netlink | 10 | protocol unix,inet,inet6,netlink |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 6458d073f..d585c719b 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6,netlink | 10 | protocol unix,inet,inet6,netlink |
diff --git a/etc/skype.profile b/etc/skype.profile index 4d2d042cc..a33cc339d 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | netfilter | 9 | netfilter |
| 9 | noroot | 10 | noroot |
diff --git a/etc/steam.profile b/etc/steam.profile index 5b9244567..dc17c7a0f 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 5 | include /etc/firejail/disable-secret.inc | 5 | include /etc/firejail/disable-secret.inc |
| 6 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 8 | caps.drop all | 9 | caps.drop all |
| 9 | netfilter | 10 | netfilter |
| 10 | noroot | 11 | noroot |
diff --git a/etc/telegram.profile b/etc/telegram.profile index 0312a7a09..261da6397 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | 8 | ||
| 8 | caps.drop all | 9 | caps.drop all |
| 9 | seccomp | 10 | seccomp |
diff --git a/etc/totem.profile b/etc/totem.profile index 52b9450c3..65c62695e 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index a66ab0d63..290de9445 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index ad23c62dc..6ff49e476 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 6d0c5becb..0430f12b4 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | caps.drop all | 7 | caps.drop all |
| 7 | seccomp | 8 | seccomp |
| 8 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/unbound.profile b/etc/unbound.profile index aba5a9ba1..c4f009159 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
| @@ -5,7 +5,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-secret.inc |
| 8 | private | 8 | include /etc/firejail/disable-terminals.inc |
| 9 | private | 9 | private |
| 10 | private-dev | 10 | private-dev |
| 11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
diff --git a/etc/vlc.profile b/etc/vlc.profile index 37ff29308..028de0ad1 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
| @@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 3 | include /etc/firejail/disable-secret.inc | 3 | include /etc/firejail/disable-secret.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/weechat.profile b/etc/weechat.profile index 79e3ae774..218df3b33 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
| @@ -3,6 +3,7 @@ noblacklist ${HOME}/.weechat | |||
| 3 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-secret.inc | 5 | include /etc/firejail/disable-secret.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 6 | caps.drop all | 7 | caps.drop all |
| 7 | seccomp | 8 | seccomp |
| 8 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/wine.profile b/etc/wine.profile index 8a7f66773..ae1f5d1b6 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
| @@ -6,6 +6,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 6 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
| 7 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
| 8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
| 9 | include /etc/firejail/disable-terminals.inc | ||
| 9 | caps.drop all | 10 | caps.drop all |
| 10 | netfilter | 11 | netfilter |
| 11 | noroot | 12 | noroot |
diff --git a/etc/xchat.profile b/etc/xchat.profile index 37e1371e6..be68e0add 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
| @@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
| 4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 7 | blacklist ${HOME}/.wine | 8 | blacklist ${HOME}/.wine |
| 8 | caps.drop all | 9 | caps.drop all |
| 9 | seccomp | 10 | seccomp |