diff options
638 files changed, 2040 insertions, 514 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 40ba00db6..fd1f23954 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -10,6 +10,9 @@ on: | |||
10 | - RELNOTES | 10 | - RELNOTES |
11 | - SECURITY.md | 11 | - SECURITY.md |
12 | - 'etc/**' | 12 | - 'etc/**' |
13 | - 'src/firecfg/firecfg.config' | ||
14 | - '.github/ISSUE_TEMPLATE/*' | ||
15 | - '.github/pull_request_template.md' | ||
13 | pull_request: | 16 | pull_request: |
14 | branches: [ master ] | 17 | branches: [ master ] |
15 | paths-ignore: | 18 | paths-ignore: |
@@ -19,6 +22,9 @@ on: | |||
19 | - RELNOTES | 22 | - RELNOTES |
20 | - SECURITY.md | 23 | - SECURITY.md |
21 | - 'etc/**' | 24 | - 'etc/**' |
25 | - 'src/firecfg/firecfg.config' | ||
26 | - '.github/ISSUE_TEMPLATE/*' | ||
27 | - '.github/pull_request_template.md' | ||
22 | 28 | ||
23 | jobs: | 29 | jobs: |
24 | build-clang: | 30 | build-clang: |
@@ -26,19 +32,19 @@ jobs: | |||
26 | steps: | 32 | steps: |
27 | - uses: actions/checkout@v2 | 33 | - uses: actions/checkout@v2 |
28 | - name: configure | 34 | - name: configure |
29 | run: CC=clang-10 ./configure --enable-fatal-warnings | 35 | run: CC=clang-11 ./configure --enable-fatal-warnings |
30 | - name: make | 36 | - name: make |
31 | run: make | 37 | run: make |
32 | scan-build: | 38 | scan-build: |
33 | runs-on: ubuntu-20.04 | 39 | runs-on: ubuntu-20.04 |
34 | steps: | 40 | steps: |
35 | - uses: actions/checkout@v2 | 41 | - uses: actions/checkout@v2 |
36 | - name: install clang-tools-10 | 42 | - name: install clang-tools-11 |
37 | run: sudo apt-get install clang-tools-10 | 43 | run: sudo apt-get install clang-tools-11 |
38 | - name: configure | 44 | - name: configure |
39 | run: CC=clang-10 ./configure --enable-fatal-warnings | 45 | run: CC=clang-11 ./configure --enable-fatal-warnings |
40 | - name: scan-build | 46 | - name: scan-build |
41 | run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make | 47 | run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make |
42 | cppcheck: | 48 | cppcheck: |
43 | runs-on: ubuntu-20.04 | 49 | runs-on: ubuntu-20.04 |
44 | steps: | 50 | steps: |
@@ -278,6 +278,7 @@ David Thole (https://github.com/TheDarkTrumpet) | |||
278 | Davide Beatrici (https://github.com/davidebeatrici) | 278 | Davide Beatrici (https://github.com/davidebeatrici) |
279 | - steam.profile: correctly blacklist unneeded directories in user's home | 279 | - steam.profile: correctly blacklist unneeded directories in user's home |
280 | - minetest fixes | 280 | - minetest fixes |
281 | - map /dev/input with "--private-dev", add "--no-input" option to disable it | ||
281 | David Hyrule (https://github.com/Svaag) | 282 | David Hyrule (https://github.com/Svaag) |
282 | - remove nou2f in ssh profile | 283 | - remove nou2f in ssh profile |
283 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 284 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
@@ -553,6 +554,7 @@ Kishore96in (https://github.com/Kishore96in) | |||
553 | - okular profile fixes | 554 | - okular profile fixes |
554 | - jitsi-meet-desktop profile | 555 | - jitsi-meet-desktop profile |
555 | - konversatin profile fix | 556 | - konversatin profile fix |
557 | - added Neochat profile | ||
556 | KOLANICH (https://github.com/KOLANICH) | 558 | KOLANICH (https://github.com/KOLANICH) |
557 | - added symlink fixer fix_private-bin.py in contrib section | 559 | - added symlink fixer fix_private-bin.py in contrib section |
558 | - update fix_private-bin.py | 560 | - update fix_private-bin.py |
@@ -619,6 +621,8 @@ Melvin Vermeeren (https://github.com/melvinvermeeren) | |||
619 | - added --noautopulse command line option | 621 | - added --noautopulse command line option |
620 | Michael Haas (https://github.com/mhaas) | 622 | Michael Haas (https://github.com/mhaas) |
621 | - bugfixes | 623 | - bugfixes |
624 | Michael Hoffmann (https://github.com/brisad) | ||
625 | - added support for subdirs in private-etc | ||
622 | Mike Frysinger (vapier@gentoo.org) | 626 | Mike Frysinger (vapier@gentoo.org) |
623 | - Gentoo compile patch | 627 | - Gentoo compile patch |
624 | mirabellette (https://github.com/mirabellette) | 628 | mirabellette (https://github.com/mirabellette) |
@@ -827,7 +831,7 @@ soredake (https://github.com/soredake) | |||
827 | - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile | 831 | - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile |
828 | - fix keepassxc.profile | 832 | - fix keepassxc.profile |
829 | - fix qtox.profile | 833 | - fix qtox.profile |
830 | - add ocaltime to private-etc to make qtox show correct time | 834 | - add localtime to private-etc to make qtox show correct time |
831 | - fixes for the keepassxc 2.2.5 version | 835 | - fixes for the keepassxc 2.2.5 version |
832 | SkewedZeppelin (https://github.com/SkewedZeppelin) | 836 | SkewedZeppelin (https://github.com/SkewedZeppelin) |
833 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 837 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles |
@@ -333,4 +333,7 @@ Stats: | |||
333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, | 334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, |
335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, | 335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, |
336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly | 336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, |
337 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, | ||
338 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon | ||
339 | neochat, node, nvm | ||
@@ -9,16 +9,25 @@ firejail (0.9.65) baseline; urgency=low | |||
9 | * removed --audit options, relpaced by jailtest | 9 | * removed --audit options, relpaced by jailtest |
10 | * capabilities list update | 10 | * capabilities list update |
11 | * faccessat2 syscall support | 11 | * faccessat2 syscall support |
12 | * --private-dev keeps /dev/input | ||
13 | * added --noinput to disable /dev/input | ||
14 | * Add support for subdirs in --private-etc | ||
12 | * compile time: --enable-force-nonewprivs | 15 | * compile time: --enable-force-nonewprivs |
13 | * compile time: --disable-output | 16 | * compile time: --disable-output |
14 | * compile time: --enable-lts | 17 | * compile time: --enable-lts |
18 | * subdirs support in private-etc | ||
19 | * input devices support in private-dev, --no-input | ||
15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng | 20 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng |
16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 21 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
17 | * avidemux, calligragemini, vmware-player, vmware-workstation | 22 | * avidemux, calligragemini, vmware-player, vmware-workstation |
18 | * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr | 23 | * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr |
19 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum | 24 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum |
20 | * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum | 25 | * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum |
21 | * sha384sum, sha512sum, librewold-nightly | 26 | * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway |
27 | * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, | ||
28 | * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, | ||
29 | * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon | ||
30 | * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat | ||
22 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 31 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
23 | 32 | ||
24 | firejail (0.9.64.4) baseline; urgency=low | 33 | firejail (0.9.64.4) baseline; urgency=low |
diff --git a/contrib/sort.py b/contrib/sort.py index 9e5062c3c..c7325facb 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -35,43 +35,16 @@ def sort_alphabetical(raw_items): | |||
35 | 35 | ||
36 | def sort_protocol(protocols): | 36 | def sort_protocol(protocols): |
37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" |
38 | |||
38 | # shortcut for common protocol lines | 39 | # shortcut for common protocol lines |
39 | if protocols in ("unix", "unix,inet,inet6"): | 40 | if protocols in ("unix", "unix,inet,inet6"): |
40 | return protocols | 41 | return protocols |
42 | |||
41 | fixed_protocols = "" | 43 | fixed_protocols = "" |
42 | present_protocols = { | 44 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): |
43 | "unix": False, | 45 | for prefix in ("", "-", "+", "="): |
44 | "inet": False, | 46 | if f",{prefix}{protocol}," in f",{protocols},": |
45 | "inet6": False, | 47 | fixed_protocols += f"{prefix}{protocol}," |
46 | "netlink": False, | ||
47 | "packet": False, | ||
48 | "bluetooth": False, | ||
49 | } | ||
50 | for protocol in protocols.split(","): | ||
51 | if protocol == "unix": | ||
52 | present_protocols["unix"] = True | ||
53 | elif protocol == "inet": | ||
54 | present_protocols["inet"] = True | ||
55 | elif protocol == "inet6": | ||
56 | present_protocols["inet6"] = True | ||
57 | elif protocol == "netlink": | ||
58 | present_protocols["netlink"] = True | ||
59 | elif protocol == "packet": | ||
60 | present_protocols["packet"] = True | ||
61 | elif protocol == "bluetooth": | ||
62 | present_protocols["bluetooth"] = True | ||
63 | if present_protocols["unix"]: | ||
64 | fixed_protocols += "unix," | ||
65 | if present_protocols["inet"]: | ||
66 | fixed_protocols += "inet," | ||
67 | if present_protocols["inet6"]: | ||
68 | fixed_protocols += "inet6," | ||
69 | if present_protocols["netlink"]: | ||
70 | fixed_protocols += "netlink," | ||
71 | if present_protocols["packet"]: | ||
72 | fixed_protocols += "packet," | ||
73 | if present_protocols["bluetooth"]: | ||
74 | fixed_protocols += "bluetooth," | ||
75 | return fixed_protocols[:-1] | 48 | return fixed_protocols[:-1] |
76 | 49 | ||
77 | 50 | ||
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 65eb690ac..8775ae71d 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
49 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 49 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
50 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 50 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
51 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 51 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
52 | syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 52 | syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
53 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 53 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
54 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | 54 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained |
55 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained | 55 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained |
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 41643657d..babe46571 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc | |||
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java | |||
15 | noblacklist ${HOME}/.node-gyp | 15 | noblacklist ${HOME}/.node-gyp |
16 | noblacklist ${HOME}/.npm | 16 | noblacklist ${HOME}/.npm |
17 | noblacklist ${HOME}/.npmrc | 17 | noblacklist ${HOME}/.npmrc |
18 | noblacklist ${HOME}/.nvm | ||
18 | noblacklist ${HOME}/.yarn | 19 | noblacklist ${HOME}/.yarn |
19 | noblacklist ${HOME}/.yarn-config | 20 | noblacklist ${HOME}/.yarn-config |
20 | noblacklist ${HOME}/.yarncache | 21 | noblacklist ${HOME}/.yarncache |
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc index 78a4bed80..351c94ab8 100644 --- a/etc/inc/allow-nodejs.inc +++ b/etc/inc/allow-nodejs.inc | |||
@@ -4,3 +4,7 @@ include allow-nodejs.local | |||
4 | 4 | ||
5 | noblacklist ${PATH}/node | 5 | noblacklist ${PATH}/node |
6 | noblacklist /usr/include/node | 6 | noblacklist /usr/include/node |
7 | |||
8 | # Allow python for node-gyp (blacklisted by disable-interpreters.inc) | ||
9 | include allow-python2.inc | ||
10 | include allow-python3.inc | ||
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc new file mode 100644 index 000000000..b5ff1bd50 --- /dev/null +++ b/etc/inc/allow-opengl-game.inc | |||
@@ -0,0 +1,3 @@ | |||
1 | noblacklist ${PATH}/bash | ||
2 | whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh | ||
3 | private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity | ||
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 35f89e11b..2dc53d311 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -338,10 +338,12 @@ read-only ${HOME}/dotfiles | |||
338 | read-only ${HOME}/.gem | 338 | read-only ${HOME}/.gem |
339 | read-only ${HOME}/.luarocks | 339 | read-only ${HOME}/.luarocks |
340 | read-only ${HOME}/.npm-packages | 340 | read-only ${HOME}/.npm-packages |
341 | read-only ${HOME}/.nvm | ||
341 | read-only ${HOME}/bin | 342 | read-only ${HOME}/bin |
342 | read-only ${HOME}/.bin | 343 | read-only ${HOME}/.bin |
343 | read-only ${HOME}/.local/bin | 344 | read-only ${HOME}/.local/bin |
344 | read-only ${HOME}/.cargo/bin | 345 | read-only ${HOME}/.cargo/bin |
346 | read-only ${HOME}/.rustup | ||
345 | 347 | ||
346 | # Write-protection for desktop entries | 348 | # Write-protection for desktop entries |
347 | read-only ${HOME}/.config/menus | 349 | read-only ${HOME}/.config/menus |
@@ -366,6 +368,7 @@ blacklist ${HOME}/*.key | |||
366 | blacklist ${HOME}/.Private | 368 | blacklist ${HOME}/.Private |
367 | blacklist ${HOME}/.caff | 369 | blacklist ${HOME}/.caff |
368 | blacklist ${HOME}/.cargo/credentials | 370 | blacklist ${HOME}/.cargo/credentials |
371 | blacklist ${HOME}/.cargo/credentials.toml | ||
369 | blacklist ${HOME}/.cert | 372 | blacklist ${HOME}/.cert |
370 | blacklist ${HOME}/.config/keybase | 373 | blacklist ${HOME}/.config/keybase |
371 | blacklist ${HOME}/.davfs2/secrets | 374 | blacklist ${HOME}/.davfs2/secrets |
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc index 316378cb8..3ed9a1b14 100644 --- a/etc/inc/disable-passwdmgr.inc +++ b/etc/inc/disable-passwdmgr.inc | |||
@@ -7,6 +7,7 @@ blacklist ${HOME}/.config/KeePass | |||
7 | blacklist ${HOME}/.config/keepass | 7 | blacklist ${HOME}/.config/keepass |
8 | blacklist ${HOME}/.config/keepassx | 8 | blacklist ${HOME}/.config/keepassx |
9 | blacklist ${HOME}/.config/keepassxc | 9 | blacklist ${HOME}/.config/keepassxc |
10 | blacklist ${HOME}/.config/KeePassXCrc | ||
10 | blacklist ${HOME}/.config/Sinew Software Systems | 11 | blacklist ${HOME}/.config/Sinew Software Systems |
11 | blacklist ${HOME}/.fpm | 12 | blacklist ${HOME}/.fpm |
12 | blacklist ${HOME}/.keepass | 13 | blacklist ${HOME}/.keepass |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 8ccbae5ca..90abe1d3e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -52,6 +52,7 @@ blacklist ${HOME}/.atom | |||
52 | blacklist ${HOME}/.attic | 52 | blacklist ${HOME}/.attic |
53 | blacklist ${HOME}/.audacity-data | 53 | blacklist ${HOME}/.audacity-data |
54 | blacklist ${HOME}/.avidemux6 | 54 | blacklist ${HOME}/.avidemux6 |
55 | blacklist ${HOME}/.ballbuster.hs | ||
55 | blacklist ${HOME}/.balsa | 56 | blacklist ${HOME}/.balsa |
56 | blacklist ${HOME}/.bcast5 | 57 | blacklist ${HOME}/.bcast5 |
57 | blacklist ${HOME}/.bibletime | 58 | blacklist ${HOME}/.bibletime |
@@ -105,6 +106,7 @@ blacklist ${HOME}/.config/Gpredict | |||
105 | blacklist ${HOME}/.config/INRIA | 106 | blacklist ${HOME}/.config/INRIA |
106 | blacklist ${HOME}/.config/InSilmaril | 107 | blacklist ${HOME}/.config/InSilmaril |
107 | blacklist ${HOME}/.config/Jitsi Meet | 108 | blacklist ${HOME}/.config/Jitsi Meet |
109 | blacklist ${HOME}/.config/KDE/neochat | ||
108 | blacklist ${HOME}/.config/Kid3 | 110 | blacklist ${HOME}/.config/Kid3 |
109 | blacklist ${HOME}/.config/Kingsoft | 111 | blacklist ${HOME}/.config/Kingsoft |
110 | blacklist ${HOME}/.config/Loop_Hero | 112 | blacklist ${HOME}/.config/Loop_Hero |
@@ -137,6 +139,7 @@ blacklist ${HOME}/.config/Rambox | |||
137 | blacklist ${HOME}/.config/Riot | 139 | blacklist ${HOME}/.config/Riot |
138 | blacklist ${HOME}/.config/Rocket.Chat | 140 | blacklist ${HOME}/.config/Rocket.Chat |
139 | blacklist ${HOME}/.config/RogueLegacy | 141 | blacklist ${HOME}/.config/RogueLegacy |
142 | blacklist ${HOME}/.config/RogueLegacyStorageContainer | ||
140 | blacklist ${HOME}/.config/Signal | 143 | blacklist ${HOME}/.config/Signal |
141 | blacklist ${HOME}/.config/Sinew Software Systems | 144 | blacklist ${HOME}/.config/Sinew Software Systems |
142 | blacklist ${HOME}/.config/Slack | 145 | blacklist ${HOME}/.config/Slack |
@@ -220,6 +223,7 @@ blacklist ${HOME}/.config/d-feet | |||
220 | blacklist ${HOME}/.config/electron-mail | 223 | blacklist ${HOME}/.config/electron-mail |
221 | blacklist ${HOME}/.config/emaildefaults | 224 | blacklist ${HOME}/.config/emaildefaults |
222 | blacklist ${HOME}/.config/emailidentities | 225 | blacklist ${HOME}/.config/emailidentities |
226 | blacklist ${HOME}/.config/emilia | ||
223 | blacklist ${HOME}/.config/enchant | 227 | blacklist ${HOME}/.config/enchant |
224 | blacklist ${HOME}/.config/eog | 228 | blacklist ${HOME}/.config/eog |
225 | blacklist ${HOME}/.config/epiphany | 229 | blacklist ${HOME}/.config/epiphany |
@@ -339,6 +343,8 @@ blacklist ${HOME}/.config/mypaint | |||
339 | blacklist ${HOME}/.config/nano | 343 | blacklist ${HOME}/.config/nano |
340 | blacklist ${HOME}/.config/nautilus | 344 | blacklist ${HOME}/.config/nautilus |
341 | blacklist ${HOME}/.config/nemo | 345 | blacklist ${HOME}/.config/nemo |
346 | blacklist ${HOME}/.config/neochatrc | ||
347 | blacklist ${HOME}/.config/neochat.notifyrc | ||
342 | blacklist ${HOME}/.config/neomutt | 348 | blacklist ${HOME}/.config/neomutt |
343 | blacklist ${HOME}/.config/netsurf | 349 | blacklist ${HOME}/.config/netsurf |
344 | blacklist ${HOME}/.config/newsbeuter | 350 | blacklist ${HOME}/.config/newsbeuter |
@@ -479,6 +485,7 @@ blacklist ${HOME}/.equalx | |||
479 | blacklist ${HOME}/.ethereum | 485 | blacklist ${HOME}/.ethereum |
480 | blacklist ${HOME}/.etr | 486 | blacklist ${HOME}/.etr |
481 | blacklist ${HOME}/.filezilla | 487 | blacklist ${HOME}/.filezilla |
488 | blacklist ${HOME}/.firedragon | ||
482 | blacklist ${HOME}/.flowblade | 489 | blacklist ${HOME}/.flowblade |
483 | blacklist ${HOME}/.fltk | 490 | blacklist ${HOME}/.fltk |
484 | blacklist ${HOME}/.fossamail | 491 | blacklist ${HOME}/.fossamail |
@@ -490,6 +497,8 @@ blacklist ${HOME}/.frozen-bubble | |||
490 | blacklist ${HOME}/.gimp* | 497 | blacklist ${HOME}/.gimp* |
491 | blacklist ${HOME}/.gist | 498 | blacklist ${HOME}/.gist |
492 | blacklist ${HOME}/.gitconfig | 499 | blacklist ${HOME}/.gitconfig |
500 | blacklist ${HOME}/.gl-117 | ||
501 | blacklist ${HOME}/.glaxiumrc | ||
493 | blacklist ${HOME}/.gnome/gnome-schedule | 502 | blacklist ${HOME}/.gnome/gnome-schedule |
494 | blacklist ${HOME}/.googleearth | 503 | blacklist ${HOME}/.googleearth |
495 | blacklist ${HOME}/.gradle | 504 | blacklist ${HOME}/.gradle |
@@ -595,6 +604,7 @@ blacklist ${HOME}/.local/share/Empathy | |||
595 | blacklist ${HOME}/.local/share/Enpass | 604 | blacklist ${HOME}/.local/share/Enpass |
596 | blacklist ${HOME}/.local/share/Flavio Tordini | 605 | blacklist ${HOME}/.local/share/Flavio Tordini |
597 | blacklist ${HOME}/.local/share/JetBrains | 606 | blacklist ${HOME}/.local/share/JetBrains |
607 | blacklist ${HOME}/.local/share/KDE/neochat | ||
598 | blacklist ${HOME}/.local/share/Kingsoft | 608 | blacklist ${HOME}/.local/share/Kingsoft |
599 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 609 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
600 | blacklist ${HOME}/.local/share/Mumble | 610 | blacklist ${HOME}/.local/share/Mumble |
@@ -607,7 +617,8 @@ blacklist ${HOME}/.local/share/QGIS | |||
607 | blacklist ${HOME}/.local/share/QMediathekView | 617 | blacklist ${HOME}/.local/share/QMediathekView |
608 | blacklist ${HOME}/.local/share/QuiteRss | 618 | blacklist ${HOME}/.local/share/QuiteRss |
609 | blacklist ${HOME}/.local/share/Ricochet | 619 | blacklist ${HOME}/.local/share/Ricochet |
610 | blacklist ${HOME}/.local/share/RogueLegacy* | 620 | blacklist ${HOME}/.local/share/RogueLegacy |
621 | blacklist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
611 | blacklist ${HOME}/.local/share/Shortwave | 622 | blacklist ${HOME}/.local/share/Shortwave |
612 | blacklist ${HOME}/.local/share/Steam | 623 | blacklist ${HOME}/.local/share/Steam |
613 | blacklist ${HOME}/.local/share/SteamWorldDig | 624 | blacklist ${HOME}/.local/share/SteamWorldDig |
@@ -637,6 +648,7 @@ blacklist ${HOME}/.local/share/cdprojektred | |||
637 | blacklist ${HOME}/.local/share/clipit | 648 | blacklist ${HOME}/.local/share/clipit |
638 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate | 649 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate |
639 | blacklist ${HOME}/.local/share/contacts | 650 | blacklist ${HOME}/.local/share/contacts |
651 | blacklist ${HOME}/.local/share/cor-games | ||
640 | blacklist ${HOME}/.local/share/data/Mendeley Ltd. | 652 | blacklist ${HOME}/.local/share/data/Mendeley Ltd. |
641 | blacklist ${HOME}/.local/share/data/Mumble | 653 | blacklist ${HOME}/.local/share/data/Mumble |
642 | blacklist ${HOME}/.local/share/data/MusE | 654 | blacklist ${HOME}/.local/share/data/MusE |
@@ -804,6 +816,7 @@ blacklist ${HOME}/.node-gyp | |||
804 | blacklist ${HOME}/.npm | 816 | blacklist ${HOME}/.npm |
805 | blacklist ${HOME}/.npmrc | 817 | blacklist ${HOME}/.npmrc |
806 | blacklist ${HOME}/.nv | 818 | blacklist ${HOME}/.nv |
819 | blacklist ${HOME}/.nvm | ||
807 | blacklist ${HOME}/.nylas-mail | 820 | blacklist ${HOME}/.nylas-mail |
808 | blacklist ${HOME}/.openarena | 821 | blacklist ${HOME}/.openarena |
809 | blacklist ${HOME}/.opencity | 822 | blacklist ${HOME}/.opencity |
@@ -844,6 +857,7 @@ blacklist ${HOME}/.steampid | |||
844 | blacklist ${HOME}/.stellarium | 857 | blacklist ${HOME}/.stellarium |
845 | blacklist ${HOME}/.subversion | 858 | blacklist ${HOME}/.subversion |
846 | blacklist ${HOME}/.surf | 859 | blacklist ${HOME}/.surf |
860 | blacklist ${HOME}/.suve/colorful | ||
847 | blacklist ${HOME}/.swb.ini | 861 | blacklist ${HOME}/.swb.ini |
848 | blacklist ${HOME}/.sword | 862 | blacklist ${HOME}/.sword |
849 | blacklist ${HOME}/.sylpheed-2.0 | 863 | blacklist ${HOME}/.sylpheed-2.0 |
@@ -952,6 +966,7 @@ blacklist ${HOME}/.cache/epiphany | |||
952 | blacklist ${HOME}/.cache/evolution | 966 | blacklist ${HOME}/.cache/evolution |
953 | blacklist ${HOME}/.cache/falkon | 967 | blacklist ${HOME}/.cache/falkon |
954 | blacklist ${HOME}/.cache/feedreader | 968 | blacklist ${HOME}/.cache/feedreader |
969 | blacklist ${HOME}/.cache/firedragon | ||
955 | blacklist ${HOME}/.cache/flaska.net/trojita | 970 | blacklist ${HOME}/.cache/flaska.net/trojita |
956 | blacklist ${HOME}/.cache/folks | 971 | blacklist ${HOME}/.cache/folks |
957 | blacklist ${HOME}/.cache/font-manager | 972 | blacklist ${HOME}/.cache/font-manager |
@@ -983,6 +998,7 @@ blacklist ${HOME}/.cache/inkscape | |||
983 | blacklist ${HOME}/.cache/inox | 998 | blacklist ${HOME}/.cache/inox |
984 | blacklist ${HOME}/.cache/iridium | 999 | blacklist ${HOME}/.cache/iridium |
985 | blacklist ${HOME}/.cache/kcmshell5 | 1000 | blacklist ${HOME}/.cache/kcmshell5 |
1001 | blacklist ${HOME}/.cache/KDE/neochat | ||
986 | blacklist ${HOME}/.cache/kdenlive | 1002 | blacklist ${HOME}/.cache/kdenlive |
987 | blacklist ${HOME}/.cache/keepassxc | 1003 | blacklist ${HOME}/.cache/keepassxc |
988 | blacklist ${HOME}/.cache/kfind | 1004 | blacklist ${HOME}/.cache/kfind |
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc new file mode 100644 index 000000000..862837f12 --- /dev/null +++ b/etc/inc/whitelist-1793-workaround.inc | |||
@@ -0,0 +1,29 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include whitelist-1793-workaround.local | ||
4 | # This works around bug 1793, and allows whitelisting to be used for some KDE applications. | ||
5 | |||
6 | noblacklist ${HOME}/.config/ibus | ||
7 | noblacklist ${HOME}/.config/mimeapps.list | ||
8 | noblacklist ${HOME}/.config/pkcs11 | ||
9 | noblacklist ${HOME}/.config/user-dirs.dirs | ||
10 | noblacklist ${HOME}/.config/user-dirs.locale | ||
11 | noblacklist ${HOME}/.config/dconf | ||
12 | noblacklist ${HOME}/.config/fontconfig | ||
13 | noblacklist ${HOME}/.config/gtk-2.0 | ||
14 | noblacklist ${HOME}/.config/gtk-3.0 | ||
15 | noblacklist ${HOME}/.config/gtk-4.0 | ||
16 | noblacklist ${HOME}/.config/gtkrc | ||
17 | noblacklist ${HOME}/.config/gtkrc-2.0 | ||
18 | noblacklist ${HOME}/.config/Kvantum | ||
19 | noblacklist ${HOME}/.config/Trolltech.conf | ||
20 | noblacklist ${HOME}/.config/QtProject.conf | ||
21 | noblacklist ${HOME}/.config/kdeglobals | ||
22 | noblacklist ${HOME}/.config/kio_httprc | ||
23 | noblacklist ${HOME}/.config/kioslaverc | ||
24 | noblacklist ${HOME}/.config/ksslcablacklist | ||
25 | noblacklist ${HOME}/.config/qt5ct | ||
26 | noblacklist ${HOME}/.config/qtcurve | ||
27 | |||
28 | blacklist ${HOME}/.config/* | ||
29 | whitelist ${HOME}/.config | ||
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc index 0a1030b34..48309ffe3 100644 --- a/etc/inc/whitelist-runuser-common.inc +++ b/etc/inc/whitelist-runuser-common.inc | |||
@@ -13,3 +13,4 @@ whitelist ${RUNUSER}/pulse/native | |||
13 | whitelist ${RUNUSER}/wayland-0 | 13 | whitelist ${RUNUSER}/wayland-0 |
14 | whitelist ${RUNUSER}/wayland-1 | 14 | whitelist ${RUNUSER}/wayland-1 |
15 | whitelist ${RUNUSER}/xauth_* | 15 | whitelist ${RUNUSER}/xauth_* |
16 | whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] | ||
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc index 1c077b232..d8ba84ad0 100644 --- a/etc/inc/whitelist-var-common.inc +++ b/etc/inc/whitelist-var-common.inc | |||
@@ -4,6 +4,7 @@ include whitelist-var-common.local | |||
4 | 4 | ||
5 | # common /var whitelist for all profiles | 5 | # common /var whitelist for all profiles |
6 | 6 | ||
7 | whitelist /var/lib/aspell | ||
7 | whitelist /var/lib/ca-certificates | 8 | whitelist /var/lib/ca-certificates |
8 | whitelist /var/lib/dbus | 9 | whitelist /var/lib/dbus |
9 | whitelist /var/lib/menu-xdg | 10 | whitelist /var/lib/menu-xdg |
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile index c4e820078..454a15ab2 100644 --- a/etc/profile-a-l/0ad.profile +++ b/etc/profile-a-l/0ad.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile index 12268706a..1d787cba7 100644 --- a/etc/profile-a-l/2048-qt.profile +++ b/etc/profile-a-l/2048-qt.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile index e9cc07bd7..1d86b0fbf 100644 --- a/etc/profile-a-l/Cryptocat.profile +++ b/etc/profile-a-l/Cryptocat.profile | |||
@@ -17,6 +17,7 @@ caps.drop all | |||
17 | netfilter | 17 | netfilter |
18 | nodvd | 18 | nodvd |
19 | nogroups | 19 | nogroups |
20 | noinput | ||
20 | nonewprivs | 21 | nonewprivs |
21 | noroot | 22 | noroot |
22 | nosound | 23 | nosound |
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile index d318da885..7dc6b5ff0 100644 --- a/etc/profile-a-l/Fritzing.profile +++ b/etc/profile-a-l/Fritzing.profile | |||
@@ -24,6 +24,7 @@ ipc-namespace | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile index 45ec71e63..d10b70796 100644 --- a/etc/profile-a-l/JDownloader.profile +++ b/etc/profile-a-l/JDownloader.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index 1fdc9e9fe..75da9a956 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 6d5dab41a..34f59769e 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -32,11 +32,11 @@ caps.drop all | |||
32 | hostname agetpkg | 32 | hostname agetpkg |
33 | ipc-namespace | 33 | ipc-namespace |
34 | machine-id | 34 | machine-id |
35 | noautopulse | ||
36 | netfilter | 35 | netfilter |
37 | no3d | 36 | no3d |
38 | nodvd | 37 | nodvd |
39 | nogroups | 38 | nogroups |
39 | noinput | ||
40 | nonewprivs | 40 | nonewprivs |
41 | noroot | 41 | noroot |
42 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index 4ab1967a6..37fdb38b5 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile | |||
@@ -40,6 +40,7 @@ netfilter | |||
40 | no3d | 40 | no3d |
41 | nodvd | 41 | nodvd |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | # nonewprivs | 44 | # nonewprivs |
44 | noroot | 45 | noroot |
45 | nosound | 46 | nosound |
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index 6a4d775e7..38fcd2dc1 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 57b5e5d95..4c6d68020 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -37,6 +37,7 @@ net none | |||
37 | nodvd | 37 | nodvd |
38 | no3d | 38 | no3d |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile new file mode 100644 index 000000000..b31996cd2 --- /dev/null +++ b/etc/profile-a-l/alienarena-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for alienarena-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include alienarena-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin alienarena-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include alienarena.profile | ||
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile new file mode 100644 index 000000000..81ee6bd46 --- /dev/null +++ b/etc/profile-a-l/alienarena.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for alienarena | ||
2 | # Description: Multiplayer retro sci-fi deathmatch game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include alienarena.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/cor-games | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.local/share/cor-games | ||
21 | whitelist ${HOME}/.local/share/cor-games | ||
22 | whitelist /usr/share/alienarena | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | netfilter | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix,inet,inet6 | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin alienarena | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11 | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile index 678b97be2..a7caddc4c 100644 --- a/etc/profile-a-l/amarok.profile +++ b/etc/profile-a-l/amarok.profile | |||
@@ -20,6 +20,7 @@ include whitelist-var-common.inc | |||
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | 21 | netfilter |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | notv | 26 | notv |
@@ -34,14 +35,14 @@ private-dev | |||
34 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl | 35 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl |
35 | private-tmp | 36 | private-tmp |
36 | 37 | ||
37 | # If you ain't on kde-plasma you need to uncomment the following | ||
38 | dbus-user filter | 38 | dbus-user filter |
39 | dbus-user.own org.kde.amarok | 39 | dbus-user.own org.kde.amarok |
40 | #dbus-user.own org.kde.kded | ||
41 | #dbus-user.own org.kde.klauncher | ||
42 | dbus-user.own org.mpris.amarok | 40 | dbus-user.own org.mpris.amarok |
43 | dbus-user.own org.mpris.MediaPlayer2.amarok | 41 | dbus-user.own org.mpris.MediaPlayer2.amarok |
44 | dbus-user.talk org.freedesktop.Notifications | 42 | dbus-user.talk org.freedesktop.Notifications |
45 | #dbus-user.talk org.kde.knotify | ||
46 | dbus-user.talk org.kde.StatusNotifierWatcher | 43 | dbus-user.talk org.kde.StatusNotifierWatcher |
44 | # If you're not on kde-plasma add the next lines to your amarok.local. | ||
45 | #dbus-user.own org.kde.kded | ||
46 | #dbus-user.own org.kde.klauncher | ||
47 | #dbus-user.talk org.kde.knotify | ||
47 | dbus-system none | 48 | dbus-system none |
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index feb4a5e7e..e3c4164ee 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index 61e5f2eea..ef60e91c2 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile index c847a04dc..fdaf10259 100644 --- a/etc/profile-a-l/anydesk.profile +++ b/etc/profile-a-l/anydesk.profile | |||
@@ -22,6 +22,7 @@ caps.drop all | |||
22 | netfilter | 22 | netfilter |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | notv | 28 | notv |
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile index 39c5da9ab..4ea43c434 100644 --- a/etc/profile-a-l/apktool.profile +++ b/etc/profile-a-l/apktool.profile | |||
@@ -20,6 +20,7 @@ net none | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index f265c8406..54abdb234 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile | |||
@@ -47,6 +47,7 @@ net none | |||
47 | no3d | 47 | no3d |
48 | nodvd | 48 | nodvd |
49 | nogroups | 49 | nogroups |
50 | noinput | ||
50 | nonewprivs | 51 | nonewprivs |
51 | noroot | 52 | noroot |
52 | nosound | 53 | nosound |
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile index 934b89404..accabb6f5 100644 --- a/etc/profile-a-l/arch-audit.profile +++ b/etc/profile-a-l/arch-audit.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index 0ab6465ca..1fab4606b 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | #noroot | 36 | #noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile index a27cb4f6e..84b1d6c18 100644 --- a/etc/profile-a-l/ardour5.profile +++ b/etc/profile-a-l/ardour5.profile | |||
@@ -25,6 +25,7 @@ ipc-namespace | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index bef708bdc..22b8ecd65 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 4b81b2717..a63dd8f5f 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 51dad94d1..2c8b630ce 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index adb33fae1..fab72b7d3 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile | |||
@@ -41,6 +41,7 @@ ipc-namespace | |||
41 | no3d | 41 | no3d |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | nosound | 47 | nosound |
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile index 1332f4db4..977fe30a4 100644 --- a/etc/profile-a-l/assogiate.profile +++ b/etc/profile-a-l/assogiate.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile index 33dd4103f..c97fd691a 100644 --- a/etc/profile-a-l/asunder.profile +++ b/etc/profile-a-l/asunder.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | no3d | 29 | no3d |
30 | # nogroups | 30 | # nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nou2f | 34 | nou2f |
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index 2b032e977..1c3ed66ff 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile | |||
@@ -29,6 +29,7 @@ machine-id | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index 2e1f6f32a..f9f209786 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
@@ -24,6 +24,7 @@ apparmor | |||
24 | caps.drop all | 24 | caps.drop all |
25 | netfilter | 25 | netfilter |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index a11e59553..a2de8436a 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
@@ -27,6 +27,7 @@ net none | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index b2ed3b030..2c7fdc812 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile | |||
@@ -20,6 +20,7 @@ include disable-xdg.inc | |||
20 | whitelist ${MUSIC} | 20 | whitelist ${MUSIC} |
21 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
22 | whitelist /usr/share/audio-recorder | 22 | whitelist /usr/share/audio-recorder |
23 | whitelist /usr/share/gstreamer-1.0 | ||
23 | include whitelist-common.inc | 24 | include whitelist-common.inc |
24 | include whitelist-usr-share-common.inc | 25 | include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
@@ -44,7 +45,11 @@ tracelog | |||
44 | disable-mnt | 45 | disable-mnt |
45 | # private-bin audio-recorder | 46 | # private-bin audio-recorder |
46 | private-cache | 47 | private-cache |
47 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
51 | dbus-user filter | ||
52 | dbus-user.talk ca.desrt.dconf | ||
53 | dbus-system none | ||
54 | |||
50 | # memory-deny-write-execute - breaks on Arch | 55 | # memory-deny-write-execute - breaks on Arch |
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index fb12018f5..2ebe35dd5 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile index 131b20c70..42d9cd56a 100644 --- a/etc/profile-a-l/authenticator.profile +++ b/etc/profile-a-l/authenticator.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile index b1a77c0a4..891928e5a 100644 --- a/etc/profile-a-l/autokey-common.profile +++ b/etc/profile-a-l/autokey-common.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | netfilter | 27 | netfilter |
28 | no3d | 28 | no3d |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nou2f | 33 | nou2f |
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile index b5d662d60..1ecc03da1 100644 --- a/etc/profile-a-l/avidemux.profile +++ b/etc/profile-a-l/avidemux.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | net none | 33 | net none |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile index 44c3110a0..a57ad4014 100644 --- a/etc/profile-a-l/aweather.profile +++ b/etc/profile-a-l/aweather.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile new file mode 100644 index 000000000..419dcaab5 --- /dev/null +++ b/etc/profile-a-l/ballbuster-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for ballbuster-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ballbuster-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin ballbuster-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include ballbuster.profile | ||
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile new file mode 100644 index 000000000..3952921a3 --- /dev/null +++ b/etc/profile-a-l/ballbuster.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for ballbuster | ||
2 | # Description: Move the paddle to bounce the ball and break all the bricks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ballbuster.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.ballbuster.hs | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkfile ${HOME}/.ballbuster.hs | ||
21 | whitelist ${HOME}/.ballbuster.hs | ||
22 | whitelist /usr/share/ballbuster | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin ballbuster | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 785e37a16..fe86d9b80 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 573776a71..8c69652c5 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -49,6 +49,7 @@ netfilter | |||
49 | no3d | 49 | no3d |
50 | nodvd | 50 | nodvd |
51 | nogroups | 51 | nogroups |
52 | noinput | ||
52 | nonewprivs | 53 | nonewprivs |
53 | noroot | 54 | noroot |
54 | nosound | 55 | nosound |
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile index 4401c9dfd..ac03c663a 100644 --- a/etc/profile-a-l/baobab.profile +++ b/etc/profile-a-l/baobab.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile index f5da3782e..7b50e9199 100644 --- a/etc/profile-a-l/barrier.profile +++ b/etc/profile-a-l/barrier.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 5c93f8be9..3ecaea7fe 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 235b84be3..c7a82afbd 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
@@ -38,6 +38,7 @@ machine-id | |||
38 | netfilter | 38 | netfilter |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index b074cc0b0..721a6c082 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
@@ -22,6 +22,7 @@ whitelist ${HOME}/.local/share/bijiben | |||
22 | whitelist ${HOME}/.cache/tracker | 22 | whitelist ${HOME}/.cache/tracker |
23 | whitelist /usr/share/bijiben | 23 | whitelist /usr/share/bijiben |
24 | whitelist /usr/share/tracker | 24 | whitelist /usr/share/tracker |
25 | whitelist /usr/share/tracker3 | ||
25 | include whitelist-common.inc | 26 | include whitelist-common.inc |
26 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
27 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
@@ -33,6 +34,7 @@ machine-id | |||
33 | net none | 34 | net none |
34 | nodvd | 35 | nodvd |
35 | nogroups | 36 | nogroups |
37 | noinput | ||
36 | nonewprivs | 38 | nonewprivs |
37 | noroot | 39 | noroot |
38 | nosound | 40 | nosound |
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile index 3a3f2b62c..932db9b73 100644 --- a/etc/profile-a-l/bitcoin-qt.profile +++ b/etc/profile-a-l/bitcoin-qt.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile index 62eeb88f3..dd7651979 100644 --- a/etc/profile-a-l/bitlbee.profile +++ b/etc/profile-a-l/bitlbee.profile | |||
@@ -23,6 +23,7 @@ include disable-xdg.inc | |||
23 | netfilter | 23 | netfilter |
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | nosound | 28 | nosound |
28 | notv | 29 | notv |
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 41f8e51fd..bef25276d 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile index 8f230a413..09fa24577 100644 --- a/etc/profile-a-l/bleachbit.profile +++ b/etc/profile-a-l/bleachbit.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile index 0f80f0a63..701ae431e 100644 --- a/etc/profile-a-l/blender.profile +++ b/etc/profile-a-l/blender.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 216e86109..80dc750f7 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index d43a9d241..904710cb5 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile index 88ac9c0ed..f28435987 100644 --- a/etc/profile-a-l/bluefish.profile +++ b/etc/profile-a-l/bluefish.profile | |||
@@ -21,6 +21,7 @@ net none | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile index 70f62813e..0cbac049a 100644 --- a/etc/profile-a-l/brackets.profile +++ b/etc/profile-a-l/brackets.profile | |||
@@ -20,6 +20,7 @@ caps.drop all | |||
20 | netfilter | 20 | netfilter |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile index f06bead1e..bda96bbb3 100644 --- a/etc/profile-a-l/bzflag.profile +++ b/etc/profile-a-l/bzflag.profile | |||
@@ -27,6 +27,7 @@ ipc-namespace | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile index d17cfa85f..83571397b 100644 --- a/etc/profile-a-l/calibre.profile +++ b/etc/profile-a-l/calibre.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile index a14433369..fcff47662 100644 --- a/etc/profile-a-l/calligra.profile +++ b/etc/profile-a-l/calligra.profile | |||
@@ -20,6 +20,7 @@ ipc-namespace | |||
20 | netfilter | 20 | netfilter |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | notv | 26 | notv |
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile index 294bb31b3..96f88a7c4 100644 --- a/etc/profile-a-l/cantata.profile +++ b/etc/profile-a-l/cantata.profile | |||
@@ -27,6 +27,7 @@ include disable-xdg.inc | |||
27 | caps.drop all | 27 | caps.drop all |
28 | ipc-namespace | 28 | ipc-namespace |
29 | netfilter | 29 | netfilter |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nou2f | 33 | nou2f |
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index 3d29c3817..6e137010c 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile | |||
@@ -24,6 +24,7 @@ netfilter | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 6a76dc129..f02161b9b 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -41,6 +41,7 @@ apparmor | |||
41 | caps.drop all | 41 | caps.drop all |
42 | netfilter | 42 | netfilter |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | nou2f | 47 | nou2f |
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile index d7f8674e8..24939fc70 100644 --- a/etc/profile-a-l/checkbashisms.profile +++ b/etc/profile-a-l/checkbashisms.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile index 70dea5bd9..7621b3c8c 100644 --- a/etc/profile-a-l/cherrytree.profile +++ b/etc/profile-a-l/cherrytree.profile | |||
@@ -26,6 +26,7 @@ net none | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index e9bef8df7..f7493aa82 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -12,6 +12,10 @@ include chromium-common.local | |||
12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
14 | 14 | ||
15 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser | ||
16 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector | ||
17 | #include allow-python3.inc | ||
18 | |||
15 | include disable-common.inc | 19 | include disable-common.inc |
16 | include disable-devel.inc | 20 | include disable-devel.inc |
17 | include disable-exec.inc | 21 | include disable-exec.inc |
@@ -41,6 +45,7 @@ caps.keep sys_admin,sys_chroot | |||
41 | netfilter | 45 | netfilter |
42 | nodvd | 46 | nodvd |
43 | nogroups | 47 | nogroups |
48 | noinput | ||
44 | notv | 49 | notv |
45 | ?BROWSER_DISABLE_U2F: nou2f | 50 | ?BROWSER_DISABLE_U2F: nou2f |
46 | shell none | 51 | shell none |
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile index 14f1bbe64..9ac33aa1c 100644 --- a/etc/profile-a-l/chromium.profile +++ b/etc/profile-a-l/chromium.profile | |||
@@ -16,6 +16,7 @@ whitelist ${HOME}/.cache/chromium | |||
16 | whitelist ${HOME}/.config/chromium | 16 | whitelist ${HOME}/.config/chromium |
17 | whitelist ${HOME}/.config/chromium-flags.conf | 17 | whitelist ${HOME}/.config/chromium-flags.conf |
18 | whitelist /usr/share/chromium | 18 | whitelist /usr/share/chromium |
19 | whitelist /usr/share/mozilla/extensions | ||
19 | 20 | ||
20 | # private-bin chromium,chromium-browser,chromedriver | 21 | # private-bin chromium,chromium-browser,chromedriver |
21 | 22 | ||
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile index 8c3fb42d1..e1f9523c4 100644 --- a/etc/profile-a-l/cin.profile +++ b/etc/profile-a-l/cin.profile | |||
@@ -19,13 +19,14 @@ ipc-namespace | |||
19 | net none | 19 | net none |
20 | nodvd | 20 | nodvd |
21 | #nogroups | 21 | #nogroups |
22 | noinput | ||
22 | nonewprivs | 23 | nonewprivs |
23 | notv | 24 | notv |
24 | nou2f | 25 | nou2f |
25 | noroot | 26 | noroot |
26 | protocol unix | 27 | protocol unix |
27 | 28 | ||
28 | # if an 1-1.2% gap per thread hurts you, comment seccomp | 29 | # If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local. |
29 | seccomp | 30 | seccomp |
30 | shell none | 31 | shell none |
31 | 32 | ||
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile index 2726ab5af..e403c2c41 100644 --- a/etc/profile-a-l/clamav.profile +++ b/etc/profile-a-l/clamav.profile | |||
@@ -17,6 +17,7 @@ net none | |||
17 | no3d | 17 | no3d |
18 | nodvd | 18 | nodvd |
19 | nogroups | 19 | nogroups |
20 | noinput | ||
20 | nonewprivs | 21 | nonewprivs |
21 | noroot | 22 | noroot |
22 | nosound | 23 | nosound |
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 4425a2bd0..2a06178a5 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
@@ -13,6 +13,7 @@ net none | |||
13 | no3d | 13 | no3d |
14 | nodvd | 14 | nodvd |
15 | nogroups | 15 | nogroups |
16 | noinput | ||
16 | nonewprivs | 17 | nonewprivs |
17 | noroot | 18 | noroot |
18 | nosound | 19 | nosound |
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index f71b35c26..9b62a1f73 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile index 387b5f0a7..fa33795c1 100644 --- a/etc/profile-a-l/clementine.profile +++ b/etc/profile-a-l/clementine.profile | |||
@@ -24,6 +24,7 @@ include whitelist-runuser-common.inc | |||
24 | 24 | ||
25 | apparmor | 25 | apparmor |
26 | caps.drop all | 26 | caps.drop all |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile index 09246ccbc..22cecff09 100644 --- a/etc/profile-a-l/clion.profile +++ b/etc/profile-a-l/clion.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index 130d23522..c8258da07 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index 66b5fc859..d421903a3 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile index 6f8a25211..e19b78908 100644 --- a/etc/profile-a-l/code.profile +++ b/etc/profile-a-l/code.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile new file mode 100644 index 000000000..4b762047d --- /dev/null +++ b/etc/profile-a-l/colorful-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for colorful-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include colorful-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin colorful-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include colorful.profile | ||
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile new file mode 100644 index 000000000..bd6d8f5b0 --- /dev/null +++ b/etc/profile-a-l/colorful.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for colorful | ||
2 | # Description: simple 2D sideview shooter | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include colorful.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.suve/colorful | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.suve/colorful | ||
21 | whitelist ${HOME}/.suve/colorful | ||
22 | whitelist /usr/share/suve | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin colorful | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 4de7eb497..c8bdfec23 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index 77b6c7bd8..b467a0f7a 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile | |||
@@ -37,6 +37,7 @@ net none | |||
37 | no3d | 37 | no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index c1800fe4c..c13f9618b 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile | |||
@@ -40,6 +40,7 @@ machine-id | |||
40 | net none | 40 | net none |
41 | nodvd | 41 | nodvd |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
45 | nosound | 46 | nosound |
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile index 8be06a4b3..d0402d188 100644 --- a/etc/profile-a-l/com.github.phase1geo.minder.profile +++ b/etc/profile-a-l/com.github.phase1geo.minder.profile | |||
@@ -36,6 +36,7 @@ net none | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile index e5cd7085a..eaa18739d 100644 --- a/etc/profile-a-l/conky.profile +++ b/etc/profile-a-l/conky.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile index e9a2c9441..2fb446e2a 100644 --- a/etc/profile-a-l/corebird.profile +++ b/etc/profile-a-l/corebird.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index 2c6b15e02..1635995dc 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 75813c494..7ece35c2b 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile index 3da2413d9..b10216895 100644 --- a/etc/profile-a-l/crawl.profile +++ b/etc/profile-a-l/crawl.profile | |||
@@ -27,6 +27,7 @@ net none | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index db4be7679..02b15ecc2 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 9366edfa1..c9867c5d7 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 7e622799a..ba1e7adad 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile | |||
@@ -36,6 +36,7 @@ ipc-namespace | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 2a71ad11c..61fa52928 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile | |||
@@ -22,6 +22,7 @@ caps.drop all | |||
22 | netfilter | 22 | netfilter |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 0000de441..67a61bb60 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index b41a73916..0c221850a 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index ea19b2209..be7514cbf 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile index 8e67d9daa..a221ebbd7 100644 --- a/etc/profile-a-l/deadbeef.profile +++ b/etc/profile-a-l/deadbeef.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | no3d | 22 | no3d |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | notv | 27 | notv |
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 2ecf1a45d..5bdf5df7f 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -32,12 +32,13 @@ netfilter | |||
32 | # no3d | 32 | # no3d |
33 | # nodvd | 33 | # nodvd |
34 | # nogroups | 34 | # nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | # nosound | 38 | # nosound |
38 | # notv | 39 | notv |
39 | # nou2f | 40 | # nou2f |
40 | # novideo | 41 | novideo |
41 | protocol unix,inet,inet6 | 42 | protocol unix,inet,inet6 |
42 | seccomp | 43 | seccomp |
43 | # shell none | 44 | # shell none |
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile index 17c5059f5..ad7aa6ed5 100644 --- a/etc/profile-a-l/deluge.profile +++ b/etc/profile-a-l/deluge.profile | |||
@@ -30,6 +30,7 @@ caps.drop all | |||
30 | machine-id | 30 | machine-id |
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile index 9a98c4933..212cdab60 100644 --- a/etc/profile-a-l/desktopeditors.profile +++ b/etc/profile-a-l/desktopeditors.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index a47a71feb..5007f8e74 100644 --- a/etc/profile-a-l/devhelp.profile +++ b/etc/profile-a-l/devhelp.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | # net none - makes settings immutable | 27 | # net none - makes settings immutable |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 7c3ac50ad..6267b5709 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile index 7a59c5d73..8f3703369 100644 --- a/etc/profile-a-l/dex2jar.profile +++ b/etc/profile-a-l/dex2jar.profile | |||
@@ -24,6 +24,7 @@ net none | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile index 31031edeb..531734b7d 100644 --- a/etc/profile-a-l/dia.profile +++ b/etc/profile-a-l/dia.profile | |||
@@ -36,6 +36,7 @@ net none | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index b99b31df8..247159a8a 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index ae4a63c62..2ca7bd400 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikam | |||
10 | noblacklist ${HOME}/.config/digikamrc | 10 | noblacklist ${HOME}/.config/digikamrc |
11 | noblacklist ${HOME}/.kde/share/apps/digikam | 11 | noblacklist ${HOME}/.kde/share/apps/digikam |
12 | noblacklist ${HOME}/.kde4/share/apps/digikam | 12 | noblacklist ${HOME}/.kde4/share/apps/digikam |
13 | noblacklist ${HOME}/.local/share/kxmlgui5/digikam | ||
13 | noblacklist ${PICTURES} | 14 | noblacklist ${PICTURES} |
14 | 15 | ||
15 | include disable-common.inc | 16 | include disable-common.inc |
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 7103d0285..9871a6095 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile | |||
@@ -25,6 +25,7 @@ include whitelist-var-common.inc | |||
25 | caps.drop all | 25 | caps.drop all |
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile index d06ca042e..c3174b35f 100644 --- a/etc/profile-a-l/dino.profile +++ b/etc/profile-a-l/dino.profile | |||
@@ -20,21 +20,24 @@ mkdir ${HOME}/.local/share/dino | |||
20 | whitelist ${HOME}/.local/share/dino | 20 | whitelist ${HOME}/.local/share/dino |
21 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
23 | 26 | ||
24 | caps.drop all | 27 | caps.drop all |
25 | netfilter | 28 | netfilter |
26 | no3d | ||
27 | nodvd | 29 | nodvd |
28 | nogroups | 30 | nogroups |
31 | noinput | ||
29 | nonewprivs | 32 | nonewprivs |
30 | noroot | 33 | noroot |
31 | nosound | ||
32 | notv | 34 | notv |
33 | nou2f | 35 | nou2f |
34 | novideo | ||
35 | protocol unix,inet,inet6 | 36 | protocol unix,inet,inet6 |
36 | seccomp | 37 | seccomp |
38 | seccomp.block-secondary | ||
37 | shell none | 39 | shell none |
40 | tracelog | ||
38 | 41 | ||
39 | disable-mnt | 42 | disable-mnt |
40 | private-bin dino | 43 | private-bin dino |
@@ -42,3 +45,4 @@ private-dev | |||
42 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection | 45 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection |
43 | private-tmp | 46 | private-tmp |
44 | 47 | ||
48 | dbus-system none | ||
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index b583f1a1d..19e7bd9ab 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -18,6 +18,7 @@ ignore dbus-user none | |||
18 | ignore dbus-system none | 18 | ignore dbus-system none |
19 | 19 | ||
20 | ignore noexec ${HOME} | 20 | ignore noexec ${HOME} |
21 | ignore novideo | ||
21 | 22 | ||
22 | whitelist ${HOME}/.config/BetterDiscord | 23 | whitelist ${HOME}/.config/BetterDiscord |
23 | whitelist ${HOME}/.local/share/betterdiscordctl | 24 | whitelist ${HOME}/.local/share/betterdiscordctl |
@@ -25,5 +26,7 @@ whitelist ${HOME}/.local/share/betterdiscordctl | |||
25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 26 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl | 27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl |
27 | 28 | ||
29 | join-or-start discord | ||
30 | |||
28 | # Redirect | 31 | # Redirect |
29 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 9de634da9..11f3fd36e 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile index e48e9d1ac..f8fb1a331 100644 --- a/etc/profile-a-l/dnscrypt-proxy.profile +++ b/etc/profile-a-l/dnscrypt-proxy.profile | |||
@@ -32,6 +32,7 @@ machine-id | |||
32 | netfilter | 32 | netfilter |
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | nosound | 37 | nosound |
37 | notv | 38 | notv |
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 6db71bd49..01398c2b2 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile | |||
@@ -23,6 +23,7 @@ include disable-xdg.inc | |||
23 | caps.keep net_admin,net_bind_service,net_raw,setgid,setuid | 23 | caps.keep net_admin,net_bind_service,net_raw,setgid,setuid |
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | nosound | 28 | nosound |
28 | notv | 29 | notv |
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile index bc197b223..37a4113cb 100644 --- a/etc/profile-a-l/dooble.profile +++ b/etc/profile-a-l/dooble.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile index b9ef5d49d..988f66f28 100644 --- a/etc/profile-a-l/dosbox.profile +++ b/etc/profile-a-l/dosbox.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index d355cd121..8fa01d504 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile | |||
@@ -26,6 +26,7 @@ include whitelist-var-common.inc | |||
26 | caps.drop all | 26 | caps.drop all |
27 | netfilter | 27 | netfilter |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 4d723c8aa..82d96e405 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | net none | 31 | net none |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile index 07f47be5d..068bd88d8 100644 --- a/etc/profile-a-l/drill.profile +++ b/etc/profile-a-l/drill.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile index 641d26d0d..b3b2aaf40 100644 --- a/etc/profile-a-l/dropbox.profile +++ b/etc/profile-a-l/dropbox.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index bb711b1bf..38e4b16f7 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 5957d4316..278dd6cbd 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | notv | 38 | notv |
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 8785a192c..493af79d4 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -26,6 +26,7 @@ caps.keep sys_admin,sys_chroot | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | notv | 30 | notv |
30 | nou2f | 31 | nou2f |
31 | novideo | 32 | novideo |
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index 73c19f380..ad636d71a 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile index 2a306d704..8120725d2 100644 --- a/etc/profile-a-l/elinks.profile +++ b/etc/profile-a-l/elinks.profile | |||
@@ -25,6 +25,7 @@ netfilter | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 6b55c2126..6c9a8a6ea 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -50,6 +50,7 @@ netfilter | |||
50 | no3d | 50 | no3d |
51 | nodvd | 51 | nodvd |
52 | nogroups | 52 | nogroups |
53 | noinput | ||
53 | nonewprivs | 54 | nonewprivs |
54 | noroot | 55 | noroot |
55 | nosound | 56 | nosound |
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index 2b5de799f..ac17b1726 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 7ec611293..f926610e2 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile | |||
@@ -21,6 +21,7 @@ net none | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile index 68113e294..c4123b4c2 100644 --- a/etc/profile-a-l/enpass.profile +++ b/etc/profile-a-l/enpass.profile | |||
@@ -32,16 +32,17 @@ whitelist ${DOCUMENTS} | |||
32 | include whitelist-common.inc | 32 | include whitelist-common.inc |
33 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
34 | 34 | ||
35 | # machine-id and nosound break audio notification functionality | 35 | # machine-id and nosound break audio notification functionality. |
36 | # comment both if you need that functionality or put 'ignore machine-id' | 36 | # Add the next lines to your enpass.local if you need that functionality. |
37 | # and 'ignore nosound' in your enpass.local | 37 | #ignore machine-id |
38 | 38 | #ignore nosound | |
39 | caps.drop all | 39 | caps.drop all |
40 | machine-id | 40 | machine-id |
41 | netfilter | 41 | netfilter |
42 | no3d | 42 | no3d |
43 | nodvd | 43 | nodvd |
44 | nogroups | 44 | nogroups |
45 | noinput | ||
45 | nonewprivs | 46 | nonewprivs |
46 | noroot | 47 | noroot |
47 | nosound | 48 | nosound |
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index e059f3b74..8e8047b00 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile index aabef65fc..5892374bd 100644 --- a/etc/profile-a-l/eog.profile +++ b/etc/profile-a-l/eog.profile | |||
@@ -10,11 +10,13 @@ noblacklist ${HOME}/.config/eog | |||
10 | 10 | ||
11 | whitelist /usr/share/eog | 11 | whitelist /usr/share/eog |
12 | 12 | ||
13 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' | 13 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. |
14 | # comment those if you need that functionality | 14 | # Add the next lines to your eog.local if you need that functionality. |
15 | # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local | 15 | #ignore private-bin |
16 | private-bin eog | 16 | #ignore private-etc |
17 | #ignore private-lib | ||
17 | 18 | ||
19 | private-bin eog | ||
18 | 20 | ||
19 | # broken on Debian 10 (buster) running LXDE got the folowing error: | 21 | # broken on Debian 10 (buster) running LXDE got the folowing error: |
20 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown | 22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown |
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile index 5bfeb8c8f..7143a8e03 100644 --- a/etc/profile-a-l/eom.profile +++ b/etc/profile-a-l/eom.profile | |||
@@ -10,9 +10,12 @@ noblacklist ${HOME}/.config/mate/eom | |||
10 | 10 | ||
11 | whitelist /usr/share/eom | 11 | whitelist /usr/share/eom |
12 | 12 | ||
13 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' | 13 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. |
14 | # comment those if you need that functionality | 14 | # Add the next lines to your eom.local if you need that functionality. |
15 | # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local | 15 | #ignore private-bin |
16 | #ignore private-etc | ||
17 | #ignore private-lib | ||
18 | |||
16 | private-bin eom | 19 | private-bin eom |
17 | 20 | ||
18 | # Redirect | 21 | # Redirect |
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile index 029f613c6..131d68951 100644 --- a/etc/profile-a-l/ephemeral.profile +++ b/etc/profile-a-l/ephemeral.profile | |||
@@ -41,6 +41,7 @@ caps.drop all | |||
41 | netfilter | 41 | netfilter |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. | 46 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. |
46 | noroot | 47 | noroot |
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index 58b053041..964d3b7ca 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile | |||
@@ -39,6 +39,7 @@ net none | |||
39 | no3d | 39 | no3d |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | nosound | 45 | nosound |
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile new file mode 100644 index 000000000..98f949918 --- /dev/null +++ b/etc/profile-a-l/etr-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for etr-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include etr-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin etr-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include etr.profile | ||
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile index 1c34335d2..b970b0dfd 100644 --- a/etc/profile-a-l/etr.profile +++ b/etc/profile-a-l/etr.profile | |||
@@ -30,6 +30,7 @@ caps.drop all | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
@@ -37,6 +38,7 @@ nou2f | |||
37 | novideo | 38 | novideo |
38 | protocol unix,netlink | 39 | protocol unix,netlink |
39 | seccomp | 40 | seccomp |
41 | seccomp.block-secondary | ||
40 | shell none | 42 | shell none |
41 | tracelog | 43 | tracelog |
42 | 44 | ||
@@ -44,7 +46,7 @@ disable-mnt | |||
44 | private-bin etr | 46 | private-bin etr |
45 | private-cache | 47 | private-cache |
46 | private-dev | 48 | private-dev |
47 | # private-etc alternatives,drirc,machine-id,openal | 49 | # private-etc alternatives,drirc,machine-id,openal,passwd |
48 | private-tmp | 50 | private-tmp |
49 | 51 | ||
50 | dbus-user none | 52 | dbus-user none |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index eeccb81be..adcb29063 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | no3d | 37 | no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..7222493ac 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | #no3d | 31 | #no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index b6741d701..7b09a2c64 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 640b0e485..b2061db79 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile index e9fcc2231..8e81000fd 100644 --- a/etc/profile-a-l/fbreader.profile +++ b/etc/profile-a-l/fbreader.profile | |||
@@ -24,6 +24,7 @@ apparmor | |||
24 | caps.drop all | 24 | caps.drop all |
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile index 2abd80b06..664ec2da6 100644 --- a/etc/profile-a-l/feedreader.profile +++ b/etc/profile-a-l/feedreader.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | # no3d | 33 | # no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | # nosound | 39 | # nosound |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 68ce0da61..2f2d8a4c7 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -23,6 +23,7 @@ net none | |||
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile index 9b4c5f114..a2372ec8a 100644 --- a/etc/profile-a-l/ferdi.profile +++ b/etc/profile-a-l/ferdi.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile index d64fe830f..7358ed5c7 100644 --- a/etc/profile-a-l/fetchmail.profile +++ b/etc/profile-a-l/fetchmail.profile | |||
@@ -20,6 +20,7 @@ netfilter | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index c6e9ba095..13ef1beb9 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile | |||
@@ -32,6 +32,7 @@ machine-id | |||
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile index face34c40..23ec4a432 100644 --- a/etc/profile-a-l/file-manager-common.profile +++ b/etc/profile-a-l/file-manager-common.profile | |||
@@ -36,6 +36,7 @@ caps.drop all | |||
36 | netfilter | 36 | netfilter |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | notv | 42 | notv |
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 2a1eb2001..0b8a8cd6c 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -20,12 +20,13 @@ include whitelist-var-common.inc | |||
20 | 20 | ||
21 | apparmor | 21 | apparmor |
22 | caps.drop all | 22 | caps.drop all |
23 | #ipc-namespace - causing issues launching on archlinux | ||
24 | machine-id | 23 | machine-id |
25 | # net none - breaks on older Ubuntu versions | 24 | # net none - breaks on older Ubuntu versions |
25 | netfilter | ||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
@@ -38,7 +39,7 @@ seccomp.block-secondary | |||
38 | shell none | 39 | shell none |
39 | tracelog | 40 | tracelog |
40 | 41 | ||
41 | private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo | 42 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd |
42 | private-cache | 43 | private-cache |
43 | private-dev | 44 | private-dev |
44 | private-etc dconf,fonts,gtk-3.0,xdg | 45 | private-etc dconf,fonts,gtk-3.0,xdg |
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile index c02f9e3de..5c7583605 100644 --- a/etc/profile-a-l/file.profile +++ b/etc/profile-a-l/file.profile | |||
@@ -23,6 +23,7 @@ net none | |||
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | nosound | 28 | nosound |
28 | notv | 29 | notv |
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile index 728929638..dc5def54f 100644 --- a/etc/profile-a-l/filezilla.profile +++ b/etc/profile-a-l/filezilla.profile | |||
@@ -27,6 +27,7 @@ include whitelist-var-common.inc | |||
27 | caps.drop all | 27 | caps.drop all |
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile new file mode 100644 index 000000000..77487161e --- /dev/null +++ b/etc/profile-a-l/firedragon.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # Firejail profile for FireDragon | ||
2 | # Description: Librewolf fork with enhanced KDE integration | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include firedragon.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/firedragon | ||
10 | noblacklist ${HOME}/.firedragon | ||
11 | |||
12 | mkdir ${HOME}/.cache/firedragon | ||
13 | mkdir ${HOME}/.firedragon | ||
14 | whitelist ${HOME}/.cache/firedragon | ||
15 | whitelist ${HOME}/.firedragon | ||
16 | |||
17 | # Add the next lines to your firedragon.local if you want to use the migration wizard. | ||
18 | #noblacklist ${HOME}/.mozilla | ||
19 | #whitelist ${HOME}/.mozilla | ||
20 | |||
21 | # FireDragon requires a shell to launch on Arch. We can possibly remove sh though. | ||
22 | # Add the next line to your firedragon.local to enable private-bin. | ||
23 | #private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which | ||
24 | |||
25 | # Redirect | ||
26 | include firefox-common.profile | ||
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index 4da087f7f..d282f9a60 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -73,8 +73,9 @@ whitelist /usr/share/vulkan | |||
73 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python | 73 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python |
74 | noblacklist ${HOME}/.local/share/gnome-shell | 74 | noblacklist ${HOME}/.local/share/gnome-shell |
75 | whitelist ${HOME}/.local/share/gnome-shell | 75 | whitelist ${HOME}/.local/share/gnome-shell |
76 | ignore dbus-user none | 76 | dbus-user.talk ca.desrt.dconf |
77 | ignore dbus-system none | 77 | dbus-user.talk org.gnome.ChromeGnomeShell |
78 | dbus-user.talk org.gnome.Shell | ||
78 | # Allow python (blacklisted by disable-interpreters.inc) | 79 | # Allow python (blacklisted by disable-interpreters.inc) |
79 | include allow-python3.inc | 80 | include allow-python3.inc |
80 | 81 | ||
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index b0ead7590..8b74ed979 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -37,6 +37,7 @@ caps.drop all | |||
37 | netfilter | 37 | netfilter |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. | 42 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. |
42 | noroot | 43 | noroot |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index cefba93d4..b22a78458 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -6,6 +6,14 @@ include firefox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # NOTE: sandboxing web browsers is as important as it is complex. Users might be | ||
10 | # interested in creating custom profiles depending on use case (e.g. one for | ||
11 | # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more | ||
12 | # info. Here are a few links to get you going. | ||
13 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance | ||
14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox | ||
15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 | ||
16 | |||
9 | noblacklist ${HOME}/.cache/mozilla | 17 | noblacklist ${HOME}/.cache/mozilla |
10 | noblacklist ${HOME}/.mozilla | 18 | noblacklist ${HOME}/.mozilla |
11 | 19 | ||
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index d1c18e690..55af96c84 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | no3d | 37 | no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile index 40472ab93..a4421e3ce 100644 --- a/etc/profile-a-l/flowblade.profile +++ b/etc/profile-a-l/flowblade.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile index acad6ad13..cd0129436 100644 --- a/etc/profile-a-l/font-manager.profile +++ b/etc/profile-a-l/font-manager.profile | |||
@@ -38,6 +38,7 @@ machine-id | |||
38 | no3d | 38 | no3d |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile index 6d305e2af..bd1495877 100644 --- a/etc/profile-a-l/fontforge.profile +++ b/etc/profile-a-l/fontforge.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index dede61b71..1b1d031b4 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile index 344804ca9..9b780a572 100644 --- a/etc/profile-a-l/franz.profile +++ b/etc/profile-a-l/franz.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile index 0a1d4a750..8043d0530 100644 --- a/etc/profile-a-l/freecad.profile +++ b/etc/profile-a-l/freecad.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile index 0fe933478..23c19682c 100644 --- a/etc/profile-a-l/freeciv.profile +++ b/etc/profile-a-l/freeciv.profile | |||
@@ -27,6 +27,7 @@ ipc-namespace | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile index 3cbd2ff53..93fa7da03 100644 --- a/etc/profile-a-l/freecol.profile +++ b/etc/profile-a-l/freecol.profile | |||
@@ -39,6 +39,7 @@ ipc-namespace | |||
39 | netfilter | 39 | netfilter |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | notv | 45 | notv |
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile index 0ffb5c54d..699177039 100644 --- a/etc/profile-a-l/freemind.profile +++ b/etc/profile-a-l/freemind.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 2bab79e2e..6382b80af 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
@@ -14,6 +14,7 @@ netfilter | |||
14 | no3d | 14 | no3d |
15 | nodvd | 15 | nodvd |
16 | nogroups | 16 | nogroups |
17 | noinput | ||
17 | nonewprivs | 18 | nonewprivs |
18 | nosound | 19 | nosound |
19 | notv | 20 | notv |
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 23d259337..fa56d2b2d 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index c11567804..76352e41e 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | net none | 31 | net none |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index e2da1747e..ed3f0357d 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -46,6 +46,7 @@ caps.drop all | |||
46 | netfilter | 46 | netfilter |
47 | nodvd | 47 | nodvd |
48 | nogroups | 48 | nogroups |
49 | noinput | ||
49 | nonewprivs | 50 | nonewprivs |
50 | noroot | 51 | noroot |
51 | notv | 52 | notv |
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 89f20b923..550b3808b 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index 5e1b024fe..f2da60c87 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile index 46a862a21..388f4c0df 100644 --- a/etc/profile-a-l/gcloud.profile +++ b/etc/profile-a-l/gcloud.profile | |||
@@ -24,6 +24,7 @@ netfilter | |||
24 | nodvd | 24 | nodvd |
25 | # required for sudo-free docker | 25 | # required for sudo-free docker |
26 | #nogroups | 26 | #nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index 96848575d..fec1a555a 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile | |||
@@ -38,6 +38,7 @@ net none | |||
38 | no3d | 38 | no3d |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile index 31599e32a..6fdb9b37a 100644 --- a/etc/profile-a-l/geany.profile +++ b/etc/profile-a-l/geany.profile | |||
@@ -20,6 +20,7 @@ netfilter | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index b11863c6a..74e135a7c 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -53,6 +53,7 @@ netfilter | |||
53 | no3d | 53 | no3d |
54 | nodvd | 54 | nodvd |
55 | nogroups | 55 | nogroups |
56 | noinput | ||
56 | nonewprivs | 57 | nonewprivs |
57 | noroot | 58 | noroot |
58 | nosound | 59 | nosound |
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index d61bea6c4..108b7041d 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile | |||
@@ -29,6 +29,7 @@ machine-id | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 77287769a..e0aadff24 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 8810ca161..dd33b3fb5 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile | |||
@@ -19,6 +19,7 @@ include disable-programs.inc | |||
19 | caps.drop all | 19 | caps.drop all |
20 | nodvd | 20 | nodvd |
21 | nogroups | 21 | nogroups |
22 | noinput | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | nosound | 25 | nosound |
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index caeb3ce51..7ec8ba810 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile | |||
@@ -44,6 +44,7 @@ netfilter | |||
44 | no3d | 44 | no3d |
45 | nodvd | 45 | nodvd |
46 | nogroups | 46 | nogroups |
47 | noinput | ||
47 | nonewprivs | 48 | nonewprivs |
48 | noroot | 49 | noroot |
49 | nosound | 50 | nosound |
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index 828d638ed..d9c5a0d9a 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index 820d5e694..276ab76df 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile | |||
@@ -36,6 +36,7 @@ machine-id | |||
36 | netfilter | 36 | netfilter |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index e26fadca2..dfc1304d1 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -45,6 +45,7 @@ caps.drop all | |||
45 | net none | 45 | net none |
46 | nodvd | 46 | nodvd |
47 | nogroups | 47 | nogroups |
48 | noinput | ||
48 | nonewprivs | 49 | nonewprivs |
49 | noroot | 50 | noroot |
50 | nosound | 51 | nosound |
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 681fc2829..661c3a375 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
@@ -38,6 +38,7 @@ netfilter | |||
38 | no3d | 38 | no3d |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 7894e4d8d..5e4249376 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -54,6 +54,7 @@ netfilter | |||
54 | no3d | 54 | no3d |
55 | nodvd | 55 | nodvd |
56 | nogroups | 56 | nogroups |
57 | noinput | ||
57 | nonewprivs | 58 | nonewprivs |
58 | noroot | 59 | noroot |
59 | nosound | 60 | nosound |
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile index aefb2917d..bfa0081c6 100644 --- a/etc/profile-a-l/git.profile +++ b/etc/profile-a-l/git.profile | |||
@@ -45,6 +45,7 @@ netfilter | |||
45 | no3d | 45 | no3d |
46 | nodvd | 46 | nodvd |
47 | nogroups | 47 | nogroups |
48 | noinput | ||
48 | nonewprivs | 49 | nonewprivs |
49 | noroot | 50 | noroot |
50 | nosound | 51 | nosound |
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 7b6820a81..05d7dffa9 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
@@ -39,6 +39,7 @@ netfilter | |||
39 | no3d | 39 | no3d |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | nosound | 45 | nosound |
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 017b1765a..460e2b990 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile | |||
@@ -26,6 +26,7 @@ machine-id | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile index 9c8848b8a..ed68b3c2d 100644 --- a/etc/profile-a-l/gjs.profile +++ b/etc/profile-a-l/gjs.profile | |||
@@ -30,6 +30,7 @@ caps.drop all | |||
30 | netfilter | 30 | netfilter |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile new file mode 100644 index 000000000..d783940f3 --- /dev/null +++ b/etc/profile-a-l/gl-117-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for gl-117-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include gl-117-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin gl-117-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include gl-117.profile | ||
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile new file mode 100644 index 000000000..c8cefc67e --- /dev/null +++ b/etc/profile-a-l/gl-117.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for gl-117 | ||
2 | # Description: Action flight simulator | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gl-117.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.gl-117 | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.gl-117 | ||
21 | whitelist ${HOME}/.gl-117 | ||
22 | whitelist /usr/share/gl-117 | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin gl-117 | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile new file mode 100644 index 000000000..7dc2cf65e --- /dev/null +++ b/etc/profile-a-l/glaxium-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for glaxium-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include glaxium-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin glaxium-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include glaxium.profile | ||
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile new file mode 100644 index 000000000..ee7af0546 --- /dev/null +++ b/etc/profile-a-l/glaxium.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for glaxium | ||
2 | # Description: 3d spaceship shoot-em-up | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include glaxium.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.glaxiumrc | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkfile ${HOME}/.glaxiumrc | ||
21 | whitelist ${HOME}/.glaxiumrc | ||
22 | whitelist /usr/share/glaxium | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin glaxium | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile index bb78a608e..14b3ef811 100644 --- a/etc/profile-a-l/globaltime.profile +++ b/etc/profile-a-l/globaltime.profile | |||
@@ -20,6 +20,7 @@ netfilter | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile index 998109ca7..34a7f557c 100644 --- a/etc/profile-a-l/gnome-books.profile +++ b/etc/profile-a-l/gnome-books.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile index 8f637902c..37ca5aeff 100644 --- a/etc/profile-a-l/gnome-builder.profile +++ b/etc/profile-a-l/gnome-builder.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index 7780dfa65..4c465cc49 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 9927fb869..eaf25b177 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 048fad65c..741fe9bf7 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 84a3cabd6..bd39f625c 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile | |||
@@ -35,6 +35,7 @@ net none | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index fc899178f..1e7c70b84 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile index 03b89e394..dcc6163b6 100644 --- a/etc/profile-a-l/gnome-contacts.profile +++ b/etc/profile-a-l/gnome-contacts.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | #no3d - breaks on Arch | 25 | #no3d - breaks on Arch |
26 | nodvd | 26 | nodvd |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile index 705fe624e..29ad67af8 100644 --- a/etc/profile-a-l/gnome-documents.profile +++ b/etc/profile-a-l/gnome-documents.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile index b2327133c..aa0844b8b 100644 --- a/etc/profile-a-l/gnome-font-viewer.profile +++ b/etc/profile-a-l/gnome-font-viewer.profile | |||
@@ -22,6 +22,7 @@ caps.drop all | |||
22 | net none | 22 | net none |
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index bb5ef0eab..2db956faf 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index a0b9ef04e..25b4c47de 100644 --- a/etc/profile-a-l/gnome-keyring.profile +++ b/etc/profile-a-l/gnome-keyring.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | no3d | 37 | no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 87376da40..1a7eafeca 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index d29c7609e..9d2ea7b7b 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | net none | 26 | net none |
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | nosound | 31 | nosound |
31 | notv | 32 | notv |
@@ -50,6 +51,5 @@ dbus-user.own org.gnome.Logs | |||
50 | dbus-user.talk ca.desrt.dconf | 51 | dbus-user.talk ca.desrt.dconf |
51 | dbus-system none | 52 | dbus-system none |
52 | 53 | ||
53 | # comment this if you export logs to a file in your ${HOME} | 54 | # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. |
54 | # or put 'ignore read-only ${HOME}' in your gnome-logs.local. | ||
55 | read-only ${HOME} | 55 | read-only ${HOME} |
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index 23629df95..cf2ac2f75 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile | |||
@@ -46,6 +46,7 @@ machine-id | |||
46 | netfilter | 46 | netfilter |
47 | nodvd | 47 | nodvd |
48 | nogroups | 48 | nogroups |
49 | noinput | ||
49 | nonewprivs | 50 | nonewprivs |
50 | noroot | 51 | noroot |
51 | nosound | 52 | nosound |
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile index 12bee6448..43fe71f5e 100644 --- a/etc/profile-a-l/gnome-mplayer.profile +++ b/etc/profile-a-l/gnome-mplayer.profile | |||
@@ -20,6 +20,7 @@ include disable-xdg.inc | |||
20 | 20 | ||
21 | caps.drop all | 21 | caps.drop all |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nou2f | 26 | nou2f |
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index 36b46897c..2fcbe9910 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | netfilter | 29 | netfilter |
30 | no3d | 30 | no3d |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile index 33eb9c81a..814751db3 100644 --- a/etc/profile-a-l/gnome-nettool.profile +++ b/etc/profile-a-l/gnome-nettool.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | # ping needs to elevate privileges, noroot and nonewprivs will kill it | 31 | # ping needs to elevate privileges, noroot and nonewprivs will kill it |
31 | #nonewprivs | 32 | #nonewprivs |
32 | #noroot | 33 | #noroot |
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index 073de47b9..763d67b92 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
@@ -35,6 +35,7 @@ net none | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile index 65cc23b5f..58bf3f349 100644 --- a/etc/profile-a-l/gnome-photos.profile +++ b/etc/profile-a-l/gnome-photos.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index c1d2dae35..41903b136 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile | |||
@@ -21,6 +21,7 @@ ipc-namespace | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index a46e47759..c2ba7556d 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index c4969590f..48c98ebe0 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile | |||
@@ -34,6 +34,7 @@ machine-id | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | nosound | 40 | nosound |
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile index 55913a2d7..69c90b33d 100644 --- a/etc/profile-a-l/gnome-schedule.profile +++ b/etc/profile-a-l/gnome-schedule.profile | |||
@@ -51,6 +51,7 @@ machine-id | |||
51 | no3d | 51 | no3d |
52 | nodvd | 52 | nodvd |
53 | nogroups | 53 | nogroups |
54 | noinput | ||
54 | nosound | 55 | nosound |
55 | notv | 56 | notv |
56 | nou2f | 57 | nou2f |
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index 2534eed5a..b683b6f6c 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index 2e063ebfe..34f5fdeff 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index 9c0a26a02..8a818695d 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
@@ -27,9 +27,9 @@ ipc-namespace | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), | 29 | # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), |
30 | # comment both 'nogroups' and 'noroot' | 30 | # put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. |
31 | # or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. | ||
32 | nogroups | 31 | nogroups |
32 | noinput | ||
33 | nonewprivs | 33 | nonewprivs |
34 | noroot | 34 | noroot |
35 | nosound | 35 | nosound |
@@ -53,6 +53,5 @@ writable-var-log | |||
53 | # dbus-system none | 53 | # dbus-system none |
54 | 54 | ||
55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
56 | # Comment the line below if you export logs to a file in your ${HOME} | 56 | # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. |
57 | # or put 'ignore read-only ${HOME}' in your gnome-system-log.local | ||
58 | read-only ${HOME} | 57 | read-only ${HOME} |
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 5bef96ae7..3b147cd48 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
@@ -30,6 +30,7 @@ machine-id | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile index 5e8153035..b8ec195d3 100644 --- a/etc/profile-a-l/gnome-twitch.profile +++ b/etc/profile-a-l/gnome-twitch.profile | |||
@@ -25,6 +25,7 @@ include whitelist-common.inc | |||
25 | caps.drop all | 25 | caps.drop all |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile index beed92a7d..2e08fa41d 100644 --- a/etc/profile-a-l/gnome-weather.profile +++ b/etc/profile-a-l/gnome-weather.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index 56ed7a436..5627842f5 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
@@ -26,6 +26,7 @@ machine-id | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index 1b5129fc5..c3014a288 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile | |||
@@ -35,6 +35,7 @@ net none | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index 8eaba161c..22851ce9f 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index f37f345ba..09ca17caa 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile index c932ad528..8399d77c4 100644 --- a/etc/profile-a-l/goobox.profile +++ b/etc/profile-a-l/goobox.profile | |||
@@ -19,6 +19,7 @@ caps.drop all | |||
19 | netfilter | 19 | netfilter |
20 | no3d | 20 | no3d |
21 | nogroups | 21 | nogroups |
22 | noinput | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | notv | 25 | notv |
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile index 12b1cbafd..65ac04771 100644 --- a/etc/profile-a-l/google-earth.profile +++ b/etc/profile-a-l/google-earth.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile index daa385234..a7aabe105 100644 --- a/etc/profile-a-l/google-play-music-desktop-player.profile +++ b/etc/profile-a-l/google-play-music-desktop-player.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile index ce7c8496d..37b4f0b1c 100644 --- a/etc/profile-a-l/gpa.profile +++ b/etc/profile-a-l/gpa.profile | |||
@@ -18,6 +18,7 @@ caps.drop all | |||
18 | netfilter | 18 | netfilter |
19 | nodvd | 19 | nodvd |
20 | nogroups | 20 | nogroups |
21 | noinput | ||
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | nosound | 24 | nosound |
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile index adc8957e6..7f0b614b1 100644 --- a/etc/profile-a-l/gpg-agent.profile +++ b/etc/profile-a-l/gpg-agent.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile index 787f35f9e..4a4d6527c 100644 --- a/etc/profile-a-l/gpg.profile +++ b/etc/profile-a-l/gpg.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index a536e5985..fa53c26c8 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index 3152db096..253d644f1 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index a16e65efb..2b4c536d2 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile index 427fe2d7a..c7e0c2977 100644 --- a/etc/profile-a-l/gramps.profile +++ b/etc/profile-a-l/gramps.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 0cb3aa864..890ba2560 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile index de0fc96ae..5927e8c4d 100644 --- a/etc/profile-a-l/gthumb.profile +++ b/etc/profile-a-l/gthumb.profile | |||
@@ -20,6 +20,7 @@ include disable-shell.inc | |||
20 | caps.drop all | 20 | caps.drop all |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index 2051a8af6..c8addae75 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile index 8a7f65918..3d2b71e9d 100644 --- a/etc/profile-a-l/guayadeque.profile +++ b/etc/profile-a-l/guayadeque.profile | |||
@@ -20,6 +20,7 @@ include disable-xdg.inc | |||
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | 21 | netfilter |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | notv | 26 | notv |
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index 3df42d209..6adb79852 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile index 46fc06940..9221ca31c 100644 --- a/etc/profile-a-l/guvcview.profile +++ b/etc/profile-a-l/guvcview.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | net none | 34 | net none |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index efdc56e38..d33e2a673 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index 0539ffcb8..847e1ec1e 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile | |||
@@ -24,6 +24,7 @@ apparmor | |||
24 | caps.drop all | 24 | caps.drop all |
25 | net none | 25 | net none |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nou2f | 30 | nou2f |
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile index 8ec67ff19..aab4b0c21 100644 --- a/etc/profile-a-l/hashcat.profile +++ b/etc/profile-a-l/hashcat.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile index 1633cc3ee..44584f26b 100644 --- a/etc/profile-a-l/hasher-common.profile +++ b/etc/profile-a-l/hasher-common.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile index 8ac07d3da..c0675d8ec 100644 --- a/etc/profile-a-l/hedgewars.profile +++ b/etc/profile-a-l/hedgewars.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index c60510260..f72af0b4a 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile index c2812d7f5..643736ac7 100644 --- a/etc/profile-a-l/highlight.profile +++ b/etc/profile-a-l/highlight.profile | |||
@@ -20,6 +20,7 @@ net none | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile index da32de640..199b1a5e5 100644 --- a/etc/profile-a-l/homebank.profile +++ b/etc/profile-a-l/homebank.profile | |||
@@ -35,6 +35,7 @@ nodvd | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile index e5a5a7efa..00d9f7a76 100644 --- a/etc/profile-a-l/host.profile +++ b/etc/profile-a-l/host.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index e03b68128..267712c87 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | net none | 23 | net none |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index f2cb25edf..e66ffd7e1 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index d95d53b7a..47c984175 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile | |||
@@ -56,6 +56,7 @@ netfilter | |||
56 | no3d | 56 | no3d |
57 | nodvd | 57 | nodvd |
58 | nogroups | 58 | nogroups |
59 | noinput | ||
59 | nonewprivs | 60 | nonewprivs |
60 | nosound | 61 | nosound |
61 | notv | 62 | notv |
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index 42fc7d449..363d3dc2e 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | net none | 21 | net none |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | notv | 27 | notv |
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile index 0a048a38a..680b8e777 100644 --- a/etc/profile-a-l/idea.sh.profile +++ b/etc/profile-a-l/idea.sh.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile index 91a60c188..12ce7976b 100644 --- a/etc/profile-a-l/imagej.profile +++ b/etc/profile-a-l/imagej.profile | |||
@@ -23,6 +23,7 @@ ipc-namespace | |||
23 | net none | 23 | net none |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile index ae03fc8bc..c26958d06 100644 --- a/etc/profile-a-l/img2txt.profile +++ b/etc/profile-a-l/img2txt.profile | |||
@@ -29,6 +29,7 @@ machine-id | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile index af82fb059..c152be01c 100644 --- a/etc/profile-a-l/impressive.profile +++ b/etc/profile-a-l/impressive.profile | |||
@@ -35,6 +35,7 @@ machine-id | |||
35 | net none | 35 | net none |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index f14868668..35dd86b32 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile | |||
@@ -39,6 +39,7 @@ machine-id | |||
39 | net none | 39 | net none |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | nosound | 45 | nosound |
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 4b97b83b7..791065c1a 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile index b3c78c810..e02dcbdb1 100644 --- a/etc/profile-a-l/itch.profile +++ b/etc/profile-a-l/itch.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile index 226bb0008..3e9abf369 100644 --- a/etc/profile-a-l/jami-gnome.profile +++ b/etc/profile-a-l/jami-gnome.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile index 0944051e5..7d29f1068 100644 --- a/etc/profile-a-l/jd-gui.profile +++ b/etc/profile-a-l/jd-gui.profile | |||
@@ -25,6 +25,7 @@ net none | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index b79ae0ee0..85b1f2120 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index daeb54610..9954b8aea 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile index 3e686a454..5ae90dff6 100644 --- a/etc/profile-a-l/k3b.profile +++ b/etc/profile-a-l/k3b.profile | |||
@@ -26,6 +26,7 @@ caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_ra | |||
26 | netfilter | 26 | netfilter |
27 | no3d | 27 | no3d |
28 | # nonewprivs - breaks privileged helpers | 28 | # nonewprivs - breaks privileged helpers |
29 | noinput | ||
29 | # noroot - breaks privileged helpers | 30 | # noroot - breaks privileged helpers |
30 | nosound | 31 | nosound |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index c7f811939..d55fd22cb 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile | |||
@@ -28,6 +28,7 @@ include whitelist-var-common.inc | |||
28 | caps.drop all | 28 | caps.drop all |
29 | netfilter | 29 | netfilter |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nou2f | 34 | nou2f |
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index e1e93163b..503dac4b6 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index 37605dfa9..27b87e7c3 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile | |||
@@ -38,6 +38,7 @@ caps.drop all | |||
38 | netfilter | 38 | netfilter |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 7d9f4c22f..9795cf168 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -35,6 +35,7 @@ caps.drop all | |||
35 | net none | 35 | net none |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index fa82e76f3..e36ee5ed2 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile | |||
@@ -15,6 +15,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | 17 | include disable-shell.inc |
18 | include disable-xdg.inc | ||
18 | 19 | ||
19 | mkdir ${HOME}/.local/share/kxmlgui5/kcalc | 20 | mkdir ${HOME}/.local/share/kxmlgui5/kcalc |
20 | mkfile ${HOME}/.config/kcalcrc | 21 | mkfile ${HOME}/.config/kcalcrc |
@@ -24,7 +25,12 @@ whitelist ${HOME}/.config/kcalcrc | |||
24 | whitelist ${HOME}/.kde/share/config/kcalcrc | 25 | whitelist ${HOME}/.kde/share/config/kcalcrc |
25 | whitelist ${HOME}/.kde4/share/config/kcalcrc | 26 | whitelist ${HOME}/.kde4/share/config/kcalcrc |
26 | whitelist ${HOME}/.local/share/kxmlgui5/kcalc | 27 | whitelist ${HOME}/.local/share/kxmlgui5/kcalc |
28 | whitelist /usr/share/config.kcfg/kcalc.kcfg | ||
29 | whitelist /usr/share/kcalc | ||
30 | whitelist /usr/share/kconf_update/kcalcrc.upd | ||
27 | include whitelist-common.inc | 31 | include whitelist-common.inc |
32 | include whitelist-runuser-common.inc | ||
33 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
29 | 35 | ||
30 | apparmor | 36 | apparmor |
@@ -33,6 +39,7 @@ net none | |||
33 | no3d | 39 | no3d |
34 | nodvd | 40 | nodvd |
35 | nogroups | 41 | nogroups |
42 | noinput | ||
36 | nonewprivs | 43 | nonewprivs |
37 | noroot | 44 | noroot |
38 | nosound | 45 | nosound |
@@ -41,13 +48,19 @@ nou2f | |||
41 | novideo | 48 | novideo |
42 | protocol unix | 49 | protocol unix |
43 | seccomp | 50 | seccomp |
51 | seccomp.block-secondary | ||
44 | shell none | 52 | shell none |
53 | tracelog | ||
45 | 54 | ||
46 | disable-mnt | 55 | disable-mnt |
47 | private-bin kcalc | 56 | private-bin kcalc |
57 | private-cache | ||
48 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,ld.so.cache,locale,locale.conf | ||
49 | # private-lib - problems on Arch | 60 | # private-lib - problems on Arch |
50 | private-tmp | 61 | private-tmp |
51 | 62 | ||
52 | dbus-user none | 63 | dbus-user none |
53 | dbus-system none | 64 | dbus-system none |
65 | |||
66 | #memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile index f7235ea84..925ab3517 100644 --- a/etc/profile-a-l/kdeinit4.profile +++ b/etc/profile-a-l/kdeinit4.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | no3d | 22 | no3d |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | # nosound - disabled for knotify | 26 | # nosound - disabled for knotify |
26 | noroot | 27 | noroot |
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile index 9ca33b68e..d2a08a269 100644 --- a/etc/profile-a-l/kdenlive.profile +++ b/etc/profile-a-l/kdenlive.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | # net none | 25 | # net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index eb1e219ab..7c1cb2294 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -36,6 +36,7 @@ machine-id | |||
36 | net none | 36 | net none |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile index 9852f8a79..ae8971ab4 100644 --- a/etc/profile-a-l/keepass.profile +++ b/etc/profile-a-l/keepass.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index b8239e140..ac364986d 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 11c279911..c352a5d89 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb | |||
10 | noblacklist ${HOME}/*.kdbx | 10 | noblacklist ${HOME}/*.kdbx |
11 | noblacklist ${HOME}/.cache/keepassxc | 11 | noblacklist ${HOME}/.cache/keepassxc |
12 | noblacklist ${HOME}/.config/keepassxc | 12 | noblacklist ${HOME}/.config/keepassxc |
13 | noblacklist ${HOME}/.config/KeePassXCrc | ||
13 | noblacklist ${HOME}/.keepassxc | 14 | noblacklist ${HOME}/.keepassxc |
14 | noblacklist ${DOCUMENTS} | 15 | noblacklist ${DOCUMENTS} |
15 | 16 | ||
@@ -51,6 +52,7 @@ include disable-xdg.inc | |||
51 | #mkdir ${HOME}/.config/keepassxc | 52 | #mkdir ${HOME}/.config/keepassxc |
52 | #whitelist ${HOME}/.cache/keepassxc | 53 | #whitelist ${HOME}/.cache/keepassxc |
53 | #whitelist ${HOME}/.config/keepassxc | 54 | #whitelist ${HOME}/.config/keepassxc |
55 | #whitelist ${HOME}/.config/KeePassXCrc | ||
54 | #include whitelist-common.inc | 56 | #include whitelist-common.inc |
55 | 57 | ||
56 | whitelist /usr/share/keepassxc | 58 | whitelist /usr/share/keepassxc |
@@ -63,6 +65,7 @@ net none | |||
63 | no3d | 65 | no3d |
64 | nodvd | 66 | nodvd |
65 | nogroups | 67 | nogroups |
68 | noinput | ||
66 | nonewprivs | 69 | nonewprivs |
67 | noroot | 70 | noroot |
68 | nosound | 71 | nosound |
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile index ed815676a..6f6fe8d0a 100644 --- a/etc/profile-a-l/kfind.profile +++ b/etc/profile-a-l/kfind.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index 5990d0752..2c684504b 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index aa2e0ad1e..e18292e99 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile index b3ade0dd9..74014ffe6 100644 --- a/etc/profile-a-l/kino.profile +++ b/etc/profile-a-l/kino.profile | |||
@@ -22,6 +22,7 @@ apparmor | |||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | notv | 28 | notv |
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile index d222d6d24..40ee0bbc7 100644 --- a/etc/profile-a-l/kiwix-desktop.profile +++ b/etc/profile-a-l/kiwix-desktop.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | # no3d | 31 | # no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | # nosound | 37 | # nosound |
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile index 10b689ce5..c6a9023f1 100644 --- a/etc/profile-a-l/klatexformula.profile +++ b/etc/profile-a-l/klatexformula.profile | |||
@@ -26,6 +26,7 @@ machine-id | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index c03d75098..f5cd3a48c 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index ab4ff10b9..95ae98e53 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -45,6 +45,7 @@ caps.drop all | |||
45 | netfilter | 45 | netfilter |
46 | nodvd | 46 | nodvd |
47 | nogroups | 47 | nogroups |
48 | noinput | ||
48 | nonewprivs | 49 | nonewprivs |
49 | noroot | 50 | noroot |
50 | nosound | 51 | nosound |
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile index 7eabde61d..e88b53499 100644 --- a/etc/profile-a-l/kmplayer.profile +++ b/etc/profile-a-l/kmplayer.profile | |||
@@ -27,6 +27,7 @@ apparmor | |||
27 | caps.drop all | 27 | caps.drop all |
28 | netfilter | 28 | netfilter |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nou2f | 33 | nou2f |
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile index 63cae6231..b72632bf4 100644 --- a/etc/profile-a-l/kodi.profile +++ b/etc/profile-a-l/kodi.profile | |||
@@ -32,6 +32,7 @@ apparmor | |||
32 | caps.drop all | 32 | caps.drop all |
33 | netfilter | 33 | netfilter |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | # Seems to cause issues with Nvidia drivers sometimes (#3501) | 37 | # Seems to cause issues with Nvidia drivers sometimes (#3501) |
37 | noroot | 38 | noroot |
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index 4dd929c6b..5b5ed6e24 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile index a5269373d..88f47d1bf 100644 --- a/etc/profile-a-l/kopete.profile +++ b/etc/profile-a-l/kopete.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile index be9921478..8604e63d0 100644 --- a/etc/profile-a-l/krita.profile +++ b/etc/profile-a-l/krita.profile | |||
@@ -33,6 +33,7 @@ ipc-namespace | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index b55e00f22..5a85194e0 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile | |||
@@ -46,6 +46,7 @@ netfilter | |||
46 | no3d | 46 | no3d |
47 | nodvd | 47 | nodvd |
48 | nogroups | 48 | nogroups |
49 | noinput | ||
49 | nonewprivs | 50 | nonewprivs |
50 | noroot | 51 | noroot |
51 | nosound | 52 | nosound |
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 8d8bcdd7d..4cf72b74c 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | net none | 31 | net none |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index e0cfb9f24..4e9a12e5f 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -51,6 +51,7 @@ netfilter | |||
51 | no3d | 51 | no3d |
52 | nodvd | 52 | nodvd |
53 | nogroups | 53 | nogroups |
54 | noinput | ||
54 | nonewprivs | 55 | nonewprivs |
55 | noroot | 56 | noroot |
56 | nosound | 57 | nosound |
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 316a93d30..15e7ceb17 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index 4ff8efa70..804ffafeb 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | # nosound - KWrite is using ALSA! | 39 | # nosound - KWrite is using ALSA! |
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile index b090be726..ac1b8785d 100644 --- a/etc/profile-a-l/latex-common.profile +++ b/etc/profile-a-l/latex-common.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile index eb23b200b..4bbb0a86d 100644 --- a/etc/profile-a-l/leafpad.profile +++ b/etc/profile-a-l/leafpad.profile | |||
@@ -24,6 +24,7 @@ net none | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile index e1f0bc290..8eb5ad0c2 100644 --- a/etc/profile-a-l/less.profile +++ b/etc/profile-a-l/less.profile | |||
@@ -23,6 +23,7 @@ machine-id | |||
23 | net none | 23 | net none |
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | #noroot | 28 | #noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index 031f0e19f..e4440eac0 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
@@ -9,8 +9,8 @@ include globals.local | |||
9 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
10 | noblacklist ${HOME}/.config/libreoffice | 10 | noblacklist ${HOME}/.config/libreoffice |
11 | 11 | ||
12 | # libreoffice uses java for some certain operations | 12 | # libreoffice uses java for some functionality. |
13 | # comment if you don't care about java functionality | 13 | # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality. |
14 | # Allow java (blacklisted by disable-devel.inc) | 14 | # Allow java (blacklisted by disable-devel.inc) |
15 | include allow-java.inc | 15 | include allow-java.inc |
16 | 16 | ||
@@ -22,25 +22,28 @@ include disable-programs.inc | |||
22 | 22 | ||
23 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
24 | 24 | ||
25 | # ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode. | 25 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. |
26 | # comment the next line to use the ubuntu profile instead of firejail's apparmor profile | 26 | # Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile. |
27 | #ignore apparmor | ||
28 | #ignore nonewprivs | ||
29 | #ignore protocol | ||
30 | #ignore seccomp | ||
31 | #ignore tracelog | ||
32 | |||
27 | apparmor | 33 | apparmor |
28 | caps.drop all | 34 | caps.drop all |
29 | netfilter | 35 | netfilter |
30 | nodvd | 36 | nodvd |
31 | nogroups | 37 | nogroups |
32 | # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile | 38 | noinput |
33 | nonewprivs | 39 | nonewprivs |
34 | noroot | 40 | noroot |
35 | notv | 41 | notv |
36 | nou2f | 42 | nou2f |
37 | novideo | 43 | novideo |
38 | # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile | ||
39 | protocol unix,inet,inet6 | 44 | protocol unix,inet,inet6 |
40 | # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile | ||
41 | seccomp | 45 | seccomp |
42 | shell none | 46 | shell none |
43 | # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile | ||
44 | tracelog | 47 | tracelog |
45 | 48 | ||
46 | #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls | 49 | #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls |
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 0934e1271..8e3e58f19 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -18,8 +18,8 @@ whitelist ${HOME}/.librewolf | |||
18 | #noblacklist ${HOME}/.mozilla | 18 | #noblacklist ${HOME}/.mozilla |
19 | #whitelist ${HOME}/.mozilla | 19 | #whitelist ${HOME}/.mozilla |
20 | 20 | ||
21 | # Uncomment or put in your librewolf.local one of the following whitelist to enable KeePassXC Plugin | 21 | # To enable KeePassXC Plugin add one of the following lines to your librewolf.local. |
22 | # NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them | 22 | # NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. |
23 | #whitelist ${RUNUSER}/kpxc_server | 23 | #whitelist ${RUNUSER}/kpxc_server |
24 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 24 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
25 | 25 | ||
@@ -31,25 +31,24 @@ include whitelist-usr-share-common.inc | |||
31 | 31 | ||
32 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). | 32 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). |
33 | #private-bin dbus-launch,dbus-send,librewolf,sh | 33 | #private-bin dbus-launch,dbus-send,librewolf,sh |
34 | # Add the next line to your librewolf.local to enable private-etc. Note | 34 | # Add the next line to your librewolf.local to enable private-etc. |
35 | # that private-etc must first be enabled in firefox-common.local. | 35 | # NOTE: private-etc must first be enabled in firefox-common.local. |
36 | #private-etc librewolf | 36 | #private-etc librewolf |
37 | 37 | ||
38 | dbus-user filter | 38 | dbus-user filter |
39 | # Uncomment or put in your librewolf.local to enable native notifications. | 39 | # Add the next line to your librewolf.local to enable native notifications. |
40 | #dbus-user.talk org.freedesktop.Notifications | 40 | #dbus-user.talk org.freedesktop.Notifications |
41 | # Uncomment or put in your librewolf.local to allow to inhibit screensavers | 41 | # Add the next line to your librewolf.local to allow inhibiting screensavers. |
42 | #dbus-user.talk org.freedesktop.ScreenSaver | 42 | #dbus-user.talk org.freedesktop.ScreenSaver |
43 | # Uncomment or put in your librewolf.local for plasma browser integration | 43 | # Add the next lines to your librewolf.local for plasma browser integration. |
44 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 44 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
45 | #dbus-user.talk org.kde.JobViewServer | 45 | #dbus-user.talk org.kde.JobViewServer |
46 | #dbus-user.talk org.kde.kuiserver | 46 | #dbus-user.talk org.kde.kuiserver |
47 | # Uncomment or put in your librewolf.local to allow screen sharing under wayland. | 47 | # Add the next lines to your librewolf.local to allow screensharing under Wayland. |
48 | #whitelist ${RUNUSER}/pipewire-0 | 48 | #whitelist ${RUNUSER}/pipewire-0 |
49 | #dbus-user.talk org.freedesktop.portal.* | 49 | #dbus-user.talk org.freedesktop.portal.* |
50 | # Also uncomment or put in your librewolf.local if screen sharing sharing still | 50 | # Also add the next line to your librewolf.local if screensharing does not work with |
51 | # does not work with the above lines (might depend on the portal | 51 | # the above lines (depends on the portal implementation). |
52 | # implementation) | ||
53 | #ignore noroot | 52 | #ignore noroot |
54 | ignore dbus-user none | 53 | ignore dbus-user none |
55 | 54 | ||
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index 1b10f0934..7afca1d5f 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | # no3d | 37 | # no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | # nosound | 43 | # nosound |
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile index 91bd12d0d..4254b7f33 100644 --- a/etc/profile-a-l/lincity-ng.profile +++ b/etc/profile-a-l/lincity-ng.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index 272bc4f3a..a1eeda14a 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile | |||
@@ -39,6 +39,7 @@ netfilter | |||
39 | no3d | 39 | no3d |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | # Add 'ignore nosound' to your links.local if you want to restrict access to | 45 | # Add 'ignore nosound' to your links.local if you want to restrict access to |
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile index c509122e2..7ebdbef4c 100644 --- a/etc/profile-a-l/linphone.profile +++ b/etc/profile-a-l/linphone.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile index afe1ad635..48b0e14dc 100644 --- a/etc/profile-a-l/lmms.profile +++ b/etc/profile-a-l/lmms.profile | |||
@@ -24,6 +24,7 @@ net none | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index 1ce83822d..f2676fec5 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
@@ -27,6 +27,7 @@ caps.drop all | |||
27 | netfilter | 27 | netfilter |
28 | no3d | 28 | no3d |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile index cd8f0e529..174c65a65 100644 --- a/etc/profile-a-l/lugaru.profile +++ b/etc/profile-a-l/lugaru.profile | |||
@@ -32,6 +32,7 @@ ipc-namespace | |||
32 | net none | 32 | net none |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | notv | 38 | notv |
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile index 2b0feaa17..31067034e 100644 --- a/etc/profile-a-l/luminance-hdr.profile +++ b/etc/profile-a-l/luminance-hdr.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile index a33ddab78..b2a56012e 100644 --- a/etc/profile-a-l/lximage-qt.profile +++ b/etc/profile-a-l/lximage-qt.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile index 9094f4377..cc4b95551 100644 --- a/etc/profile-a-l/lxmusic.profile +++ b/etc/profile-a-l/lxmusic.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile index 76a0e7ed0..a919e924b 100644 --- a/etc/profile-a-l/lynx.profile +++ b/etc/profile-a-l/lynx.profile | |||
@@ -24,6 +24,7 @@ netfilter | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile index 77bce4179..62d0a8b3a 100644 --- a/etc/profile-m-z/Maelstrom.profile +++ b/etc/profile-m-z/Maelstrom.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | #nonewprivs | 30 | #nonewprivs |
30 | #noroot | 31 | #noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index 5ab302218..86120587b 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | # no3d | 37 | # no3d |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | notv | 43 | notv |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index e2dcf17e0..660378089 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 7e7c0c3cd..d78e04595 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile index ab5fdf942..5cf5161ce 100644 --- a/etc/profile-m-z/Xephyr.profile +++ b/etc/profile-m-z/Xephyr.profile | |||
@@ -22,6 +22,7 @@ caps.drop all | |||
22 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. | 22 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. | 27 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. |
27 | # noroot | 28 | # noroot |
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index 937d02d60..1acd43023 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. | 25 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. | 30 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. |
30 | #noroot | 31 | #noroot |
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile index 02c5a043d..7686c3442 100644 --- a/etc/profile-m-z/ZeGrapher.profile +++ b/etc/profile-m-z/ZeGrapher.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile index 2e0071b47..d1dcb6fe0 100644 --- a/etc/profile-m-z/macrofusion.profile +++ b/etc/profile-m-z/macrofusion.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index d26aed0bb..8a27b2626 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile | |||
@@ -32,6 +32,7 @@ caps.drop all | |||
32 | net none | 32 | net none |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | notv | 37 | notv |
37 | nou2f | 38 | nou2f |
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index e199d29d1..bd510fcac 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -42,6 +42,7 @@ net none | |||
42 | no3d | 42 | no3d |
43 | nodvd | 43 | nodvd |
44 | nogroups | 44 | nogroups |
45 | noinput | ||
45 | nonewprivs | 46 | nonewprivs |
46 | noroot | 47 | noroot |
47 | nosound | 48 | nosound |
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile index eba77c8f2..f59a56ac6 100644 --- a/etc/profile-m-z/manaplus.profile +++ b/etc/profile-m-z/manaplus.profile | |||
@@ -31,6 +31,7 @@ ipc-namespace | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 84039aca3..087c02964 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile | |||
@@ -38,6 +38,7 @@ netfilter | |||
38 | no3d | 38 | no3d |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index e4da0c66a..de1135071 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | machine-id | 23 | machine-id |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index ce418d68f..39ee7439d 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index d30965922..007bab30d 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile | |||
@@ -21,6 +21,7 @@ netfilter | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index 2267bbb50..ae1fcbf62 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile | |||
@@ -25,6 +25,7 @@ netfilter | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index b63de6c3e..38d2d8d63 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile | |||
@@ -19,6 +19,7 @@ include disable-shell.inc | |||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | nodvd | 21 | nodvd |
22 | noinput | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | nosound | 25 | nosound |
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index fb97daa27..5d3f8dc41 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index be7c8cbca..17363624f 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile | |||
@@ -27,6 +27,7 @@ net none | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile index 95cd673c6..0063badd8 100644 --- a/etc/profile-m-z/mediathekview.profile +++ b/etc/profile-m-z/mediathekview.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile index 37ac9e304..972838729 100644 --- a/etc/profile-m-z/megaglest.profile +++ b/etc/profile-m-z/megaglest.profile | |||
@@ -31,6 +31,7 @@ ipc-namespace | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 900523b81..1225cc107 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
@@ -56,6 +56,7 @@ netfilter | |||
56 | no3d | 56 | no3d |
57 | nodvd | 57 | nodvd |
58 | nogroups | 58 | nogroups |
59 | noinput | ||
59 | nonewprivs | 60 | nonewprivs |
60 | noroot | 61 | noroot |
61 | nosound | 62 | nosound |
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile index 6022b110a..c0bdbb230 100644 --- a/etc/profile-m-z/mendeleydesktop.profile +++ b/etc/profile-m-z/mendeleydesktop.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index e29e4bc70..2081b8c96 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -37,6 +37,7 @@ net none | |||
37 | nodvd | 37 | nodvd |
38 | no3d | 38 | no3d |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile index c8b0a0ff1..85ed7bc74 100644 --- a/etc/profile-m-z/meteo-qt.profile +++ b/etc/profile-m-z/meteo-qt.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index 6108c0b69..fbf6b58e8 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile | |||
@@ -26,6 +26,7 @@ net none | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index 8c7d18c58..2536d0b38 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile | |||
@@ -6,7 +6,8 @@ include minecraft-launcher.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. | 9 | # Some distros put the executable in /opt/minecraft-launcher. |
10 | # Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. | ||
10 | 11 | ||
11 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
12 | 13 | ||
@@ -35,6 +36,7 @@ caps.drop all | |||
35 | netfilter | 36 | netfilter |
36 | nodvd | 37 | nodvd |
37 | nogroups | 38 | nogroups |
39 | noinput | ||
38 | nonewprivs | 40 | nonewprivs |
39 | noroot | 41 | noroot |
40 | notv | 42 | notv |
@@ -49,7 +51,8 @@ disable-mnt | |||
49 | private-bin java,java-config,minecraft-launcher | 51 | private-bin java,java-config,minecraft-launcher |
50 | private-cache | 52 | private-cache |
51 | private-dev | 53 | private-dev |
52 | # If multiplayer or realms break add your own java folder from /etc or comment the line below. | 54 | # If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>' |
55 | # or 'ignore private-etc' to your minecraft-launcher.local. | ||
53 | private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg | 56 | private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg |
54 | private-opt minecraft-launcher | 57 | private-opt minecraft-launcher |
55 | private-tmp | 58 | private-tmp |
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 666af323d..cad1adbda 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile | |||
@@ -40,6 +40,7 @@ ipc-namespace | |||
40 | netfilter | 40 | netfilter |
41 | nodvd | 41 | nodvd |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
45 | notv | 46 | notv |
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile index 78ef5e398..3fe3428d0 100644 --- a/etc/profile-m-z/minitube.profile +++ b/etc/profile-m-z/minitube.profile | |||
@@ -40,6 +40,7 @@ caps.drop all | |||
40 | netfilter | 40 | netfilter |
41 | nodvd | 41 | nodvd |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
45 | notv | 46 | notv |
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index e0ebb4895..505009283 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile | |||
@@ -41,6 +41,7 @@ caps.drop all | |||
41 | netfilter | 41 | netfilter |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | notv | 47 | notv |
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index ded84bf7e..58dfd56f5 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index 6fc7a4d67..e71ba4569 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile index 5f15b71e2..98063fa7c 100644 --- a/etc/profile-m-z/mousepad.profile +++ b/etc/profile-m-z/mousepad.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | net none | 23 | net none |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index 3481a4a82..37ce60e04 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
@@ -24,6 +24,7 @@ net none | |||
24 | no3d | 24 | no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index c65754a03..070de8451 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index 4ba1dfbd6..55a0b5897 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile index 3fda87a48..b517d4ab2 100644 --- a/etc/profile-m-z/mpd.profile +++ b/etc/profile-m-z/mpd.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | netfilter | 26 | netfilter |
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile index b1ab81c1e..25187e894 100644 --- a/etc/profile-m-z/mpg123.profile +++ b/etc/profile-m-z/mpg123.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | no3d | 26 | no3d |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index 58384e33c..5d023b7f1 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | # net none - mplayer can be used for streaming. | 28 | # net none - mplayer can be used for streaming. |
29 | netfilter | 29 | netfilter |
30 | # nogroups | 30 | # nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nou2f | 34 | nou2f |
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index bdf50421b..bfe57a132 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile | |||
@@ -53,6 +53,7 @@ netfilter | |||
53 | nodvd | 53 | nodvd |
54 | # Seems to cause issues with Nvidia drivers sometimes | 54 | # Seems to cause issues with Nvidia drivers sometimes |
55 | nogroups | 55 | nogroups |
56 | noinput | ||
56 | nonewprivs | 57 | nonewprivs |
57 | noroot | 58 | noroot |
58 | notv | 59 | notv |
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 1804389c3..310f36ea1 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -63,6 +63,7 @@ caps.drop all | |||
63 | netfilter | 63 | netfilter |
64 | # nogroups seems to cause issues with Nvidia drivers sometimes | 64 | # nogroups seems to cause issues with Nvidia drivers sometimes |
65 | nogroups | 65 | nogroups |
66 | noinput | ||
66 | nonewprivs | 67 | nonewprivs |
67 | noroot | 68 | noroot |
68 | nou2f | 69 | nou2f |
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index f02a4f357..035a7e625 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile | |||
@@ -8,18 +8,26 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/love | 9 | noblacklist ${HOME}/.local/share/love |
10 | 10 | ||
11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
12 | include allow-bin-sh.inc | ||
13 | |||
14 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
15 | include allow-lua.inc | ||
16 | |||
11 | include disable-common.inc | 17 | include disable-common.inc |
12 | include disable-devel.inc | 18 | include disable-devel.inc |
13 | include disable-exec.inc | 19 | include disable-exec.inc |
14 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-shell.inc | ||
17 | include disable-xdg.inc | 24 | include disable-xdg.inc |
18 | 25 | ||
19 | mkdir ${HOME}/.local/share/love | 26 | mkdir ${HOME}/.local/share/love |
20 | whitelist ${HOME}/.local/share/love | 27 | whitelist ${HOME}/.local/share/love |
21 | whitelist /usr/share/mrrescue | 28 | whitelist /usr/share/mrrescue |
22 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | ||
23 | include whitelist-usr-share-common.inc | 31 | include whitelist-usr-share-common.inc |
24 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
25 | 33 | ||
@@ -28,6 +36,7 @@ caps.drop all | |||
28 | net none | 36 | net none |
29 | nodvd | 37 | nodvd |
30 | nogroups | 38 | nogroups |
39 | noinput | ||
31 | nonewprivs | 40 | nonewprivs |
32 | noroot | 41 | noroot |
33 | notv | 42 | notv |
@@ -35,6 +44,7 @@ nou2f | |||
35 | novideo | 44 | novideo |
36 | protocol unix,netlink | 45 | protocol unix,netlink |
37 | seccomp | 46 | seccomp |
47 | seccomp.block-secondary | ||
38 | shell none | 48 | shell none |
39 | tracelog | 49 | tracelog |
40 | 50 | ||
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index a6892d698..38fc84ecc 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile index 9f1f0f53d..85c3ee9f2 100644 --- a/etc/profile-m-z/mtpaint.profile +++ b/etc/profile-m-z/mtpaint.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | nodvd | 28 | nodvd |
29 | no3d | 29 | no3d |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile index 475307418..6df681df1 100644 --- a/etc/profile-m-z/multimc5.profile +++ b/etc/profile-m-z/multimc5.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile index a3e56170a..9e4609c48 100644 --- a/etc/profile-m-z/mupdf.profile +++ b/etc/profile-m-z/mupdf.profile | |||
@@ -24,6 +24,7 @@ machine-id | |||
24 | net none | 24 | net none |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile index dbfd12619..04500ac6a 100644 --- a/etc/profile-m-z/musictube.profile +++ b/etc/profile-m-z/musictube.profile | |||
@@ -36,6 +36,7 @@ caps.drop all | |||
36 | netfilter | 36 | netfilter |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | notv | 42 | notv |
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index a6b85a8e4..74b3e9a5f 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile | |||
@@ -20,9 +20,11 @@ netfilter | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nogroups | 26 | nogroups |
27 | noinput | ||
26 | nosound | 28 | nosound |
27 | notv | 29 | notv |
28 | nou2f | 30 | nou2f |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 2c6e047d8..debf81659 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -119,6 +119,7 @@ netfilter | |||
119 | no3d | 119 | no3d |
120 | nodvd | 120 | nodvd |
121 | nogroups | 121 | nogroups |
122 | noinput | ||
122 | nonewprivs | 123 | nonewprivs |
123 | noroot | 124 | noroot |
124 | nosound | 125 | nosound |
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index c592e8477..d8d487fe7 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 2a4625896..4698c2287 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
@@ -46,8 +47,12 @@ x11 none | |||
46 | private-bin nano,rnano | 47 | private-bin nano,rnano |
47 | private-cache | 48 | private-cache |
48 | private-dev | 49 | private-dev |
49 | # Comment the next line if you want to edit files in /etc directly | 50 | # Add the next lines to your nano.local if you want to edit files in /etc directly. |
51 | #ignore private-etc | ||
52 | #writable-etc | ||
50 | private-etc alternatives,nanorc | 53 | private-etc alternatives,nanorc |
54 | # Add the next line to your nano.local if you want to edit files in /var directly. | ||
55 | #writable-var | ||
51 | 56 | ||
52 | dbus-user none | 57 | dbus-user none |
53 | dbus-system none | 58 | dbus-system none |
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile index 651804bf1..063e30366 100644 --- a/etc/profile-m-z/ncdu.profile +++ b/etc/profile-m-z/ncdu.profile | |||
@@ -16,6 +16,7 @@ net none | |||
16 | no3d | 16 | no3d |
17 | nodvd | 17 | nodvd |
18 | nogroups | 18 | nogroups |
19 | noinput | ||
19 | nonewprivs | 20 | nonewprivs |
20 | noroot | 21 | noroot |
21 | nosound | 22 | nosound |
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile new file mode 100644 index 000000000..9f00448c8 --- /dev/null +++ b/etc/profile-m-z/neochat.profile | |||
@@ -0,0 +1,66 @@ | |||
1 | # Firejail profile for neochat | ||
2 | # Description: Matrix Client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include neochat.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/KDE/neochat | ||
10 | noblacklist ${HOME}/.config/KDE | ||
11 | noblacklist ${HOME}/.config/KDE/neochat | ||
12 | noblacklist ${HOME}/.config/neochatrc | ||
13 | noblacklist ${HOME}/.config/neochat.notifyrc | ||
14 | noblacklist ${HOME}/.local/share/KDE/neochat | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-shell.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | mkdir ${HOME}/.cache/KDE/neochat | ||
26 | mkdir ${HOME}/.local/share/KDE/neochat | ||
27 | whitelist ${HOME}/.cache/KDE/neochat | ||
28 | whitelist ${HOME}/.local/share/KDE/neochat | ||
29 | whitelist ${DOWNLOADS} | ||
30 | include whitelist-1793-workaround.inc | ||
31 | include whitelist-common.inc | ||
32 | include whitelist-runuser-common.inc | ||
33 | include whitelist-usr-share-common.inc | ||
34 | include whitelist-var-common.inc | ||
35 | |||
36 | apparmor | ||
37 | caps.drop all | ||
38 | machine-id | ||
39 | netfilter | ||
40 | nodvd | ||
41 | nogroups | ||
42 | noinput | ||
43 | nonewprivs | ||
44 | noroot | ||
45 | nosound | ||
46 | notv | ||
47 | nou2f | ||
48 | novideo | ||
49 | protocol unix,inet,inet6 | ||
50 | seccomp | ||
51 | seccomp.block-secondary | ||
52 | shell none | ||
53 | tracelog | ||
54 | |||
55 | disable-mnt | ||
56 | private-bin neochat | ||
57 | private-dev | ||
58 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | ||
59 | private-tmp | ||
60 | |||
61 | dbus-user filter | ||
62 | dbus-user.own org.kde.neochat | ||
63 | dbus-user.talk org.freedesktop.Notifications | ||
64 | dbus-user.talk org.kde.StatusNotifierWatcher | ||
65 | dbus-user.talk org.kde.kwalletd5 | ||
66 | dbus-system none | ||
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 26865b90a..fafa129e4 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -122,6 +122,7 @@ netfilter | |||
122 | no3d | 122 | no3d |
123 | nodvd | 123 | nodvd |
124 | nogroups | 124 | nogroups |
125 | noinput | ||
125 | nonewprivs | 126 | nonewprivs |
126 | noroot | 127 | noroot |
127 | nosound | 128 | nosound |
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index fd73cea89..5d45dd7bc 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile index 4daa8054b..c9a537370 100644 --- a/etc/profile-m-z/nethack-vultures.profile +++ b/etc/profile-m-z/nethack-vultures.profile | |||
@@ -26,6 +26,7 @@ ipc-namespace | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | #nonewprivs | 30 | #nonewprivs |
30 | #noroot | 31 | #noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile index c8c927db2..b57abe260 100644 --- a/etc/profile-m-z/nethack.profile +++ b/etc/profile-m-z/nethack.profile | |||
@@ -25,6 +25,7 @@ net none | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | #nonewprivs | 29 | #nonewprivs |
29 | #noroot | 30 | #noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile new file mode 100644 index 000000000..534e41dd1 --- /dev/null +++ b/etc/profile-m-z/neverball-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for neverball-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include neverball-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin neverball-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include neverball.profile | ||
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile index 84c634549..ecfbb14e4 100644 --- a/etc/profile-m-z/neverball.profile +++ b/etc/profile-m-z/neverball.profile | |||
@@ -14,26 +14,39 @@ include disable-exec.inc | |||
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
17 | 19 | ||
18 | mkdir ${HOME}/.neverball | 20 | mkdir ${HOME}/.neverball |
19 | whitelist ${HOME}/.neverball | 21 | whitelist ${HOME}/.neverball |
22 | whitelist /usr/share/neverball | ||
20 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
21 | 27 | ||
22 | caps.drop all | 28 | caps.drop all |
23 | netfilter | 29 | net none |
24 | nodvd | 30 | nodvd |
25 | nogroups | 31 | nogroups |
32 | noinput | ||
26 | nonewprivs | 33 | nonewprivs |
27 | noroot | 34 | noroot |
28 | notv | 35 | notv |
29 | nou2f | 36 | nou2f |
30 | novideo | 37 | novideo |
31 | protocol unix,netlink | 38 | protocol unix |
32 | seccomp | 39 | seccomp |
40 | seccomp.block-secondary | ||
33 | shell none | 41 | shell none |
42 | tracelog | ||
34 | 43 | ||
35 | disable-mnt | 44 | disable-mnt |
36 | private-bin neverball | 45 | private-bin neverball |
46 | private-cache | ||
37 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id | ||
38 | private-tmp | 49 | private-tmp |
39 | 50 | ||
51 | dbus-user none | ||
52 | dbus-system none | ||
diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile new file mode 100644 index 000000000..dacd113cc --- /dev/null +++ b/etc/profile-m-z/neverputt-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for neverputt-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include neverputt-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin neverputt-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include neverputt.profile | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index 23c2de43c..13bc3a615 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -40,6 +40,7 @@ netfilter | |||
40 | no3d | 40 | no3d |
41 | nodvd | 41 | nodvd |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
45 | notv | 46 | notv |
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile index d0ac83baf..18d8c6ed4 100644 --- a/etc/profile-m-z/newsflash.profile +++ b/etc/profile-m-z/newsflash.profile | |||
@@ -36,6 +36,7 @@ machine-id | |||
36 | netfilter | 36 | netfilter |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 53dd3a05a..9fd76fbe7 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -47,6 +47,7 @@ netfilter | |||
47 | no3d | 47 | no3d |
48 | nodvd | 48 | nodvd |
49 | nogroups | 49 | nogroups |
50 | noinput | ||
50 | nonewprivs | 51 | nonewprivs |
51 | noroot | 52 | noroot |
52 | nosound | 53 | nosound |
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 1b5da8d27..f8062891c 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile | |||
@@ -36,6 +36,7 @@ caps.drop all | |||
36 | netfilter | 36 | netfilter |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | notv | 42 | notv |
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile index 3bf32a3db..1c7dbc009 100644 --- a/etc/profile-m-z/nicotine.profile +++ b/etc/profile-m-z/nicotine.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index 1743a771e..8dba84f02 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile new file mode 100644 index 000000000..cd48ed3c7 --- /dev/null +++ b/etc/profile-m-z/node.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for node | ||
2 | # Description: Evented I/O for V8 javascript | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include node.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 202905631..fa69f9214 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -10,6 +10,20 @@ include nodejs-common.local | |||
10 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
11 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
12 | 12 | ||
13 | ignore read-only ${HOME}/.npm-packages | ||
14 | ignore read-only ${HOME}/.npmrc | ||
15 | ignore read-only ${HOME}/.nvm | ||
16 | ignore read-only ${HOME}/.yarnrc | ||
17 | |||
18 | noblacklist ${HOME}/.node-gyp | ||
19 | noblacklist ${HOME}/.npm | ||
20 | noblacklist ${HOME}/.npmrc | ||
21 | noblacklist ${HOME}/.nvm | ||
22 | noblacklist ${HOME}/.yarn | ||
23 | noblacklist ${HOME}/.yarn-config | ||
24 | noblacklist ${HOME}/.yarncache | ||
25 | noblacklist ${HOME}/.yarnrc | ||
26 | |||
13 | ignore noexec ${HOME} | 27 | ignore noexec ${HOME} |
14 | 28 | ||
15 | include allow-bin-sh.inc | 29 | include allow-bin-sh.inc |
@@ -21,6 +35,32 @@ include disable-programs.inc | |||
21 | include disable-shell.inc | 35 | include disable-shell.inc |
22 | include disable-xdg.inc | 36 | include disable-xdg.inc |
23 | 37 | ||
38 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory | ||
39 | # and add the next lines to your nodejs-common.local. | ||
40 | #mkdir ${HOME}/.node-gyp | ||
41 | #mkdir ${HOME}/.npm | ||
42 | #mkdir ${HOME}/.npm-packages | ||
43 | #mkfile ${HOME}/.npmrc | ||
44 | #mkdir ${HOME}/.nvm | ||
45 | #mkdir ${HOME}/.yarn | ||
46 | #mkdir ${HOME}/.yarn-config | ||
47 | #mkdir ${HOME}/.yarncache | ||
48 | #mkfile ${HOME}/.yarnrc | ||
49 | #whitelist ${HOME}/.node-gyp | ||
50 | #whitelist ${HOME}/.npm | ||
51 | #whitelist ${HOME}/.npm-packages | ||
52 | #whitelist ${HOME}/.npmrc | ||
53 | #whitelist ${HOME}/.nvm | ||
54 | #whitelist ${HOME}/.yarn | ||
55 | #whitelist ${HOME}/.yarn-config | ||
56 | #whitelist ${HOME}/.yarncache | ||
57 | #whitelist ${HOME}/.yarnrc | ||
58 | #whitelist ${HOME}/Projects | ||
59 | #include whitelist-common.inc | ||
60 | |||
61 | whitelist /usr/share/doc/node | ||
62 | whitelist /usr/share/nvm | ||
63 | whitelist /usr/share/systemtap/tapset/node.stp | ||
24 | include whitelist-runuser-common.inc | 64 | include whitelist-runuser-common.inc |
25 | include whitelist-usr-share-common.inc | 65 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 66 | include whitelist-var-common.inc |
@@ -32,6 +72,7 @@ netfilter | |||
32 | no3d | 72 | no3d |
33 | nodvd | 73 | nodvd |
34 | nogroups | 74 | nogroups |
75 | noinput | ||
35 | nonewprivs | 76 | nonewprivs |
36 | noroot | 77 | noroot |
37 | nosound | 78 | nosound |
@@ -45,10 +86,11 @@ shell none | |||
45 | 86 | ||
46 | disable-mnt | 87 | disable-mnt |
47 | private-dev | 88 | private-dev |
48 | # May need to add `passwd` to `private-etc` below to enable debugging with some IDEs | 89 | private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg |
49 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg | 90 | #private-tmp |
50 | # May need to be commented out in order to enable debugging with some IDEs | ||
51 | private-tmp | ||
52 | 91 | ||
53 | dbus-user none | 92 | dbus-user none |
54 | dbus-system none | 93 | dbus-system none |
94 | |||
95 | # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. | ||
96 | #env GATSBY_TELEMETRY_DISABLED=1 | ||
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index d081c9cb7..a36dee874 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index ff292f409..650118c98 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile index f51d58782..4d8beea5a 100644 --- a/etc/profile-m-z/npm.profile +++ b/etc/profile-m-z/npm.profile | |||
@@ -7,23 +7,5 @@ include npm.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | ignore read-only ${HOME}/.npm-packages | ||
11 | ignore read-only ${HOME}/.npmrc | ||
12 | |||
13 | noblacklist ${HOME}/.node-gyp | ||
14 | noblacklist ${HOME}/.npm | ||
15 | noblacklist ${HOME}/.npmrc | ||
16 | |||
17 | # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory | ||
18 | # and add the next lines to your npm.local. | ||
19 | #mkdir ${HOME}/.node-gyp | ||
20 | #mkdir ${HOME}/.npm | ||
21 | #mkfile ${HOME}/.npmrc | ||
22 | #whitelist ${HOME}/.node-gyp | ||
23 | #whitelist ${HOME}/.npm | ||
24 | #whitelist ${HOME}/.npmrc | ||
25 | #whitelist ${HOME}/Projects | ||
26 | #include whitelist-common.inc | ||
27 | |||
28 | # Redirect | 10 | # Redirect |
29 | include nodejs-common.profile | 11 | include nodejs-common.profile |
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile index 17798a6fb..c7a131a2c 100644 --- a/etc/profile-m-z/nslookup.profile +++ b/etc/profile-m-z/nslookup.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile new file mode 100644 index 000000000..80da22834 --- /dev/null +++ b/etc/profile-m-z/nvm.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for nvm | ||
2 | # Description: Node Version Manager - Simple bash script to manage multiple active node.js versions | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include nvm.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | ignore noroot | ||
11 | |||
12 | # Redirect | ||
13 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile index c959eb991..fe0c2116b 100644 --- a/etc/profile-m-z/nylas.profile +++ b/etc/profile-m-z/nylas.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index 9e27dafab..d040d42af 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile index 4277bdab3..9345cee4f 100644 --- a/etc/profile-m-z/obs.profile +++ b/etc/profile-m-z/obs.profile | |||
@@ -27,6 +27,7 @@ include whitelist-var-common.inc | |||
27 | caps.drop all | 27 | caps.drop all |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index be3618e31..7be68a201 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | notv | 38 | notv |
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 6201b6fba..6163d2e22 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile | |||
@@ -23,6 +23,7 @@ net none | |||
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index e21ac997a..ab8ccf623 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
@@ -28,10 +28,16 @@ include disable-programs.inc | |||
28 | include disable-shell.inc | 28 | include disable-shell.inc |
29 | include disable-xdg.inc | 29 | include disable-xdg.inc |
30 | 30 | ||
31 | whitelist /usr/share/config.kcfg | 31 | whitelist /usr/share/config.kcfg/gssettings.kcfg |
32 | whitelist /usr/share/config.kcfg/pdfsettings.kcfg | ||
33 | whitelist /usr/share/config.kcfg/okular.kcfg | ||
34 | whitelist /usr/share/config.kcfg/okular_core.kcfg | ||
35 | whitelist /usr/share/ghostscript | ||
36 | whitelist /usr/share/kconf_update/okular.upd | ||
32 | whitelist /usr/share/kxmlgui5/okular | 37 | whitelist /usr/share/kxmlgui5/okular |
33 | whitelist /usr/share/okular | 38 | whitelist /usr/share/okular |
34 | whitelist /usr/share/poppler | 39 | whitelist /usr/share/poppler |
40 | include whitelist-runuser-common.inc | ||
35 | include whitelist-usr-share-common.inc | 41 | include whitelist-usr-share-common.inc |
36 | include whitelist-var-common.inc | 42 | include whitelist-var-common.inc |
37 | 43 | ||
@@ -42,6 +48,7 @@ machine-id | |||
42 | netfilter | 48 | netfilter |
43 | nodvd | 49 | nodvd |
44 | nogroups | 50 | nogroups |
51 | noinput | ||
45 | nonewprivs | 52 | nonewprivs |
46 | noroot | 53 | noroot |
47 | nosound | 54 | nosound |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index 152bd7ac5..5b367b639 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -36,6 +36,7 @@ net none | |||
36 | nodvd | 36 | nodvd |
37 | no3d | 37 | no3d |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | notv | 42 | notv |
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile index 5bfcd0527..960df9034 100644 --- a/etc/profile-m-z/onionshare-gui.profile +++ b/etc/profile-m-z/onionshare-gui.profile | |||
@@ -25,6 +25,7 @@ netfilter | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index e18599d1d..7a840d4a9 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 88d5d0e1e..36ce0316f 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile index cb8a511ad..a3d371e15 100644 --- a/etc/profile-m-z/opencity.profile +++ b/etc/profile-m-z/opencity.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index a6760617c..32b40df42 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile | |||
@@ -29,6 +29,7 @@ ipc-namespace | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile index 89b146619..d1fe67aed 100644 --- a/etc/profile-m-z/openmw.profile +++ b/etc/profile-m-z/openmw.profile | |||
@@ -39,6 +39,7 @@ netfilter | |||
39 | # Add 'ignore nodvd' to your openmw.local when installing from disc. | 39 | # Add 'ignore nodvd' to your openmw.local when installing from disc. |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | notv | 45 | notv |
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile index ac960345a..6118630c4 100644 --- a/etc/profile-m-z/openshot.profile +++ b/etc/profile-m-z/openshot.profile | |||
@@ -30,6 +30,7 @@ caps.drop all | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile index b71883d68..546958bb7 100644 --- a/etc/profile-m-z/openttd.profile +++ b/etc/profile-m-z/openttd.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile index 4e12892d6..4e4d8bea5 100644 --- a/etc/profile-m-z/orage.profile +++ b/etc/profile-m-z/orage.profile | |||
@@ -22,6 +22,7 @@ netfilter | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | # nosound - calendar application, It must be able to play sound to wake you up. | 28 | # nosound - calendar application, It must be able to play sound to wake you up. |
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index 3bfda7946..310b90919 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile | |||
@@ -29,6 +29,8 @@ ipc-namespace | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | # Add 'ignore noinput' to your ostrichriders.local if you need controller support. | ||
33 | noinput | ||
32 | nonewprivs | 34 | nonewprivs |
33 | noroot | 35 | noroot |
34 | notv | 36 | notv |
@@ -42,7 +44,6 @@ tracelog | |||
42 | disable-mnt | 44 | disable-mnt |
43 | private-bin ostrichriders | 45 | private-bin ostrichriders |
44 | private-cache | 46 | private-cache |
45 | # comment the following line if you need controller support | ||
46 | private-dev | 47 | private-dev |
47 | private-tmp | 48 | private-tmp |
48 | 49 | ||
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile index aa26ddd4e..20a4e25ed 100644 --- a/etc/profile-m-z/otter-browser.profile +++ b/etc/profile-m-z/otter-browser.profile | |||
@@ -41,6 +41,7 @@ caps.drop all | |||
41 | netfilter | 41 | netfilter |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | notv | 47 | notv |
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index d2dcef0d0..513b4119e 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile index b034efde9..0de968185 100644 --- a/etc/profile-m-z/patch.profile +++ b/etc/profile-m-z/patch.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index f7d3576da..b46fb3026 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index 4b6da4d6f..d72417914 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile | |||
@@ -22,6 +22,7 @@ ipc-namespace | |||
22 | net none | 22 | net none |
23 | no3d | 23 | no3d |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile index fb3c42526..a19826555 100644 --- a/etc/profile-m-z/pdfmod.profile +++ b/etc/profile-m-z/pdfmod.profile | |||
@@ -27,6 +27,7 @@ net none | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile index 2f4227159..e2808d4d2 100644 --- a/etc/profile-m-z/pdfsam.profile +++ b/etc/profile-m-z/pdfsam.profile | |||
@@ -25,6 +25,7 @@ net none | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index 6bbd30b22..d3902a51c 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index 710a533a9..c33953687 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
@@ -33,6 +33,7 @@ net none | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile index db0d84496..f5ad0321d 100644 --- a/etc/profile-m-z/penguin-command.profile +++ b/etc/profile-m-z/penguin-command.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index 9e6b4a87d..40068ff78 100644 --- a/etc/profile-m-z/photoflare.profile +++ b/etc/profile-m-z/photoflare.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | nodvd | 28 | nodvd |
29 | no3d | 29 | no3d |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile index 15fc7a454..a5ea47088 100644 --- a/etc/profile-m-z/picard.profile +++ b/etc/profile-m-z/picard.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile index e81e78ca7..26872e9a1 100644 --- a/etc/profile-m-z/pidgin.profile +++ b/etc/profile-m-z/pidgin.profile | |||
@@ -32,6 +32,7 @@ caps.drop all | |||
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | notv | 38 | notv |
diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile new file mode 100644 index 000000000..2b5ed6e27 --- /dev/null +++ b/etc/profile-m-z/pinball-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for pinball-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include pinball-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin pinball-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include pinball.profile | ||
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile new file mode 100644 index 000000000..ab433e729 --- /dev/null +++ b/etc/profile-m-z/pinball.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for pinball | ||
2 | # Description: Emilia 3D Pinball Game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include pinball.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/emilia | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/emilia | ||
21 | whitelist ${HOME}/.config/emilia | ||
22 | whitelist /usr/share/pinball | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | net none | ||
31 | nodvd | ||
32 | nogroups | ||
33 | noinput | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | seccomp.block-secondary | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin pinball | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index 03b548ffa..e914007c0 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | # ping needs to rise privileges, noroot and nonewprivs will kill it | 35 | # ping needs to rise privileges, noroot and nonewprivs will kill it |
35 | #nonewprivs | 36 | #nonewprivs |
36 | #noroot | 37 | #noroot |
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index ebfd236aa..3889d87d2 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile | |||
@@ -8,12 +8,16 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.pingus | 9 | noblacklist ${HOME}/.pingus |
10 | 10 | ||
11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
12 | include allow-bin-sh.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
14 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-shell.inc | ||
17 | include disable-xdg.inc | 21 | include disable-xdg.inc |
18 | 22 | ||
19 | mkdir ${HOME}/.pingus | 23 | mkdir ${HOME}/.pingus |
@@ -29,6 +33,7 @@ caps.drop all | |||
29 | net none | 33 | net none |
30 | nodvd | 34 | nodvd |
31 | nogroups | 35 | nogroups |
36 | noinput | ||
32 | nonewprivs | 37 | nonewprivs |
33 | noroot | 38 | noroot |
34 | notv | 39 | notv |
@@ -36,6 +41,7 @@ nou2f | |||
36 | novideo | 41 | novideo |
37 | protocol unix,netlink | 42 | protocol unix,netlink |
38 | seccomp | 43 | seccomp |
44 | seccomp.block-secondary | ||
39 | shell none | 45 | shell none |
40 | tracelog | 46 | tracelog |
41 | 47 | ||
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile index 7d94972c4..19406c399 100644 --- a/etc/profile-m-z/pinta.profile +++ b/etc/profile-m-z/pinta.profile | |||
@@ -23,6 +23,7 @@ ipc-namespace | |||
23 | net none | 23 | net none |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile index 5f329195b..721b3944a 100644 --- a/etc/profile-m-z/pioneer.profile +++ b/etc/profile-m-z/pioneer.profile | |||
@@ -27,6 +27,7 @@ ipc-namespace | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile index 0864dd0bc..18990f0b2 100644 --- a/etc/profile-m-z/pithos.profile +++ b/etc/profile-m-z/pithos.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile index c722e29b4..a2dd809c4 100644 --- a/etc/profile-m-z/pitivi.profile +++ b/etc/profile-m-z/pitivi.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile index a2c35beb5..81d3e9370 100644 --- a/etc/profile-m-z/pix.profile +++ b/etc/profile-m-z/pix.profile | |||
@@ -20,6 +20,7 @@ include disable-shell.inc | |||
20 | caps.drop all | 20 | caps.drop all |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index cc4f016c5..4eb41b3bd 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile index 5303eae8a..10e12e5b1 100644 --- a/etc/profile-m-z/pluma.profile +++ b/etc/profile-m-z/pluma.profile | |||
@@ -29,6 +29,7 @@ machine-id | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
@@ -49,6 +50,4 @@ private-tmp | |||
49 | # dbus-user none | 50 | # dbus-user none |
50 | # dbus-system none | 51 | # dbus-system none |
51 | 52 | ||
52 | memory-deny-write-execute | ||
53 | |||
54 | join-or-start pluma | 53 | join-or-start pluma |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 7f7ae4204..5201fd853 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 3513e91cc..8a181d5a8 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile index 87a53775f..a3d4f9851 100644 --- a/etc/profile-m-z/polari.profile +++ b/etc/profile-m-z/polari.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index 019c1a547..f138d785e 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | netfilter | 23 | netfilter |
24 | no3d | 24 | no3d |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index a02bcd826..743458725 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile index 16fffe517..5ac58b0ac 100644 --- a/etc/profile-m-z/psi-plus.profile +++ b/etc/profile-m-z/psi-plus.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index 376743b8d..7e0ef99fc 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile | |||
@@ -55,6 +55,7 @@ caps.drop all | |||
55 | netfilter | 55 | netfilter |
56 | nodvd | 56 | nodvd |
57 | nogroups | 57 | nogroups |
58 | noinput | ||
58 | nonewprivs | 59 | nonewprivs |
59 | noroot | 60 | noroot |
60 | notv | 61 | notv |
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile index 034c144c7..60ae37930 100644 --- a/etc/profile-m-z/pybitmessage.profile +++ b/etc/profile-m-z/pybitmessage.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile index 9ee426a95..00d7239ae 100644 --- a/etc/profile-m-z/pycharm-community.profile +++ b/etc/profile-m-z/pycharm-community.profile | |||
@@ -22,6 +22,7 @@ caps.drop all | |||
22 | machine-id | 22 | machine-id |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nosound | 26 | nosound |
26 | notv | 27 | notv |
27 | nou2f | 28 | nou2f |
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile index 2fb02aefc..506b738cc 100644 --- a/etc/profile-m-z/qbittorrent.profile +++ b/etc/profile-m-z/qbittorrent.profile | |||
@@ -41,6 +41,7 @@ machine-id | |||
41 | netfilter | 41 | netfilter |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | nosound | 47 | nosound |
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index eee538383..2e97daea2 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile | |||
@@ -37,6 +37,7 @@ netfilter | |||
37 | machine-id | 37 | machine-id |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile index fb9dca48f..6e94d5845 100644 --- a/etc/profile-m-z/qlipper.profile +++ b/etc/profile-m-z/qlipper.profile | |||
@@ -21,6 +21,7 @@ netfilter | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile index e1f679417..c3d982c17 100644 --- a/etc/profile-m-z/qmmp.profile +++ b/etc/profile-m-z/qmmp.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | # no3d | 22 | # no3d |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | notv | 27 | notv |
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index 0d1f9c3de..ca11df5be 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile | |||
@@ -33,6 +33,7 @@ ipc-namespace | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile index 80e34334a..be690ffa4 100644 --- a/etc/profile-m-z/qpdfview.profile +++ b/etc/profile-m-z/qpdfview.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | machine-id | 26 | machine-id |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index 6480651b2..6cbf8519f 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index eb8e3e314..8ffe24d11 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile | |||
@@ -30,6 +30,7 @@ ipc-namespace | |||
30 | netfilter | 30 | netfilter |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile index 3041860b3..1d146aa39 100644 --- a/etc/profile-m-z/quaternion.profile +++ b/etc/profile-m-z/quaternion.profile | |||
@@ -34,6 +34,7 @@ caps.drop all | |||
34 | netfilter | 34 | netfilter |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile index 366cff4ed..9490089b2 100644 --- a/etc/profile-m-z/quiterss.profile +++ b/etc/profile-m-z/quiterss.profile | |||
@@ -37,6 +37,7 @@ caps.drop all | |||
37 | netfilter | 37 | netfilter |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
40 | nonewprivs | 41 | nonewprivs |
41 | noroot | 42 | noroot |
42 | nosound | 43 | nosound |
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile index e3680dcf1..92b02b2bf 100644 --- a/etc/profile-m-z/quodlibet.profile +++ b/etc/profile-m-z/quodlibet.profile | |||
@@ -46,6 +46,7 @@ netfilter | |||
46 | no3d | 46 | no3d |
47 | nodvd | 47 | nodvd |
48 | nogroups | 48 | nogroups |
49 | noinput | ||
49 | nonewprivs | 50 | nonewprivs |
50 | noroot | 51 | noroot |
51 | notv | 52 | notv |
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile index a29205e14..9bc196a16 100644 --- a/etc/profile-m-z/redeclipse.profile +++ b/etc/profile-m-z/redeclipse.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile index 298ab1902..f87c5f67c 100644 --- a/etc/profile-m-z/redshift.profile +++ b/etc/profile-m-z/redshift.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 6fb0d4b5f..f5131c5d0 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
@@ -16,9 +16,8 @@ include disable-shell.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | whitelist /usr/share/com.github.artemanufrij.regextester | 18 | whitelist /usr/share/com.github.artemanufrij.regextester |
19 | include whitelist-usr-share-common.inc | ||
20 | |||
21 | include whitelist-common.inc | 19 | include whitelist-common.inc |
20 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
23 | 22 | ||
24 | apparmor | 23 | apparmor |
@@ -29,6 +28,7 @@ net none | |||
29 | no3d | 28 | no3d |
30 | nodvd | 29 | nodvd |
31 | nogroups | 30 | nogroups |
31 | noinput | ||
32 | nonewprivs | 32 | nonewprivs |
33 | noroot | 33 | noroot |
34 | nosound | 34 | nosound |
@@ -48,11 +48,9 @@ private-etc alternatives,fonts | |||
48 | private-lib libgranite.so.* | 48 | private-lib libgranite.so.* |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # makes settings immutable | 51 | dbus-user filter |
52 | # dbus-user none | 52 | dbus-user.talk ca.desrt.dconf |
53 | # dbus-system none | 53 | dbus-system none |
54 | |||
55 | memory-deny-write-execute | ||
56 | 54 | ||
57 | # never write anything | 55 | # never write anything |
58 | read-only ${HOME} | 56 | read-only ${HOME} |
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index d4c7bdf31..aca22f187 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile | |||
@@ -27,6 +27,7 @@ include whitelist-var-common.inc | |||
27 | caps.drop all | 27 | caps.drop all |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index 9fb7dc713..970e8ffba 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile | |||
@@ -38,6 +38,7 @@ apparmor | |||
38 | caps.drop all | 38 | caps.drop all |
39 | netfilter | 39 | netfilter |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | notv | 44 | notv |
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile index 86e3fbfb5..b664a2be3 100644 --- a/etc/profile-m-z/ricochet.profile +++ b/etc/profile-m-z/ricochet.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile index cf6daada5..be815e714 100644 --- a/etc/profile-m-z/ripperx.profile +++ b/etc/profile-m-z/ripperx.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | netfilter | 25 | netfilter |
26 | no3d | 26 | no3d |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nou2f | 31 | nou2f |
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile index a1cbdf16c..5572cab5a 100644 --- a/etc/profile-m-z/ristretto.profile +++ b/etc/profile-m-z/ristretto.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index 4bce35d16..690b44bb1 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -34,6 +34,7 @@ netfilter | |||
34 | no3d | 34 | no3d |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | nosound | 40 | nosound |
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile index 308c1c802..6ef51b7f1 100644 --- a/etc/profile-m-z/rtorrent.profile +++ b/etc/profile-m-z/rtorrent.profile | |||
@@ -18,6 +18,7 @@ caps.drop all | |||
18 | machine-id | 18 | machine-id |
19 | netfilter | 19 | netfilter |
20 | nodvd | 20 | nodvd |
21 | noinput | ||
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
23 | nosound | 24 | nosound |
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index 970545ff6..f0b8d31e9 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile | |||
@@ -41,6 +41,7 @@ netfilter | |||
41 | no3d | 41 | no3d |
42 | nodvd | 42 | nodvd |
43 | nogroups | 43 | nogroups |
44 | noinput | ||
44 | nonewprivs | 45 | nonewprivs |
45 | noroot | 46 | noroot |
46 | nosound | 47 | nosound |
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile index 6557c0c42..de79913cc 100644 --- a/etc/profile-m-z/sayonara.profile +++ b/etc/profile-m-z/sayonara.profile | |||
@@ -20,6 +20,7 @@ caps.drop all | |||
20 | netfilter | 20 | netfilter |
21 | no3d | 21 | no3d |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | notv | 26 | notv |
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile index 0f67d4d09..eb8468c3b 100644 --- a/etc/profile-m-z/scallion.profile +++ b/etc/profile-m-z/scallion.profile | |||
@@ -25,6 +25,7 @@ ipc-namespace | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile index 507d0827e..e76caec1d 100644 --- a/etc/profile-m-z/scorched3d-wrapper.profile +++ b/etc/profile-m-z/scorched3d-wrapper.profile | |||
@@ -1,10 +1,11 @@ | |||
1 | # Firejail profile for scorched3d | 1 | # Firejail profile for scorched3d-wrapper |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include scorched3d-wrapper.local | 4 | include scorched3d-wrapper.local |
5 | 5 | ||
6 | whitelist /usr/share/opengl-games-utils | 6 | include allow-opengl-game.inc |
7 | private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity | 7 | |
8 | private-bin scorched3d-wrapper | ||
8 | 9 | ||
9 | # Redirect | 10 | # Redirect |
10 | include scorched3d.profile | 11 | include scorched3d.profile |
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile index 6a1003c33..aac3e721f 100644 --- a/etc/profile-m-z/scorched3d.profile +++ b/etc/profile-m-z/scorched3d.profile | |||
@@ -29,6 +29,7 @@ ipc-namespace | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
@@ -40,7 +41,7 @@ shell none | |||
40 | tracelog | 41 | tracelog |
41 | 42 | ||
42 | disable-mnt | 43 | disable-mnt |
43 | private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds | 44 | private-bin scorched3d,scorched3dc,scorched3ds |
44 | private-cache | 45 | private-cache |
45 | private-dev | 46 | private-dev |
46 | private-tmp | 47 | private-tmp |
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index 484ebc38e..2cb1df6b5 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile index 22cd10737..1fdeaa145 100644 --- a/etc/profile-m-z/scribus.profile +++ b/etc/profile-m-z/scribus.profile | |||
@@ -45,6 +45,7 @@ caps.drop all | |||
45 | net none | 45 | net none |
46 | nodvd | 46 | nodvd |
47 | nogroups | 47 | nogroups |
48 | noinput | ||
48 | nonewprivs | 49 | nonewprivs |
49 | noroot | 50 | noroot |
50 | nosound | 51 | nosound |
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile index 8d16cd07f..aa2fa9b1b 100644 --- a/etc/profile-m-z/sdat2img.profile +++ b/etc/profile-m-z/sdat2img.profile | |||
@@ -26,6 +26,7 @@ net none | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index cb2e5ef91..131dcbb68 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 2b82e5d06..d3d8e453f 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -46,6 +46,7 @@ netfilter | |||
46 | no3d | 46 | no3d |
47 | nodvd | 47 | nodvd |
48 | nogroups | 48 | nogroups |
49 | noinput | ||
49 | nonewprivs | 50 | nonewprivs |
50 | noroot | 51 | noroot |
51 | nosound | 52 | nosound |
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index d47f1289a..7d56684db 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
@@ -60,6 +60,7 @@ machine-id | |||
60 | no3d | 60 | no3d |
61 | nodvd | 61 | nodvd |
62 | # nogroups | 62 | # nogroups |
63 | noinput | ||
63 | # nonewprivs | 64 | # nonewprivs |
64 | # noroot | 65 | # noroot |
65 | nosound | 66 | nosound |
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile index dc3fdaf34..df8fbc3e3 100644 --- a/etc/profile-m-z/servo.profile +++ b/etc/profile-m-z/servo.profile | |||
@@ -29,6 +29,7 @@ caps.drop all | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile index 2ae298142..b7f398f45 100644 --- a/etc/profile-m-z/shellcheck.profile +++ b/etc/profile-m-z/shellcheck.profile | |||
@@ -31,6 +31,7 @@ net none | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile index ee2314833..d629240ec 100644 --- a/etc/profile-m-z/shortwave.profile +++ b/etc/profile-m-z/shortwave.profile | |||
@@ -32,6 +32,7 @@ caps.drop all | |||
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | notv | 38 | notv |
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile index bec0bfbb0..63af4d367 100644 --- a/etc/profile-m-z/shotcut.profile +++ b/etc/profile-m-z/shotcut.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | net none | 21 | net none |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | notv | 27 | notv |
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index 749029530..ddc8a7743 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile | |||
@@ -35,6 +35,7 @@ machine-id | |||
35 | netfilter | 35 | netfilter |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile index 6a2f5c434..478377344 100644 --- a/etc/profile-m-z/signal-cli.profile +++ b/etc/profile-m-z/signal-cli.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile index 220035ee7..3f3e2a75d 100644 --- a/etc/profile-m-z/silentarmy.profile +++ b/etc/profile-m-z/silentarmy.profile | |||
@@ -21,6 +21,7 @@ caps.drop all | |||
21 | netfilter | 21 | netfilter |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile index edcc2a0f4..d664f8bf5 100644 --- a/etc/profile-m-z/simplescreenrecorder.profile +++ b/etc/profile-m-z/simplescreenrecorder.profile | |||
@@ -25,6 +25,7 @@ apparmor | |||
25 | caps.drop all | 25 | caps.drop all |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile index 1b81f2ea1..afaa0f6d8 100644 --- a/etc/profile-m-z/simutrans.profile +++ b/etc/profile-m-z/simutrans.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile index ca0516e65..c5a31c237 100644 --- a/etc/profile-m-z/slashem.profile +++ b/etc/profile-m-z/slashem.profile | |||
@@ -25,6 +25,7 @@ net none | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | #nonewprivs | 29 | #nonewprivs |
29 | #noroot | 30 | #noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index 9d6db4cdb..01547e5c1 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
@@ -39,6 +39,7 @@ apparmor | |||
39 | caps.drop all | 39 | caps.drop all |
40 | netfilter | 40 | netfilter |
41 | # nogroups | 41 | # nogroups |
42 | noinput | ||
42 | nonewprivs | 43 | nonewprivs |
43 | noroot | 44 | noroot |
44 | nou2f | 45 | nou2f |
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile index 79bc02979..196950eaf 100644 --- a/etc/profile-m-z/smtube.profile +++ b/etc/profile-m-z/smtube.profile | |||
@@ -36,6 +36,7 @@ notv | |||
36 | nou2f | 36 | nou2f |
37 | novideo | 37 | novideo |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | protocol unix,inet,inet6,netlink | 42 | protocol unix,inet,inet6,netlink |
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile index 541e5a1c4..c3a9bb858 100644 --- a/etc/profile-m-z/smuxi-frontend-gnome.profile +++ b/etc/profile-m-z/smuxi-frontend-gnome.profile | |||
@@ -35,6 +35,7 @@ caps.drop all | |||
35 | netfilter | 35 | netfilter |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index a8ec5848c..83315231f 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -30,6 +30,7 @@ ipc-namespace | |||
30 | netfilter | 30 | netfilter |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile index 44fb8cfe2..6b8a17813 100644 --- a/etc/profile-m-z/sol.profile +++ b/etc/profile-m-z/sol.profile | |||
@@ -25,6 +25,7 @@ net none | |||
25 | # no3d | 25 | # no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | # nosound | 31 | # nosound |
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile index b9f3768be..ef00fdfff 100644 --- a/etc/profile-m-z/sound-juicer.profile +++ b/etc/profile-m-z/sound-juicer.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | netfilter | 24 | netfilter |
25 | no3d | 25 | no3d |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile index bdd6eb7f5..4dbf34100 100644 --- a/etc/profile-m-z/soundconverter.profile +++ b/etc/profile-m-z/soundconverter.profile | |||
@@ -34,6 +34,7 @@ machine-id | |||
34 | no3d | 34 | no3d |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | nosound | 40 | nosound |
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index cedff0b83..4468f21e7 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
@@ -26,6 +26,8 @@ include disable-xdg.inc | |||
26 | mkfile ${HOME}/.config/spectaclerc | 26 | mkfile ${HOME}/.config/spectaclerc |
27 | whitelist ${HOME}/.config/spectaclerc | 27 | whitelist ${HOME}/.config/spectaclerc |
28 | whitelist ${PICTURES} | 28 | whitelist ${PICTURES} |
29 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd | ||
30 | whitelist /usr/share/kconf_update/spectacle_shortcuts.upd | ||
29 | include whitelist-common.inc | 31 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | 32 | include whitelist-runuser-common.inc |
31 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
@@ -38,6 +40,7 @@ net none | |||
38 | no3d | 40 | no3d |
39 | nodvd | 41 | nodvd |
40 | nogroups | 42 | nogroups |
43 | noinput | ||
41 | nonewprivs | 44 | nonewprivs |
42 | noroot | 45 | noroot |
43 | nosound | 46 | nosound |
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index bf0f9f3a1..283674517 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index 1a34cb86d..01bc2bc05 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
@@ -43,7 +44,7 @@ tracelog | |||
43 | disable-mnt | 44 | disable-mnt |
44 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity | 45 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity |
45 | private-dev | 46 | private-dev |
46 | # Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio | 47 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. |
47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
48 | private-opt spotify | 49 | private-opt spotify |
49 | private-srv none | 50 | private-srv none |
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index 110434736..4dd2c7262 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 7bc731333..a58642192 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | # noroot - see issue #1543 | 36 | # noroot - see issue #1543 |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 1292b806b..48a532876 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
@@ -27,6 +27,7 @@ machine-id | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 0bcbe6da2..06d08f3a2 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic | |||
10 | noblacklist ${HOME}/.config/Loop_Hero | 10 | noblacklist ${HOME}/.config/Loop_Hero |
11 | noblacklist ${HOME}/.config/ModTheSpire | 11 | noblacklist ${HOME}/.config/ModTheSpire |
12 | noblacklist ${HOME}/.config/RogueLegacy | 12 | noblacklist ${HOME}/.config/RogueLegacy |
13 | noblacklist ${HOME}/.config/RogueLegacyStorageContainer | ||
13 | noblacklist ${HOME}/.killingfloor | 14 | noblacklist ${HOME}/.killingfloor |
14 | noblacklist ${HOME}/.klei | 15 | noblacklist ${HOME}/.klei |
15 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 16 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive | |||
22 | noblacklist ${HOME}/.local/share/IntoTheBreach | 23 | noblacklist ${HOME}/.local/share/IntoTheBreach |
23 | noblacklist ${HOME}/.local/share/Paradox Interactive | 24 | noblacklist ${HOME}/.local/share/Paradox Interactive |
24 | noblacklist ${HOME}/.local/share/PillarsOfEternity | 25 | noblacklist ${HOME}/.local/share/PillarsOfEternity |
25 | noblacklist ${HOME}/.local/share/RogueLegacy* | 26 | noblacklist ${HOME}/.local/share/RogueLegacy |
27 | noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
26 | noblacklist ${HOME}/.local/share/Steam | 28 | noblacklist ${HOME}/.local/share/Steam |
27 | noblacklist ${HOME}/.local/share/SteamWorldDig | 29 | noblacklist ${HOME}/.local/share/SteamWorldDig |
28 | noblacklist ${HOME}/.local/share/SteamWorld Dig 2 | 30 | noblacklist ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive | |||
69 | mkdir ${HOME}/.local/share/IntoTheBreach | 71 | mkdir ${HOME}/.local/share/IntoTheBreach |
70 | mkdir ${HOME}/.local/share/Paradox Interactive | 72 | mkdir ${HOME}/.local/share/Paradox Interactive |
71 | mkdir ${HOME}/.local/share/PillarsOfEternity | 73 | mkdir ${HOME}/.local/share/PillarsOfEternity |
72 | mkdir ${HOME}/.local/share/RogueLegacy* | 74 | mkdir ${HOME}/.local/share/RogueLegacy |
73 | mkdir ${HOME}/.local/share/Steam | 75 | mkdir ${HOME}/.local/share/Steam |
74 | mkdir ${HOME}/.local/share/SteamWorldDig | 76 | mkdir ${HOME}/.local/share/SteamWorldDig |
75 | mkdir ${HOME}/.local/share/SteamWorld Dig 2 | 77 | mkdir ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic | |||
86 | whitelist ${HOME}/.config/Loop_Hero | 88 | whitelist ${HOME}/.config/Loop_Hero |
87 | whitelist ${HOME}/.config/ModTheSpire | 89 | whitelist ${HOME}/.config/ModTheSpire |
88 | whitelist ${HOME}/.config/RogueLegacy | 90 | whitelist ${HOME}/.config/RogueLegacy |
91 | whitelist ${HOME}/.config/RogueLegacyStorageContainer | ||
89 | whitelist ${HOME}/.config/unity3d | 92 | whitelist ${HOME}/.config/unity3d |
90 | whitelist ${HOME}/.killingfloor | 93 | whitelist ${HOME}/.killingfloor |
91 | whitelist ${HOME}/.klei | 94 | whitelist ${HOME}/.klei |
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive | |||
99 | whitelist ${HOME}/.local/share/IntoTheBreach | 102 | whitelist ${HOME}/.local/share/IntoTheBreach |
100 | whitelist ${HOME}/.local/share/Paradox Interactive | 103 | whitelist ${HOME}/.local/share/Paradox Interactive |
101 | whitelist ${HOME}/.local/share/PillarsOfEternity | 104 | whitelist ${HOME}/.local/share/PillarsOfEternity |
102 | whitelist ${HOME}/.local/share/RogueLegacy* | 105 | whitelist ${HOME}/.local/share/RogueLegacy |
106 | whitelist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
103 | whitelist ${HOME}/.local/share/Steam | 107 | whitelist ${HOME}/.local/share/Steam |
104 | whitelist ${HOME}/.local/share/SteamWorldDig | 108 | whitelist ${HOME}/.local/share/SteamWorldDig |
105 | whitelist ${HOME}/.local/share/SteamWorld Dig 2 | 109 | whitelist ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -115,39 +119,48 @@ whitelist ${HOME}/.steampid | |||
115 | include whitelist-common.inc | 119 | include whitelist-common.inc |
116 | include whitelist-var-common.inc | 120 | include whitelist-var-common.inc |
117 | 121 | ||
122 | # NOTE: The following were intentionally left out as they are alternative | ||
123 | # (i.e.: unnecessary and/or legacy) paths whose existence may potentially | ||
124 | # clobber other paths (see #4225). If you use any, either add the entry to | ||
125 | # steam.local or move the contents to a path listed above (or open an issue if | ||
126 | # it's missing above). | ||
127 | #mkdir ${HOME}/.config/RogueLegacyStorageContainer | ||
128 | #mkdir ${HOME}/.local/share/RogueLegacyStorageContainer | ||
129 | |||
118 | caps.drop all | 130 | caps.drop all |
119 | #ipc-namespace | 131 | #ipc-namespace |
120 | netfilter | 132 | netfilter |
121 | nodvd | 133 | nodvd |
122 | # nVidia users may need to comment / ignore nogroups and noroot | ||
123 | nogroups | 134 | nogroups |
124 | nonewprivs | 135 | nonewprivs |
136 | # If you use nVidia you might need to add 'ignore noroot' to your steam.local. | ||
125 | noroot | 137 | noroot |
126 | notv | 138 | notv |
127 | nou2f | 139 | nou2f |
128 | # novideo should be commented for VR | 140 | # For VR support add 'ignore novideo' to your steam.local. |
129 | novideo | 141 | novideo |
130 | protocol unix,inet,inet6,netlink | 142 | protocol unix,inet,inet6,netlink |
131 | # seccomp sometimes causes issues (see #2951, #3267), | 143 | # seccomp sometimes causes issues (see #2951, #3267). |
132 | # comment it or add 'ignore seccomp' to steam.local if so. | 144 | # Add 'ignore seccomp' to your steam.local if you experience this. |
133 | seccomp !ptrace | 145 | seccomp !ptrace |
134 | shell none | 146 | shell none |
135 | # tracelog breaks integrated browser | 147 | # tracelog breaks integrated browser |
136 | #tracelog | 148 | #tracelog |
137 | 149 | ||
138 | # private-bin is disabled while in testing, but has been tested working with multiple games | 150 | # private-bin is disabled while in testing, but is known to work with multiple games. |
151 | # Add the next line to your steam.local to enable private-bin. | ||
139 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | 152 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity |
140 | # extra programs are available which might be needed for select games | 153 | # Extra programs are available which might be needed for select games. |
154 | # Add the next line to your steam.local to enable support for these programs. | ||
141 | #private-bin java,java-config,mono | 155 | #private-bin java,java-config,mono |
142 | # picture viewers are needed for viewing screenshots | 156 | # To view screenshots add the next line to your steam.local. |
143 | #private-bin eog,eom,gthumb,pix,viewnior,xviewer | 157 | #private-bin eog,eom,gthumb,pix,viewnior,xviewer |
144 | 158 | ||
145 | # comment the following line if you need controller support | ||
146 | private-dev | 159 | private-dev |
147 | # private-etc breaks a small selection of games on some systems, comment to support those | 160 | # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' |
161 | # to your steam.local to support those. | ||
148 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl | 162 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl |
149 | private-tmp | 163 | private-tmp |
150 | 164 | ||
151 | # breaks appindicator support | ||
152 | # dbus-user none | 165 | # dbus-user none |
153 | # dbus-system none | 166 | # dbus-system none |
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile index 3f93fe591..a752ab53c 100644 --- a/etc/profile-m-z/stellarium.profile +++ b/etc/profile-m-z/stellarium.profile | |||
@@ -29,6 +29,7 @@ machine-id | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index 2ae35d211..f8108c9d6 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -42,6 +42,7 @@ caps.drop all | |||
42 | netfilter | 42 | netfilter |
43 | nodvd | 43 | nodvd |
44 | nogroups | 44 | nogroups |
45 | noinput | ||
45 | nonewprivs | 46 | nonewprivs |
46 | noroot | 47 | noroot |
47 | notv | 48 | notv |
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index 0801add28..b87906f55 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
@@ -28,6 +28,7 @@ caps.drop all | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile index 6a582532d..1ebcded7f 100644 --- a/etc/profile-m-z/strings.profile +++ b/etc/profile-m-z/strings.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | #noroot | 34 | #noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 428af3737..bbe92fd38 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 9cc023765..dd456f085 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
@@ -14,6 +14,7 @@ include disable-exec.inc | |||
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | ||
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
18 | 19 | ||
19 | mkdir ${HOME}/.local/share/supertux2 | 20 | mkdir ${HOME}/.local/share/supertux2 |
@@ -29,6 +30,7 @@ caps.drop all | |||
29 | net none | 30 | net none |
30 | nodvd | 31 | nodvd |
31 | nogroups | 32 | nogroups |
33 | noinput | ||
32 | nonewprivs | 34 | nonewprivs |
33 | noroot | 35 | noroot |
34 | notv | 36 | notv |
@@ -42,6 +44,8 @@ tracelog | |||
42 | 44 | ||
43 | disable-mnt | 45 | disable-mnt |
44 | # private-bin supertux2 | 46 | # private-bin supertux2 |
47 | private-cache | ||
48 | private-etc machine-id | ||
45 | private-dev | 49 | private-dev |
46 | private-tmp | 50 | private-tmp |
47 | 51 | ||
diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile new file mode 100644 index 000000000..af8d73deb --- /dev/null +++ b/etc/profile-m-z/supertuxkart-wrapper.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for supertuxkart-wrapper | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include supertuxkart-wrapper.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | include allow-opengl-game.inc | ||
10 | |||
11 | private-bin supertuxkart-wrapper | ||
12 | |||
13 | # Redirect | ||
14 | include supertuxkart.profile | ||
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index 5ad82601d..8db7d2433 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile | |||
@@ -22,6 +22,7 @@ include whitelist-common.inc | |||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | notv | 28 | notv |
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile index 68abd8c94..2a15a5d09 100644 --- a/etc/profile-m-z/sushi.profile +++ b/etc/profile-m-z/sushi.profile | |||
@@ -24,6 +24,7 @@ caps.drop all | |||
24 | net none | 24 | net none |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile index a83080cc3..c60186c42 100644 --- a/etc/profile-m-z/synfigstudio.profile +++ b/etc/profile-m-z/synfigstudio.profile | |||
@@ -20,6 +20,7 @@ caps.drop all | |||
20 | net none | 20 | net none |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index 9e9d2a448..b52b25b96 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile | |||
@@ -15,8 +15,15 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | # help menu functionality (yelp) - comment or add this block prepended with 'ignore' | 18 | # Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality. |
19 | # to your sysprof.local if you don't need the help functionality | 19 | #ignore noblacklist ${HOME}/.config/yelp |
20 | #ignore mkdir ${HOME}/.config/yelp | ||
21 | #nowhitelist ${HOME}/.config/yelp | ||
22 | #nowhitelist /usr/share/help/C/sysprof | ||
23 | #nowhitelist /usr/share/yelp | ||
24 | #nowhitelist /usr/share/yelp-tools | ||
25 | #nowhitelist /usr/share/yelp-xsl | ||
26 | |||
20 | noblacklist ${HOME}/.config/yelp | 27 | noblacklist ${HOME}/.config/yelp |
21 | mkdir ${HOME}/.config/yelp | 28 | mkdir ${HOME}/.config/yelp |
22 | whitelist ${HOME}/.config/yelp | 29 | whitelist ${HOME}/.config/yelp |
@@ -39,8 +46,10 @@ net none | |||
39 | no3d | 46 | no3d |
40 | nodvd | 47 | nodvd |
41 | nogroups | 48 | nogroups |
49 | noinput | ||
42 | nonewprivs | 50 | nonewprivs |
43 | # Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial | 51 | # Some older Debian/Ubuntu sysprof versions need root privileges. |
52 | # Add 'ignore noroot' to your sysprof.local if you run one of these. | ||
44 | noroot | 53 | noroot |
45 | nosound | 54 | nosound |
46 | notv | 55 | notv |
@@ -56,7 +65,7 @@ disable-mnt | |||
56 | private-cache | 65 | private-cache |
57 | private-dev | 66 | private-dev |
58 | private-etc alternatives,fonts,ld.so.cache,machine-id,ssl | 67 | private-etc alternatives,fonts,ld.so.cache,machine-id,ssl |
59 | # private-lib breaks help menu | 68 | # private-lib - breaks help menu |
60 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so | 69 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so |
61 | private-tmp | 70 | private-tmp |
62 | 71 | ||
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile index 6f863d7a1..e2ba5893c 100644 --- a/etc/profile-m-z/tcpdump.profile +++ b/etc/profile-m-z/tcpdump.profile | |||
@@ -28,6 +28,7 @@ netfilter | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | #nogroups | 30 | #nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | #noroot | 33 | #noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile index c1c666f58..02a2c8ae4 100644 --- a/etc/profile-m-z/teamspeak3.profile +++ b/etc/profile-m-z/teamspeak3.profile | |||
@@ -27,6 +27,7 @@ netfilter | |||
27 | no3d | 27 | no3d |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index c0d62bec2..be01aee12 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile | |||
@@ -27,6 +27,7 @@ ipc-namespace | |||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
30 | nonewprivs | 31 | nonewprivs |
31 | noroot | 32 | noroot |
32 | notv | 33 | notv |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index 38d291324..05c621fb2 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -31,6 +31,7 @@ apparmor | |||
31 | caps.drop all | 31 | caps.drop all |
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile index 36ce6d469..ce2ca1d17 100644 --- a/etc/profile-m-z/terasology.profile +++ b/etc/profile-m-z/terasology.profile | |||
@@ -30,6 +30,7 @@ ipc-namespace | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile index 706f39f24..0139d7515 100644 --- a/etc/profile-m-z/tmux.profile +++ b/etc/profile-m-z/tmux.profile | |||
@@ -25,6 +25,7 @@ netfilter | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 13d071635..73ef290f4 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile | |||
@@ -32,6 +32,7 @@ netfilter | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | nosound | 37 | nosound |
37 | notv | 38 | notv |
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 3cbfe8d8b..7659ed1e9 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile | |||
@@ -45,6 +45,7 @@ caps.drop all | |||
45 | netfilter | 45 | netfilter |
46 | nodvd | 46 | nodvd |
47 | nogroups | 47 | nogroups |
48 | noinput | ||
48 | nonewprivs | 49 | nonewprivs |
49 | noroot | 50 | noroot |
50 | notv | 51 | notv |
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index 1ed78934e..0f98a8f64 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile | |||
@@ -29,6 +29,7 @@ ipc-namespace | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index 90c45c7d0..70d9e0aee 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -40,6 +40,7 @@ include whitelist-var-common.inc | |||
40 | caps.drop all | 40 | caps.drop all |
41 | netfilter | 41 | netfilter |
42 | nogroups | 42 | nogroups |
43 | noinput | ||
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
45 | nou2f | 46 | nou2f |
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index c31055cdc..ea118a9f0 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile index d601f0f15..82671b709 100644 --- a/etc/profile-m-z/transmission-common.profile +++ b/etc/profile-m-z/transmission-common.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | machine-id | 31 | machine-id |
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 67463a999..aba563fac 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile | |||
@@ -30,6 +30,7 @@ ipc-namespace | |||
30 | netfilter | 30 | netfilter |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index b82aadd13..2d95081f6 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -38,6 +38,7 @@ netfilter | |||
38 | no3d | 38 | no3d |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | nosound | 44 | nosound |
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile index e76d52219..749626475 100644 --- a/etc/profile-m-z/truecraft.profile +++ b/etc/profile-m-z/truecraft.profile | |||
@@ -24,6 +24,7 @@ include whitelist-common.inc | |||
24 | caps.drop all | 24 | caps.drop all |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | notv | 30 | notv |
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile index d2b13d9ee..d0bcbe79f 100644 --- a/etc/profile-m-z/tuxguitar.profile +++ b/etc/profile-m-z/tuxguitar.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile index d3dcbfe53..dae7d86da 100644 --- a/etc/profile-m-z/tvbrowser.profile +++ b/etc/profile-m-z/tvbrowser.profile | |||
@@ -34,6 +34,7 @@ netfilter | |||
34 | no3d | 34 | no3d |
35 | nodvd | 35 | nodvd |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | notv | 40 | notv |
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile index 265f6429d..601b818c2 100644 --- a/etc/profile-m-z/udiskie.profile +++ b/etc/profile-m-z/udiskie.profile | |||
@@ -24,6 +24,7 @@ machine-id | |||
24 | net none | 24 | net none |
25 | no3d | 25 | no3d |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile index 8807b0b2c..3e4fdbb03 100644 --- a/etc/profile-m-z/uefitool.profile +++ b/etc/profile-m-z/uefitool.profile | |||
@@ -21,6 +21,7 @@ net none | |||
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | noinput | ||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | nosound | 27 | nosound |
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile index c8f28444f..4420099ff 100644 --- a/etc/profile-m-z/uget-gtk.profile +++ b/etc/profile-m-z/uget-gtk.profile | |||
@@ -23,6 +23,7 @@ include whitelist-var-common.inc | |||
23 | caps.drop all | 23 | caps.drop all |
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index 714a3f2f4..0c077babf 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | netfilter | 31 | netfilter |
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | nosound | 36 | nosound |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index bcd256ba3..6db7ba362 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile | |||
@@ -32,6 +32,7 @@ net none | |||
32 | no3d | 32 | no3d |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile index 7dc13e284..956492f52 100644 --- a/etc/profile-m-z/unknown-horizons.profile +++ b/etc/profile-m-z/unknown-horizons.profile | |||
@@ -25,6 +25,7 @@ apparmor | |||
25 | caps.drop all | 25 | caps.drop all |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | notv | 31 | notv |
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index cd4374004..dd881f091 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile | |||
@@ -30,6 +30,7 @@ ipc-namespace | |||
30 | netfilter | 30 | netfilter |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index f60c134e0..2adc044e5 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile | |||
@@ -26,6 +26,7 @@ machine-id | |||
26 | net none | 26 | net none |
27 | nodvd | 27 | nodvd |
28 | #nogroups | 28 | #nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | #noroot | 31 | #noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index 83727d42b..a9ba344dd 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
@@ -29,6 +29,7 @@ net none | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile index 5b6228a94..8f8ef5939 100644 --- a/etc/profile-m-z/viking.profile +++ b/etc/profile-m-z/viking.profile | |||
@@ -23,6 +23,7 @@ netfilter | |||
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile index e9a474239..c3cfe5980 100644 --- a/etc/profile-m-z/vim.profile +++ b/etc/profile-m-z/vim.profile | |||
@@ -23,6 +23,7 @@ caps.drop all | |||
23 | netfilter | 23 | netfilter |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 64d787bfb..c22fb0ff9 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -44,7 +44,7 @@ shell none | |||
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | #disable-mnt | 46 | #disable-mnt |
47 | #private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | 47 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami |
48 | private-cache | 48 | private-cache |
49 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 49 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl |
50 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 9a12686cd..cd7dccd8a 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile | |||
@@ -34,6 +34,7 @@ include whitelist-var-common.inc | |||
34 | caps.drop all | 34 | caps.drop all |
35 | netfilter | 35 | netfilter |
36 | nogroups | 36 | nogroups |
37 | noinput | ||
37 | nonewprivs | 38 | nonewprivs |
38 | noroot | 39 | noroot |
39 | nou2f | 40 | nou2f |
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index 0cb6d34d2..f07c31b68 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile index fbb53943c..5421c4e4b 100644 --- a/etc/profile-m-z/vym.profile +++ b/etc/profile-m-z/vym.profile | |||
@@ -20,6 +20,7 @@ netfilter | |||
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index a43835944..131213ed2 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index aaef652fd..1227a202c 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile | |||
@@ -35,6 +35,7 @@ caps.drop all | |||
35 | netfilter | 35 | netfilter |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 178e0c7b1..e0cd3daad 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile | |||
@@ -35,6 +35,7 @@ ipc-namespace | |||
35 | netfilter | 35 | netfilter |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | notv | 41 | notv |
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 06a7c3412..420e8927e 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile index e9053f598..69e96d0cd 100644 --- a/etc/profile-m-z/webstorm.profile +++ b/etc/profile-m-z/webstorm.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile index 8928f8116..d5a998f35 100644 --- a/etc/profile-m-z/webui-aria2.profile +++ b/etc/profile-m-z/webui-aria2.profile | |||
@@ -20,6 +20,7 @@ caps.drop all | |||
20 | netfilter | 20 | netfilter |
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | noinput | ||
23 | nonewprivs | 24 | nonewprivs |
24 | noroot | 25 | noroot |
25 | nosound | 26 | nosound |
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile index 934edfce9..199b3c6f0 100644 --- a/etc/profile-m-z/wesnoth.profile +++ b/etc/profile-m-z/wesnoth.profile | |||
@@ -26,6 +26,7 @@ include whitelist-common.inc | |||
26 | 26 | ||
27 | caps.drop all | 27 | caps.drop all |
28 | nodvd | 28 | nodvd |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index 8a7042f59..53c4711bd 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile | |||
@@ -35,6 +35,7 @@ netfilter | |||
35 | no3d | 35 | no3d |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
38 | nonewprivs | 39 | nonewprivs |
39 | noroot | 40 | noroot |
40 | nosound | 41 | nosound |
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index fa7a16093..93871a5a4 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
@@ -30,6 +30,7 @@ netfilter | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | nosound | 36 | nosound |
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile index f18878554..0dc26b11d 100644 --- a/etc/profile-m-z/widelands.profile +++ b/etc/profile-m-z/widelands.profile | |||
@@ -28,6 +28,7 @@ ipc-namespace | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | notv | 34 | notv |
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 67427209f..0ea24aafd 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
@@ -31,6 +31,7 @@ caps.drop all | |||
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | # nosound | 37 | # nosound |
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile index 6a84246e1..1824026a8 100644 --- a/etc/profile-m-z/wireshark.profile +++ b/etc/profile-m-z/wireshark.profile | |||
@@ -31,6 +31,7 @@ caps.keep dac_override,net_admin,net_raw | |||
31 | netfilter | 31 | netfilter |
32 | no3d | 32 | no3d |
33 | # nogroups - breaks network traffic capture for unprivileged users | 33 | # nogroups - breaks network traffic capture for unprivileged users |
34 | noinput | ||
34 | # nonewprivs - breaks network traffic capture for unprivileged users | 35 | # nonewprivs - breaks network traffic capture for unprivileged users |
35 | # noroot | 36 | # noroot |
36 | nodvd | 37 | nodvd |
@@ -39,11 +40,15 @@ notv | |||
39 | nou2f | 40 | nou2f |
40 | novideo | 41 | novideo |
41 | # protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols | 42 | # protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols |
42 | seccomp | 43 | #seccomp |
43 | shell none | 44 | shell none |
44 | tracelog | 45 | tracelog |
45 | 46 | ||
46 | # private-bin wireshark | 47 | # private-bin wireshark |
48 | private-cache | ||
47 | private-dev | 49 | private-dev |
48 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl | 50 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl |
49 | private-tmp | 51 | private-tmp |
52 | |||
53 | dbus-user none | ||
54 | dbus-system none | ||
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index da1210bb8..9c724a5d2 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile | |||
@@ -30,6 +30,7 @@ net none | |||
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
33 | nonewprivs | 34 | nonewprivs |
34 | noroot | 35 | noroot |
35 | notv | 36 | notv |
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile index 2b97d5b0a..a44b6490e 100644 --- a/etc/profile-m-z/wps.profile +++ b/etc/profile-m-z/wps.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | nosound | 35 | nosound |
diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile index fe0781336..141d167a8 100644 --- a/etc/profile-m-z/x-terminal-emulator.profile +++ b/etc/profile-m-z/x-terminal-emulator.profile | |||
@@ -9,6 +9,7 @@ caps.drop all | |||
9 | ipc-namespace | 9 | ipc-namespace |
10 | net none | 10 | net none |
11 | nogroups | 11 | nogroups |
12 | noinput | ||
12 | noroot | 13 | noroot |
13 | nou2f | 14 | nou2f |
14 | protocol unix | 15 | protocol unix |
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile index 6146016b2..557f07cd9 100644 --- a/etc/profile-m-z/x2goclient.profile +++ b/etc/profile-m-z/x2goclient.profile | |||
@@ -26,6 +26,7 @@ netfilter | |||
26 | #no3d | 26 | #no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | notv | 32 | notv |
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index cdfebfb29..384f76acc 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile index 56ce01498..7fb483289 100644 --- a/etc/profile-m-z/xcalc.profile +++ b/etc/profile-m-z/xcalc.profile | |||
@@ -22,6 +22,7 @@ net none | |||
22 | no3d | 22 | no3d |
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | noinput | ||
25 | nonewprivs | 26 | nonewprivs |
26 | noroot | 27 | noroot |
27 | nosound | 28 | nosound |
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile index b114f9ab5..4a3022e83 100644 --- a/etc/profile-m-z/xed.profile +++ b/etc/profile-m-z/xed.profile | |||
@@ -31,6 +31,7 @@ machine-id | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile index a3e0c4633..ecd321c7e 100644 --- a/etc/profile-m-z/xfce4-dict.profile +++ b/etc/profile-m-z/xfce4-dict.profile | |||
@@ -23,6 +23,7 @@ netfilter | |||
23 | no3d | 23 | no3d |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | nosound | 29 | nosound |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 78cb2862c..bb38dbebd 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -19,7 +19,7 @@ include disable-xdg.inc | |||
19 | 19 | ||
20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
22 | whitelist /usr/share/gstreamer | 22 | whitelist /usr/share/gstreamer-* |
23 | whitelist /usr/share/xfce4 | 23 | whitelist /usr/share/xfce4 |
24 | whitelist /usr/share/xfce4-mixer | 24 | whitelist /usr/share/xfce4-mixer |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
@@ -33,6 +33,7 @@ netfilter | |||
33 | no3d | 33 | no3d |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | notv | 39 | notv |
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile index c3d0930ff..ebfb4333c 100644 --- a/etc/profile-m-z/xfce4-notes.profile +++ b/etc/profile-m-z/xfce4-notes.profile | |||
@@ -25,6 +25,7 @@ netfilter | |||
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
30 | nosound | 31 | nosound |
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index c9200304c..b1e5bafbf 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | no3d | 29 | no3d |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
32 | nonewprivs | 33 | nonewprivs |
33 | noroot | 34 | noroot |
34 | notv | 35 | notv |
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index 188589df3..81d98db7a 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile | |||
@@ -32,6 +32,7 @@ machine-id | |||
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile index 9391f68de..25261d925 100644 --- a/etc/profile-m-z/xmms.profile +++ b/etc/profile-m-z/xmms.profile | |||
@@ -19,6 +19,7 @@ include disable-xdg.inc | |||
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | no3d | 21 | no3d |
22 | noinput | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | notv | 25 | notv |
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index 3278e295d..e7020f36b 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile | |||
@@ -24,6 +24,7 @@ ipc-namespace | |||
24 | netfilter | 24 | netfilter |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | ||
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
29 | nosound | 30 | nosound |
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index aa8cc7d0e..53c9a0a08 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile | |||
@@ -8,12 +8,16 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.xonotic | 9 | noblacklist ${HOME}/.xonotic |
10 | 10 | ||
11 | include allow-bin-sh.inc | ||
12 | include allow-opengl-game.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
14 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-shell.inc | ||
17 | include disable-xdg.inc | 21 | include disable-xdg.inc |
18 | 22 | ||
19 | mkdir ${HOME}/.xonotic | 23 | mkdir ${HOME}/.xonotic |
@@ -29,6 +33,7 @@ caps.drop all | |||
29 | netfilter | 33 | netfilter |
30 | nodvd | 34 | nodvd |
31 | nogroups | 35 | nogroups |
36 | noinput | ||
32 | nonewprivs | 37 | nonewprivs |
33 | noroot | 38 | noroot |
34 | notv | 39 | notv |
@@ -41,7 +46,7 @@ tracelog | |||
41 | 46 | ||
42 | disable-mnt | 47 | disable-mnt |
43 | private-cache | 48 | private-cache |
44 | private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity | 49 | private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic* |
45 | private-dev | 50 | private-dev |
46 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | 51 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
47 | private-tmp | 52 | private-tmp |
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index 0c6969e09..c4f092d50 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile | |||
@@ -28,6 +28,7 @@ net none | |||
28 | no3d | 28 | no3d |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
31 | nonewprivs | 32 | nonewprivs |
32 | noroot | 33 | noroot |
33 | nosound | 34 | nosound |
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile index cdffe4eb7..1447ec9a7 100644 --- a/etc/profile-m-z/xpdf.profile +++ b/etc/profile-m-z/xpdf.profile | |||
@@ -26,6 +26,7 @@ net none | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index f0290f461..c3bb3292c 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile | |||
@@ -32,6 +32,7 @@ include whitelist-var-common.inc | |||
32 | caps.drop all | 32 | caps.drop all |
33 | netfilter | 33 | netfilter |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nou2f | 38 | nou2f |
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile index 1033a7471..6e409e1aa 100644 --- a/etc/profile-m-z/xpra.profile +++ b/etc/profile-m-z/xpra.profile | |||
@@ -33,6 +33,7 @@ caps.drop all | |||
33 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 33 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 38 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
38 | #noroot | 39 | #noroot |
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index 643c5a317..3ab35edfc 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile index 0ac0f665e..4d454f81c 100644 --- a/etc/profile-m-z/xviewer.profile +++ b/etc/profile-m-z/xviewer.profile | |||
@@ -26,6 +26,7 @@ caps.drop all | |||
26 | no3d | 26 | no3d |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
31 | nosound | 32 | nosound |
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile index 360bd8442..05b55d071 100644 --- a/etc/profile-m-z/yarn.profile +++ b/etc/profile-m-z/yarn.profile | |||
@@ -6,25 +6,5 @@ include yarn.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | ignore read-only ${HOME}/.yarnrc | ||
10 | |||
11 | noblacklist ${HOME}/.yarn | ||
12 | noblacklist ${HOME}/.yarn-config | ||
13 | noblacklist ${HOME}/.yarncache | ||
14 | noblacklist ${HOME}/.yarnrc | ||
15 | |||
16 | # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and | ||
17 | # add the next lines to you yarn.local. | ||
18 | #mkdir ${HOME}/.yarn | ||
19 | #mkdir ${HOME}/.yarn-config | ||
20 | #mkdir ${HOME}/.yarncache | ||
21 | #mkfile ${HOME}/.yarnrc | ||
22 | #whitelist ${HOME}/.yarn | ||
23 | #whitelist ${HOME}/.yarn-config | ||
24 | #whitelist ${HOME}/.yarncache | ||
25 | #whitelist ${HOME}/.yarnrc | ||
26 | #whitelist ${HOME}/Projects | ||
27 | #include whitelist-common.inc | ||
28 | |||
29 | # Redirect | 9 | # Redirect |
30 | include nodejs-common.profile | 10 | include nodejs-common.profile |
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index a08a30b52..93054bfed 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -38,6 +38,7 @@ caps.drop all | |||
38 | net none | 38 | net none |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | # nosound - add the next line to your yelp.local if you don't need sound support. | 44 | # nosound - add the next line to your yelp.local if you don't need sound support. |
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile index c072d6267..b52271a2c 100644 --- a/etc/profile-m-z/youtube-dl-gui.profile +++ b/etc/profile-m-z/youtube-dl-gui.profile | |||
@@ -33,6 +33,7 @@ machine-id | |||
33 | netfilter | 33 | netfilter |
34 | nodvd | 34 | nodvd |
35 | nogroups | 35 | nogroups |
36 | noinput | ||
36 | nonewprivs | 37 | nonewprivs |
37 | noroot | 38 | noroot |
38 | nosound | 39 | nosound |
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 6ce632682..24c4d6db3 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
@@ -43,6 +43,7 @@ netfilter | |||
43 | no3d | 43 | no3d |
44 | nodvd | 44 | nodvd |
45 | nogroups | 45 | nogroups |
46 | noinput | ||
46 | nonewprivs | 47 | nonewprivs |
47 | noroot | 48 | noroot |
48 | nosound | 49 | nosound |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index b8f97db1d..7d6e9b0eb 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -38,6 +38,7 @@ caps.drop all | |||
38 | netfilter | 38 | netfilter |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | noinput | ||
41 | nonewprivs | 42 | nonewprivs |
42 | noroot | 43 | noroot |
43 | notv | 44 | notv |
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile index 6228ff3bd..5a168feb6 100644 --- a/etc/profile-m-z/zaproxy.profile +++ b/etc/profile-m-z/zaproxy.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | nosound | 37 | nosound |
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile index ca35e3b51..10f83aa30 100644 --- a/etc/profile-m-z/zart.profile +++ b/etc/profile-m-z/zart.profile | |||
@@ -23,6 +23,7 @@ ipc-namespace | |||
23 | net none | 23 | net none |
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | noinput | ||
26 | nonewprivs | 27 | nonewprivs |
27 | noroot | 28 | noroot |
28 | notv | 29 | notv |
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile index 86615341f..a39729685 100644 --- a/etc/profile-m-z/zathura.profile +++ b/etc/profile-m-z/zathura.profile | |||
@@ -32,6 +32,7 @@ machine-id | |||
32 | net none | 32 | net none |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
35 | nonewprivs | 36 | nonewprivs |
36 | noroot | 37 | noroot |
37 | nosound | 38 | nosound |
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index 2d0d944fd..2c6f6910f 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
@@ -36,6 +36,7 @@ netfilter | |||
36 | no3d | 36 | no3d |
37 | nodvd | 37 | nodvd |
38 | nogroups | 38 | nogroups |
39 | noinput | ||
39 | nonewprivs | 40 | nonewprivs |
40 | noroot | 41 | noroot |
41 | nosound | 42 | nosound |
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 993f2a64b..093da5212 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile | |||
@@ -31,6 +31,7 @@ netfilter | |||
31 | no3d | 31 | no3d |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | ||
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
36 | notv | 37 | notv |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 043e83c58..fcc7fe949 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -64,7 +64,7 @@ include globals.local | |||
64 | #blacklist /tmp/.X11-unix | 64 | #blacklist /tmp/.X11-unix |
65 | # Disable Wayland | 65 | # Disable Wayland |
66 | #blacklist ${RUNUSER}/wayland-* | 66 | #blacklist ${RUNUSER}/wayland-* |
67 | # Disable RUNUSER (cli only) | 67 | # Disable RUNUSER (cli only; supersedes Disable Wayland) |
68 | #blacklist ${RUNUSER} | 68 | #blacklist ${RUNUSER} |
69 | 69 | ||
70 | # It is common practice to add files/dirs containing program-specific configuration | 70 | # It is common practice to add files/dirs containing program-specific configuration |
@@ -81,6 +81,9 @@ include globals.local | |||
81 | # `ls -aR` | 81 | # `ls -aR` |
82 | #noblacklist PATH | 82 | #noblacklist PATH |
83 | 83 | ||
84 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
85 | #include allow-bin-sh.inc | ||
86 | |||
84 | # Allows files commonly used by IDEs | 87 | # Allows files commonly used by IDEs |
85 | #include allow-common-devel.inc | 88 | #include allow-common-devel.inc |
86 | 89 | ||
@@ -103,12 +106,11 @@ include globals.local | |||
103 | # Allow ruby (blacklisted by disable-interpreters.inc) | 106 | # Allow ruby (blacklisted by disable-interpreters.inc) |
104 | #include allow-ruby.inc | 107 | #include allow-ruby.inc |
105 | 108 | ||
106 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
107 | #include allow-bin-sh.inc | ||
108 | |||
109 | # Allow ssh (blacklisted by disable-common.inc) | 109 | # Allow ssh (blacklisted by disable-common.inc) |
110 | #include allow-ssh.inc | 110 | #include allow-ssh.inc |
111 | 111 | ||
112 | # disable-*.inc includes | ||
113 | # remove disable-write-mnt.inc if you set disable-mnt | ||
112 | #include disable-common.inc | 114 | #include disable-common.inc |
113 | #include disable-devel.inc | 115 | #include disable-devel.inc |
114 | #include disable-exec.inc | 116 | #include disable-exec.inc |
@@ -148,6 +150,7 @@ include globals.local | |||
148 | ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) | 150 | ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) |
149 | #nodvd | 151 | #nodvd |
150 | #nogroups | 152 | #nogroups |
153 | #noinput | ||
151 | #nonewprivs | 154 | #nonewprivs |
152 | #noroot | 155 | #noroot |
153 | #nosound | 156 | #nosound |
@@ -219,3 +222,4 @@ include globals.local | |||
219 | #memory-deny-write-execute | 222 | #memory-deny-write-execute |
220 | ##noexec PATH | 223 | ##noexec PATH |
221 | ##read-only ${HOME} | 224 | ##read-only ${HOME} |
225 | ##read-write ${HOME} | ||
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 96bd351f3..9577042c4 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -83,11 +83,9 @@ static void process_bin(const char *fname) { | |||
83 | continue; | 83 | continue; |
84 | *ptr2 = '\0'; | 84 | *ptr2 = '\0'; |
85 | 85 | ||
86 | // skip strace | 86 | // skip strace and firejail (in case we hit a symlink in /usr/local/bin) |
87 | if (strcmp(ptr, "strace") == 0) | 87 | if (strcmp(ptr, "strace") && strcmp(ptr, "firejail")) |
88 | continue; | 88 | bin_out = filedb_add(bin_out, ptr); |
89 | |||
90 | bin_out = filedb_add(bin_out, ptr); | ||
91 | } | 89 | } |
92 | 90 | ||
93 | fclose(fp); | 91 | fclose(fp); |
@@ -121,6 +119,5 @@ void build_bin(const char *fname, FILE *fp) { | |||
121 | ptr = ptr->next; | 119 | ptr = ptr->next; |
122 | } | 120 | } |
123 | fprintf(fp, "\n"); | 121 | fprintf(fp, "\n"); |
124 | fprintf(fp, "# private-lib\n"); | ||
125 | } | 122 | } |
126 | } | 123 | } |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 495f71ab8..8700e0ba1 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -146,31 +146,49 @@ void build_etc(const char *fname, FILE *fp) { | |||
146 | //******************************************* | 146 | //******************************************* |
147 | // var directory | 147 | // var directory |
148 | //******************************************* | 148 | //******************************************* |
149 | #if 0 | ||
150 | // todo: load the list from whitelist-var-common.inc | ||
151 | static char *var_skip[] = { | ||
152 | "/var/lib/ca-certificates", | ||
153 | "/var/lib/dbus", | ||
154 | "/var/lib/menu-xdg", | ||
155 | "/var/lib/uim", | ||
156 | "/var/cache/fontconfig", | ||
157 | "/var/tmp", | ||
158 | "/var/run", | ||
159 | "/var/lock", | ||
160 | NULL | ||
161 | }; | ||
162 | #endif | ||
149 | static FileDB *var_out = NULL; | 163 | static FileDB *var_out = NULL; |
164 | static FileDB *var_skip = NULL; | ||
150 | static void var_callback(char *ptr) { | 165 | static void var_callback(char *ptr) { |
151 | if (strcmp(ptr, "/var/lib") == 0) | 166 | // extract the directory: |
152 | ; | 167 | assert(strncmp(ptr, "/var", 4) == 0); |
153 | else if (strcmp(ptr, "/var/cache") == 0) | 168 | char *p1 = ptr + 4; |
154 | ; | 169 | if (*p1 != '/') |
155 | else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) | 170 | return; |
156 | var_out = filedb_add(var_out, "/var/lib/menu-xdg"); | 171 | p1++; |
157 | else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) | 172 | |
158 | var_out = filedb_add(var_out, "/var/cache/fontconfig"); | 173 | if (*p1 == '/') // double '/' |
159 | else | 174 | p1++; |
160 | var_out = filedb_add(var_out, ptr); | 175 | if (*p1 == '\0') |
176 | return; | ||
177 | |||
178 | if (!filedb_find(var_skip, p1)) | ||
179 | var_out = filedb_add(var_out, p1); | ||
161 | } | 180 | } |
162 | 181 | ||
163 | void build_var(const char *fname, FILE *fp) { | 182 | void build_var(const char *fname, FILE *fp) { |
164 | assert(fname); | 183 | assert(fname); |
165 | 184 | ||
185 | var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/"); | ||
166 | process_files(fname, "/var", var_callback); | 186 | process_files(fname, "/var", var_callback); |
167 | 187 | ||
168 | if (var_out == NULL) { | 188 | // always whitelist /var |
169 | fprintf(fp, "blacklist /var\n"); | 189 | if (var_out) |
170 | } else { | 190 | filedb_print(var_out, "whitelist /var/", fp); |
171 | filedb_print(var_out, "whitelist ", fp); | 191 | fprintf(fp, "include whitelist-var-common.inc\n"); |
172 | fprintf(fp, "include whitelist-var-common.inc\n"); | ||
173 | } | ||
174 | } | 192 | } |
175 | 193 | ||
176 | 194 | ||
@@ -178,6 +196,7 @@ void build_var(const char *fname, FILE *fp) { | |||
178 | // usr/share directory | 196 | // usr/share directory |
179 | //******************************************* | 197 | //******************************************* |
180 | static FileDB *share_out = NULL; | 198 | static FileDB *share_out = NULL; |
199 | static FileDB *share_skip = NULL; | ||
181 | static void share_callback(char *ptr) { | 200 | static void share_callback(char *ptr) { |
182 | // extract the directory: | 201 | // extract the directory: |
183 | assert(strncmp(ptr, "/usr/share", 10) == 0); | 202 | assert(strncmp(ptr, "/usr/share", 10) == 0); |
@@ -195,21 +214,21 @@ static void share_callback(char *ptr) { | |||
195 | if (p2) | 214 | if (p2) |
196 | *p2 = '\0'; | 215 | *p2 = '\0'; |
197 | 216 | ||
198 | // store the file | 217 | |
199 | share_out = filedb_add(share_out, ptr); | 218 | if (!filedb_find(share_skip, p1)) |
219 | share_out = filedb_add(share_out, p1); | ||
200 | } | 220 | } |
201 | 221 | ||
202 | void build_share(const char *fname, FILE *fp) { | 222 | void build_share(const char *fname, FILE *fp) { |
203 | assert(fname); | 223 | assert(fname); |
204 | 224 | ||
225 | share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/"); | ||
205 | process_files(fname, "/usr/share", share_callback); | 226 | process_files(fname, "/usr/share", share_callback); |
206 | 227 | ||
207 | if (share_out == NULL) { | 228 | // always whitelist /usr/share |
208 | fprintf(fp, "blacklist /usr/share\n"); | 229 | if (share_out) |
209 | } else { | 230 | filedb_print(share_out, "whitelist /usr/share/", fp); |
210 | filedb_print(share_out, "whitelist ", fp); | 231 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); |
211 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); | ||
212 | } | ||
213 | } | 232 | } |
214 | 233 | ||
215 | //******************************************* | 234 | //******************************************* |
@@ -220,6 +239,10 @@ static void tmp_callback(char *ptr) { | |||
220 | // skip strace file | 239 | // skip strace file |
221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | 240 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) |
222 | return; | 241 | return; |
242 | if (strncmp(ptr, "/tmp/runtime-", 13) == 0) | ||
243 | return; | ||
244 | if (strcmp(ptr, "/tmp") == 0) | ||
245 | return; | ||
223 | 246 | ||
224 | tmp_out = filedb_add(tmp_out, ptr); | 247 | tmp_out = filedb_add(tmp_out, ptr); |
225 | } | 248 | } |
@@ -232,8 +255,7 @@ void build_tmp(const char *fname, FILE *fp) { | |||
232 | if (tmp_out == NULL) | 255 | if (tmp_out == NULL) |
233 | fprintf(fp, "private-tmp\n"); | 256 | fprintf(fp, "private-tmp\n"); |
234 | else { | 257 | else { |
235 | fprintf(fp, "\n"); | 258 | fprintf(fp, "#private-tmp\n"); |
236 | fprintf(fp, "# private-tmp\n"); | ||
237 | fprintf(fp, "# File accessed in /tmp directory:\n"); | 259 | fprintf(fp, "# File accessed in /tmp directory:\n"); |
238 | fprintf(fp, "# "); | 260 | fprintf(fp, "# "); |
239 | FileDB *ptr = tmp_out; | 261 | FileDB *ptr = tmp_out; |
@@ -249,40 +271,37 @@ void build_tmp(const char *fname, FILE *fp) { | |||
249 | // dev directory | 271 | // dev directory |
250 | //******************************************* | 272 | //******************************************* |
251 | static char *dev_skip[] = { | 273 | static char *dev_skip[] = { |
274 | "/dev/stdin", | ||
275 | "/dev/stdout", | ||
276 | "/dev/stderr", | ||
252 | "/dev/zero", | 277 | "/dev/zero", |
253 | "/dev/null", | 278 | "/dev/null", |
254 | "/dev/full", | 279 | "/dev/full", |
255 | "/dev/random", | 280 | "/dev/random", |
281 | "/dev/srandom", | ||
256 | "/dev/urandom", | 282 | "/dev/urandom", |
283 | "/dev/sr0", | ||
284 | "/dev/cdrom", | ||
285 | "/dev/cdrw", | ||
286 | "/dev/dvd", | ||
287 | "/dev/dvdrw", | ||
288 | "/dev/fd", | ||
289 | "/dev/pts", | ||
290 | "/dev/ptmx", | ||
291 | "/dev/log", | ||
292 | |||
293 | "/dev/aload", // old ALSA devices, not covered in private-dev | ||
294 | "/dev/dsp", // old OSS device, deprecated | ||
295 | |||
257 | "/dev/tty", | 296 | "/dev/tty", |
258 | "/dev/snd", | 297 | "/dev/snd", |
259 | "/dev/dri", | 298 | "/dev/dri", |
260 | "/dev/pts", | 299 | "/dev/nvidia", |
261 | "/dev/nvidia0", | 300 | "/dev/video", |
262 | "/dev/nvidia1", | ||
263 | "/dev/nvidia2", | ||
264 | "/dev/nvidia3", | ||
265 | "/dev/nvidia4", | ||
266 | "/dev/nvidia5", | ||
267 | "/dev/nvidia6", | ||
268 | "/dev/nvidia7", | ||
269 | "/dev/nvidia8", | ||
270 | "/dev/nvidia9", | ||
271 | "/dev/nvidiactl", | ||
272 | "/dev/nvidia-modeset", | ||
273 | "/dev/nvidia-uvm", | ||
274 | "/dev/video0", | ||
275 | "/dev/video1", | ||
276 | "/dev/video2", | ||
277 | "/dev/video3", | ||
278 | "/dev/video4", | ||
279 | "/dev/video5", | ||
280 | "/dev/video6", | ||
281 | "/dev/video7", | ||
282 | "/dev/video8", | ||
283 | "/dev/video9", | ||
284 | "/dev/dvb", | 301 | "/dev/dvb", |
285 | "/dev/sr0", | 302 | "/dev/hidraw", |
303 | "/dev/usb", | ||
304 | "/dev/input", | ||
286 | NULL | 305 | NULL |
287 | }; | 306 | }; |
288 | 307 | ||
@@ -292,7 +311,7 @@ static void dev_callback(char *ptr) { | |||
292 | int i = 0; | 311 | int i = 0; |
293 | int found = 0; | 312 | int found = 0; |
294 | while (dev_skip[i]) { | 313 | while (dev_skip[i]) { |
295 | if (strcmp(ptr, dev_skip[i]) == 0) { | 314 | if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) { |
296 | found = 1; | 315 | found = 1; |
297 | break; | 316 | break; |
298 | } | 317 | } |
@@ -310,9 +329,8 @@ void build_dev(const char *fname, FILE *fp) { | |||
310 | if (dev_out == NULL) | 329 | if (dev_out == NULL) |
311 | fprintf(fp, "private-dev\n"); | 330 | fprintf(fp, "private-dev\n"); |
312 | else { | 331 | else { |
313 | fprintf(fp, "\n"); | 332 | fprintf(fp, "#private-dev\n"); |
314 | fprintf(fp, "# private-dev\n"); | 333 | fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n"); |
315 | fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); | ||
316 | fprintf(fp, "# "); | 334 | fprintf(fp, "# "); |
317 | FileDB *ptr = dev_out; | 335 | FileDB *ptr = dev_out; |
318 | while (ptr) { | 336 | while (ptr) { |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 683009b71..b3ec6cffd 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -23,30 +23,6 @@ | |||
23 | static FileDB *db_skip = NULL; | 23 | static FileDB *db_skip = NULL; |
24 | static FileDB *db_out = NULL; | 24 | static FileDB *db_out = NULL; |
25 | 25 | ||
26 | static void load_whitelist_common(void) { | ||
27 | FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r"); | ||
28 | if (!fp) { | ||
29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); | ||
30 | exit(1); | ||
31 | } | ||
32 | |||
33 | char buf[MAX_BUF]; | ||
34 | while (fgets(buf, MAX_BUF, fp)) { | ||
35 | if (strncmp(buf, "whitelist ${HOME}/", 18) != 0) | ||
36 | continue; | ||
37 | char *fn = buf + 18; | ||
38 | char *ptr = strchr(buf, '\n'); | ||
39 | if (!ptr) | ||
40 | continue; | ||
41 | *ptr = '\0'; | ||
42 | |||
43 | // add the file to skip list | ||
44 | db_skip = filedb_add(db_skip, fn); | ||
45 | } | ||
46 | |||
47 | fclose(fp); | ||
48 | } | ||
49 | |||
50 | void process_home(const char *fname, char *home, int home_len) { | 26 | void process_home(const char *fname, char *home, int home_len) { |
51 | assert(fname); | 27 | assert(fname); |
52 | assert(home); | 28 | assert(home); |
@@ -141,7 +117,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
141 | } | 117 | } |
142 | 118 | ||
143 | // skip files and directories in whitelist-common.inc | 119 | // skip files and directories in whitelist-common.inc |
144 | if (filedb_find(db_skip, toadd)) { | 120 | if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) { |
145 | if (dir) | 121 | if (dir) |
146 | free(dir); | 122 | free(dir); |
147 | continue; | 123 | continue; |
@@ -162,7 +138,7 @@ void build_home(const char *fname, FILE *fp) { | |||
162 | assert(fname); | 138 | assert(fname); |
163 | 139 | ||
164 | // load whitelist common | 140 | // load whitelist common |
165 | load_whitelist_common(); | 141 | db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/"); |
166 | 142 | ||
167 | // find user home directory | 143 | // find user home directory |
168 | struct passwd *pw = getpwuid(getuid()); | 144 | struct passwd *pw = getpwuid(getuid()); |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 96a83954d..1726b4dbb 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -141,6 +141,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
141 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | 141 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { |
142 | if (fp == stdout) | 142 | if (fp == stdout) |
143 | printf("--- Built profile beings after this line ---\n"); | 143 | printf("--- Built profile beings after this line ---\n"); |
144 | fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); | ||
145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); | ||
146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); | ||
147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); | ||
148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); | ||
149 | |||
144 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); | 150 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); |
145 | fprintf(fp, "# Persistent local customizations\n"); | 151 | fprintf(fp, "# Persistent local customizations\n"); |
146 | fprintf(fp, "#include %s.local\n", argv[index]); | 152 | fprintf(fp, "#include %s.local\n", argv[index]); |
@@ -148,56 +154,69 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
148 | fprintf(fp, "#include globals.local\n"); | 154 | fprintf(fp, "#include globals.local\n"); |
149 | fprintf(fp, "\n"); | 155 | fprintf(fp, "\n"); |
150 | 156 | ||
151 | fprintf(fp, "### basic blacklisting\n"); | 157 | fprintf(fp, "### Basic Blacklisting ###\n"); |
158 | fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); | ||
159 | fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); | ||
160 | fprintf(fp, "### and /tmp directories non-executable.\n"); | ||
152 | fprintf(fp, "include disable-common.inc\n"); | 161 | fprintf(fp, "include disable-common.inc\n"); |
153 | fprintf(fp, "# include disable-devel.inc\n"); | 162 | fprintf(fp, "#include disable-devel.inc\n"); |
154 | fprintf(fp, "# include disable-exec.inc\n"); | 163 | fprintf(fp, "#include disable-exec.inc\n"); |
155 | fprintf(fp, "# include disable-interpreters.inc\n"); | 164 | fprintf(fp, "#include disable-interpreters.inc\n"); |
156 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 165 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
157 | fprintf(fp, "# include disable-programs.inc\n"); | 166 | fprintf(fp, "include disable-programs.inc\n"); |
158 | fprintf(fp, "# include disable-xdg.inc\n"); | 167 | fprintf(fp, "#include disable-shell.inc\n"); |
168 | fprintf(fp, "#include disable-xdg.inc\n"); | ||
159 | fprintf(fp, "\n"); | 169 | fprintf(fp, "\n"); |
160 | 170 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 171 | fprintf(fp, "### Home Directory Whitelisting ###\n"); |
172 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); | ||
173 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); | ||
162 | build_home(trace_output, fp); | 174 | build_home(trace_output, fp); |
163 | fprintf(fp, "\n"); | 175 | fprintf(fp, "\n"); |
164 | 176 | ||
165 | fprintf(fp, "### filesystem\n"); | 177 | fprintf(fp, "### Filesystem Whitelisting ###\n"); |
166 | fprintf(fp, "# /usr/share:\n"); | ||
167 | build_share(trace_output, fp); | 178 | build_share(trace_output, fp); |
168 | fprintf(fp, "# /var:\n"); | 179 | //todo: include whitelist-runuser-common.inc |
169 | build_var(trace_output, fp); | 180 | build_var(trace_output, fp); |
170 | fprintf(fp, "\n"); | 181 | fprintf(fp, "\n"); |
171 | fprintf(fp, "# $PATH:\n"); | ||
172 | build_bin(trace_output, fp); | ||
173 | fprintf(fp, "# /dev:\n"); | ||
174 | build_dev(trace_output, fp); | ||
175 | fprintf(fp, "# /etc:\n"); | ||
176 | build_etc(trace_output, fp); | ||
177 | fprintf(fp, "# /tmp:\n"); | ||
178 | build_tmp(trace_output, fp); | ||
179 | fprintf(fp, "\n"); | ||
180 | 182 | ||
181 | fprintf(fp, "### security filters\n"); | 183 | fprintf(fp, "#apparmor\n"); |
182 | fprintf(fp, "caps.drop all\n"); | 184 | fprintf(fp, "caps.drop all\n"); |
185 | fprintf(fp, "ipc-namespace\n"); | ||
186 | fprintf(fp, "netfilter\n"); | ||
187 | fprintf(fp, "#nodvd\n"); | ||
188 | fprintf(fp, "#nogroups\n"); | ||
189 | fprintf(fp, "#noinput\n"); | ||
183 | fprintf(fp, "nonewprivs\n"); | 190 | fprintf(fp, "nonewprivs\n"); |
191 | fprintf(fp, "noroot\n"); | ||
192 | fprintf(fp, "#notv\n"); | ||
193 | fprintf(fp, "#nou2f\n"); | ||
194 | fprintf(fp, "#novideo\n"); | ||
195 | build_protocol(trace_output, fp); | ||
184 | fprintf(fp, "seccomp\n"); | 196 | fprintf(fp, "seccomp\n"); |
185 | if (!have_strace) { | 197 | if (!have_strace) { |
186 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 198 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); |
187 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 199 | fprintf(fp, "### whitelisted seccomp filter.\n"); |
188 | } | 200 | } |
189 | else if (!have_yama_permission) | 201 | else if (!have_yama_permission) |
190 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | 202 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); |
191 | else | 203 | else |
192 | build_seccomp(strace_output, fp); | 204 | build_seccomp(strace_output, fp); |
205 | fprintf(fp, "shell none\n"); | ||
206 | fprintf(fp, "#tracelog\n"); | ||
193 | fprintf(fp, "\n"); | 207 | fprintf(fp, "\n"); |
194 | 208 | ||
195 | fprintf(fp, "### network\n"); | 209 | fprintf(fp, "#disable-mnt\n"); |
196 | build_protocol(trace_output, fp); | 210 | build_bin(trace_output, fp); |
211 | fprintf(fp, "#private-lib\n"); | ||
212 | build_dev(trace_output, fp); | ||
213 | build_etc(trace_output, fp); | ||
214 | build_tmp(trace_output, fp); | ||
197 | fprintf(fp, "\n"); | 215 | fprintf(fp, "\n"); |
198 | 216 | ||
199 | fprintf(fp, "### environment\n"); | 217 | fprintf(fp, "#dbus-user none\n"); |
200 | fprintf(fp, "shell none\n"); | 218 | fprintf(fp, "#dbus-system none\n"); |
219 | fprintf(fp, "#memory-deny-write-execute\n"); | ||
201 | 220 | ||
202 | if (!arg_debug) { | 221 | if (!arg_debug) { |
203 | unlink(trace_output); | 222 | unlink(trace_output); |
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 8d3621c02..08dd35e10 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h | |||
@@ -66,5 +66,6 @@ typedef struct filedb_t { | |||
66 | FileDB *filedb_add(FileDB *head, const char *fname); | 66 | FileDB *filedb_add(FileDB *head, const char *fname); |
67 | FileDB *filedb_find(FileDB *head, const char *fname); | 67 | FileDB *filedb_find(FileDB *head, const char *fname); |
68 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); | 68 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); |
69 | FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix); | ||
69 | 70 | ||
70 | #endif | 71 | #endif |
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 6e302a606..94a226cb7 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c | |||
@@ -20,7 +20,9 @@ | |||
20 | 20 | ||
21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
22 | 22 | ||
23 | // find exact name or an exact name in a parent directory | ||
23 | FileDB *filedb_find(FileDB *head, const char *fname) { | 24 | FileDB *filedb_find(FileDB *head, const char *fname) { |
25 | assert(fname); | ||
24 | FileDB *ptr = head; | 26 | FileDB *ptr = head; |
25 | int found = 0; | 27 | int found = 0; |
26 | int len = strlen(fname); | 28 | int len = strlen(fname); |
@@ -52,6 +54,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
52 | FileDB *filedb_add(FileDB *head, const char *fname) { | 54 | FileDB *filedb_add(FileDB *head, const char *fname) { |
53 | assert(fname); | 55 | assert(fname); |
54 | 56 | ||
57 | // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.* | ||
58 | |||
55 | // don't add it if it is already there or if the parent directory is already in the list | 59 | // don't add it if it is already there or if the parent directory is already in the list |
56 | if (filedb_find(head, fname)) | 60 | if (filedb_find(head, fname)) |
57 | return head; | 61 | return head; |
@@ -70,9 +74,52 @@ FileDB *filedb_add(FileDB *head, const char *fname) { | |||
70 | }; | 74 | }; |
71 | 75 | ||
72 | void filedb_print(FileDB *head, const char *prefix, FILE *fp) { | 76 | void filedb_print(FileDB *head, const char *prefix, FILE *fp) { |
77 | assert(head); | ||
78 | assert(prefix); | ||
79 | |||
73 | FileDB *ptr = head; | 80 | FileDB *ptr = head; |
74 | while (ptr) { | 81 | while (ptr) { |
75 | fprintf(fp, "%s%s\n", prefix, ptr->fname); | 82 | if (fp) |
83 | fprintf(fp, "%s%s\n", prefix, ptr->fname); | ||
84 | else | ||
85 | printf("%s%s\n", prefix, ptr->fname); | ||
76 | ptr = ptr->next; | 86 | ptr = ptr->next; |
77 | } | 87 | } |
78 | } | 88 | } |
89 | |||
90 | FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) { | ||
91 | assert(fname); | ||
92 | assert(prefix); | ||
93 | int len = strlen(prefix); | ||
94 | char *f; | ||
95 | if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1) | ||
96 | errExit("asprintf"); | ||
97 | FILE *fp = fopen(f, "r"); | ||
98 | if (!fp) { | ||
99 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); | ||
100 | free(f); | ||
101 | exit(1); | ||
102 | } | ||
103 | |||
104 | char buf[MAX_BUF]; | ||
105 | while (fgets(buf, MAX_BUF, fp)) { | ||
106 | if (strncmp(buf, prefix, len) != 0) | ||
107 | continue; | ||
108 | |||
109 | char *fn = buf + len; | ||
110 | char *ptr = strchr(buf, '\n'); | ||
111 | if (!ptr) | ||
112 | continue; | ||
113 | *ptr = '\0'; | ||
114 | |||
115 | // add the file to skip list | ||
116 | head = filedb_add(head, fn); | ||
117 | } | ||
118 | |||
119 | fclose(fp); | ||
120 | free(f); | ||
121 | //printf("***************************************************\n"); | ||
122 | //filedb_print(head, prefix, NULL); | ||
123 | //printf("***************************************************\n"); | ||
124 | return head; | ||
125 | } | ||
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index f4917aefc..35ec49519 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -58,10 +58,16 @@ printf("\n"); | |||
58 | exit(1); | 58 | exit(1); |
59 | } | 59 | } |
60 | 60 | ||
61 | // don't run if the file exists | ||
62 | if (access(argv[i] + 8, F_OK) == 0) { | ||
63 | fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n"); | ||
64 | exit(1); | ||
65 | } | ||
66 | |||
61 | // check file access | 67 | // check file access |
62 | fp = fopen(argv[i] + 8, "w"); | 68 | fp = fopen(argv[i] + 8, "w"); |
63 | if (!fp) { | 69 | if (!fp) { |
64 | fprintf(stderr, "Error fbuild: cannot open profile file.\n"); | 70 | fprintf(stderr, "Error: cannot open profile file.\n"); |
65 | exit(1); | 71 | exit(1); |
66 | } | 72 | } |
67 | prof_file = 1; | 73 | prof_file = 1; |
@@ -69,7 +75,7 @@ printf("\n"); | |||
69 | } | 75 | } |
70 | else { | 76 | else { |
71 | if (*argv[i] == '-') { | 77 | if (*argv[i] == '-') { |
72 | fprintf(stderr, "Error fbuilder: invalid program\n"); | 78 | fprintf(stderr, "Error: invalid program\n"); |
73 | usage(); | 79 | usage(); |
74 | exit(1); | 80 | exit(1); |
75 | } | 81 | } |
@@ -79,7 +85,7 @@ printf("\n"); | |||
79 | } | 85 | } |
80 | 86 | ||
81 | if (prog_index == 0) { | 87 | if (prog_index == 0) { |
82 | fprintf(stderr, "Error fbuilder: program and arguments required\n"); | 88 | fprintf(stderr, "Error : program and arguments required\n"); |
83 | usage(); | 89 | usage(); |
84 | if (prof_file) | 90 | if (prof_file) |
85 | fclose(fp); | 91 | fclose(fp); |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index be50d5f44..474904ebf 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -74,6 +74,7 @@ autokey-run | |||
74 | autokey-shell | 74 | autokey-shell |
75 | avidemux3_qt5 | 75 | avidemux3_qt5 |
76 | aweather | 76 | aweather |
77 | ballbuster | ||
77 | baloo_file | 78 | baloo_file |
78 | baloo_filemetadata_temp_extractor | 79 | baloo_filemetadata_temp_extractor |
79 | balsa | 80 | balsa |
@@ -147,6 +148,7 @@ cmus | |||
147 | code | 148 | code |
148 | code-oss | 149 | code-oss |
149 | cola | 150 | cola |
151 | colorful | ||
150 | com.github.bleakgrey.tootle | 152 | com.github.bleakgrey.tootle |
151 | com.github.dahenson.agenda | 153 | com.github.dahenson.agenda |
152 | com.github.johnfactotum.Foliate | 154 | com.github.johnfactotum.Foliate |
@@ -236,6 +238,7 @@ ffplay | |||
236 | ffprobe | 238 | ffprobe |
237 | file-roller | 239 | file-roller |
238 | filezilla | 240 | filezilla |
241 | firedragon | ||
239 | firefox | 242 | firefox |
240 | firefox-beta | 243 | firefox-beta |
241 | firefox-developer-edition | 244 | firefox-developer-edition |
@@ -293,6 +296,8 @@ git-cola | |||
293 | github-desktop | 296 | github-desktop |
294 | gitter | 297 | gitter |
295 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 | 298 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 |
299 | gl-117 | ||
300 | glaxium | ||
296 | globaltime | 301 | globaltime |
297 | gmpc | 302 | gmpc |
298 | gnome-2048 | 303 | gnome-2048 |
@@ -550,6 +555,7 @@ mypaint | |||
550 | mypaint-ora-thumbnailer | 555 | mypaint-ora-thumbnailer |
551 | natron | 556 | natron |
552 | ncdu | 557 | ncdu |
558 | neochat | ||
553 | neomutt | 559 | neomutt |
554 | netactview | 560 | netactview |
555 | nethack | 561 | nethack |
@@ -615,6 +621,7 @@ penguin-command | |||
615 | photoflare | 621 | photoflare |
616 | picard | 622 | picard |
617 | pidgin | 623 | pidgin |
624 | pinball | ||
618 | #ping - disabled until we fix #1912 | 625 | #ping - disabled until we fix #1912 |
619 | pingus | 626 | pingus |
620 | pinta | 627 | pinta |
@@ -673,7 +680,6 @@ runenpass.sh | |||
673 | sayonara | 680 | sayonara |
674 | scallion | 681 | scallion |
675 | scorched3d | 682 | scorched3d |
676 | scorched3d-wrapper | ||
677 | scorchwentbonkers | 683 | scorchwentbonkers |
678 | scribus | 684 | scribus |
679 | sdat2img | 685 | sdat2img |
@@ -867,7 +873,6 @@ xmr-stak | |||
867 | xonotic | 873 | xonotic |
868 | xonotic-glx | 874 | xonotic-glx |
869 | xonotic-sdl | 875 | xonotic-sdl |
870 | xonotic-sdl-wrapper | ||
871 | xournal | 876 | xournal |
872 | xournalpp | 877 | xournalpp |
873 | xpdf | 878 | xpdf |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 59758bf2d..6b9fed765 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -67,7 +67,7 @@ void appimage_set(const char *appimage) { | |||
67 | 67 | ||
68 | // find or allocate a free loop device to use | 68 | // find or allocate a free loop device to use |
69 | EUID_ROOT(); | 69 | EUID_ROOT(); |
70 | int cfd = open("/dev/loop-control", O_RDWR); | 70 | int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC); |
71 | if (cfd == -1) | 71 | if (cfd == -1) |
72 | err_loop(); | 72 | err_loop(); |
73 | int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); | 73 | int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); |
@@ -78,7 +78,7 @@ void appimage_set(const char *appimage) { | |||
78 | errExit("asprintf"); | 78 | errExit("asprintf"); |
79 | 79 | ||
80 | // associate loop device with appimage | 80 | // associate loop device with appimage |
81 | int lfd = open(devloop, O_RDONLY); | 81 | int lfd = open(devloop, O_RDONLY|O_CLOEXEC); |
82 | if (lfd == -1) | 82 | if (lfd == -1) |
83 | err_loop(); | 83 | err_loop(); |
84 | if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) | 84 | if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) |
@@ -146,7 +146,7 @@ void appimage_mount(void) { | |||
146 | void appimage_clear(void) { | 146 | void appimage_clear(void) { |
147 | EUID_ROOT(); | 147 | EUID_ROOT(); |
148 | if (devloop) { | 148 | if (devloop) { |
149 | int lfd = open(devloop, O_RDONLY); | 149 | int lfd = open(devloop, O_RDONLY|O_CLOEXEC); |
150 | if (lfd != -1) { | 150 | if (lfd != -1) { |
151 | if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) | 151 | if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) |
152 | fmessage("AppImage detached\n"); | 152 | fmessage("AppImage detached\n"); |
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 1c952c0bc..a085f2c27 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <sys/types.h> | 22 | #include <sys/types.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <unistd.h> | 24 | #include <unistd.h> |
25 | #include <errno.h> | ||
25 | #include <net/if.h> | 26 | #include <net/if.h> |
26 | #include "firejail.h" | 27 | #include "firejail.h" |
27 | 28 | ||
@@ -119,26 +120,19 @@ static void bandwidth_create_run_file(pid_t pid) { | |||
119 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) | 120 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
120 | errExit("asprintf"); | 121 | errExit("asprintf"); |
121 | 122 | ||
122 | // if the file already exists, do nothing | ||
123 | struct stat s; | ||
124 | if (stat(fname, &s) == 0) { | ||
125 | free(fname); | ||
126 | return; | ||
127 | } | ||
128 | |||
129 | // create an empty file and set mod and ownership | 123 | // create an empty file and set mod and ownership |
130 | /* coverity[toctou] */ | 124 | // if the file already exists, do nothing |
131 | FILE *fp = fopen(fname, "w"); | 125 | FILE *fp = fopen(fname, "wxe"); |
132 | if (fp) { | 126 | free(fname); |
133 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 127 | if (!fp) { |
134 | fclose(fp); | 128 | if (errno == EEXIST) |
135 | } | 129 | return; |
136 | else { | ||
137 | fprintf(stderr, "Error: cannot create bandwidth file\n"); | 130 | fprintf(stderr, "Error: cannot create bandwidth file\n"); |
138 | exit(1); | 131 | exit(1); |
139 | } | 132 | } |
140 | 133 | ||
141 | free(fname); | 134 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
135 | fclose(fp); | ||
142 | } | 136 | } |
143 | 137 | ||
144 | 138 | ||
@@ -148,7 +142,7 @@ void network_set_run_file(pid_t pid) { | |||
148 | errExit("asprintf"); | 142 | errExit("asprintf"); |
149 | 143 | ||
150 | // create an empty file and set mod and ownership | 144 | // create an empty file and set mod and ownership |
151 | FILE *fp = fopen(fname, "w"); | 145 | FILE *fp = fopen(fname, "we"); |
152 | if (fp) { | 146 | if (fp) { |
153 | if (cfg.bridge0.configured) | 147 | if (cfg.bridge0.configured) |
154 | fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox); | 148 | fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox); |
@@ -178,7 +172,7 @@ static void read_bandwidth_file(pid_t pid) { | |||
178 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) | 172 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
179 | errExit("asprintf"); | 173 | errExit("asprintf"); |
180 | 174 | ||
181 | FILE *fp = fopen(fname, "r"); | 175 | FILE *fp = fopen(fname, "re"); |
182 | if (fp) { | 176 | if (fp) { |
183 | char buf[1024]; | 177 | char buf[1024]; |
184 | while (fgets(buf, 1024,fp)) { | 178 | while (fgets(buf, 1024,fp)) { |
@@ -214,7 +208,7 @@ static void write_bandwidth_file(pid_t pid) { | |||
214 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) | 208 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
215 | errExit("asprintf"); | 209 | errExit("asprintf"); |
216 | 210 | ||
217 | FILE *fp = fopen(fname, "w"); | 211 | FILE *fp = fopen(fname, "we"); |
218 | if (fp) { | 212 | if (fp) { |
219 | IFBW *ptr = ifbw; | 213 | IFBW *ptr = ifbw; |
220 | while (ptr) { | 214 | while (ptr) { |
@@ -307,7 +301,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
307 | char *fname; | 301 | char *fname; |
308 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) | 302 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) |
309 | errExit("asprintf"); | 303 | errExit("asprintf"); |
310 | FILE *fp = fopen(fname, "r"); | 304 | FILE *fp = fopen(fname, "re"); |
311 | if (!fp) { | 305 | if (!fp) { |
312 | fprintf(stderr, "Error: cannot read network map file %s\n", fname); | 306 | fprintf(stderr, "Error: cannot read network map file %s\n", fname); |
313 | exit(1); | 307 | exit(1); |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 597f9915b..5e02b99c2 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -389,7 +389,7 @@ static uint64_t extract_caps(int pid) { | |||
389 | errExit("asprintf"); | 389 | errExit("asprintf"); |
390 | 390 | ||
391 | EUID_ROOT(); // grsecurity | 391 | EUID_ROOT(); // grsecurity |
392 | FILE *fp = fopen(file, "r"); | 392 | FILE *fp = fopen(file, "re"); |
393 | EUID_USER(); // grsecurity | 393 | EUID_USER(); // grsecurity |
394 | if (!fp) | 394 | if (!fp) |
395 | goto errexit; | 395 | goto errexit; |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 986b1157d..e7ffbca36 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -26,7 +26,7 @@ void save_cgroup(void) { | |||
26 | if (cfg.cgroup == NULL) | 26 | if (cfg.cgroup == NULL) |
27 | return; | 27 | return; |
28 | 28 | ||
29 | FILE *fp = fopen(RUN_CGROUP_CFG, "w"); | 29 | FILE *fp = fopen(RUN_CGROUP_CFG, "wxe"); |
30 | if (fp) { | 30 | if (fp) { |
31 | fprintf(fp, "%s", cfg.cgroup); | 31 | fprintf(fp, "%s", cfg.cgroup); |
32 | fflush(0); | 32 | fflush(0); |
@@ -48,7 +48,7 @@ void load_cgroup(const char *fname) { | |||
48 | if (!fname) | 48 | if (!fname) |
49 | return; | 49 | return; |
50 | 50 | ||
51 | FILE *fp = fopen(fname, "r"); | 51 | FILE *fp = fopen(fname, "re"); |
52 | if (fp) { | 52 | if (fp) { |
53 | char buf[MAXBUF]; | 53 | char buf[MAXBUF]; |
54 | if (fgets(buf, MAXBUF, fp)) { | 54 | if (fgets(buf, MAXBUF, fp)) { |
@@ -91,19 +91,19 @@ void set_cgroup(const char *path) { | |||
91 | goto errout; | 91 | goto errout; |
92 | 92 | ||
93 | // tasks file exists | 93 | // tasks file exists |
94 | struct stat s; | 94 | FILE *fp = fopen(path, "ae"); |
95 | if (stat(path, &s) == -1) | 95 | if (!fp) |
96 | goto errout; | 96 | goto errout; |
97 | |||
98 | // task file belongs to the user running the sandbox | 97 | // task file belongs to the user running the sandbox |
98 | int fd = fileno(fp); | ||
99 | if (fd == -1) | ||
100 | errExit("fileno"); | ||
101 | struct stat s; | ||
102 | if (fstat(fd, &s) == -1) | ||
103 | errExit("fstat"); | ||
99 | if (s.st_uid != getuid() && s.st_gid != getgid()) | 104 | if (s.st_uid != getuid() && s.st_gid != getgid()) |
100 | goto errout2; | 105 | goto errout2; |
101 | |||
102 | // add the task to cgroup | 106 | // add the task to cgroup |
103 | /* coverity[toctou] */ | ||
104 | FILE *fp = fopen(path, "a"); | ||
105 | if (!fp) | ||
106 | goto errout; | ||
107 | pid_t pid = getpid(); | 107 | pid_t pid = getpid(); |
108 | int rv = fprintf(fp, "%d\n", pid); | 108 | int rv = fprintf(fp, "%d\n", pid); |
109 | (void) rv; | 109 | (void) rv; |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 8a6e47e17..614b144e5 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -60,7 +60,7 @@ int checkcfg(int val) { | |||
60 | 60 | ||
61 | // open configuration file | 61 | // open configuration file |
62 | const char *fname = SYSCONFDIR "/firejail.config"; | 62 | const char *fname = SYSCONFDIR "/firejail.config"; |
63 | fp = fopen(fname, "r"); | 63 | fp = fopen(fname, "re"); |
64 | if (!fp) { | 64 | if (!fp) { |
65 | #ifdef HAVE_GLOBALCFG | 65 | #ifdef HAVE_GLOBALCFG |
66 | fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); | 66 | fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); |
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 3427e8ade..fe7258fb0 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -75,7 +75,7 @@ void save_cpu(void) { | |||
75 | if (cfg.cpus == 0) | 75 | if (cfg.cpus == 0) |
76 | return; | 76 | return; |
77 | 77 | ||
78 | FILE *fp = fopen(RUN_CPU_CFG, "w"); | 78 | FILE *fp = fopen(RUN_CPU_CFG, "wxe"); |
79 | if (fp) { | 79 | if (fp) { |
80 | fprintf(fp, "%x\n", cfg.cpus); | 80 | fprintf(fp, "%x\n", cfg.cpus); |
81 | SET_PERMS_STREAM(fp, 0, 0, 0600); | 81 | SET_PERMS_STREAM(fp, 0, 0, 0600); |
@@ -91,7 +91,7 @@ void load_cpu(const char *fname) { | |||
91 | if (!fname) | 91 | if (!fname) |
92 | return; | 92 | return; |
93 | 93 | ||
94 | FILE *fp = fopen(fname, "r"); | 94 | FILE *fp = fopen(fname, "re"); |
95 | if (fp) { | 95 | if (fp) { |
96 | unsigned tmp; | 96 | unsigned tmp; |
97 | int rv = fscanf(fp, "%x", &tmp); | 97 | int rv = fscanf(fp, "%x", &tmp); |
@@ -139,7 +139,7 @@ static void print_cpu(int pid) { | |||
139 | } | 139 | } |
140 | 140 | ||
141 | EUID_ROOT(); // grsecurity | 141 | EUID_ROOT(); // grsecurity |
142 | FILE *fp = fopen(file, "r"); | 142 | FILE *fp = fopen(file, "re"); |
143 | EUID_USER(); // grsecurity | 143 | EUID_USER(); // grsecurity |
144 | if (!fp) { | 144 | if (!fp) { |
145 | printf(" Error: cannot open %s\n", file); | 145 | printf(" Error: cannot open %s\n", file); |
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index bdbb338d5..5bcdcad37 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
@@ -93,7 +93,7 @@ static pid_t dhcp_read_pidfile(const Dhclient *client) { | |||
93 | while (found == 0 && tries < 10) { | 93 | while (found == 0 && tries < 10) { |
94 | if (tries >= 1) | 94 | if (tries >= 1) |
95 | usleep(100000); | 95 | usleep(100000); |
96 | FILE *pidfile = fopen(client->pid_file, "r"); | 96 | FILE *pidfile = fopen(client->pid_file, "re"); |
97 | if (pidfile) { | 97 | if (pidfile) { |
98 | long pid; | 98 | long pid; |
99 | if (fscanf(pidfile, "%ld", &pid) == 1) | 99 | if (fscanf(pidfile, "%ld", &pid) == 1) |
diff --git a/src/firejail/env.c b/src/firejail/env.c index 03818df0b..f5e9dd980 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -59,12 +59,7 @@ void env_ibus_load(void) { | |||
59 | if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) | 59 | if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) |
60 | errExit("asprintf"); | 60 | errExit("asprintf"); |
61 | 61 | ||
62 | struct stat s; | ||
63 | if (stat(dirname, &s) == -1) | ||
64 | return; | ||
65 | |||
66 | // find the file | 62 | // find the file |
67 | /* coverity[toctou] */ | ||
68 | DIR *dir = opendir(dirname); | 63 | DIR *dir = opendir(dirname); |
69 | if (!dir) { | 64 | if (!dir) { |
70 | free(dirname); | 65 | free(dirname); |
@@ -84,7 +79,7 @@ void env_ibus_load(void) { | |||
84 | char *fname; | 79 | char *fname; |
85 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) | 80 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) |
86 | errExit("asprintf"); | 81 | errExit("asprintf"); |
87 | FILE *fp = fopen(fname, "r"); | 82 | FILE *fp = fopen(fname, "re"); |
88 | free(fname); | 83 | free(fname); |
89 | if (!fp) | 84 | if (!fp) |
90 | continue; | 85 | continue; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 20de229df..1c1ad4e97 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -310,7 +310,6 @@ extern int arg_private_cwd; // private working directory | |||
310 | extern int arg_scan; // arp-scan all interfaces | 310 | extern int arg_scan; // arp-scan all interfaces |
311 | extern int arg_whitelist; // whitelist command | 311 | extern int arg_whitelist; // whitelist command |
312 | extern int arg_nosound; // disable sound | 312 | extern int arg_nosound; // disable sound |
313 | extern int arg_noautopulse; // disable automatic ~/.config/pulse init | ||
314 | extern int arg_novideo; //disable video devices in /dev | 313 | extern int arg_novideo; //disable video devices in /dev |
315 | extern int arg_no3d; // disable 3d hardware acceleration | 314 | extern int arg_no3d; // disable 3d hardware acceleration |
316 | extern int arg_quiet; // no output for scripting | 315 | extern int arg_quiet; // no output for scripting |
@@ -319,6 +318,7 @@ extern int arg_join_filesystem; // join only the mount namespace | |||
319 | extern int arg_nice; // nice value configured | 318 | extern int arg_nice; // nice value configured |
320 | extern int arg_ipc; // enable ipc namespace | 319 | extern int arg_ipc; // enable ipc namespace |
321 | extern int arg_writable_etc; // writable etc | 320 | extern int arg_writable_etc; // writable etc |
321 | extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init | ||
322 | extern int arg_writable_var; // writable var | 322 | extern int arg_writable_var; // writable var |
323 | extern int arg_keep_var_tmp; // don't overwrite /var/tmp | 323 | extern int arg_keep_var_tmp; // don't overwrite /var/tmp |
324 | extern int arg_writable_run_user; // writable /run/user | 324 | extern int arg_writable_run_user; // writable /run/user |
@@ -335,7 +335,8 @@ extern int arg_noprofile; // use default.profile if none other found/specified | |||
335 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 335 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
336 | extern int arg_notv; // --notv | 336 | extern int arg_notv; // --notv |
337 | extern int arg_nodvd; // --nodvd | 337 | extern int arg_nodvd; // --nodvd |
338 | extern int arg_nou2f; // --nou2f | 338 | extern int arg_nou2f; // --nou2f |
339 | extern int arg_noinput; // --noinput | ||
339 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 340 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
340 | 341 | ||
341 | typedef enum { | 342 | typedef enum { |
@@ -565,6 +566,7 @@ void fs_dev_disable_video(void); | |||
565 | void fs_dev_disable_tv(void); | 566 | void fs_dev_disable_tv(void); |
566 | void fs_dev_disable_dvd(void); | 567 | void fs_dev_disable_dvd(void); |
567 | void fs_dev_disable_u2f(void); | 568 | void fs_dev_disable_u2f(void); |
569 | void fs_dev_disable_input(void); | ||
568 | 570 | ||
569 | // fs_home.c | 571 | // fs_home.c |
570 | // private mode (--private) | 572 | // private mode (--private) |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index b2fa60f63..8c2870a4d 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -41,6 +41,7 @@ typedef enum { | |||
41 | DEV_TV, | 41 | DEV_TV, |
42 | DEV_DVD, | 42 | DEV_DVD, |
43 | DEV_U2F, | 43 | DEV_U2F, |
44 | DEV_INPUT | ||
44 | } DEV_TYPE; | 45 | } DEV_TYPE; |
45 | 46 | ||
46 | 47 | ||
@@ -89,6 +90,7 @@ static DevEntry dev[] = { | |||
89 | {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F}, | 90 | {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F}, |
90 | {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F}, | 91 | {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F}, |
91 | {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F | 92 | {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F |
93 | {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT}, | ||
92 | {NULL, NULL, DEV_NONE} | 94 | {NULL, NULL, DEV_NONE} |
93 | }; | 95 | }; |
94 | 96 | ||
@@ -103,7 +105,8 @@ static void deventry_mount(void) { | |||
103 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || | 105 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || |
104 | (dev[i].type == DEV_TV && arg_notv == 0) || | 106 | (dev[i].type == DEV_TV && arg_notv == 0) || |
105 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || | 107 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || |
106 | (dev[i].type == DEV_U2F && arg_nou2f == 0)) { | 108 | (dev[i].type == DEV_U2F && arg_nou2f == 0) || |
109 | (dev[i].type == DEV_INPUT && arg_noinput == 0)) { | ||
107 | 110 | ||
108 | int dir = is_dir(dev[i].run_fname); | 111 | int dir = is_dir(dev[i].run_fname); |
109 | if (arg_debug) | 112 | if (arg_debug) |
@@ -119,7 +122,7 @@ static void deventry_mount(void) { | |||
119 | i++; | 122 | i++; |
120 | continue; | 123 | continue; |
121 | } | 124 | } |
122 | FILE *fp = fopen(dev[i].dev_fname, "w"); | 125 | FILE *fp = fopen(dev[i].dev_fname, "we"); |
123 | if (fp) { | 126 | if (fp) { |
124 | fprintf(fp, "\n"); | 127 | fprintf(fp, "\n"); |
125 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); | 128 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); |
@@ -215,7 +218,7 @@ void fs_private_dev(void){ | |||
215 | struct stat s; | 218 | struct stat s; |
216 | if (stat("/dev/log", &s) == 0) { | 219 | if (stat("/dev/log", &s) == 0) { |
217 | have_devlog = 1; | 220 | have_devlog = 1; |
218 | FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); | 221 | FILE *fp = fopen(RUN_DEVLOG_FILE, "we"); |
219 | if (!fp) | 222 | if (!fp) |
220 | have_devlog = 0; | 223 | have_devlog = 0; |
221 | else { | 224 | else { |
@@ -236,7 +239,7 @@ void fs_private_dev(void){ | |||
236 | 239 | ||
237 | // bring back /dev/log | 240 | // bring back /dev/log |
238 | if (have_devlog) { | 241 | if (have_devlog) { |
239 | FILE *fp = fopen("/dev/log", "w"); | 242 | FILE *fp = fopen("/dev/log", "we"); |
240 | if (fp) { | 243 | if (fp) { |
241 | fprintf(fp, "\n"); | 244 | fprintf(fp, "\n"); |
242 | fclose(fp); | 245 | fclose(fp); |
@@ -386,3 +389,12 @@ void fs_dev_disable_u2f(void) { | |||
386 | i++; | 389 | i++; |
387 | } | 390 | } |
388 | } | 391 | } |
392 | |||
393 | void fs_dev_disable_input(void) { | ||
394 | int i = 0; | ||
395 | while (dev[i].dev_fname != NULL) { | ||
396 | if (dev[i].type == DEV_INPUT) | ||
397 | disable_file_or_dir(dev[i].dev_fname); | ||
398 | i++; | ||
399 | } | ||
400 | } | ||
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index abec25d45..b0e1e1bf1 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -52,7 +52,7 @@ void fs_machineid(void) { | |||
52 | mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; | 52 | mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; |
53 | 53 | ||
54 | // write it in a file | 54 | // write it in a file |
55 | FILE *fp = fopen(RUN_MACHINEID, "w"); | 55 | FILE *fp = fopen(RUN_MACHINEID, "we"); |
56 | if (!fp) | 56 | if (!fp) |
57 | errExit("fopen"); | 57 | errExit("fopen"); |
58 | fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); | 58 | fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); |
@@ -76,6 +76,44 @@ void fs_machineid(void) { | |||
76 | } | 76 | } |
77 | } | 77 | } |
78 | 78 | ||
79 | // Duplicate directory structure from src to dst by creating empty directories. | ||
80 | // The paths _must_ be identical after their respective prefixes. | ||
81 | // When finished, dst will point to the target directory. That is, if | ||
82 | // it starts out pointing to a file, it will instead be truncated so | ||
83 | // that it contains the parent directory instead. | ||
84 | static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) { | ||
85 | char *p = src + src_prefix_len + 1; | ||
86 | char *q = dst + dst_prefix_len + 1; | ||
87 | char *r = dst + dst_prefix_len; | ||
88 | struct stat s; | ||
89 | bool last = false; | ||
90 | *r = '\0'; | ||
91 | for (; !last; p++, q++) { | ||
92 | if (*p == '\0') { | ||
93 | last = true; | ||
94 | } | ||
95 | if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) { | ||
96 | // We found a new component of our src path. | ||
97 | // Null-terminate it temporarily here so that we can work | ||
98 | // with it. | ||
99 | *p = '\0'; | ||
100 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | ||
101 | // Null-terminate the dst path and undo its previous | ||
102 | // termination. | ||
103 | *q = '\0'; | ||
104 | *r = '/'; | ||
105 | r = q; | ||
106 | create_empty_dir_as_root(dst, s.st_mode); | ||
107 | } | ||
108 | if (!last) { | ||
109 | // If we're not at the final terminating null, restore | ||
110 | // the slash so that we can continue our traversal. | ||
111 | *p = '/'; | ||
112 | } | ||
113 | } | ||
114 | } | ||
115 | } | ||
116 | |||
79 | // return 0 if file not found, 1 if found | 117 | // return 0 if file not found, 1 if found |
80 | static int check_dir_or_file(const char *fname) { | 118 | static int check_dir_or_file(const char *fname) { |
81 | assert(fname); | 119 | assert(fname); |
@@ -103,7 +141,7 @@ errexit: | |||
103 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { | 141 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { |
104 | assert(fname); | 142 | assert(fname); |
105 | 143 | ||
106 | if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { | 144 | if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) { |
107 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); | 145 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); |
108 | exit(1); | 146 | exit(1); |
109 | } | 147 | } |
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr | |||
119 | } | 157 | } |
120 | 158 | ||
121 | if (arg_debug) | 159 | if (arg_debug) |
122 | printf("copying %s to private %s\n", src, private_dir); | 160 | printf("Copying %s to private %s\n", src, private_dir); |
123 | 161 | ||
124 | struct stat s; | 162 | char *dst; |
125 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | 163 | if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1) |
126 | // create the directory in RUN_ETC_DIR | 164 | errExit("asprintf"); |
127 | char *dirname; | 165 | |
128 | if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) | 166 | build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); |
129 | errExit("asprintf"); | 167 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); |
130 | create_empty_dir_as_root(dirname, s.st_mode); | ||
131 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); | ||
132 | free(dirname); | ||
133 | } | ||
134 | else | ||
135 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); | ||
136 | 168 | ||
169 | free(dst); | ||
137 | fs_logger2("clone", src); | 170 | fs_logger2("clone", src); |
138 | free(src); | 171 | free(src); |
139 | } | 172 | } |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index e3b044a3b..4bcefa443 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -130,7 +130,7 @@ static int store_xauthority(void) { | |||
130 | } | 130 | } |
131 | 131 | ||
132 | // create an empty file as root, and change ownership to user | 132 | // create an empty file as root, and change ownership to user |
133 | FILE *fp = fopen(dest, "w"); | 133 | FILE *fp = fopen(dest, "we"); |
134 | if (fp) { | 134 | if (fp) { |
135 | fprintf(fp, "\n"); | 135 | fprintf(fp, "\n"); |
136 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | 136 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); |
@@ -178,7 +178,7 @@ static int store_asoundrc(void) { | |||
178 | } | 178 | } |
179 | 179 | ||
180 | // create an empty file as root, and change ownership to user | 180 | // create an empty file as root, and change ownership to user |
181 | FILE *fp = fopen(dest, "w"); | 181 | FILE *fp = fopen(dest, "we"); |
182 | if (fp) { | 182 | if (fp) { |
183 | fprintf(fp, "\n"); | 183 | fprintf(fp, "\n"); |
184 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); | 184 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 8a3bb71ea..80046f7ae 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -47,11 +47,11 @@ void fs_hostname(const char *hostname) { | |||
47 | printf("Creating a new /etc/hosts file\n"); | 47 | printf("Creating a new /etc/hosts file\n"); |
48 | // copy /etc/host into our new file, and modify it on the fly | 48 | // copy /etc/host into our new file, and modify it on the fly |
49 | /* coverity[toctou] */ | 49 | /* coverity[toctou] */ |
50 | FILE *fp1 = fopen("/etc/hosts", "r"); | 50 | FILE *fp1 = fopen("/etc/hosts", "re"); |
51 | if (!fp1) | 51 | if (!fp1) |
52 | goto errexit; | 52 | goto errexit; |
53 | 53 | ||
54 | FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); | 54 | FILE *fp2 = fopen(RUN_HOSTS_FILE, "we"); |
55 | if (!fp2) { | 55 | if (!fp2) { |
56 | fclose(fp1); | 56 | fclose(fp1); |
57 | goto errexit; | 57 | goto errexit; |
@@ -165,7 +165,7 @@ void fs_resolvconf(void) { | |||
165 | 165 | ||
166 | if (arg_debug) | 166 | if (arg_debug) |
167 | printf("Creating a new /etc/resolv.conf file\n"); | 167 | printf("Creating a new /etc/resolv.conf file\n"); |
168 | FILE *fp = fopen("/etc/resolv.conf", "w"); | 168 | FILE *fp = fopen("/etc/resolv.conf", "wxe"); |
169 | if (!fp) { | 169 | if (!fp) { |
170 | fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); | 170 | fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); |
171 | exit(1); | 171 | exit(1); |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 85fb70854..5df356d04 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -221,7 +221,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) { | |||
221 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); | 221 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); |
222 | 222 | ||
223 | // open the list of libraries and install them on by one | 223 | // open the list of libraries and install them on by one |
224 | FILE *fp = fopen(RUN_LIB_FILE, "r"); | 224 | FILE *fp = fopen(RUN_LIB_FILE, "re"); |
225 | if (!fp) | 225 | if (!fp) |
226 | errExit("fopen"); | 226 | errExit("fopen"); |
227 | 227 | ||
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 67ad4b52e..604e297b1 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -92,7 +92,7 @@ void fs_logger_print(void) { | |||
92 | if (!head) | 92 | if (!head) |
93 | return; | 93 | return; |
94 | 94 | ||
95 | FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); | 95 | FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae"); |
96 | if (!fp) { | 96 | if (!fp) { |
97 | perror("fopen"); | 97 | perror("fopen"); |
98 | return; | 98 | return; |
@@ -123,15 +123,8 @@ void fs_logger_print_log(pid_t pid) { | |||
123 | // in case the pid is that of a firejail process, use the pid of the first child process | 123 | // in case the pid is that of a firejail process, use the pid of the first child process |
124 | pid = switch_to_child(pid); | 124 | pid = switch_to_child(pid); |
125 | 125 | ||
126 | // check privileges for non-root users | 126 | // exit if no permission to join the sandbox |
127 | uid_t uid = getuid(); | 127 | check_join_permission(pid); |
128 | if (uid != 0) { | ||
129 | uid_t sandbox_uid = pid_get_uid(pid); | ||
130 | if (uid != sandbox_uid) { | ||
131 | fprintf(stderr, "Error: permission denied\n"); | ||
132 | exit(1); | ||
133 | } | ||
134 | } | ||
135 | 128 | ||
136 | // print RUN_FSLOGGER_FILE | 129 | // print RUN_FSLOGGER_FILE |
137 | char *fname; | 130 | char *fname; |
@@ -139,24 +132,16 @@ void fs_logger_print_log(pid_t pid) { | |||
139 | errExit("asprintf"); | 132 | errExit("asprintf"); |
140 | 133 | ||
141 | EUID_ROOT(); | 134 | EUID_ROOT(); |
142 | struct stat s; | 135 | FILE *fp = fopen(fname, "re"); |
143 | if (stat(fname, &s) == -1 || s.st_uid != 0) { | 136 | free(fname); |
144 | fprintf(stderr, "Error: Cannot access filesystem log\n"); | ||
145 | exit(1); | ||
146 | } | ||
147 | |||
148 | /* coverity[toctou] */ | ||
149 | FILE *fp = fopen(fname, "r"); | ||
150 | if (!fp) { | 137 | if (!fp) { |
151 | fprintf(stderr, "Error: Cannot open filesystem log\n"); | 138 | fprintf(stderr, "Error: Cannot open filesystem log\n"); |
152 | exit(1); | 139 | exit(1); |
153 | } | 140 | } |
154 | |||
155 | char buf[MAXBUF]; | 141 | char buf[MAXBUF]; |
156 | while (fgets(buf, MAXBUF, fp)) | 142 | while (fgets(buf, MAXBUF, fp)) |
157 | printf("%s", buf); | 143 | printf("%s", buf); |
158 | fclose(fp); | 144 | fclose(fp); |
159 | free(fname); | ||
160 | 145 | ||
161 | exit(0); | 146 | exit(0); |
162 | } | 147 | } |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 8f939b5f5..1fc38361e 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -33,8 +33,7 @@ void fs_trace_preload(void) { | |||
33 | if (stat("/etc/ld.so.preload", &s)) { | 33 | if (stat("/etc/ld.so.preload", &s)) { |
34 | if (arg_debug) | 34 | if (arg_debug) |
35 | printf("Creating an empty /etc/ld.so.preload file\n"); | 35 | printf("Creating an empty /etc/ld.so.preload file\n"); |
36 | /* coverity[toctou] */ | 36 | FILE *fp = fopen("/etc/ld.so.preload", "wxe"); |
37 | FILE *fp = fopen("/etc/ld.so.preload", "w"); | ||
38 | if (!fp) | 37 | if (!fp) |
39 | errExit("fopen"); | 38 | errExit("fopen"); |
40 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 39 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
@@ -64,11 +63,11 @@ void fs_tracefile(void) { | |||
64 | if (ftruncate(fd, 0) == -1) | 63 | if (ftruncate(fd, 0) == -1) |
65 | errExit("ftruncate"); | 64 | errExit("ftruncate"); |
66 | EUID_ROOT(); | 65 | EUID_ROOT(); |
67 | FILE *fp = fopen(RUN_TRACE_FILE, "w"); | 66 | FILE *fp = fopen(RUN_TRACE_FILE, "we"); |
68 | if (!fp) | 67 | if (!fp) |
69 | errExit("fopen " RUN_TRACE_FILE); | 68 | errExit("fopen " RUN_TRACE_FILE); |
70 | fclose(fp); | 69 | fclose(fp); |
71 | fs_logger2("touch ", arg_tracefile); | 70 | fs_logger2("touch", arg_tracefile); |
72 | // mount using the symbolic link in /proc/self/fd | 71 | // mount using the symbolic link in /proc/self/fd |
73 | if (arg_debug) | 72 | if (arg_debug) |
74 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); | 73 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); |
@@ -88,7 +87,7 @@ void fs_trace(void) { | |||
88 | if (arg_debug) | 87 | if (arg_debug) |
89 | printf("Create the new ld.so.preload file\n"); | 88 | printf("Create the new ld.so.preload file\n"); |
90 | 89 | ||
91 | FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); | 90 | FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we"); |
92 | if (!fp) | 91 | if (!fp) |
93 | errExit("fopen"); | 92 | errExit("fopen"); |
94 | const char *prefix = RUN_FIREJAIL_LIB_DIR; | 93 | const char *prefix = RUN_FIREJAIL_LIB_DIR; |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index f07581cd8..bae3d6df0 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -127,7 +127,7 @@ void fs_var_log(void) { | |||
127 | 127 | ||
128 | // create an empty /var/log/wtmp file | 128 | // create an empty /var/log/wtmp file |
129 | /* coverity[toctou] */ | 129 | /* coverity[toctou] */ |
130 | FILE *fp = fopen("/var/log/wtmp", "w"); | 130 | FILE *fp = fopen("/var/log/wtmp", "wxe"); |
131 | if (fp) { | 131 | if (fp) { |
132 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); | 132 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); |
133 | fclose(fp); | 133 | fclose(fp); |
@@ -135,7 +135,7 @@ void fs_var_log(void) { | |||
135 | fs_logger("touch /var/log/wtmp"); | 135 | fs_logger("touch /var/log/wtmp"); |
136 | 136 | ||
137 | // create an empty /var/log/btmp file | 137 | // create an empty /var/log/btmp file |
138 | fp = fopen("/var/log/btmp", "w"); | 138 | fp = fopen("/var/log/btmp", "wxe"); |
139 | if (fp) { | 139 | if (fp) { |
140 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); | 140 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); |
141 | fclose(fp); | 141 | fclose(fp); |
@@ -158,8 +158,7 @@ void fs_var_lib(void) { | |||
158 | fs_logger("tmpfs /var/lib/dhcp"); | 158 | fs_logger("tmpfs /var/lib/dhcp"); |
159 | 159 | ||
160 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file | 160 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file |
161 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); | 161 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe"); |
162 | |||
163 | if (fp) { | 162 | if (fp) { |
164 | fprintf(fp, "\n"); | 163 | fprintf(fp, "\n"); |
165 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); | 164 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); |
@@ -287,7 +286,7 @@ void fs_var_utmp(void) { | |||
287 | if (stat(UTMP_FILE, &s) == 0) | 286 | if (stat(UTMP_FILE, &s) == 0) |
288 | utmp_group = s.st_gid; | 287 | utmp_group = s.st_gid; |
289 | else { | 288 | else { |
290 | fwarning("cannot find /var/run/utmp\n"); | 289 | fwarning("cannot find %s\n", UTMP_FILE); |
291 | return; | 290 | return; |
292 | } | 291 | } |
293 | 292 | ||
@@ -296,7 +295,7 @@ void fs_var_utmp(void) { | |||
296 | printf("Create the new utmp file\n"); | 295 | printf("Create the new utmp file\n"); |
297 | 296 | ||
298 | /* coverity[toctou] */ | 297 | /* coverity[toctou] */ |
299 | FILE *fp = fopen(RUN_UTMP_FILE, "w"); | 298 | FILE *fp = fopen(RUN_UTMP_FILE, "we"); |
300 | if (!fp) | 299 | if (!fp) |
301 | errExit("fopen"); | 300 | errExit("fopen"); |
302 | 301 | ||
@@ -323,5 +322,5 @@ void fs_var_utmp(void) { | |||
323 | printf("Mount the new utmp file\n"); | 322 | printf("Mount the new utmp file\n"); |
324 | if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | 323 | if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
325 | errExit("mount bind utmp"); | 324 | errExit("mount bind utmp"); |
326 | fs_logger("create /var/run/utmp"); | 325 | fs_logger2("create", UTMP_FILE); |
327 | } | 326 | } |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 1575a7469..bab4b830f 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -103,7 +103,7 @@ static void extract_x11_display(pid_t pid) { | |||
103 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | 103 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) |
104 | errExit("asprintf"); | 104 | errExit("asprintf"); |
105 | 105 | ||
106 | FILE *fp = fopen(fname, "r"); | 106 | FILE *fp = fopen(fname, "re"); |
107 | free(fname); | 107 | free(fname); |
108 | if (!fp) | 108 | if (!fp) |
109 | return; | 109 | return; |
@@ -219,7 +219,7 @@ static void extract_caps(pid_t pid) { | |||
219 | perror("asprintf"); | 219 | perror("asprintf"); |
220 | exit(1); | 220 | exit(1); |
221 | } | 221 | } |
222 | FILE *fp = fopen(file, "r"); | 222 | FILE *fp = fopen(file, "re"); |
223 | if (!fp) | 223 | if (!fp) |
224 | goto errexit; | 224 | goto errexit; |
225 | 225 | ||
@@ -266,7 +266,7 @@ static void extract_user_namespace(pid_t pid) { | |||
266 | char *uidmap; | 266 | char *uidmap; |
267 | if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) | 267 | if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) |
268 | errExit("asprintf"); | 268 | errExit("asprintf"); |
269 | FILE *fp = fopen(uidmap, "r"); | 269 | FILE *fp = fopen(uidmap, "re"); |
270 | if (!fp) { | 270 | if (!fp) { |
271 | free(uidmap); | 271 | free(uidmap); |
272 | return; | 272 | return; |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 63ef2309b..796c42290 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -221,7 +221,7 @@ void cat(const char *path) { | |||
221 | 221 | ||
222 | if (arg_debug) | 222 | if (arg_debug) |
223 | printf("cat %s\n", path); | 223 | printf("cat %s\n", path); |
224 | FILE *fp = fopen(path, "r"); | 224 | FILE *fp = fopen(path, "re"); |
225 | if (!fp) { | 225 | if (!fp) { |
226 | fprintf(stderr, "Error: cannot read %s\n", path); | 226 | fprintf(stderr, "Error: cannot read %s\n", path); |
227 | exit(1); | 227 | exit(1); |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 7f2f6dbf3..bcac1feb4 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -99,7 +99,7 @@ static char *resolve_xdg(const char *var) { | |||
99 | 99 | ||
100 | if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) | 100 | if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) |
101 | errExit("asprintf"); | 101 | errExit("asprintf"); |
102 | FILE *fp = fopen(fname, "r"); | 102 | FILE *fp = fopen(fname, "re"); |
103 | if (!fp) { | 103 | if (!fp) { |
104 | free(fname); | 104 | free(fname); |
105 | return NULL; | 105 | return NULL; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index b3524fcf5..593835843 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory | |||
116 | int arg_scan = 0; // arp-scan all interfaces | 116 | int arg_scan = 0; // arp-scan all interfaces |
117 | int arg_whitelist = 0; // whitelist command | 117 | int arg_whitelist = 0; // whitelist command |
118 | int arg_nosound = 0; // disable sound | 118 | int arg_nosound = 0; // disable sound |
119 | int arg_noautopulse = 0; // disable automatic ~/.config/pulse init | ||
120 | int arg_novideo = 0; //disable video devices in /dev | 119 | int arg_novideo = 0; //disable video devices in /dev |
121 | int arg_no3d; // disable 3d hardware acceleration | 120 | int arg_no3d; // disable 3d hardware acceleration |
122 | int arg_quiet = 0; // no output for scripting | 121 | int arg_quiet = 0; // no output for scripting |
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace | |||
125 | int arg_nice = 0; // nice value configured | 124 | int arg_nice = 0; // nice value configured |
126 | int arg_ipc = 0; // enable ipc namespace | 125 | int arg_ipc = 0; // enable ipc namespace |
127 | int arg_writable_etc = 0; // writable etc | 126 | int arg_writable_etc = 0; // writable etc |
127 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init | ||
128 | int arg_writable_var = 0; // writable var | 128 | int arg_writable_var = 0; // writable var |
129 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | 129 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp |
130 | int arg_writable_run_user = 0; // writable /run/user | 130 | int arg_writable_run_user = 0; // writable /run/user |
@@ -143,6 +143,7 @@ int arg_memory_deny_write_execute = 0; // block writable and executable memory | |||
143 | int arg_notv = 0; // --notv | 143 | int arg_notv = 0; // --notv |
144 | int arg_nodvd = 0; // --nodvd | 144 | int arg_nodvd = 0; // --nodvd |
145 | int arg_nou2f = 0; // --nou2f | 145 | int arg_nou2f = 0; // --nou2f |
146 | int arg_noinput = 0; // --noinput | ||
146 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 147 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
147 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 148 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
148 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 149 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
@@ -534,7 +535,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
534 | char *fname; | 535 | char *fname; |
535 | if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) | 536 | if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) |
536 | errExit("asprintf"); | 537 | errExit("asprintf"); |
537 | FILE *fp = fopen(fname, "r"); | 538 | FILE *fp = fopen(fname, "re"); |
538 | if (!fp) { | 539 | if (!fp) { |
539 | fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); | 540 | fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); |
540 | exit(1); | 541 | exit(1); |
@@ -1042,7 +1043,7 @@ int main(int argc, char **argv, char **envp) { | |||
1042 | preproc_build_firejail_dir(); | 1043 | preproc_build_firejail_dir(); |
1043 | const char *container_name = env_get("container"); | 1044 | const char *container_name = env_get("container"); |
1044 | if (!container_name || strcmp(container_name, "firejail")) { | 1045 | if (!container_name || strcmp(container_name, "firejail")) { |
1045 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 1046 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); |
1046 | if (lockfd_directory != -1) { | 1047 | if (lockfd_directory != -1) { |
1047 | int rv = fchown(lockfd_directory, 0, 0); | 1048 | int rv = fchown(lockfd_directory, 0, 0); |
1048 | (void) rv; | 1049 | (void) rv; |
@@ -1144,7 +1145,7 @@ int main(int argc, char **argv, char **envp) { | |||
1144 | 1145 | ||
1145 | #ifdef DEBUG_RESTRICTED_SHELL | 1146 | #ifdef DEBUG_RESTRICTED_SHELL |
1146 | {EUID_ROOT(); | 1147 | {EUID_ROOT(); |
1147 | FILE *fp = fopen("/firelog", "w"); | 1148 | FILE *fp = fopen("/firelog", "we"); |
1148 | if (fp) { | 1149 | if (fp) { |
1149 | int i; | 1150 | int i; |
1150 | fprintf(fp, "argc %d: ", argc); | 1151 | fprintf(fp, "argc %d: ", argc); |
@@ -1163,7 +1164,7 @@ int main(int argc, char **argv, char **envp) { | |||
1163 | strncmp(argv[2], "scp ", 4) == 0) { | 1164 | strncmp(argv[2], "scp ", 4) == 0) { |
1164 | #ifdef DEBUG_RESTRICTED_SHELL | 1165 | #ifdef DEBUG_RESTRICTED_SHELL |
1165 | {EUID_ROOT(); | 1166 | {EUID_ROOT(); |
1166 | FILE *fp = fopen("/firelog", "a"); | 1167 | FILE *fp = fopen("/firelog", "ae"); |
1167 | if (fp) { | 1168 | if (fp) { |
1168 | fprintf(fp, "run without a sandbox\n"); | 1169 | fprintf(fp, "run without a sandbox\n"); |
1169 | fclose(fp); | 1170 | fclose(fp); |
@@ -1196,7 +1197,7 @@ int main(int argc, char **argv, char **envp) { | |||
1196 | 1197 | ||
1197 | #ifdef DEBUG_RESTRICTED_SHELL | 1198 | #ifdef DEBUG_RESTRICTED_SHELL |
1198 | {EUID_ROOT(); | 1199 | {EUID_ROOT(); |
1199 | FILE *fp = fopen("/firelog", "a"); | 1200 | FILE *fp = fopen("/firelog", "ae"); |
1200 | if (fp) { | 1201 | if (fp) { |
1201 | fprintf(fp, "fullargc %d: ", fullargc); | 1202 | fprintf(fp, "fullargc %d: ", fullargc); |
1202 | int i; | 1203 | int i; |
@@ -1218,7 +1219,7 @@ int main(int argc, char **argv, char **envp) { | |||
1218 | 1219 | ||
1219 | #ifdef DEBUG_RESTRICTED_SHELL | 1220 | #ifdef DEBUG_RESTRICTED_SHELL |
1220 | {EUID_ROOT(); | 1221 | {EUID_ROOT(); |
1221 | FILE *fp = fopen("/firelog", "a"); | 1222 | FILE *fp = fopen("/firelog", "ae"); |
1222 | if (fp) { | 1223 | if (fp) { |
1223 | fprintf(fp, "argc %d: ", argc); | 1224 | fprintf(fp, "argc %d: ", argc); |
1224 | int i; | 1225 | int i; |
@@ -1823,6 +1824,8 @@ int main(int argc, char **argv, char **envp) { | |||
1823 | exit(1); | 1824 | exit(1); |
1824 | } | 1825 | } |
1825 | arg_noprofile = 1; | 1826 | arg_noprofile = 1; |
1827 | // force keep-config-pulse in order to keep ~/.config/pulse as is | ||
1828 | arg_keep_config_pulse = 1; | ||
1826 | } | 1829 | } |
1827 | else if (strncmp(argv[i], "--ignore=", 9) == 0) { | 1830 | else if (strncmp(argv[i], "--ignore=", 9) == 0) { |
1828 | if (custom_profile) { | 1831 | if (custom_profile) { |
@@ -1873,6 +1876,9 @@ int main(int argc, char **argv, char **envp) { | |||
1873 | } | 1876 | } |
1874 | arg_writable_etc = 1; | 1877 | arg_writable_etc = 1; |
1875 | } | 1878 | } |
1879 | else if (strcmp(argv[i], "--keep-config-pulse") == 0) { | ||
1880 | arg_keep_config_pulse = 1; | ||
1881 | } | ||
1876 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1882 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1877 | arg_writable_var = 1; | 1883 | arg_writable_var = 1; |
1878 | } | 1884 | } |
@@ -2075,7 +2081,7 @@ int main(int argc, char **argv, char **envp) { | |||
2075 | else if (strcmp(argv[i], "--nosound") == 0) | 2081 | else if (strcmp(argv[i], "--nosound") == 0) |
2076 | arg_nosound = 1; | 2082 | arg_nosound = 1; |
2077 | else if (strcmp(argv[i], "--noautopulse") == 0) | 2083 | else if (strcmp(argv[i], "--noautopulse") == 0) |
2078 | arg_noautopulse = 1; | 2084 | arg_keep_config_pulse = 1; |
2079 | else if (strcmp(argv[i], "--novideo") == 0) | 2085 | else if (strcmp(argv[i], "--novideo") == 0) |
2080 | arg_novideo = 1; | 2086 | arg_novideo = 1; |
2081 | else if (strcmp(argv[i], "--no3d") == 0) | 2087 | else if (strcmp(argv[i], "--no3d") == 0) |
@@ -2086,6 +2092,8 @@ int main(int argc, char **argv, char **envp) { | |||
2086 | arg_nodvd = 1; | 2092 | arg_nodvd = 1; |
2087 | else if (strcmp(argv[i], "--nou2f") == 0) | 2093 | else if (strcmp(argv[i], "--nou2f") == 0) |
2088 | arg_nou2f = 1; | 2094 | arg_nou2f = 1; |
2095 | else if (strcmp(argv[i], "--noinput") == 0) | ||
2096 | arg_noinput = 1; | ||
2089 | else if (strcmp(argv[i], "--nodbus") == 0) { | 2097 | else if (strcmp(argv[i], "--nodbus") == 0) { |
2090 | arg_dbus_user = DBUS_POLICY_BLOCK; | 2098 | arg_dbus_user = DBUS_POLICY_BLOCK; |
2091 | arg_dbus_system = DBUS_POLICY_BLOCK; | 2099 | arg_dbus_system = DBUS_POLICY_BLOCK; |
@@ -2847,7 +2855,7 @@ int main(int argc, char **argv, char **envp) { | |||
2847 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 2855 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
2848 | if (any_bridge_configured()) { | 2856 | if (any_bridge_configured()) { |
2849 | EUID_ROOT(); | 2857 | EUID_ROOT(); |
2850 | lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 2858 | lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); |
2851 | if (lockfd_network != -1) { | 2859 | if (lockfd_network != -1) { |
2852 | int rv = fchown(lockfd_network, 0, 0); | 2860 | int rv = fchown(lockfd_network, 0, 0); |
2853 | (void) rv; | 2861 | (void) rv; |
@@ -2869,12 +2877,6 @@ int main(int argc, char **argv, char **envp) { | |||
2869 | } | 2877 | } |
2870 | EUID_ASSERT(); | 2878 | EUID_ASSERT(); |
2871 | 2879 | ||
2872 | // create the parent-child communication pipe | ||
2873 | if (pipe(parent_to_child_fds) < 0) | ||
2874 | errExit("pipe"); | ||
2875 | if (pipe(child_to_parent_fds) < 0) | ||
2876 | errExit("pipe"); | ||
2877 | |||
2878 | if (arg_noroot && arg_overlay) { | 2880 | if (arg_noroot && arg_overlay) { |
2879 | fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); | 2881 | fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); |
2880 | arg_noroot = 0; | 2882 | arg_noroot = 0; |
@@ -2887,7 +2889,7 @@ int main(int argc, char **argv, char **envp) { | |||
2887 | 2889 | ||
2888 | // set name and x11 run files | 2890 | // set name and x11 run files |
2889 | EUID_ROOT(); | 2891 | EUID_ROOT(); |
2890 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 2892 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); |
2891 | if (lockfd_directory != -1) { | 2893 | if (lockfd_directory != -1) { |
2892 | int rv = fchown(lockfd_directory, 0, 0); | 2894 | int rv = fchown(lockfd_directory, 0, 0); |
2893 | (void) rv; | 2895 | (void) rv; |
@@ -2916,6 +2918,12 @@ int main(int argc, char **argv, char **envp) { | |||
2916 | } | 2918 | } |
2917 | #endif | 2919 | #endif |
2918 | 2920 | ||
2921 | // create the parent-child communication pipe | ||
2922 | if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0) | ||
2923 | errExit("pipe"); | ||
2924 | if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0) | ||
2925 | errExit("pipe"); | ||
2926 | |||
2919 | // clone environment | 2927 | // clone environment |
2920 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; | 2928 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; |
2921 | 2929 | ||
diff --git a/src/firejail/network.c b/src/firejail/network.c index f7142cefd..289e164c6 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -217,7 +217,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { | |||
217 | 217 | ||
218 | #define BUFSIZE 1024 | 218 | #define BUFSIZE 1024 |
219 | uint32_t network_get_defaultgw(void) { | 219 | uint32_t network_get_defaultgw(void) { |
220 | FILE *fp = fopen("/proc/self/net/route", "r"); | 220 | FILE *fp = fopen("/proc/self/net/route", "re"); |
221 | if (!fp) | 221 | if (!fp) |
222 | errExit("fopen"); | 222 | errExit("fopen"); |
223 | 223 | ||
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index ee3c00872..d3e75bbed 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -292,7 +292,7 @@ void net_dns_print(pid_t pid) { | |||
292 | errExit("chdir"); | 292 | errExit("chdir"); |
293 | 293 | ||
294 | // access /etc/resolv.conf | 294 | // access /etc/resolv.conf |
295 | FILE *fp = fopen("/etc/resolv.conf", "r"); | 295 | FILE *fp = fopen("/etc/resolv.conf", "re"); |
296 | if (!fp) { | 296 | if (!fp) { |
297 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); | 297 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); |
298 | exit(1); | 298 | exit(1); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 60a82821e..0e153c47b 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -20,6 +20,7 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <errno.h> | ||
23 | #include <unistd.h> | 24 | #include <unistd.h> |
24 | #include <grp.h> | 25 | #include <grp.h> |
25 | 26 | ||
@@ -47,7 +48,7 @@ int check_namespace_virt(void) { | |||
47 | 48 | ||
48 | // check PID 1 container environment variable | 49 | // check PID 1 container environment variable |
49 | EUID_ROOT(); | 50 | EUID_ROOT(); |
50 | FILE *fp = fopen("/proc/1/environ", "r"); | 51 | FILE *fp = fopen("/proc/1/environ", "re"); |
51 | if (fp) { | 52 | if (fp) { |
52 | int c = 0; | 53 | int c = 0; |
53 | while (c != EOF) { | 54 | while (c != EOF) { |
@@ -105,20 +106,15 @@ int check_kernel_procs(void) { | |||
105 | // look at the first 10 processes | 106 | // look at the first 10 processes |
106 | // if a kernel process is found, return 1 | 107 | // if a kernel process is found, return 1 |
107 | for (i = 1; i <= 10; i++) { | 108 | for (i = 1; i <= 10; i++) { |
108 | struct stat s; | ||
109 | char *fname; | 109 | char *fname; |
110 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) | 110 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) |
111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
112 | if (stat(fname, &s) == -1) { | ||
113 | free(fname); | ||
114 | continue; | ||
115 | } | ||
116 | 112 | ||
117 | // open file | 113 | // open file |
118 | /* coverity[toctou] */ | 114 | FILE *fp = fopen(fname, "re"); |
119 | FILE *fp = fopen(fname, "r"); | ||
120 | if (!fp) { | 115 | if (!fp) { |
121 | fwarning("cannot open %s\n", fname); | 116 | if (errno != ENOENT) |
117 | fwarning("cannot open %s\n", fname); | ||
122 | free(fname); | 118 | free(fname); |
123 | continue; | 119 | continue; |
124 | } | 120 | } |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 7f602545d..1aafd1ca2 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -164,7 +164,7 @@ void preproc_clean_run(void) { | |||
164 | int max_pids=32769; | 164 | int max_pids=32769; |
165 | int start_pid = 100; | 165 | int start_pid = 100; |
166 | // extract real max_pids | 166 | // extract real max_pids |
167 | FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); | 167 | FILE *fp = fopen("/proc/sys/kernel/pid_max", "re"); |
168 | if (fp) { | 168 | if (fp) { |
169 | int val; | 169 | int val; |
170 | if (fscanf(fp, "%d", &val) == 1) { | 170 | if (fscanf(fp, "%d", &val) == 1) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 351b760df..dd4506ac1 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
423 | return 0; | 423 | return 0; |
424 | } | 424 | } |
425 | else if (strcmp(ptr, "noautopulse") == 0) { | 425 | else if (strcmp(ptr, "noautopulse") == 0) { |
426 | arg_noautopulse = 1; | 426 | arg_keep_config_pulse = 1; |
427 | return 0; | 427 | return 0; |
428 | } | 428 | } |
429 | else if (strcmp(ptr, "notv") == 0) { | 429 | else if (strcmp(ptr, "notv") == 0) { |
@@ -442,6 +442,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
442 | arg_no3d = 1; | 442 | arg_no3d = 1; |
443 | return 0; | 443 | return 0; |
444 | } | 444 | } |
445 | else if (strcmp(ptr, "noinput") == 0) { | ||
446 | arg_noinput = 1; | ||
447 | return 0; | ||
448 | } | ||
445 | else if (strcmp(ptr, "nodbus") == 0) { | 449 | else if (strcmp(ptr, "nodbus") == 0) { |
446 | #ifdef HAVE_DBUSPROXY | 450 | #ifdef HAVE_DBUSPROXY |
447 | arg_dbus_user = DBUS_POLICY_BLOCK; | 451 | arg_dbus_user = DBUS_POLICY_BLOCK; |
@@ -1139,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1139 | arg_machineid = 1; | 1143 | arg_machineid = 1; |
1140 | return 0; | 1144 | return 0; |
1141 | } | 1145 | } |
1146 | |||
1147 | if (strcmp(ptr, "keep-config-pulse") == 0) { | ||
1148 | arg_keep_config_pulse = 1; | ||
1149 | return 0; | ||
1150 | } | ||
1151 | |||
1142 | // writable-var | 1152 | // writable-var |
1143 | if (strcmp(ptr, "writable-var") == 0) { | 1153 | if (strcmp(ptr, "writable-var") == 0) { |
1144 | arg_writable_var = 1; | 1154 | arg_writable_var = 1; |
@@ -1687,7 +1697,7 @@ void profile_read(const char *fname) { | |||
1687 | } | 1697 | } |
1688 | 1698 | ||
1689 | // open profile file: | 1699 | // open profile file: |
1690 | FILE *fp = fopen(fname, "r"); | 1700 | FILE *fp = fopen(fname, "re"); |
1691 | if (fp == NULL) { | 1701 | if (fp == NULL) { |
1692 | fprintf(stderr, "Error: cannot open profile file %s\n", fname); | 1702 | fprintf(stderr, "Error: cannot open profile file %s\n", fname); |
1693 | exit(1); | 1703 | exit(1); |
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 926af7967..f21f8c96e 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -23,7 +23,7 @@ | |||
23 | 23 | ||
24 | void protocol_filter_save(void) { | 24 | void protocol_filter_save(void) { |
25 | // save protocol filter configuration in PROTOCOL_CFG | 25 | // save protocol filter configuration in PROTOCOL_CFG |
26 | FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); | 26 | FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe"); |
27 | if (!fp) | 27 | if (!fp) |
28 | errExit("fopen"); | 28 | errExit("fopen"); |
29 | fprintf(fp, "%s\n", cfg.protocol); | 29 | fprintf(fp, "%s\n", cfg.protocol); |
@@ -35,7 +35,7 @@ void protocol_filter_load(const char *fname) { | |||
35 | assert(fname); | 35 | assert(fname); |
36 | 36 | ||
37 | // read protocol filter configuration from PROTOCOL_CFG | 37 | // read protocol filter configuration from PROTOCOL_CFG |
38 | FILE *fp = fopen(fname, "r"); | 38 | FILE *fp = fopen(fname, "re"); |
39 | if (!fp) | 39 | if (!fp) |
40 | return; | 40 | return; |
41 | 41 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index a50134893..1b01a71c6 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -106,7 +106,7 @@ void pulseaudio_init(void) { | |||
106 | errExit("asprintf"); | 106 | errExit("asprintf"); |
107 | if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed | 107 | if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed |
108 | errExit("copy_file"); | 108 | errExit("copy_file"); |
109 | FILE *fp = fopen(pulsecfg, "a"); | 109 | FILE *fp = fopen(pulsecfg, "ae"); |
110 | if (!fp) | 110 | if (!fp) |
111 | errExit("fopen"); | 111 | errExit("fopen"); |
112 | fprintf(fp, "%s", "\nenable-shm = no\n"); | 112 | fprintf(fp, "%s", "\nenable-shm = no\n"); |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 8368d84a1..53e395b89 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -183,10 +183,10 @@ static void sanitize_passwd(void) { | |||
183 | 183 | ||
184 | // open files | 184 | // open files |
185 | /* coverity[toctou] */ | 185 | /* coverity[toctou] */ |
186 | fpin = fopen("/etc/passwd", "r"); | 186 | fpin = fopen("/etc/passwd", "re"); |
187 | if (!fpin) | 187 | if (!fpin) |
188 | goto errout; | 188 | goto errout; |
189 | fpout = fopen(RUN_PASSWD_FILE, "w"); | 189 | fpout = fopen(RUN_PASSWD_FILE, "we"); |
190 | if (!fpout) | 190 | if (!fpout) |
191 | goto errout; | 191 | goto errout; |
192 | 192 | ||
@@ -318,10 +318,10 @@ static void sanitize_group(void) { | |||
318 | 318 | ||
319 | // open files | 319 | // open files |
320 | /* coverity[toctou] */ | 320 | /* coverity[toctou] */ |
321 | fpin = fopen("/etc/group", "r"); | 321 | fpin = fopen("/etc/group", "re"); |
322 | if (!fpin) | 322 | if (!fpin) |
323 | goto errout; | 323 | goto errout; |
324 | fpout = fopen(RUN_GROUP_FILE, "w"); | 324 | fpout = fopen(RUN_GROUP_FILE, "we"); |
325 | if (!fpout) | 325 | if (!fpout) |
326 | goto errout; | 326 | goto errout; |
327 | 327 | ||
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index ae453f4f1..ed66903b5 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -32,7 +32,7 @@ int restricted_shell(const char *user) { | |||
32 | char *fname; | 32 | char *fname; |
33 | if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) | 33 | if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) |
34 | errExit("asprintf"); | 34 | errExit("asprintf"); |
35 | FILE *fp = fopen(fname, "r"); | 35 | FILE *fp = fopen(fname, "re"); |
36 | free(fname); | 36 | free(fname); |
37 | if (fp == NULL) | 37 | if (fp == NULL) |
38 | return 0; | 38 | return 0; |
@@ -96,7 +96,7 @@ int restricted_shell(const char *user) { | |||
96 | fullargv[i] = ptr; | 96 | fullargv[i] = ptr; |
97 | #ifdef DEBUG_RESTRICTED_SHELL | 97 | #ifdef DEBUG_RESTRICTED_SHELL |
98 | {EUID_ROOT(); | 98 | {EUID_ROOT(); |
99 | FILE *fp = fopen("/firelog", "a"); | 99 | FILE *fp = fopen("/firelog", "ae"); |
100 | if (fp) { | 100 | if (fp) { |
101 | fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); | 101 | fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); |
102 | fclose(fp); | 102 | fclose(fp); |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index cd44f745f..c28c3e01b 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -101,7 +101,7 @@ void set_name_run_file(pid_t pid) { | |||
101 | errExit("asprintf"); | 101 | errExit("asprintf"); |
102 | 102 | ||
103 | // the file is deleted first | 103 | // the file is deleted first |
104 | FILE *fp = fopen(fname, "w"); | 104 | FILE *fp = fopen(fname, "we"); |
105 | if (!fp) { | 105 | if (!fp) { |
106 | fprintf(stderr, "Error: cannot create %s\n", fname); | 106 | fprintf(stderr, "Error: cannot create %s\n", fname); |
107 | exit(1); | 107 | exit(1); |
@@ -120,7 +120,7 @@ void set_x11_run_file(pid_t pid, int display) { | |||
120 | errExit("asprintf"); | 120 | errExit("asprintf"); |
121 | 121 | ||
122 | // the file is deleted first | 122 | // the file is deleted first |
123 | FILE *fp = fopen(fname, "w"); | 123 | FILE *fp = fopen(fname, "we"); |
124 | if (!fp) { | 124 | if (!fp) { |
125 | fprintf(stderr, "Error: cannot create %s\n", fname); | 125 | fprintf(stderr, "Error: cannot create %s\n", fname); |
126 | exit(1); | 126 | exit(1); |
@@ -139,7 +139,7 @@ void set_profile_run_file(pid_t pid, const char *fname) { | |||
139 | 139 | ||
140 | EUID_ROOT(); | 140 | EUID_ROOT(); |
141 | // the file is deleted first | 141 | // the file is deleted first |
142 | FILE *fp = fopen(runfile, "w"); | 142 | FILE *fp = fopen(runfile, "we"); |
143 | if (!fp) { | 143 | if (!fp) { |
144 | fprintf(stderr, "Error: cannot create %s\n", runfile); | 144 | fprintf(stderr, "Error: cannot create %s\n", runfile); |
145 | exit(1); | 145 | exit(1); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 743d84b43..08f0f32c9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -67,7 +67,7 @@ static void sandbox_handler(int sig){ | |||
67 | if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) | 67 | if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) |
68 | errExit("asprintf"); | 68 | errExit("asprintf"); |
69 | while (monsec) { | 69 | while (monsec) { |
70 | FILE *fp = fopen(monfile, "r"); | 70 | FILE *fp = fopen(monfile, "re"); |
71 | if (!fp) | 71 | if (!fp) |
72 | break; | 72 | break; |
73 | 73 | ||
@@ -162,7 +162,7 @@ static void save_nogroups(void) { | |||
162 | if (arg_nogroups == 0) | 162 | if (arg_nogroups == 0) |
163 | return; | 163 | return; |
164 | 164 | ||
165 | FILE *fp = fopen(RUN_GROUPS_CFG, "w"); | 165 | FILE *fp = fopen(RUN_GROUPS_CFG, "wxe"); |
166 | if (fp) { | 166 | if (fp) { |
167 | fprintf(fp, "\n"); | 167 | fprintf(fp, "\n"); |
168 | SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 | 168 | SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 |
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) { | |||
1015 | // disable /dev/snd | 1015 | // disable /dev/snd |
1016 | fs_dev_disable_sound(); | 1016 | fs_dev_disable_sound(); |
1017 | } | 1017 | } |
1018 | else if (!arg_noautopulse) | 1018 | else if (!arg_keep_config_pulse) |
1019 | pulseaudio_init(); | 1019 | pulseaudio_init(); |
1020 | 1020 | ||
1021 | if (arg_no3d) | 1021 | if (arg_no3d) |
@@ -1033,6 +1033,9 @@ int sandbox(void* sandbox_arg) { | |||
1033 | if (arg_novideo) | 1033 | if (arg_novideo) |
1034 | fs_dev_disable_video(); | 1034 | fs_dev_disable_video(); |
1035 | 1035 | ||
1036 | if (arg_noinput) | ||
1037 | fs_dev_disable_input(); | ||
1038 | |||
1036 | //**************************** | 1039 | //**************************** |
1037 | // set dns | 1040 | // set dns |
1038 | //**************************** | 1041 | //**************************** |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index f9c41f661..4a8dd1bf7 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -248,7 +248,9 @@ int sbox_run(unsigned filtermask, int num, ...) { | |||
248 | va_start(valist, num); | 248 | va_start(valist, num); |
249 | 249 | ||
250 | // build argument list | 250 | // build argument list |
251 | char **arg = malloc((num + 1) * sizeof(char *)); | 251 | char **arg = calloc(num + 1, sizeof(char *)); |
252 | if (!arg) | ||
253 | errExit("calloc"); | ||
252 | int i; | 254 | int i; |
253 | for (i = 0; i < num; i++) | 255 | for (i = 0; i < num; i++) |
254 | arg[i] = va_arg(valist, char *); | 256 | arg[i] = va_arg(valist, char *); |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 785c29517..9670fe816 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -86,7 +86,7 @@ int seccomp_install_filters(void) { | |||
86 | static void seccomp_save_file_list(const char *fname) { | 86 | static void seccomp_save_file_list(const char *fname) { |
87 | assert(fname); | 87 | assert(fname); |
88 | 88 | ||
89 | FILE *fp = fopen(RUN_SECCOMP_LIST, "a+"); | 89 | FILE *fp = fopen(RUN_SECCOMP_LIST, "ae"); |
90 | if (!fp) | 90 | if (!fp) |
91 | errExit("fopen"); | 91 | errExit("fopen"); |
92 | 92 | ||
@@ -99,7 +99,7 @@ static void seccomp_save_file_list(const char *fname) { | |||
99 | #define MAXBUF 4096 | 99 | #define MAXBUF 4096 |
100 | static int load_file_list_flag = 0; | 100 | static int load_file_list_flag = 0; |
101 | void seccomp_load_file_list(void) { | 101 | void seccomp_load_file_list(void) { |
102 | FILE *fp = fopen(RUN_SECCOMP_LIST, "r"); | 102 | FILE *fp = fopen(RUN_SECCOMP_LIST, "re"); |
103 | if (!fp) | 103 | if (!fp) |
104 | return; // no seccomp configuration whatsoever | 104 | return; // no seccomp configuration whatsoever |
105 | 105 | ||
@@ -122,7 +122,7 @@ int seccomp_load(const char *fname) { | |||
122 | assert(fname); | 122 | assert(fname); |
123 | 123 | ||
124 | // open filter file | 124 | // open filter file |
125 | int fd = open(fname, O_RDONLY); | 125 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
126 | if (fd == -1) | 126 | if (fd == -1) |
127 | goto errexit; | 127 | goto errexit; |
128 | 128 | ||
@@ -438,7 +438,7 @@ void seccomp_print_filter(pid_t pid) { | |||
438 | if (stat(fname, &s) == -1) | 438 | if (stat(fname, &s) == -1) |
439 | goto errexit; | 439 | goto errexit; |
440 | 440 | ||
441 | FILE *fp = fopen(fname, "r"); | 441 | FILE *fp = fopen(fname, "re"); |
442 | if (!fp) | 442 | if (!fp) |
443 | goto errexit; | 443 | goto errexit; |
444 | free(fname); | 444 | free(fname); |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 8fb03d0a6..fbfe1765b 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -64,7 +64,7 @@ void shut(pid_t pid) { | |||
64 | monsec--; | 64 | monsec--; |
65 | 65 | ||
66 | EUID_ROOT(); | 66 | EUID_ROOT(); |
67 | FILE *fp = fopen(monfile, "r"); | 67 | FILE *fp = fopen(monfile, "re"); |
68 | EUID_USER(); | 68 | EUID_USER(); |
69 | if (!fp) { | 69 | if (!fp) { |
70 | killdone = 1; | 70 | killdone = 1; |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 397150158..888a6ffed 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -114,7 +114,8 @@ static char *usage_str = | |||
114 | " --join-network=name|pid - join the network namespace.\n" | 114 | " --join-network=name|pid - join the network namespace.\n" |
115 | #endif | 115 | #endif |
116 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" | 116 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" |
117 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | 117 | " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" |
118 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | ||
118 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 119 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
119 | " --list - list all sandboxes.\n" | 120 | " --list - list all sandboxes.\n" |
120 | #ifdef HAVE_FILE_TRANSFER | 121 | #ifdef HAVE_FILE_TRANSFER |
@@ -154,6 +155,7 @@ static char *usage_str = | |||
154 | " --nodvd - disable DVD and audio CD devices.\n" | 155 | " --nodvd - disable DVD and audio CD devices.\n" |
155 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 156 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
156 | " --nogroups - disable supplementary groups.\n" | 157 | " --nogroups - disable supplementary groups.\n" |
158 | " --noinput - disable input devices.\n" | ||
157 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" | 159 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" |
158 | " --noprofile - do not use a security profile.\n" | 160 | " --noprofile - do not use a security profile.\n" |
159 | #ifdef HAVE_USERNS | 161 | #ifdef HAVE_USERNS |
diff --git a/src/firejail/util.c b/src/firejail/util.c index def635ea7..2731f61dc 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -298,14 +298,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m | |||
298 | assert(destname); | 298 | assert(destname); |
299 | 299 | ||
300 | // open source | 300 | // open source |
301 | int src = open(srcname, O_RDONLY); | 301 | int src = open(srcname, O_RDONLY|O_CLOEXEC); |
302 | if (src < 0) { | 302 | if (src < 0) { |
303 | fwarning("cannot open source file %s, file not copied\n", srcname); | 303 | fwarning("cannot open source file %s, file not copied\n", srcname); |
304 | return -1; | 304 | return -1; |
305 | } | 305 | } |
306 | 306 | ||
307 | // open destination | 307 | // open destination |
308 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 308 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
309 | if (dst < 0) { | 309 | if (dst < 0) { |
310 | fwarning("cannot open destination file %s, file not copied\n", destname); | 310 | fwarning("cannot open destination file %s, file not copied\n", destname); |
311 | close(src); | 311 | close(src); |
@@ -348,7 +348,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid | |||
348 | 348 | ||
349 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { | 349 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { |
350 | // open destination | 350 | // open destination |
351 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 351 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
352 | if (dst < 0) { | 352 | if (dst < 0) { |
353 | fwarning("cannot open destination file %s, file not copied\n", destname); | 353 | fwarning("cannot open destination file %s, file not copied\n", destname); |
354 | return; | 354 | return; |
@@ -361,7 +361,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
361 | // drop privileges | 361 | // drop privileges |
362 | drop_privs(0); | 362 | drop_privs(0); |
363 | 363 | ||
364 | int src = open(srcname, O_RDONLY); | 364 | int src = open(srcname, O_RDONLY|O_CLOEXEC); |
365 | if (src < 0) { | 365 | if (src < 0) { |
366 | fwarning("cannot open source file %s, file not copied\n", srcname); | 366 | fwarning("cannot open source file %s, file not copied\n", srcname); |
367 | } else { | 367 | } else { |
@@ -626,7 +626,7 @@ int find_child(pid_t parent, pid_t *child) { | |||
626 | perror("asprintf"); | 626 | perror("asprintf"); |
627 | exit(1); | 627 | exit(1); |
628 | } | 628 | } |
629 | FILE *fp = fopen(file, "r"); | 629 | FILE *fp = fopen(file, "re"); |
630 | if (!fp) { | 630 | if (!fp) { |
631 | free(file); | 631 | free(file); |
632 | continue; | 632 | continue; |
@@ -732,7 +732,7 @@ void update_map(char *mapping, char *map_file) { | |||
732 | if (mapping[j] == ',') | 732 | if (mapping[j] == ',') |
733 | mapping[j] = '\n'; | 733 | mapping[j] = '\n'; |
734 | 734 | ||
735 | fd = open(map_file, O_RDWR); | 735 | fd = open(map_file, O_RDWR|O_CLOEXEC); |
736 | if (fd == -1) { | 736 | if (fd == -1) { |
737 | fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); | 737 | fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); |
738 | exit(EXIT_FAILURE); | 738 | exit(EXIT_FAILURE); |
@@ -752,9 +752,9 @@ void wait_for_other(int fd) { | |||
752 | // wait for the parent to be initialized | 752 | // wait for the parent to be initialized |
753 | //**************************** | 753 | //**************************** |
754 | char childstr[BUFLEN + 1]; | 754 | char childstr[BUFLEN + 1]; |
755 | int newfd = dup(fd); | 755 | int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); |
756 | if (newfd == -1) | 756 | if (newfd == -1) |
757 | errExit("dup"); | 757 | errExit("fcntl"); |
758 | FILE* stream; | 758 | FILE* stream; |
759 | stream = fdopen(newfd, "r"); | 759 | stream = fdopen(newfd, "r"); |
760 | *childstr = '\0'; | 760 | *childstr = '\0'; |
@@ -801,9 +801,9 @@ void wait_for_other(int fd) { | |||
801 | 801 | ||
802 | void notify_other(int fd) { | 802 | void notify_other(int fd) { |
803 | FILE* stream; | 803 | FILE* stream; |
804 | int newfd = dup(fd); | 804 | int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); |
805 | if (newfd == -1) | 805 | if (newfd == -1) |
806 | errExit("dup"); | 806 | errExit("fcntl"); |
807 | stream = fdopen(newfd, "w"); | 807 | stream = fdopen(newfd, "w"); |
808 | fprintf(stream, "arg_noroot=%d\n", arg_noroot); | 808 | fprintf(stream, "arg_noroot=%d\n", arg_noroot); |
809 | fflush(stream); | 809 | fflush(stream); |
@@ -821,7 +821,7 @@ uid_t pid_get_uid(pid_t pid) { | |||
821 | exit(1); | 821 | exit(1); |
822 | } | 822 | } |
823 | EUID_ROOT(); // grsecurity fix | 823 | EUID_ROOT(); // grsecurity fix |
824 | FILE *fp = fopen(file, "r"); | 824 | FILE *fp = fopen(file, "re"); |
825 | if (!fp) { | 825 | if (!fp) { |
826 | free(file); | 826 | free(file); |
827 | fprintf(stderr, "Error: cannot open /proc file\n"); | 827 | fprintf(stderr, "Error: cannot open /proc file\n"); |
@@ -1031,8 +1031,7 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { | |||
1031 | if (arg_debug) | 1031 | if (arg_debug) |
1032 | printf("Creating empty %s file\n", fname); | 1032 | printf("Creating empty %s file\n", fname); |
1033 | 1033 | ||
1034 | /* coverity[toctou] */ | 1034 | FILE *fp = fopen(fname, "wxe"); |
1035 | FILE *fp = fopen(fname, "w"); | ||
1036 | if (!fp) | 1035 | if (!fp) |
1037 | errExit("fopen"); | 1036 | errExit("fopen"); |
1038 | SET_PERMS_STREAM(fp, 0, 0, mode); | 1037 | SET_PERMS_STREAM(fp, 0, 0, mode); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index da0acc69c..257d376a1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -84,7 +84,7 @@ int x11_display(void) { | |||
84 | static int x11_abstract_sockets_present(void) { | 84 | static int x11_abstract_sockets_present(void) { |
85 | 85 | ||
86 | EUID_ROOT(); // grsecurity fix | 86 | EUID_ROOT(); // grsecurity fix |
87 | FILE *fp = fopen("/proc/net/unix", "r"); | 87 | FILE *fp = fopen("/proc/net/unix", "re"); |
88 | if (!fp) | 88 | if (!fp) |
89 | errExit("fopen"); | 89 | errExit("fopen"); |
90 | EUID_USER(); | 90 | EUID_USER(); |
@@ -1363,7 +1363,7 @@ void fs_x11(void) { | |||
1363 | fs_logger("tmpfs /tmp/.X11-unix"); | 1363 | fs_logger("tmpfs /tmp/.X11-unix"); |
1364 | 1364 | ||
1365 | // create an empty root-owned file which will have the desired socket bind-mounted over it | 1365 | // create an empty root-owned file which will have the desired socket bind-mounted over it |
1366 | int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR); | 1366 | int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); |
1367 | if (fd < 0) | 1367 | if (fd < 0) |
1368 | errExit(x11file); | 1368 | errExit(x11file); |
1369 | close(fd); | 1369 | close(fd); |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 37870747d..6c34cd411 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -52,7 +52,7 @@ static void my_handler(int s){ | |||
52 | 52 | ||
53 | if (terminal_set) | 53 | if (terminal_set) |
54 | tcsetattr(0, TCSANOW, &tlocal); | 54 | tcsetattr(0, TCSANOW, &tlocal); |
55 | exit(0); | 55 | _exit(0); |
56 | } | 56 | } |
57 | 57 | ||
58 | // find the second child process for the specified pid | 58 | // find the second child process for the specified pid |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ee685da73..49be8d0b0 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -1,12 +1,78 @@ | |||
1 | .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" | 1 | .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" |
2 | .SH NAME | 2 | .SH NAME |
3 | profile \- Security profile file syntax for Firejail | 3 | profile \- Security profile file syntax, and information about building new application profiles. |
4 | 4 | ||
5 | .SH USAGE | 5 | .SH SYNOPSIS |
6 | |||
7 | Using a specific profile: | ||
8 | .PP | ||
9 | .RS | ||
10 | .TP | ||
11 | \fBfirejail \-\-profile=filename.profile | ||
12 | .br | ||
13 | |||
14 | .br | ||
15 | Example: | ||
16 | .br | ||
17 | $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage | ||
18 | .br | ||
19 | |||
20 | .br | ||
21 | .TP | ||
22 | \fBfirejail \-\-profile=profile_name | ||
23 | .br | ||
24 | |||
25 | .br | ||
26 | Example: | ||
27 | .br | ||
28 | $ firejail --profile=kdenlive --appimage kdenlive.appimage | ||
29 | .br | ||
30 | |||
31 | .br | ||
32 | .RE | ||
33 | .PP | ||
34 | |||
35 | |||
36 | |||
37 | Building a profile manually: | ||
38 | .PP | ||
39 | .RS | ||
40 | Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor. | ||
41 | To integrate the program in your desktop environment copy the profile file in ~/.config/firejail | ||
42 | directory and run "sudo firecfg". | ||
43 | .RE | ||
44 | .PP | ||
45 | |||
46 | Aliases and redirections: | ||
47 | .PP | ||
48 | .RS | ||
49 | In some cases the same profile can be used for several applications. | ||
50 | One such example is LibreOffice. | ||
51 | Build a regular profile for the main application, and for the rest use | ||
52 | /usr/share/doc/firejail/redirect_alias-profile.template. | ||
53 | .RE | ||
54 | .PP | ||
55 | |||
56 | Running the profile builder: | ||
57 | .PP | ||
58 | .RS | ||
6 | .TP | 59 | .TP |
7 | firejail \-\-profile=filename.profile | 60 | \fBfirejail \-\-build=appname.profile appname |
61 | .br | ||
62 | |||
63 | .br | ||
64 | Example: | ||
65 | .br | ||
66 | $ firejail --build=blobby.profile blobby | ||
67 | .br | ||
68 | |||
69 | .br | ||
70 | Run the program in "firejail \-\-build" and try to exercise as many program features as possible. | ||
71 | The profile is extracted and saved in the current directory. Open it in a text editor and add or remove | ||
72 | sandboxing options as necessary. Test again after modifying the profile. To integrate the program | ||
73 | in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg". | ||
8 | .RE | 74 | .RE |
9 | firejail \-\-profile=profile_name | 75 | .PP |
10 | 76 | ||
11 | .SH DESCRIPTION | 77 | .SH DESCRIPTION |
12 | Several command line options can be passed to the program using | 78 | Several command line options can be passed to the program using |
@@ -205,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as | |||
205 | \fBdisable-mnt | 271 | \fBdisable-mnt |
206 | Disable /mnt, /media, /run/mount and /run/media access. | 272 | Disable /mnt, /media, /run/mount and /run/media access. |
207 | .TP | 273 | .TP |
274 | \fBkeep-config-pulse | ||
275 | Disable automatic ~/.config/pulse init, for complex setups such as remote | ||
276 | pulse servers or non-standard socket paths. | ||
277 | .TP | ||
208 | \fBkeep-dev-shm | 278 | \fBkeep-dev-shm |
209 | /dev/shm directory is untouched (even with private-dev). | 279 | /dev/shm directory is untouched (even with private-dev). |
210 | .TP | 280 | .TP |
@@ -295,7 +365,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res | |||
295 | Build a new /etc in a temporary | 365 | Build a new /etc in a temporary |
296 | filesystem, and copy the files and directories in the list. | 366 | filesystem, and copy the files and directories in the list. |
297 | The files and directories in the list must be expressed as relative to | 367 | The files and directories in the list must be expressed as relative to |
298 | the /etc directory. | 368 | the /etc directory, and must not contain the / character |
369 | (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- | ||
370 | expressed as foo/bar -- is disallowed). | ||
299 | All modifications are discarded when the sandbox is closed. | 371 | All modifications are discarded when the sandbox is closed. |
300 | #ifdef HAVE_PRIVATE_HOME | 372 | #ifdef HAVE_PRIVATE_HOME |
301 | .TP | 373 | .TP |
@@ -319,14 +391,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp | |||
319 | Build a new /opt in a temporary | 391 | Build a new /opt in a temporary |
320 | filesystem, and copy the files and directories in the list. | 392 | filesystem, and copy the files and directories in the list. |
321 | The files and directories in the list must be expressed as relative to | 393 | The files and directories in the list must be expressed as relative to |
322 | the /opt directory. | 394 | the /opt directory, and must not contain the / character |
395 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
396 | expressed as foo/bar -- is disallowed). | ||
323 | All modifications are discarded when the sandbox is closed. | 397 | All modifications are discarded when the sandbox is closed. |
324 | .TP | 398 | .TP |
325 | \fBprivate-srv file,directory | 399 | \fBprivate-srv file,directory |
326 | Build a new /srv in a temporary | 400 | Build a new /srv in a temporary |
327 | filesystem, and copy the files and directories in the list. | 401 | filesystem, and copy the files and directories in the list. |
328 | The files and directories in the list must be expressed as relative to | 402 | The files and directories in the list must be expressed as relative to |
329 | the /srv directory. | 403 | the /srv directory, and must not contain the / character |
404 | (e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- | ||
405 | expressed as foo/bar -- is disallowed). | ||
330 | All modifications are discarded when the sandbox is closed. | 406 | All modifications are discarded when the sandbox is closed. |
331 | .TP | 407 | .TP |
332 | \fBprivate-tmp | 408 | \fBprivate-tmp |
@@ -646,9 +722,8 @@ name browser | |||
646 | \fBno3d | 722 | \fBno3d |
647 | Disable 3D hardware acceleration. | 723 | Disable 3D hardware acceleration. |
648 | .TP | 724 | .TP |
649 | \fBnoautopulse | 725 | \fBnoautopulse \fR(deprecated) |
650 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 726 | See keep-config-pulse. |
651 | pulse servers or non-standard socket paths. | ||
652 | .TP | 727 | .TP |
653 | \fBnodvd | 728 | \fBnodvd |
654 | Disable DVD and audio CD devices. | 729 | Disable DVD and audio CD devices. |
@@ -668,6 +743,9 @@ Disable U2F devices. | |||
668 | \fBnovideo | 743 | \fBnovideo |
669 | Disable video capture devices. | 744 | Disable video capture devices. |
670 | .TP | 745 | .TP |
746 | \fBnoinput | ||
747 | Disable input devices. | ||
748 | .TP | ||
671 | \fBshell none | 749 | \fBshell none |
672 | Run the program directly, without a shell. | 750 | Run the program directly, without a shell. |
673 | 751 | ||
@@ -882,7 +960,21 @@ Join the sandbox identified by name or start a new one. | |||
882 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | 960 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". |
883 | 961 | ||
884 | .SH FILES | 962 | .SH FILES |
885 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | 963 | .TP |
964 | \fB/etc/firejail/appname.profile | ||
965 | Global Firejail configuration consisting mainly of profiles for each application supported by default. | ||
966 | |||
967 | .TP | ||
968 | \fB$HOME/.config/firejail/appname.profile | ||
969 | User application profiles, will take precedence over the global profiles. | ||
970 | |||
971 | .TP | ||
972 | \fB/usr/share/doc/firejail/profile.template | ||
973 | Template for building new profiles. | ||
974 | |||
975 | .TP | ||
976 | \fB/usr/share/doc/firejail/redirect_alias-profile.template | ||
977 | Template for aliasing/redirecting profiles. | ||
886 | 978 | ||
887 | .SH LICENSE | 979 | .SH LICENSE |
888 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 980 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f27379a2d..68aea5857 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1052,6 +1052,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise | |||
1052 | Note that in contrary to other join options there is respective profile option. | 1052 | Note that in contrary to other join options there is respective profile option. |
1053 | 1053 | ||
1054 | .TP | 1054 | .TP |
1055 | \fB\-\-keep-config-pulse | ||
1056 | Disable automatic ~/.config/pulse init, for complex setups such as remote | ||
1057 | pulse servers or non-standard socket paths. | ||
1058 | .br | ||
1059 | |||
1060 | .br | ||
1061 | Example: | ||
1062 | .br | ||
1063 | $ firejail \-\-keep-config-pulse firefox | ||
1064 | |||
1065 | .TP | ||
1055 | \fB\-\-keep-dev-shm | 1066 | \fB\-\-keep-dev-shm |
1056 | /dev/shm directory is untouched (even with --private-dev) | 1067 | /dev/shm directory is untouched (even with --private-dev) |
1057 | .br | 1068 | .br |
@@ -1460,15 +1471,8 @@ Example: | |||
1460 | $ firejail --no3d firefox | 1471 | $ firejail --no3d firefox |
1461 | 1472 | ||
1462 | .TP | 1473 | .TP |
1463 | \fB\-\-noautopulse | 1474 | \fB\-\-noautopulse \fR(deprecated) |
1464 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 1475 | See --keep-config-pulse. |
1465 | pulse servers or non-standard socket paths. | ||
1466 | .br | ||
1467 | |||
1468 | .br | ||
1469 | Example: | ||
1470 | .br | ||
1471 | $ firejail \-\-noautopulse firefox | ||
1472 | 1476 | ||
1473 | .TP | 1477 | .TP |
1474 | \fB\-\-noblacklist=dirname_or_filename | 1478 | \fB\-\-noblacklist=dirname_or_filename |
@@ -1515,6 +1519,15 @@ Example: | |||
1515 | .br | 1519 | .br |
1516 | $ firejail \-\-nodvd | 1520 | $ firejail \-\-nodvd |
1517 | .TP | 1521 | .TP |
1522 | \fB\-\-noinput | ||
1523 | Disable input devices. | ||
1524 | .br | ||
1525 | |||
1526 | .br | ||
1527 | Example: | ||
1528 | .br | ||
1529 | $ firejail \-\-noinput | ||
1530 | .TP | ||
1518 | \fB\-\-noexec=dirname_or_filename | 1531 | \fB\-\-noexec=dirname_or_filename |
1519 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 1532 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1520 | .br | 1533 | .br |
@@ -1883,7 +1896,7 @@ $ | |||
1883 | Build a new /etc in a temporary | 1896 | Build a new /etc in a temporary |
1884 | filesystem, and copy the files and directories in the list. | 1897 | filesystem, and copy the files and directories in the list. |
1885 | The files and directories in the list must be expressed as relative to | 1898 | The files and directories in the list must be expressed as relative to |
1886 | the /etc directory. | 1899 | the /etc directory (e.g., /etc/foo must be expressed as foo). |
1887 | If no listed file is found, /etc directory will be empty. | 1900 | If no listed file is found, /etc directory will be empty. |
1888 | All modifications are discarded when the sandbox is closed. | 1901 | All modifications are discarded when the sandbox is closed. |
1889 | .br | 1902 | .br |
@@ -1893,7 +1906,7 @@ Example: | |||
1893 | .br | 1906 | .br |
1894 | $ firejail --private-etc=group,hostname,localtime, \\ | 1907 | $ firejail --private-etc=group,hostname,localtime, \\ |
1895 | .br | 1908 | .br |
1896 | nsswitch.conf,passwd,resolv.conf,default/motd-news | 1909 | nsswitch.conf,passwd,resolv.conf |
1897 | #ifdef HAVE_PRIVATE_HOME | 1910 | #ifdef HAVE_PRIVATE_HOME |
1898 | .TP | 1911 | .TP |
1899 | \fB\-\-private-home=file,directory | 1912 | \fB\-\-private-home=file,directory |
@@ -1968,7 +1981,9 @@ $ | |||
1968 | Build a new /opt in a temporary | 1981 | Build a new /opt in a temporary |
1969 | filesystem, and copy the files and directories in the list. | 1982 | filesystem, and copy the files and directories in the list. |
1970 | The files and directories in the list must be expressed as relative to | 1983 | The files and directories in the list must be expressed as relative to |
1971 | the /opt directory. | 1984 | the /opt directory, and must not contain the / character |
1985 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
1986 | expressed as foo/bar -- is disallowed). | ||
1972 | If no listed file is found, /opt directory will be empty. | 1987 | If no listed file is found, /opt directory will be empty. |
1973 | All modifications are discarded when the sandbox is closed. | 1988 | All modifications are discarded when the sandbox is closed. |
1974 | .br | 1989 | .br |
@@ -1983,7 +1998,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox | |||
1983 | Build a new /srv in a temporary | 1998 | Build a new /srv in a temporary |
1984 | filesystem, and copy the files and directories in the list. | 1999 | filesystem, and copy the files and directories in the list. |
1985 | The files and directories in the list must be expressed as relative to | 2000 | The files and directories in the list must be expressed as relative to |
1986 | the /srv directory. | 2001 | the /srv directory, and must not contain the / character |
2002 | (e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- | ||
2003 | expressed as srv/bar -- is disallowed). | ||
1987 | If no listed file is found, /srv directory will be empty. | 2004 | If no listed file is found, /srv directory will be empty. |
1988 | All modifications are discarded when the sandbox is closed. | 2005 | All modifications are discarded when the sandbox is closed. |
1989 | .br | 2006 | .br |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 5035280b1..10e44bd65 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -46,6 +46,7 @@ static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc | |||
46 | static int cnt_ssh = 0; | 46 | static int cnt_ssh = 0; |
47 | static int cnt_mdwx = 0; | 47 | static int cnt_mdwx = 0; |
48 | static int cnt_whitelisthome = 0; | 48 | static int cnt_whitelisthome = 0; |
49 | static int cnt_noroot = 0; | ||
49 | 50 | ||
50 | static int level = 0; | 51 | static int level = 0; |
51 | static int arg_debug = 0; | 52 | static int arg_debug = 0; |
@@ -65,6 +66,7 @@ static int arg_mdwx = 0; | |||
65 | static int arg_dbus_system_none = 0; | 66 | static int arg_dbus_system_none = 0; |
66 | static int arg_dbus_user_none = 0; | 67 | static int arg_dbus_user_none = 0; |
67 | static int arg_whitelisthome = 0; | 68 | static int arg_whitelisthome = 0; |
69 | static int arg_noroot = 0; | ||
68 | 70 | ||
69 | 71 | ||
70 | static char *profile = NULL; | 72 | static char *profile = NULL; |
@@ -80,6 +82,7 @@ static void usage(void) { | |||
80 | printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); | 82 | printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); |
81 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); | 83 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); |
82 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); | 84 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); |
85 | printf(" --noroot - print profiles without \"noroot\"\n"); | ||
83 | printf(" --private-bin - print profiles without private-bin\n"); | 86 | printf(" --private-bin - print profiles without private-bin\n"); |
84 | printf(" --private-dev - print profiles without private-dev\n"); | 87 | printf(" --private-dev - print profiles without private-dev\n"); |
85 | printf(" --private-etc - print profiles without private-etc\n"); | 88 | printf(" --private-etc - print profiles without private-etc\n"); |
@@ -128,6 +131,8 @@ void process_file(const char *fname) { | |||
128 | cnt_caps++; | 131 | cnt_caps++; |
129 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) | 132 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) |
130 | cnt_noexec++; | 133 | cnt_noexec++; |
134 | else if (strncmp(ptr, "noroot", 6) == 0) | ||
135 | cnt_noroot++; | ||
131 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) | 136 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) |
132 | cnt_whitelistvar++; | 137 | cnt_whitelistvar++; |
133 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || | 138 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || |
@@ -212,6 +217,8 @@ int main(int argc, char **argv) { | |||
212 | arg_mdwx = 1; | 217 | arg_mdwx = 1; |
213 | else if (strcmp(argv[i], "--noexec") == 0) | 218 | else if (strcmp(argv[i], "--noexec") == 0) |
214 | arg_noexec = 1; | 219 | arg_noexec = 1; |
220 | else if (strcmp(argv[i], "--noroot") == 0) | ||
221 | arg_noroot = 1; | ||
215 | else if (strcmp(argv[i], "--private-bin") == 0) | 222 | else if (strcmp(argv[i], "--private-bin") == 0) |
216 | arg_privatebin = 1; | 223 | arg_privatebin = 1; |
217 | else if (strcmp(argv[i], "--private-dev") == 0) | 224 | else if (strcmp(argv[i], "--private-dev") == 0) |
@@ -256,6 +263,7 @@ int main(int argc, char **argv) { | |||
256 | int caps = cnt_caps; | 263 | int caps = cnt_caps; |
257 | int apparmor = cnt_apparmor; | 264 | int apparmor = cnt_apparmor; |
258 | int noexec = cnt_noexec; | 265 | int noexec = cnt_noexec; |
266 | int noroot = cnt_noroot; | ||
259 | int privatebin = cnt_privatebin; | 267 | int privatebin = cnt_privatebin; |
260 | int privatetmp = cnt_privatetmp; | 268 | int privatetmp = cnt_privatetmp; |
261 | int privatedev = cnt_privatedev; | 269 | int privatedev = cnt_privatedev; |
@@ -313,6 +321,8 @@ int main(int argc, char **argv) { | |||
313 | printf("No seccomp found in %s\n", argv[i]); | 321 | printf("No seccomp found in %s\n", argv[i]); |
314 | if (arg_noexec && noexec == cnt_noexec) | 322 | if (arg_noexec && noexec == cnt_noexec) |
315 | printf("No include disable-exec.inc found in %s\n", argv[i]); | 323 | printf("No include disable-exec.inc found in %s\n", argv[i]); |
324 | if (arg_noroot && noroot == cnt_noroot) | ||
325 | printf("No noroot found in %s\n", argv[i]); | ||
316 | if (arg_privatedev && privatedev == cnt_privatedev) | 326 | if (arg_privatedev && privatedev == cnt_privatedev) |
317 | printf("No private-dev found in %s\n", argv[i]); | 327 | printf("No private-dev found in %s\n", argv[i]); |
318 | if (arg_privatebin && privatebin == cnt_privatebin) | 328 | if (arg_privatebin && privatebin == cnt_privatebin) |
@@ -346,6 +356,7 @@ int main(int argc, char **argv) { | |||
346 | printf(" seccomp\t\t\t%d\n", cnt_seccomp); | 356 | printf(" seccomp\t\t\t%d\n", cnt_seccomp); |
347 | printf(" capabilities\t\t%d\n", cnt_caps); | 357 | printf(" capabilities\t\t%d\n", cnt_caps); |
348 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); | 358 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
359 | printf(" noroot\t\t\t%d\n", cnt_noroot); | ||
349 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); | 360 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); |
350 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); | 361 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
351 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); | 362 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index fd27bb35f..f1a19b86d 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -98,6 +98,7 @@ _firejail_args=( | |||
98 | '*--ignore=-[ignore command in profile files]: :' | 98 | '*--ignore=-[ignore command in profile files]: :' |
99 | '--ipc-namespace[enable a new IPC namespace]' | 99 | '--ipc-namespace[enable a new IPC namespace]' |
100 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' | 100 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' |
101 | '--keep-config-pulse[disable automatic ~/.config/pulse init]' | ||
101 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 102 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' |
102 | '--keep-var-tmp[/var/tmp directory is untouched]' | 103 | '--keep-var-tmp[/var/tmp directory is untouched]' |
103 | '--machine-id[preserve /etc/machine-id]' | 104 | '--machine-id[preserve /etc/machine-id]' |
@@ -116,6 +117,7 @@ _firejail_args=( | |||
116 | '--nodvd[disable DVD and audio CD devices]' | 117 | '--nodvd[disable DVD and audio CD devices]' |
117 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
118 | '--nogroups[disable supplementary groups]' | 119 | '--nogroups[disable supplementary groups]' |
120 | '--noinput[disable input devices]' | ||
119 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' | 121 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' |
120 | '--nosound[disable sound system]' | 122 | '--nosound[disable sound system]' |
121 | '--nou2f[disable U2F devices]' | 123 | '--nou2f[disable U2F devices]' |
diff --git a/test/utils/build.exp b/test/utils/build.exp index cdc2f3b7b..7fbe969a4 100755 --- a/test/utils/build.exp +++ b/test/utils/build.exp | |||
@@ -21,35 +21,35 @@ expect { | |||
21 | } | 21 | } |
22 | expect { | 22 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "blacklist /usr/share" | 24 | "include whitelist-usr-share-common.inc" |
25 | } | 25 | } |
26 | expect { | 26 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "blacklist /var" | 28 | "include whitelist-var-common.inc" |
29 | } | 29 | } |
30 | expect { | 30 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 4\n";exit} |
32 | "private-bin cat," | 32 | "caps.drop all" |
33 | } | 33 | } |
34 | expect { | 34 | expect { |
35 | timeout {puts "TESTING ERROR 5\n";exit} | 35 | timeout {puts "TESTING ERROR 5\n";exit} |
36 | "private-dev" | 36 | "ipc-namespace" |
37 | } | 37 | } |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 6\n";exit} | 39 | timeout {puts "TESTING ERROR 6\n";exit} |
40 | "private-etc" | 40 | "netfilter" |
41 | } | 41 | } |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 7\n";exit} | 43 | timeout {puts "TESTING ERROR 7\n";exit} |
44 | "private-tmp" | 44 | "nonewprivs" |
45 | } | 45 | } |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 8\n";exit} | 47 | timeout {puts "TESTING ERROR 8\n";exit} |
48 | "caps.drop all" | 48 | "noroot" |
49 | } | 49 | } |
50 | expect { | 50 | expect { |
51 | timeout {puts "TESTING ERROR 9\n";exit} | 51 | timeout {puts "TESTING ERROR 9\n";exit} |
52 | "nonewprivs" | 52 | "net none" |
53 | } | 53 | } |
54 | expect { | 54 | expect { |
55 | timeout {puts "TESTING ERROR 10\n";exit} | 55 | timeout {puts "TESTING ERROR 10\n";exit} |
@@ -57,11 +57,23 @@ expect { | |||
57 | } | 57 | } |
58 | expect { | 58 | expect { |
59 | timeout {puts "TESTING ERROR 11\n";exit} | 59 | timeout {puts "TESTING ERROR 11\n";exit} |
60 | "net none" | 60 | "shell none" |
61 | } | ||
62 | expect { | ||
63 | timeout {puts "TESTING ERROR 11\n";exit} | ||
64 | "private-bin cat," | ||
61 | } | 65 | } |
62 | expect { | 66 | expect { |
63 | timeout {puts "TESTING ERROR 12\n";exit} | 67 | timeout {puts "TESTING ERROR 12\n";exit} |
64 | "shell none" | 68 | "private-dev" |
69 | } | ||
70 | expect { | ||
71 | timeout {puts "TESTING ERROR 13\n";exit} | ||
72 | "private-etc none" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 14\n";exit} | ||
76 | "private-tmp" | ||
65 | } | 77 | } |
66 | after 100 | 78 | after 100 |
67 | 79 | ||