-rw-r--r-- | etc/discord-common.profile | 1 | ||||
-rw-r--r-- | etc/evince-previewer.profile | 3 | ||||
-rw-r--r-- | etc/evince-thumbnailer.profile | 3 | ||||
-rw-r--r-- | etc/evince.profile | 9 | ||||
-rw-r--r-- | etc/gconf-editor.profile | 45 | ||||
-rw-r--r-- | etc/gconf-merge-schema.profile | 12 | ||||
-rw-r--r-- | etc/gconf-merge-tree.profile | 12 | ||||
-rw-r--r-- | etc/gconf.profile | 57 | ||||
-rw-r--r-- | etc/gconfpkg.profile | 12 | ||||
-rw-r--r-- | etc/gconftool-2.profile | 12 | ||||
-rw-r--r-- | etc/geekbench.profile | 5 | ||||
-rw-r--r-- | etc/gpicview.profile | 2 | ||||
-rw-r--r-- | etc/gsettings-data-convert.profile | 12 | ||||
-rw-r--r-- | etc/gsettings-schema-convert.profile | 12 | ||||
-rw-r--r-- | etc/hardinfo.profile | 38 | ||||
-rw-r--r-- | etc/pavucontrol.profile | 3 | ||||
-rw-r--r-- | etc/spectre-meltdown-checker.profile | 2 | ||||
-rw-r--r-- | etc/sqlitebrowser.profile | 12 | ||||
-rw-r--r-- | etc/sysprof-cli.profile | 2 | ||||
-rw-r--r-- | etc/sysprof.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
21 files changed, 155 insertions, 102 deletions
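--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -32,5 +32,4 @@ private-dev
 private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
-noexec ${HOME}
 noexec /tmp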
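Review bot: Dropping `noexec ${HOME}` leaves no record of why the whole home directory must be executable for Discord, while every other relaxation in this commit (evince, sysprof, sqlitebrowser) is kept as a commented-out line with a reason. Presumably Discord unpacks native modules somewhere under `${HOME}/.config` and needs to execute them; if so, keep the line commented with that reason, e.g. `# noexec ${HOME} - breaks loading of modules Discord unpacks under ~/.config`, so the hardening is not silently lost and can be re-enabled when the cause goes away. `noexec /tmp` still applies.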
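--- a/etc/evince-previewer.profile
+++ b/etc/evince-previewer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-previewer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect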
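--- a/etc/evince-thumbnailer.profile
+++ b/etc/evince-thumbnailer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-thumbnailer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect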
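--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none breaks AppArmor on Ubuntu systems
+# net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodbus
@@ -38,13 +38,12 @@ shell none
 tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
-
+private-etc alternatives,fonts,group,machine-id,passwd
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
-
 private-tmp
 
-#memory-deny-write-execute - breaks application on Archlinux, issue 1803
+# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
 noexec ${HOME}
 noexec /tmp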
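Review bot: The new `private-etc` line exposes `group` and `passwd` to a viewer that parses untrusted PDFs, and nothing in the hunk says what needs them (user/group name lookups, presumably). Both files are world-readable so the exposure is minor, but `private-etc` lists tend to grow unchecked, so a short reason keeps it auditable, e.g. `# group,passwd needed for getpwuid/getgrgid name lookups` above the line — marked as a guess until confirmed. The `memory-deny-write-execute` comment is also weakened from "breaks on Archlinux" to "might break"; if it is still only Arch that is affected, keeping the distro in the comment tells other users they could enable it in `evince.local`.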
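--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -4,46 +4,9 @@
 # Persistent local customizations
 include gconf-editor.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.config/gconf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${HOME}/.config/gconf
-include whitelist-common.inc
-
-apparmor
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin gconf-editor
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include gconf.profile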
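--- /dev/null
+++ b/etc/gconf-merge-schema.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile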
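--- /dev/null
+++ b/etc/gconf-merge-tree.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile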
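--- /dev/null
+++ b/etc/gconf.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python2 (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib libpython*,python2*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp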
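Review bot: `apparmor` (line 28) is combined with `net none` (line 32), which the evince hunk in this same commit documents as breaking AppArmor on Ubuntu systems; if that note is accurate this shared profile inherits the same failure for all seven gconf/gsettings tools, and since `protocol unix` (line 42) already denies inet sockets, replacing `net none` with `netfilter` as evince does would cost little — or add a comment stating why gconf is unaffected. Separately, folding the GUI `gconf-editor` into the same profile as the python2-based CLI tools gives the editor `python2*` in `private-bin` and `private-lib libpython*,python2*`; if gconf-editor itself does not need an interpreter, that widens what an exploited editor process can execute, and a one-line comment naming which tools actually require python2 would make the trade-off explicit. `gconf` in `private-etc` also deserves a word (presumably the system-wide defaults tree).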
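--- /dev/null
+++ b/etc/gconfpkg.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile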
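--- /dev/null
+++ b/etc/gconftool-2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile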
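--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -13,7 +13,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-inclue whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -40,7 +40,7 @@ disable-mnt
 private-bin bash,geekbenc*,sh
 private-cache
 private-dev
-private-etc alternatives,groups,passwd,lsb-release
+private-etc alternatives,group,passwd,lsb-release
 private-lib libstdc++.so.*
 private-opt none
 private-tmp
@@ -49,5 +49,4 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
 
-# never write anything
 read-only ${HOME}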
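Review bot: The last hunk deletes `# never write anything`, which was the only stated rationale for `read-only ${HOME}`, while the rest of this commit is adding reasons to hardening lines rather than removing them; I would keep it, e.g. `# never write anything - benchmark results are not worth keeping`, or whatever the real reason is. The two typo fixes (`inclue`, `groups`) show that a misspelled directive or a non-existent file in `private-etc` goes unnoticed until someone reads the profile; whether firejail rejects such a line or silently skips it I cannot tell from here, but either way a profile syntax check in CI would have caught both.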
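--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,groups,passwd
+private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 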
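--- /dev/null
+++ b/etc/gsettings-data-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile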
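--- /dev/null
+++ b/etc/gsettings-schema-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile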
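--- a/etc/hardinfo.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for hardinfo
-# Description: A system information and benchmark tool
-# This file is overwritten after every install/update
-# Persistent local customizations
-include hardinfo.local
-# Persistent global definitions
-include globals.local
-
-include disable-common.inc
-include disable-devel.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-apparmor
-caps.drop all
-machine-id
-ipc-namespace
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-nou2f
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-cache
-private-dev
-private-tmp
-
-# memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp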
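--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -15,9 +15,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor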
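Review bot: Removing `whitelist ${HOME}/.config/pavucontrol.ini` together with `include whitelist-common.inc` does more than stop pinning one file: with no `whitelist` entry left under `${HOME}`, firejail (as far as its whitelist semantics go) no longer replaces the home directory with a tmpfs, so pavucontrol can read everything in home that the `disable-*.inc` files do not cover. No reason is recorded for giving up that isolation; if the problem was the `mkfile` path, the safer fix is to correct the path and keep `include whitelist-common.inc`, and if the whitelist really has to go, leave a comment such as `# whitelist ${HOME}/.config/pavucontrol.ini - <reason>` so the loss of home isolation is visibly deliberate.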
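--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private
-private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
 private-cache
 private-tmp
 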
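Review bot: While `dirname` is being added to this `private-bin` line, several entries on the same line look like package names rather than executables — `liblz4-tool` and `xz-utils` certainly, and probably `gz` — so `private-bin` will never find them and any kernel-image decompression the script attempts via lz4 or xz inside the sandbox would fail in the same quiet way the missing `dirname` did. Presumably `lz4`, `xz`/`unxz` and `zcat` were meant; I would fix them in the same edit, e.g. replace `liblz4-tool` with `lz4` and `xz-utils` with `unxz,xz`, after checking the script's actual calls.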
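--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -18,10 +18,11 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
-no3d
-nodbus
+ipc-namespace
+netfilter
+# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -30,15 +31,16 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-bin sqlitebrowser
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-# memory-deny-write-execute - breaks on Arch
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp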
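Review bot: This gives a local database browser network access — `net none` becomes `netfilter`, `protocol unix` becomes `unix,inet,inet6,netlink`, and `private-etc` gains the TLS trust stores — yet the only recorded reason is `# nodbus - breaks proxy creation`, which explains the D-Bus change, not the network one. sqlitebrowser opens untrusted `.db` files, so this widens what a parser bug can reach; if the network is only needed for a specific feature (remote databases, update check), say so next to `netfilter`, e.g. `# net none - breaks <feature>`, otherwise keep `net none` and `protocol unix`. `no3d` is dropped without a note as well. Re-enabling `memory-deny-write-execute`, previously commented out as breaking on Arch, also deserves a word on why it is believed to work now, since the sysprof hunk in this same commit disables it for the same reason.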
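--- a/etc/sysprof-cli.profile
+++ b/etc/sysprof-cli.profile
@@ -13,6 +13,8 @@ nodbus
 private-bin sysprof-cli
 private-lib
 
+memory-deny-write-execute
+
 
 # Redirect
 include sysprof.profile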
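Review bot: `memory-deny-write-execute` is enabled here while the sysprof.profile hunk in the same commit comments it out as `Breaks GUI on Arch`, and nothing in this file tells a reader that the split is intentional. A one-line comment above it would record that, e.g. `# enabled here: only the GUI (sysprof.profile) is affected by the Arch breakage`. The added blank line also leaves two consecutive empty lines before `# Redirect`.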
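--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -42,6 +42,6 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - Breaks GUI on Arch
 noexec ${HOME}
 noexec /tmp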
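--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -235,7 +235,6 @@ gucharmap
 gwenview
 handbrake
 handbrake-gtk
-hardinfo
 hashcat
 hedgewars
 hexchat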
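Review bot: The only change here is the `hardinfo` removal; none of the six new profiles from this commit (`gconf-merge-schema`, `gconf-merge-tree`, `gconfpkg`, `gconftool-2`, `gsettings-data-convert`, `gsettings-schema-convert`) is registered, so `firecfg` will not create symlinks for them and the new sandboxes only apply when invoked explicitly. That may well be deliberate — these CLI tools are commonly run from package maintainer scripts, where a firejail symlink could interfere — but if so it is worth a comment in the commit or profile so the omission is not "fixed" later; if not, the names belong in this list.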