11 files changed, 356 insertions, 0 deletions
diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile
new file mode 100644
index 000000000..00244aaa4
--- /dev/null
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ${HOME}/.mozilla
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+protocol unix,inet,inet6,netlink
+netfilter
+# tracelog
+noroot
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/dwhelper
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile
new file mode 100644
index 000000000..87ffdced9
--- /dev/null
+++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklist /run/user/*/bus
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodvd
+nogroups
+nosound
+notv
+novideo
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile
new file mode 100644
index 000000000..6a9ff977e
--- /dev/null
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,99 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.52/gedit.profile b/etc-fixes/0.9.52/gedit.profile
new file mode 100644
index 000000000..8dd71a196
--- /dev/null
+++ b/etc-fixes/0.9.52/gedit.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gedit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gedit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklist /run/user/*/bus - makes settings immutable
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# net none - makes settings immutable
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin gedit
+private-dev
+# private-etc alternatives,fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.52/libreoffice.profile b/etc-fixes/0.9.52/libreoffice.profile
new file mode 100644
index 000000000..bbc52ff5e
--- /dev/null
+++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -0,0 +1,36 @@
+# Firejail profile for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/libreoffice.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.java
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+#nonewprivs
+noroot
+notv
+#protocol unix,inet,inet6
+#seccomp
+shell none
+#tracelog
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.56/brave-browser.profile b/etc-fixes/0.9.56/brave-browser.profile
new file mode 100644
index 000000000..6e3a5df28
--- /dev/null
+++ b/etc-fixes/0.9.56/brave-browser.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/brave.profile
diff --git a/etc-fixes/0.9.56/brave.profile b/etc-fixes/0.9.56/brave.profile
new file mode 100644
index 000000000..4c59c103f
--- /dev/null
+++ b/etc-fixes/0.9.56/brave.profile
@@ -0,0 +1,24 @@
+# Firejail profile for brave
+# This file is overwritten after every install/update
+# Description: Web browser that blocks ads and trackers by default.
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/BraveSoftware
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+mkdir ${HOME}/.config/brave
+mkdir ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.gnupg
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
new file mode 100644
index 000000000..9bc35da5a
--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+private-cache
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile
new file mode 100644
index 000000000..c8929127b
--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
new file mode 100644
index 000000000..9f85a0e00
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
new file mode 100644
index 000000000..59782461e
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
Binary files differ

diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile new file mode 100644 index 000000000..00244aaa4 --- /dev/null +++ b/etc-fixes/0.9.38/firefox.profile
@@ -0,0 +1,32 @@
	1	# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
	2	noblacklist ${HOME}/.mozilla
	3	include /etc/firejail/disable-mgmt.inc
	4	include /etc/firejail/disable-secret.inc
	5	include /etc/firejail/disable-common.inc
	6	include /etc/firejail/disable-devel.inc
	7	caps.drop all
	8
	9	#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
	10	seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
	11
	12	protocol unix,inet,inet6,netlink
	13	netfilter
	14	# tracelog
	15	noroot
	16	whitelist ${DOWNLOADS}
	17	whitelist ${HOME}/.mozilla
	18	whitelist ${HOME}/.cache/mozilla/firefox
	19	whitelist ${HOME}/dwhelper
	20	whitelist ${HOME}/.zotero
	21	whitelist ${HOME}/.lastpass
	22	whitelist ${HOME}/.vimperatorrc
	23	whitelist ${HOME}/.vimperator
	24	whitelist ${HOME}/.pentadactylrc
	25	whitelist ${HOME}/.pentadactyl
	26	whitelist ${HOME}/.keysnail.js
	27	whitelist ${HOME}/.config/gnome-mplayer
	28	whitelist ${HOME}/.cache/gnome-mplayer/plugin
	29	include /etc/firejail/whitelist-common.inc
	30
	31	# experimental features
	32	#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse


diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile new file mode 100644 index 000000000..87ffdced9 --- /dev/null +++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
	1	# Firejail profile for atom
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/atom.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	# blacklist /run/user/*/bus
	9
	10	noblacklist ${HOME}/.atom
	11	noblacklist ${HOME}/.config/Atom
	12
	13	include /etc/firejail/disable-common.inc
	14	include /etc/firejail/disable-passwdmgr.inc
	15	include /etc/firejail/disable-programs.inc
	16
	17	caps.keep sys_admin,sys_chroot
	18	# net none
	19	netfilter
	20	nodvd
	21	nogroups
	22	nosound
	23	notv
	24	novideo
	25	shell none
	26
	27	private-dev
	28	private-tmp
	29
	30	noexec ${HOME}
	31	noexec /tmp


diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile new file mode 100644 index 000000000..6a9ff977e --- /dev/null +++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,99 @@
	1	# Firejail profile for firefox
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/firefox.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	noblacklist ${HOME}/.cache/mozilla
	9	noblacklist ${HOME}/.config/okularpartrc
	10	noblacklist ${HOME}/.config/okularrc
	11	noblacklist ${HOME}/.config/qpdfview
	12	noblacklist ${HOME}/.kde/share/apps/kget
	13	noblacklist ${HOME}/.kde/share/apps/okular
	14	noblacklist ${HOME}/.kde/share/config/kgetrc
	15	noblacklist ${HOME}/.kde/share/config/okularpartrc
	16	noblacklist ${HOME}/.kde/share/config/okularrc
	17	noblacklist ${HOME}/.kde4/share/apps/kget
	18	noblacklist ${HOME}/.kde4/share/apps/okular
	19	noblacklist ${HOME}/.kde4/share/config/kgetrc
	20	noblacklist ${HOME}/.kde4/share/config/okularpartrc
	21	noblacklist ${HOME}/.kde4/share/config/okularrc
	22	# noblacklist ${HOME}/.local/share/gnome-shell/extensions
	23	noblacklist ${HOME}/.local/share/okular
	24	noblacklist ${HOME}/.local/share/qpdfview
	25	noblacklist ${HOME}/.mozilla
	26	noblacklist ${HOME}/.pki
	27	noblacklist ${HOME}/.local/share/pki
	28
	29	include /etc/firejail/disable-common.inc
	30	include /etc/firejail/disable-devel.inc
	31	include /etc/firejail/disable-programs.inc
	32
	33	mkdir ${HOME}/.cache/mozilla/firefox
	34	mkdir ${HOME}/.mozilla
	35	mkdir ${HOME}/.pki
	36	mkdir ${HOME}/.local/share/pki
	37	whitelist ${DOWNLOADS}
	38	whitelist ${HOME}/.cache/gnome-mplayer/plugin
	39	whitelist ${HOME}/.cache/mozilla/firefox
	40	whitelist ${HOME}/.config/gnome-mplayer
	41	whitelist ${HOME}/.config/okularpartrc
	42	whitelist ${HOME}/.config/okularrc
	43	whitelist ${HOME}/.config/pipelight-silverlight5.1
	44	whitelist ${HOME}/.config/pipelight-widevine
	45	whitelist ${HOME}/.config/qpdfview
	46	whitelist ${HOME}/.kde/share/apps/kget
	47	whitelist ${HOME}/.kde/share/apps/okular
	48	whitelist ${HOME}/.kde/share/config/kgetrc
	49	whitelist ${HOME}/.kde/share/config/okularpartrc
	50	whitelist ${HOME}/.kde/share/config/okularrc
	51	whitelist ${HOME}/.kde4/share/apps/kget
	52	whitelist ${HOME}/.kde4/share/apps/okular
	53	whitelist ${HOME}/.kde4/share/config/kgetrc
	54	whitelist ${HOME}/.kde4/share/config/okularpartrc
	55	whitelist ${HOME}/.kde4/share/config/okularrc
	56	whitelist ${HOME}/.keysnail.js
	57	whitelist ${HOME}/.lastpass
	58	whitelist ${HOME}/.local/share/gnome-shell/extensions
	59	whitelist ${HOME}/.local/share/okular
	60	whitelist ${HOME}/.local/share/qpdfview
	61	whitelist ${HOME}/.mozilla
	62	whitelist ${HOME}/.pentadactyl
	63	whitelist ${HOME}/.pentadactylrc
	64	whitelist ${HOME}/.pki
	65	whitelist ${HOME}/.local/share/pki
	66	whitelist ${HOME}/.vimperator
	67	whitelist ${HOME}/.vimperatorrc
	68	whitelist ${HOME}/.wine-pipelight
	69	whitelist ${HOME}/.wine-pipelight64
	70	whitelist ${HOME}/.zotero
	71	whitelist ${HOME}/dwhelper
	72	include /etc/firejail/whitelist-common.inc
	73	include /etc/firejail/whitelist-var-common.inc
	74
	75	caps.drop all
	76	# machine-id breaks pulse audio; it should work fine in setups where sound is not required
	77	#machine-id
	78	netfilter
	79	nodvd
	80	nogroups
	81	nonewprivs
	82	noroot
	83	notv
	84	protocol unix,inet,inet6,netlink
	85	#seccomp - replaced with seccomp.drop for Firefox 60
	86	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
	87	shell none
	88	#tracelog - disabled for Firefox 60
	89
	90	disable-mnt
	91	# firefox requires a shell to launch on Arch.
	92	# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
	93	private-dev
	94	# private-etc below works fine on most distributions. There are some problems on CentOS.
	95	# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
	96	private-tmp
	97
	98	noexec ${HOME}
	99	noexec /tmp


diff --git a/etc-fixes/0.9.52/gedit.profile b/etc-fixes/0.9.52/gedit.profile new file mode 100644 index 000000000..8dd71a196 --- /dev/null +++ b/etc-fixes/0.9.52/gedit.profile
@@ -0,0 +1,44 @@
	1	# Firejail profile for gedit
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/gedit.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	# blacklist /run/user/*/bus - makes settings immutable
	9
	10	noblacklist ${HOME}/.config/enchant
	11	noblacklist ${HOME}/.config/gedit
	12	noblacklist ${HOME}/.gitconfig
	13
	14	include /etc/firejail/disable-common.inc
	15	# include /etc/firejail/disable-devel.inc
	16	include /etc/firejail/disable-passwdmgr.inc
	17	include /etc/firejail/disable-programs.inc
	18
	19	include /etc/firejail/whitelist-var-common.inc
	20
	21	caps.drop all
	22	# net none - makes settings immutable
	23	machine-id
	24	no3d
	25	nodvd
	26	nogroups
	27	nonewprivs
	28	noroot
	29	nosound
	30	notv
	31	novideo
	32	protocol unix
	33	seccomp
	34	shell none
	35	tracelog
	36
	37	# private-bin gedit
	38	private-dev
	39	# private-etc alternatives,fonts
	40	#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
	41	private-tmp
	42
	43	noexec ${HOME}
	44	noexec /tmp


diff --git a/etc-fixes/0.9.52/libreoffice.profile b/etc-fixes/0.9.52/libreoffice.profile new file mode 100644 index 000000000..bbc52ff5e --- /dev/null +++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -0,0 +1,36 @@
	1	# Firejail profile for libreoffice
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/libreoffice.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	noblacklist ${HOME}/.java
	9	noblacklist /usr/local/sbin
	10	noblacklist ${HOME}/.config/libreoffice
	11
	12	include /etc/firejail/disable-common.inc
	13	include /etc/firejail/disable-devel.inc
	14	include /etc/firejail/disable-passwdmgr.inc
	15	include /etc/firejail/disable-programs.inc
	16
	17	include /etc/firejail/whitelist-var-common.inc
	18
	19	caps.drop all
	20	machine-id
	21	netfilter
	22	nodvd
	23	nogroups
	24	#nonewprivs
	25	noroot
	26	notv
	27	#protocol unix,inet,inet6
	28	#seccomp
	29	shell none
	30	#tracelog
	31
	32	private-dev
	33	private-tmp
	34
	35	noexec ${HOME}
	36	noexec /tmp


diff --git a/etc-fixes/0.9.56/brave-browser.profile b/etc-fixes/0.9.56/brave-browser.profile new file mode 100644 index 000000000..6e3a5df28 --- /dev/null +++ b/etc-fixes/0.9.56/brave-browser.profile
@@ -0,0 +1,6 @@
	1	# Firejail profile alias for brave
	2	# This file is overwritten after every install/update
	3
	4
	5	# Redirect
	6	include /etc/firejail/brave.profile


diff --git a/etc-fixes/0.9.56/brave.profile b/etc-fixes/0.9.56/brave.profile new file mode 100644 index 000000000..4c59c103f --- /dev/null +++ b/etc-fixes/0.9.56/brave.profile
@@ -0,0 +1,24 @@
	1	# Firejail profile for brave
	2	# This file is overwritten after every install/update
	3	# Description: Web browser that blocks ads and trackers by default.
	4	# Persistent local customizations
	5	include brave.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.config/brave
	10	noblacklist ${HOME}/.config/BraveSoftware
	11	# brave uses gpg for built-in password manager
	12	noblacklist ${HOME}/.gnupg
	13
	14	mkdir ${HOME}/.config/brave
	15	mkdir ${HOME}/.config/BraveSoftware
	16	whitelist ${HOME}/.config/brave
	17	whitelist ${HOME}/.config/BraveSoftware
	18	whitelist ${HOME}/.gnupg
	19
	20	# noexec /tmp is included in chromium-common.profile and breaks Brave
	21	ignore noexec /tmp
	22
	23	# Redirect
	24	include /etc/firejail/chromium-common.profile


diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile new file mode 100644 index 000000000..9bc35da5a --- /dev/null +++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
	1
	2	# Firejail profile for atom
	3	# Description: A hackable text editor for the 21st Century
	4	# This file is overwritten after every install/update
	5	# Persistent local customizations
	6	include atom.local
	7	# Persistent global definitions
	8	include globals.local
	9
	10	noblacklist ${HOME}/.atom
	11	noblacklist ${HOME}/.config/Atom
	12	noblacklist ${HOME}/.cargo/config
	13	noblacklist ${HOME}/.cargo/registry
	14
	15	include disable-common.inc
	16	include disable-passwdmgr.inc
	17	include disable-programs.inc
	18
	19	caps.keep sys_admin,sys_chroot
	20	# net none
	21	netfilter
	22	nodbus
	23	nodvd
	24	nogroups
	25	nosound
	26	notv
	27	nou2f
	28	novideo
	29	shell none
	30
	31	private-cache
	32	private-dev
	33	private-tmp
	34
	35	noexec ${HOME}
	36	noexec /tmp


diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile new file mode 100644 index 000000000..c8929127b --- /dev/null +++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
	1	# Firejail profile for atom
	2	# Description: A hackable text editor for the 21st Century
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include atom.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.atom
	10	noblacklist ${HOME}/.config/Atom
	11	noblacklist ${HOME}/.config/git
	12	noblacklist ${HOME}/.cargo/config
	13	noblacklist ${HOME}/.cargo/registry
	14	noblacklist ${HOME}/.gitconfig
	15	noblacklist ${HOME}/.git-credentials
	16	noblacklist ${HOME}/.pythonrc.py
	17
	18	include disable-common.inc
	19	include disable-exec.inc
	20	include disable-passwdmgr.inc
	21	include disable-programs.inc
	22
	23	caps.keep sys_admin,sys_chroot
	24	# net none
	25	netfilter
	26	nodbus
	27	nodvd
	28	nogroups
	29	nosound
	30	notv
	31	nou2f
	32	novideo
	33	shell none
	34
	35	private-cache
	36	private-dev
	37	private-tmp


diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README new file mode 100644 index 000000000..9f85a0e00 --- /dev/null +++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
	1	These are patches for various Firejail versions for the security bug reported by Austin Morton
	2	on May 21, 2019:
	3
	4	Seccomp filters are copied into /run/firejail/mnt, and are writable
	5	within the jail. A malicious process can modify files from inside the
	6	jail. Processes that are later joined to the jail will not have seccomp
	7	filters applied.
	8
	9	The original discussion thread: https://github.com/netblue30/firejail/issues/2718
	10	The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
	11


diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip new file mode 100644 index 000000000..59782461e --- /dev/null +++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
Binary files differ