Diffstat (limited to 'etc/profile-a-l')
483 files changed, 15478 insertions, 0 deletions
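--- /dev/null
+++ b/etc/profile-a-l/0ad.profile
@@ -0,0 +1,53 @@
+# Firejail profile for 0ad
+# Description: Real-time strategy game of ancient warfare
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 0ad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/0ad
+noblacklist ${HOME}/.config/0ad
+noblacklist ${HOME}/.local/share/0ad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/0ad
+mkdir ${HOME}/.config/0ad
+mkdir ${HOME}/.local/share/0ad
+whitelist ${HOME}/.cache/0ad
+whitelist ${HOME}/.config/0ad
+whitelist ${HOME}/.local/share/0ad
+whitelist /usr/share/0ad
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin 0ad,pyrogenesis,sh,which
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none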
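--- /dev/null
+++ b/etc/profile-a-l/2048-qt.profile
@@ -0,0 +1,43 @@
+# Firejail profile for 2048-qt
+# Description: Mathematics based puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 2048-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/2048-qt
+noblacklist ${HOME}/.config/xiaoyong
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/2048-qt
+mkdir ${HOME}/.config/xiaoyong
+whitelist ${HOME}/.config/2048-qt
+whitelist ${HOME}/.config/xiaoyong
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp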
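--- /dev/null
+++ b/etc/profile-a-l/7z.profile
@@ -0,0 +1,47 @@
+# Firejail profile for 7z
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7z.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname 7z
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+#private-bin 7z,7z*,p7zip
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute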
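Review bot: `#nogroups`, `#noroot` and `#private-bin 7z,7z*,p7zip` are disabled with no rationale, which is the kind of thing the next maintainer will "fix" by re-enabling them. A one-line comment above each would preserve the reason, e.g. `# noroot/nogroups are left off so 7z keeps working when invoked as root (e.g. via sudo) — confirm` and `# private-bin disabled: 7z is a wrapper script that needs more binaries than listed — confirm`, if those are indeed the causes. The rest of the profile (net none, x11 none, memory-deny-write-execute) is a good fit for an archiver that parses untrusted input.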
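--- /dev/null
+++ b/etc/profile-a-l/7za.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7za
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7za.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile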
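--- /dev/null
+++ b/etc/profile-a-l/7zr.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7zr
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7zr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile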
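--- /dev/null
+++ b/etc/profile-a-l/Builder.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-builder
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-builder.profile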
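--- /dev/null
+++ b/etc/profile-a-l/Cheese.profile
@@ -0,0 +1,6 @@
+# Firejail profile for cheese
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include cheese.profile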
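--- /dev/null
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Cryptocat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Cryptocat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Cryptocat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp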
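Review bot: The home directory is left on a blacklist-only basis here: `noblacklist ${HOME}/.config/Cryptocat` is not paired with a whitelist, so a network-facing chat client can read everything in `${HOME}` that the disable-*.inc files do not happen to list. The pattern used elsewhere in this set (e.g. 0ad, 2048-qt) would narrow it to the app's own state: `mkdir ${HOME}/.config/Cryptocat`, `whitelist ${HOME}/.config/Cryptocat`, `include whitelist-common.inc`. If Cryptocat does not need to execute anything from home or /tmp, `include disable-exec.inc` and `disable-mnt` would also bring it in line with the neighbouring profiles; whether that breaks the app is something to confirm on a live install.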
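--- /dev/null
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for cyberfox
+# This file is overwritten after every install/update
+
+# Redirect
+include cyberfox.profile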
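--- /dev/null
+++ b/etc/profile-a-l/Discord.profile
@@ -0,0 +1,17 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+
+private-bin Discord
+private-opt Discord
+
+# Redirect
+include discord-common.profile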
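--- /dev/null
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for DiscordCanary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordCanary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordcanary
+
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+
+private-bin DiscordCanary
+private-opt DiscordCanary
+
+# Redirect
+include discord-common.profile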
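--- /dev/null
+++ b/etc/profile-a-l/Documents.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile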
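--- /dev/null
+++ b/etc/profile-a-l/FossaMail.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for fossamail
+# This file is overwritten after every install/update
+
+# Redirect
+include fossamail.profile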
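--- /dev/null
+++ b/etc/profile-a-l/Fritzing.profile
@@ -0,0 +1,39 @@
+# Firejail profile for fritzing
+# Description: Easy-to-use electronic design software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Fritzing.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Fritzing
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+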
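Review bot: `noblacklist ${DOCUMENTS}` re-exposes the Documents folder but nothing in `${HOME}` is whitelisted, so the sandbox only hides what disable-*.inc happen to name rather than confining Fritzing to its own state. The anki profile in this same set shows the tighter shape — a `mkdir`/`whitelist` pair for the config directory plus `whitelist ${DOCUMENTS}` and `include whitelist-common.inc` — and the same would apply here if Fritzing has no other home-directory needs, which should be confirmed on a live install. Separately, the file ends with an empty line 39; the other profiles end on their last directive.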
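--- /dev/null
+++ b/etc/profile-a-l/Gitter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Gitter
+# This file is overwritten after every install/update
+
+# Redirect
+include gitter.profile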
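--- /dev/null
+++ b/etc/profile-a-l/JDownloader.profile
@@ -0,0 +1,48 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include JDownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jd
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none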
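--- /dev/null
+++ b/etc/profile-a-l/Logs.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-logs.profile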
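--- /dev/null
+++ b/etc/profile-a-l/abiword.profile
@@ -0,0 +1,48 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/abiword
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp
+
+# dbus-user none
+# dbus-system none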
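Review bot: `# dbus-user none` and `# dbus-system none` are commented out with no explanation, while most sibling profiles in this set enable them; a reader cannot tell whether this is a known breakage or an oversight. A short comment above them, such as `# dbus filtering disabled: breaks <feature> — see issue #…`, with the actual feature and ticket filled in, would stop someone from flipping them back on blind. Also worth noting that `whitelist /usr/share/abiword-3.0` hard-codes the 3.0 path, so the whitelist silently matches nothing on a distribution that ships a different version directory — presumably acceptable, but a comment saying so would help.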
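--- /dev/null
+++ b/etc/profile-a-l/abrowser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for abrowser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+mkdir ${HOME}/.cache/mozilla/abrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/abrowser
+whitelist ${HOME}/.mozilla
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc abrowser
+
+# Redirect
+include firefox-common.profile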
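--- /dev/null
+++ b/etc/profile-a-l/acat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for acat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include acat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile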
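--- /dev/null
+++ b/etc/profile-a-l/adiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for adiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include adiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile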
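--- /dev/null
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -0,0 +1,55 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include akonadi_control.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
+noblacklist /tmp/akonadi-*
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
+# this affects ubuntu and debian currently
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+# nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+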
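Review bot: This profile runs with `nonewprivs`, `seccomp` and `protocol` all disabled and has no `shell none`, so the sandbox is essentially mount- and capability-based only; the comment on lines 33-34 blames the distro AppArmor profile for mysqld-akonadi, which plausibly explains `nonewprivs` (profile transitions under no_new_privs) but does not obviously explain `protocol`, nor why `/sbin` and `/usr/sbin` are un-blacklisted on lines 20 and 22. A comment per disabled line naming what actually fails would let someone re-enable them once the AppArmor issue is resolved, e.g. `# protocol: <what breaks> — re-test when mysqld-akonadi AppArmor profile is fixed`. The header is also missing the `# This file is overwritten after every install/update` line every other profile here carries, and the file ends with an empty line 55.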
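--- /dev/null
+++ b/etc/profile-a-l/akregator.profile
@@ -0,0 +1,46 @@
+# Firejail profile for akregator
+# Description: RSS/Atom feed aggregator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include akregator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.local/share/akregator
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# chroot syscalls are needed for setting up the built-in sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5
+private-dev
+private-tmp
+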
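Review bot: `whitelist ${HOME}/.local/share/kssl` on line 23 has no matching `noblacklist`/`mkdir` pair, unlike the two entries above it; if the directory does not exist at launch the whitelist entry is, as far as I know, skipped, so the app's SSL state would land in a tmpfs and vanish — adding `mkdir ${HOME}/.local/share/kssl` keeps it consistent with lines 19-20, assuming akregator really writes there. The `seccomp !chroot` exception is already explained on line 38, which is the right practice. The file also ends on an empty line 46.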
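--- /dev/null
+++ b/etc/profile-a-l/als.profile
@@ -0,0 +1,11 @@
+# Firejail profile for als
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include als.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile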
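--- /dev/null
+++ b/etc/profile-a-l/amarok.profile
@@ -0,0 +1,35 @@
+# Firejail profile for amarok
+# Description: Easy to use media player based on the KDE Platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amarok.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+
+# private-bin amarok
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-tmp
+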
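Review bot: `# seccomp` on line 29 switches off the syscall filter for a network-enabled media player that parses untrusted codec input, and nothing says why; with `nonewprivs` and `caps.drop all` still on, seccomp is the main remaining kernel-surface reduction. If a specific syscall is the problem, the pattern on the akregator profile (`seccomp !chroot` with a one-line reason) is preferable to dropping it entirely — e.g. `# seccomp disabled: <tool/feature> fails with <syscall> — see issue #…`. The commented `private-bin` and `private-etc` lines would benefit from the same one-line rationale, and `include disable-exec.inc` is absent here though present in the sibling profiles, which may or may not be deliberate.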
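--- /dev/null
+++ b/etc/profile-a-l/amule.profile
@@ -0,0 +1,42 @@
+# Firejail profile for amule
+# Description: Client for the eD2k and Kad networks, like eMule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amule.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.aMule
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.aMule
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+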
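--- /dev/null
+++ b/etc/profile-a-l/amuled.profile
@@ -0,0 +1,13 @@
+# Firejail profile for amuled
+# Description: Daemon for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amule.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin amuled
+
+# Redirect
+include amule.profile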
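Review bot: Line 5 reads `include amule.local` where every other redirect profile in this set includes its own `<name>.local` (7za.local, acat.local, …), so users have no per-amuled override point and amule.local is processed twice — once here and again via the redirected amule.profile. Changing it to `include amuled.local` restores the convention and keeps the comment on line 4 truthful. Whether the `private-bin amuled` line merges with or is replaced by the `private-bin amule` in amule.profile depends on firejail's accumulation rules for that directive; a comment stating the intended result would help.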
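--- /dev/null
+++ b/etc/profile-a-l/android-studio.profile
@@ -0,0 +1,41 @@
+# Firejail profile for android-studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include android-studio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.AndroidStudio*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+# private-tmp
+
+# noexec /tmp breaks 'Android Profiler'
+#noexec /tmp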
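Review bot: `noblacklist ${HOME}/.ssh` on line 13 hands the user's private keys to an IDE that runs third-party Gradle plugins and downloaded SDK components, and the line carries no justification; if the need is only git-over-ssh, say so and point users at the override: `# ~/.ssh exposed for git over ssh; drop via android-studio.local if unneeded`. Similarly `# private-tmp` on line 38 is disabled without a reason, while the comment on line 40 only explains `noexec /tmp` — presumably the same Android Profiler issue, but that should be stated rather than inferred. `nou2f` is also missing here though present in nearly every sibling profile; likely an oversight unless hardware-key development is expected.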
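--- /dev/null
+++ b/etc/profile-a-l/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/Anki2
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+tracelog
+
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none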
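--- /dev/null
+++ b/etc/profile-a-l/anydesk.profile
@@ -0,0 +1,35 @@
+# Firejail profile for AnyDesk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anydesk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.anydesk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.anydesk
+whitelist ${HOME}/.anydesk
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin anydesk
+private-dev
+private-tmp
+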
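Review bot: AnyDesk gives a remote party interactive control of the session, which makes it the profile here where `include disable-exec.inc` matters most, yet it is the one that omits it — the remote side can drop a file into the whitelisted `~/.anydesk` or /tmp and run it. Unless AnyDesk is known to execute helpers from those locations, add `include disable-exec.inc` to the include list. As a style point, `include disable-interpreters.inc` on line 14 breaks the alphabetical order every other profile keeps (it belongs after disable-devel.inc), and `novideo` is absent without comment — a remote-desktop tool has no need for the webcam, so that looks like an omission rather than a choice.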
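--- /dev/null
+++ b/etc/profile-a-l/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aosp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+#seccomp
+shell none
+
+private-tmp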
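Review bot: `#seccomp` on line 39 drops the syscall filter for a profile that builds a large untrusted-ish source tree with a full toolchain and has `~/.ssh` exposed (line 14), and nothing records what broke; the same concern applies to `noblacklist ${HOME}/.bash_history` on line 9, which is unusual next to `shell none`. A comment such as `# seccomp disabled: <build step> fails on <syscall> — retest` (or, better, a `seccomp !<syscall>` exception as akregator does) and `# .bash_history needed because the build is normally driven from an interactive shell — confirm` would document the trade-off. `nou2f` is missing here too while the sibling profiles set it; probably an oversight.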
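--- /dev/null
+++ b/etc/profile-a-l/apack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for apack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile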
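--- /dev/null
+++ b/etc/profile-a-l/apktool.profile
@@ -0,0 +1,38 @@
+# Firejail profile for apktool
+# Description: Tool for reverse engineering Android apk files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apktool.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin apktool,basename,bash,dirname,expr,java,sh
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none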
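--- /dev/null
+++ b/etc/profile-a-l/ar.profile
@@ -0,0 +1,47 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin ar
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute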
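Review bot: Line 29 `#noroot` turns off the user-namespace restriction with no reason recorded, unlike the documented disables elsewhere in this commit (atril, audio-recorder); suggest `# noroot - <reason> (TODO confirm)` so the relaxation is traceable rather than looking like a leftover. The rest of the profile is tight (`x11 none`, `net none`, `private-bin ar`, `memory-deny-write-execute`), so this single unexplained gap is the one a reader will stop on.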
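--- /dev/null
+++ b/etc/profile-a-l/arch-audit.profile
@@ -0,0 +1,51 @@
+# Firejail profile for arch-audit
+# Description: A utility like pkg-audit based on Arch CVE Monitoring Team data
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arch-audit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/arch-audit
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute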
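--- /dev/null
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -0,0 +1,40 @@
+# Firejail profile for archaudit-report
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include archaudit-report.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds
+#private-dev
+private-tmp
+
+memory-deny-write-execute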
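Review bot: Line 37 `#private-dev` is commented out with no reason, and the profile omits `nou2f`, `apparmor`, `machine-id` and the `dbus-user none`/`dbus-system none` pair that arch-audit.profile in this same commit applies, even though this wrapper runs that tool via `private-bin arch-audit`; a comment such as `# private-dev - <reason> (TODO confirm)` plus an explicit `nou2f` would bring the two in line. Line 36 also ships `pacman` and `rm` inside the sandbox; with `noroot` and `caps.drop all` pacman should only be able to query, but a short comment stating the script uses it read-only would make that intent reviewable.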
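--- /dev/null
+++ b/etc/profile-a-l/ardour4.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+# Redirect
+include ardour5.profile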
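--- /dev/null
+++ b/etc/profile-a-l/ardour5.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ardour5.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
+private-cache
+private-dev
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none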
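Review bot: Lines 36 and 39 comment out `private-bin` and `private-etc` without saying why, so a reader cannot tell whether the lists are known to break Ardour or simply untested; suggest a trailing reason on each, e.g. `#private-bin ... - <reason> (TODO confirm)`, in the style line 39 of aria2c.profile in this commit uses. Line 8 `noblacklist ${HOME}/.config/ardour4` is presumably kept because ardour4.profile redirects here; a one-line comment saying so would stop someone removing it as stale.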
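--- /dev/null
+++ b/etc/profile-a-l/arduino.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arduino
+# Description: AVR development board IDE and built-in libraries
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arduino.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.arduino15
+noblacklist ${HOME}/Arduino
+noblacklist ${DOCUMENTS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+# nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-tmp
+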
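Review bot: Line 28 `# nogroups` is disabled with no reason given; presumably the IDE needs a supplementary group (dialout/uucp) to open serial ports, but that belongs in the file: `# nogroups - needed for serial port group access (TODO confirm)`. The absence of `private-dev` is consistent with the same need for `/dev/tty*` devices, and the same comment could cover it. Line 40 is a trailing blank line at end of file, which the other profiles in this commit do not carry.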
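--- /dev/null
+++ b/etc/profile-a-l/arepack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for arepack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arepack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile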
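--- /dev/null
+++ b/etc/profile-a-l/aria2c.profile
@@ -0,0 +1,55 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aria2c.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
+private-bin aria2c,gzip
+# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
+#private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-lib libreadline.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute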
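Review bot: Line 48's `private-etc` list contains `groups`, which looks like a typo for `group` — atool.profile (line 47) and arm.profile in this commit spell it `group`, and an entry that matches no file in /etc is silently ignored, so group lookups inside the sandbox would fail; please verify and change it to `group`. Line 42 `# disable-mnt` is commented out with no reason, while line 45 carefully explains `private-cache`; `# disable-mnt - <reason> (TODO confirm)` would keep the two consistent. Line 11 `noblacklist ${HOME}/.netrc` exposes stored credentials to the sandbox, which is expected for a downloader but worth a one-line comment so the exposure is reviewed rather than inherited.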
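--- /dev/null
+++ b/etc/profile-a-l/ark.profile
@@ -0,0 +1,45 @@
+# Firejail profile for ark
+# Description: Archive utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ark.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/arkrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/ark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
+
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none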
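Review bot: Line 24 `# net none` and lines 44-45 `# dbus-user none`/`# dbus-system none` are disabled with no reason; since line 34 already limits sockets to `protocol unix`, inet sockets are blocked anyway, so either `net none` should be enabled or the comment should say what still needs the host network namespace (presumably KDE ioslaves or portals — confirm). Suggest `# net none - <reason> (TODO confirm)` and the same form on the dbus lines. Line 38's `private-bin` list keeps `bash`, `sh` and `tclsh` next to the archivers; a comment naming which helper scripts require the interpreters would justify leaving them reachable inside the sandbox.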
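--- /dev/null
+++ b/etc/profile-a-l/arm.profile
@@ -0,0 +1,48 @@
+# Firejail profile for arm
+# Description: Terminal status monitor for Tor relays
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.arm
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.arm
+whitelist ${HOME}/.arm
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-tmp
+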
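Review bot: The profile sets no `dbus-user none`/`dbus-system none`, which the other terminal-tool profiles in this commit (ar, arch-audit, atool) do; for a curses monitor the buses are presumably unused, so adding both lines before line 48 would close that channel — confirm nothing in arm talks to D-Bus first. Line 46's `private-etc` entry `tor` exposes the relay's torrc (which may hold a control-port password hash) to the sandbox; this is presumably needed to locate the control port, but a comment stating that would make the exposure deliberate. Line 48 is a trailing blank line at end of file.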
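--- /dev/null
+++ b/etc/profile-a-l/artha.profile
@@ -0,0 +1,65 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include artha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.log
+noblacklist ${HOME}/.config/enchant
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} makes settings immutable, see #3112
+#mkfile ${HOME}/.config/artha.conf
+#mkdir ${HOME}/.config/enchant
+#whitelist ${HOME}/.config/artha.conf
+#whitelist ${HOME}/.config/artha.log
+#whitelist ${HOME}/.config/enchant
+whitelist /usr/share/artha
+whitelist /usr/share/wordnet
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib libnotify.so.*
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute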
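Review bot: Lines 62-63 comment out `dbus-user none`/`dbus-system none` without a reason, while line 39 documents why `net none` is off and line 24 documents the disabled whitelist block; given `notify-send` in line 55's `private-bin` list, the session bus is presumably needed for desktop notifications, so `# dbus-user none - needed by notify-send (TODO confirm)` would record that, and `dbus-system none` could likely stay enabled on its own. Consistent reasons on every commented-out hardening line make it possible to re-test them later.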
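--- /dev/null
+++ b/etc/profile-a-l/assogiate.profile
@@ -0,0 +1,52 @@
+# Firejail profile for assogiate
+# Description: An editor of the MIME file types database for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include assogiate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin assogiate,gtk-update-icon-cache,update-mime-database
+private-cache
+private-dev
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute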
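--- /dev/null
+++ b/etc/profile-a-l/asunder.profile
@@ -0,0 +1,48 @@
+# Firejail profile for asounder
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include asunder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/asunder
+noblacklist ${HOME}/.asunder_album_genre
+noblacklist ${HOME}/.asunder_album_title
+noblacklist ${HOME}/.asunder_album_artist
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+# nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute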
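Review bot: Line 1 reads `# Firejail profile for asounder` while the filename and line 5's `include asunder.local` say `asunder`; the header should be `# Firejail profile for asunder`. Line 30 `# nogroups` is disabled with no reason (presumably the optical-drive group is needed to read the CD — confirm) and the profile deliberately omits `nodvd`; one comment covering both would make the rationale explicit. Lines 33-34 put `nou2f` before `notv`, breaking the alphabetical ordering the other profiles in this commit keep.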
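--- /dev/null
+++ b/etc/profile-a-l/atom-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atom-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atom.profile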
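--- /dev/null
+++ b/etc/profile-a-l/atom.profile
@@ -0,0 +1,40 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none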
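--- /dev/null
+++ b/etc/profile-a-l/atool.profile
@@ -0,0 +1,53 @@
+# Firejail profile for atool
+# Description: Tool for managing file archives of various types
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include atool.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname atool
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# private-bin atool,perl
+private-cache
+private-dev
+# without login.defs atool complains and uses UID/GID 1000 by default
+private-etc alternatives,group,login.defs,passwd
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute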
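Review bot: Line 16 `# include disable-devel.inc` and line 43 `# private-bin atool,perl` are commented out with no recorded reason, unlike line 46 which explains the `login.defs` entry; suggest `# include disable-devel.inc - <reason> (TODO confirm)` and the same form on line 43. Because apack, arepack and aunpack in this commit redirect to this file, any relaxation here is inherited silently by three more commands, which makes a why-comment more important than in a standalone profile.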
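--- /dev/null
+++ b/etc/profile-a-l/atril-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atril.profile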
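--- /dev/null
+++ b/etc/profile-a-l/atril-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atril.profile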
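--- /dev/null
+++ b/etc/profile-a-l/atril.profile
@@ -0,0 +1,52 @@
+# Firejail profile for atril
+# Description: MATE document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/atril
+noblacklist ${HOME}/.config/atril
+noblacklist ${DOCUMENTS}
+
+#noblacklist ${HOME}/.local/share
+# it seems to use only ${HOME}/.local/share/webkitgtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin atril,atril-previewer,atril-thumbnailer
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+# atril uses webkit gtk to display epub files
+# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
+#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+private-tmp
+
+# webkit gtk killed by memory-deny-write-execute
+#memory-deny-write-execute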
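Review bot: Line 26 `# apparmor` is disabled without a reason, while lines 46-48 and 51-52 carefully explain the other disabled options; suggest `# apparmor - <reason> (TODO confirm)` so the same standard applies to every commented-out hardening line. Lines 13-14 leave a broad `#noblacklist ${HOME}/.local/share` with a note that only the `webkitgtk` subdirectory seems to be used; if that is confirmed, `noblacklist ${HOME}/.local/share/webkitgtk` is the narrow line to add instead of carrying the comment as an open question. This profile is also the target of the atril-previewer and atril-thumbnailer redirects in this commit, so those inherit whatever is decided here.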
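--- /dev/null
+++ b/etc/profile-a-l/audacious.profile
@@ -0,0 +1,44 @@
+# Firejail profile for audacious
+# Description: Small and fast audio player which supports lots of formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacious.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Audaciousrc
+noblacklist ${HOME}/.config/audacious
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin audacious
+private-cache
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none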
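Review bot: Line 37 `# private-bin audacious` is commented out with no reason, whereas line 42 explains the disabled dbus lines; `# private-bin audacious - <reason> (TODO confirm)` would keep the file self-explaining. The profile also omits `no3d` and `nodvd` without comment; for an audio player that may play CDs the `nodvd` omission is plausible, but since most sibling profiles in this commit set both, a one-line note on why they are absent would stop them being "fixed" back in.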
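--- /dev/null
+++ b/etc/profile-a-l/audacity.profile
@@ -0,0 +1,45 @@
+# Firejail profile for audacity
+# Description: Fast, cross-platform audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.audacity-data
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
+private-tmp
+
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none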
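--- /dev/null
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -0,0 +1,50 @@
+# Firejail profile for audio-recorder
+# Description: Audio Recorder Application
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include audio-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/audio-recorder
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin audio-recorder
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch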
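Review bot: Line 45 `# private-bin audio-recorder` is commented out with no reason, while line 50 documents why `memory-deny-write-execute` is off; `# private-bin audio-recorder - <reason> (TODO confirm)` would keep both to the same standard. The profile also has no `private-dev` and no `dbus-user none`/`dbus-system none`; a recorder presumably needs sound devices and possibly the session bus, but since every other GTK profile in this commit either sets these or explains their absence, one comment covering them would make the omissions clearly intentional.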
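--- /dev/null
+++ b/etc/profile-a-l/aunpack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for aunpack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include aunpack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile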
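diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
new file mode 100644
index 000000000..131b20c70
--- /dev/null
+++ b/etc/profile-a-l/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Authenticator
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator,python*
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)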
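Review bot: `# dbus-user none` on line 46 is disabled with the reason "makes settings immutable", which leaves the whole session bus reachable from a 2FA code generator. If this Firejail release supports `dbus-user filter` with `dbus-user.talk`/`dbus-user.own` rules, a filtered bus limited to the settings service would keep the stated functionality while closing the rest; confirm support before changing. Separately, `# novideo` on line 34 and `# apparmor` on line 23 are left disabled without a comment; the camera is presumably kept for QR-code scanning, and that assumption should be written down, e.g. `# novideo - camera needed for QR-code scanning (confirm)`.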
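diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
new file mode 100644
index 000000000..b1a77c0a4
--- /dev/null
+++ b/etc/profile-a-l/autokey-common.profile
@@ -0,0 +1,42 @@
+# Firejail profile for autokey
+# Description: Desktop automation utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/autokey
+noblacklist ${HOME}/.local/share/autokey
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+# disable-exec.inc might break scripting functionality
+#include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)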
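diff --git a/etc/profile-a-l/autokey-gtk.profile b/etc/profile-a-l/autokey-gtk.profile
new file mode 100644
index 000000000..e16449064
--- /dev/null
+++ b/etc/profile-a-l/autokey-gtk.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-gtk
+# Description: Desktop automation utility (GTK version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-gtk.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile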
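diff --git a/etc/profile-a-l/autokey-qt.profile b/etc/profile-a-l/autokey-qt.profile
new file mode 100644
index 000000000..b6f1210dd
--- /dev/null
+++ b/etc/profile-a-l/autokey-qt.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-qt
+# Description: Desktop automation utility (Qt version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-qt.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile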
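diff --git a/etc/profile-a-l/autokey-run.profile b/etc/profile-a-l/autokey-run.profile
new file mode 100644
index 000000000..05669351a
--- /dev/null
+++ b/etc/profile-a-l/autokey-run.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-run
+# Description: Desktop automation utility (CLI version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-run.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile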
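diff --git a/etc/profile-a-l/autokey-shell.profile b/etc/profile-a-l/autokey-shell.profile
new file mode 100644
index 000000000..dfbd8759f
--- /dev/null
+++ b/etc/profile-a-l/autokey-shell.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-shell
+# Description: Desktop automation utility (CLI shell)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-shell.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile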
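diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
new file mode 100644
index 000000000..d7228570f
--- /dev/null
+++ b/etc/profile-a-l/aweather.profile
@@ -0,0 +1,39 @@
+# Firejail profile for aweather
+# Description: Advanced Weather Monitoring Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aweather.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/aweather
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/aweather
+whitelist ${HOME}/.config/aweather
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
+private-tmp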
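Review bot: `disable-exec.inc` is missing from the disable block on lines 11–15, unlike the neighbouring profiles in this commit, and nothing says why; autokey-common.profile shows the convention for an intentional omission (`# disable-exec.inc might break scripting functionality`). If the omission is accidental, add `include disable-exec.inc` after line 12; if it is deliberate, add a one-line comment with the reason so the next audit does not re-add it blindly.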
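diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
new file mode 100644
index 000000000..5d1bf5071
--- /dev/null
+++ b/etc/profile-a-l/awesome.profile
@@ -0,0 +1,19 @@
+# Firejail profile for awesome
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include awesome.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/awesome
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/awesome/autorun.sh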
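Review bot: `read-only ${HOME}/.config/awesome/autorun.sh` on line 19 protects a single file, while `noblacklist ${HOME}/.config/awesome` on line 10 leaves the rest of the window-manager configuration writable by every application that inherits this profile (line 9 says all of them do). Consider `read-only ${HOME}/.config/awesome` instead, with a narrower `read-write` exception only if the WM itself has to write there; either way a comment explaining why only autorun.sh is covered would help.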
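diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
new file mode 100644
index 000000000..785e37a16
--- /dev/null
+++ b/etc/profile-a-l/baloo_file.profile
@@ -0,0 +1,54 @@
+# Firejail profile for baloo_file
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baloo_file.local
+# Persistent global definitions
+include globals.local
+
+# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
+# Note: Baloo will not be able to update the "first run" key in its configuration files.
+# mkdir ${HOME}/.local/share/baloo
+# read-only ${HOME}
+# read-write ${HOME}/.local/share/baloo
+# ignore read-write
+
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.local/share/baloo
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# blacklisting of ioprio_set system calls breaks baloo_file
+seccomp !ioprio_set
+shell none
+# x11 xorg
+
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
+private-cache
+private-dev
+private-tmp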
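Review bot: `# net none` on line 34 is disabled without a reason while line 45 restricts sockets to `protocol unix`, so the file keeps the network reachable via `netfilter` for a process that cannot open inet sockets anyway; the two lines read as contradictory. Either record why the network must stay up (`# net none - <reason, TODO confirm>`) or re-enable `net none` and drop `netfilter`. The `# x11 xorg` on line 49 has the same gap, in contrast to the well-documented `seccomp !ioprio_set` exception on lines 46–47.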
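diff --git a/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
new file mode 100644
index 000000000..ff10e9965
--- /dev/null
+++ b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,14 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include baloo_file.profile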
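diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
new file mode 100644
index 000000000..50f7531c0
--- /dev/null
+++ b/etc/profile-a-l/baobab.profile
@@ -0,0 +1,42 @@
+# Firejail profile for baobab
+# Description: GNOME disk usage analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baobab.local
+# Persistent global definitions
+include globals.local
+
+# include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+# include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin baobab
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}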
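Review bot: `# include disable-common.inc`, `# include disable-programs.inc` and `# include disable-xdg.inc` (lines 9, 14, 15) are disabled with no rationale; presumably a disk-usage analyzer has to see the whole home tree, but that is not written down and a later cleanup could re-enable them. Suggest one comment above line 9 such as `# disable-common/programs/xdg left out so the analyzer can scan the full home; compensated by read-only ${HOME} at the end of the file`, since line 42 is the control that makes the broad visibility acceptable.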
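diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
new file mode 100644
index 000000000..f5da3782e
--- /dev/null
+++ b/etc/profile-a-l/barrier.profile
@@ -0,0 +1,45 @@
+# Firejail profile for barrier
+# Description: Keyboard and mouse sharing application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include barrier.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.local/share/barrier
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-cache
+private-tmp
+
+memory-deny-write-execute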
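Review bot: barrier takes keyboard and mouse events over the network (`netfilter`, `protocol unix,inet,inet6,netlink`) yet has no `private-etc` line, while bitwarden, bibletime and authenticator in this same commit ship one; if it was tried and broke something, a `# private-etc ... - <reason, TODO confirm>` comment would save the next person repeating the experiment. Minor style: lines 41–42 list `private-dev` before `private-cache`, the only profile here that departs from the alphabetical private-* order.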
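diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
new file mode 100644
index 000000000..8dc3847a0
--- /dev/null
+++ b/etc/profile-a-l/basilisk.profile
@@ -0,0 +1,26 @@
+# Firejail profile for basilisk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include basilisk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/moonchild productions/basilisk
+noblacklist ${HOME}/.moonchild productions/basilisk
+
+mkdir ${HOME}/.cache/moonchild productions/basilisk
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/basilisk
+whitelist ${HOME}/.moonchild productions
+
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+
+#private-bin basilisk
+# private-etc must first be enabled in firefox-common.profile
+#private-etc basilisk
+#private-opt basilisk
+
+# Redirect
+include firefox-common.profile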
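Review bot: Lines 17–18 (`seccomp` immediately followed by `ignore seccomp`) only work if `ignore` applies to directives that come after it, so that this file's full filter stays in force while the one in the included firefox-common.profile is suppressed; the comment on line 16 explains the intent but not that ordering dependency. Suggest extending it: `# 'ignore seccomp' below only drops firefox-common's weaker seccomp line; the full filter above stays active`. Please confirm that this release resolves `ignore` that way before relying on it, since the other reading would leave basilisk with no seccomp filter at all.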
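diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
new file mode 100644
index 000000000..cc1886a49
--- /dev/null
+++ b/etc/profile-a-l/beaker.profile
@@ -0,0 +1,19 @@
+# Firejail profile for beaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include beaker.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Beaker Browser
+
+include disable-devel.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/Beaker Browser
+whitelist ${HOME}/.config/Beaker Browser
+include whitelist-common.inc
+
+# Redirect
+include electron.profile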
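diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
new file mode 100644
index 000000000..99e2802eb
--- /dev/null
+++ b/etc/profile-a-l/bibletime.profile
@@ -0,0 +1,58 @@
+# Firejail profile for bibletime
+# Description: Bible study tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibletime.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bibletime
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.local/share/bibletime
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.bibletime
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.local/share/bibletime
+whitelist ${HOME}/.bibletime
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.local/share/bibletime
+whitelist /usr/share/bibletime
+whitelist /usr/share/sword
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+# private-bin bibletime,qt5ct
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-tmp
+
+dbus-user none
+dbus-system none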
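Review bot: `seccomp !chroot` on line 47 opens a syscall exception with no comment, whereas baloo_file.profile in this commit documents its `!ioprio_set`; a one-liner such as `# chroot needed by <component> (TODO confirm)` keeps the exception reviewable. `blacklist ${HOME}/.bashrc` on line 13 also looks redundant under the whitelist block on lines 25–32, since anything in the home directory that is not whitelisted is already hidden; either drop it or note why it is kept.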
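diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile
new file mode 100644
index 000000000..e868dcbab
--- /dev/null
+++ b/etc/profile-a-l/bibtex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bibtex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibtex.local
+# Persistent global definitions
+include globals.local
+
+private-bin bibtex
+
+# Redirect
+include latex-common.profile
+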
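diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
new file mode 100644
index 000000000..ac1e21ba7
--- /dev/null
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -0,0 +1,49 @@
+# Firejail profile for bitcoin-qt
+# Description: Bitcoin is a peer-to-peer network based digital currency
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bitcoin-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bitcoin
+noblacklist ${HOME}/.config/Bitcoin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.bitcoin
+mkdir ${HOME}/.config/Bitcoin
+whitelist ${HOME}/.bitcoin
+whitelist ${HOME}/.config/Bitcoin
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bitcoin-qt
+private-dev
+# Causes problem with loading of libGL.so
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
+
+memory-deny-write-execute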
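diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
new file mode 100644
index 000000000..62eeb88f3
--- /dev/null
+++ b/etc/profile-a-l/bitlbee.profile
@@ -0,0 +1,40 @@
+# Firejail profile for bitlbee
+# Description: IRC to other chat networks gateway
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bitlbee.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/log
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt
+private
+private-cache
+private-dev
+private-tmp
+
+read-write /var/lib/bitlbee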
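Review bot: This profile has no `caps.drop all`, `noroot`, `nogroups` or `shell none`, unlike every other new profile in the commit, and nothing explains the omission; presumably the daemon starts as root to bind its port and then drops privileges. If so, a minimal `caps.keep` set (e.g. `caps.keep net_bind_service,setuid,setgid` — confirm against what the daemon actually needs) would be tighter than keeping every capability, and the reason should be recorded in a comment either way. `ignore noexec ${HOME}` on line 9 and the disabled `# noblacklist /var/log` on line 13 likewise lack a reason.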
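diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
new file mode 100644
index 000000000..3095e7505
--- /dev/null
+++ b/etc/profile-a-l/bitwarden.profile
@@ -0,0 +1,57 @@
+# Firejail profile for bitwarden
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Bitwarden
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Bitwarden
+whitelist ${HOME}/.config/Bitwarden
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+#tracelog - breaks on Arch
+
+private-bin bitwarden
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-opt Bitwarden
+private-tmp
+
+# breaks appindicator (tray) functionality
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)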
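Review bot: `ignore noexec /tmp` on line 9 re-enables execution from /tmp for a password manager without saying why, and `seccomp !chroot` on line 41 is likewise unexplained. If the /tmp exception is an AppImage or Electron requirement, either tie it to the same condition already used on line 47 (`?HAS_APPIMAGE: ignore noexec /tmp`, if that is the actual trigger — confirm) or add a comment with the reason, so the relaxation is not silently inherited by non-AppImage installs. `?HAS_APPIMAGE: ignore private-dev` on line 47 would also benefit from a short comment on why the AppImage needs the full /dev.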
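diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
new file mode 100644
index 000000000..13e83493d
--- /dev/null
+++ b/etc/profile-a-l/blackbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for blackbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blackbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.blackbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+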
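Review bot: The comment on line 9, `# all applications started in awesome will run in this profile`, was carried over from awesome.profile and names the wrong window manager; it should read `# all applications started in blackbox will run in this profile`. Line 2's description is also the verbatim awesome description and is worth re-checking for the same copy-paste origin. The file ends with an empty line 18, which the sibling profiles avoid.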
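diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
new file mode 100644
index 000000000..8f230a413
--- /dev/null
+++ b/etc/profile-a-l/bleachbit.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bleachbit
+# Description: Delete unnecessary files from the system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bleachbit.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute breaks some systems, see issue #1850
+# memory-deny-write-execute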
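Review bot: `# include disable-programs.inc` (line 18) and `# private-tmp` (line 36) are disabled without a reason, while the `memory-deny-write-execute` exception on lines 41–42 is tied to issue #1850. A cleaner needs to reach other applications' caches, which would justify the first, but that should be stated (`# disable-programs.inc omitted: bleachbit has to clean other applications' data`); the private-tmp one needs its own justification or an issue link, since without it the program shares the host /tmp with everything else.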
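diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
new file mode 100644
index 000000000..b7242c443
--- /dev/null
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+
+# Redirect
+include blender.profile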
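diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
new file mode 100644
index 000000000..6a72fb602
--- /dev/null
+++ b/etc/profile-a-l/blender.profile
@@ -0,0 +1,41 @@
+# Firejail profile for blender
+# Description: Very fast and versatile 3D modeller/renderer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/blender
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# Allow usage of AMD GPU by OpenCL
+noblacklist /sys/module
+whitelist /sys/module/amdgpu
+read-only /sys/module/amdgpu
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+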
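Review bot: Lines 23–25 pair `noblacklist /sys/module` with `whitelist /sys/module/amdgpu`, but whether that whitelist narrows anything depends on `/sys` being a directory this release accepts whitelisting under; if it is not, the `noblacklist` exposes all of `/sys/module` rather than only `amdgpu`. Please confirm on a non-AMD host that the other module directories stay hidden and record the outcome in the comment on line 22, e.g. `# Allow usage of AMD GPU by OpenCL (only amdgpu is exposed; verified on <release>)`. The file also ends with an empty line 41.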
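diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
new file mode 100644
index 000000000..216e86109
--- /dev/null
+++ b/etc/profile-a-l/bless.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bless
+# Description: A full featured hexadecimal editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bless.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bless
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin bash,bless,mono,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,mono
+private-tmp
+
+dbus-user none
+dbus-system none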
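diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
new file mode 100644
index 000000000..2a56bdf94
--- /dev/null
+++ b/etc/profile-a-l/blobwars.profile
@@ -0,0 +1,49 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parallelrealities/blobwars
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none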
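diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
new file mode 100644
index 000000000..88ac9c0ed
--- /dev/null
+++ b/etc/profile-a-l/bluefish.profile
@@ -0,0 +1,40 @@
+# Firejail profile for bluefish
+# Description: Advanced Gtk+ text editor for web and software development
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bluefish.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bluefish
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none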
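diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
new file mode 100644
index 000000000..031f3f4bd
--- /dev/null
+++ b/etc/profile-a-l/bnox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for bnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bnox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/bnox
+noblacklist ${HOME}/.config/bnox
+
+mkdir ${HOME}/.cache/bnox
+mkdir ${HOME}/.config/bnox
+whitelist ${HOME}/.cache/bnox
+whitelist ${HOME}/.config/bnox
+
+# Redirect
+include chromium-common.profile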
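--- /dev/null
+++ b/etc/profile-a-l/brackets.profile
@@ -0,0 +1,34 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brackets.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Brackets
+#noblacklist /opt/brackets
+#noblacklist /opt/google
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot,!ioperm
+shell none
+
+private-cache
+private-dev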
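Review bot: The seccomp exceptions `seccomp !chroot,!ioperm` on line 30 carry no comment naming the component that needs them, so a later auditor cannot tell whether they are still required or can be tightened; suggest a comment above line 30 such as `# !chroot/!ioperm: required by the embedded browser runtime - TODO confirm which component still needs ioperm`. Lines 9-10 are commented-out `noblacklist` entries with no reason given; either document why they are disabled or drop them, since dead options mislead. Compared with the sibling profiles in this commit, `private-tmp`, `tracelog` and `dbus-user none`/`dbus-system none` are absent here without a note saying they break the application.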
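--- /dev/null
+++ b/etc/profile-a-l/brasero.profile
@@ -0,0 +1,37 @@
+# Firejail profile for brasero
+# Description: CD/DVD burning application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brasero.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/brasero
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin brasero
+private-cache
+# private-dev
+# private-tmp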
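Review bot: The disabled options on lines 34, 36 and 37 (`# private-bin brasero`, `# private-dev`, `# private-tmp`) give no reason, unlike other profiles in this commit that annotate a commented option with what it breaks. For `private-dev` the reason is presumably that it would hide the optical drive device nodes a burning tool needs, so a comment like `# private-dev - would hide the optical drive nodes brasero needs (confirm)` would save the next reader from re-testing it. `nodvd` is also intentionally absent for the same reason and deserves a one-line note.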
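--- /dev/null
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (beta channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile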
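--- /dev/null
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (development channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile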
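--- /dev/null
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (nightly channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile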
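--- /dev/null
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (release channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile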
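--- /dev/null
+++ b/etc/profile-a-l/brave-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile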
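--- /dev/null
+++ b/etc/profile-a-l/brave.profile
@@ -0,0 +1,32 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
+# Redirect
+include chromium-common.profile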
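Review bot: `whitelist ${HOME}/.gnupg` on line 26 (together with the `noblacklist` on line 17) exposes the user's entire GnuPG home, secret keys and trust database included, to the browser process, which is a much wider grant than the line-16 comment "brave uses gpg for built-in password manager" suggests. Users who do not rely on that password manager have no hint that they can narrow the sandbox, so the comment should state the trade-off, e.g. `# brave uses gpg for built-in password manager; this exposes the whole ${HOME}/.gnupg keyring to the browser - ignore/blacklist it in brave.local if unused`. `ignore noexec /tmp` on line 10 is already explained, which is the right pattern.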
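--- /dev/null
+++ b/etc/profile-a-l/bsdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+# Redirect
+include bsdtar.profile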
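--- /dev/null
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+# Redirect
+include bsdtar.profile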
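--- /dev/null
+++ b/etc/profile-a-l/bsdtar.profile
@@ -0,0 +1,48 @@
+# Firejail profile for bsdtar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bsdtar.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname bsdtar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# support compressed archives
+private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
+private-cache
+private-dev
+private-etc alternatives,group,localtime,passwd
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute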
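Review bot: `# noroot` on line 28 and `# include disable-devel.inc` on line 12 are disabled without a stated reason, and for an archiver that is run on untrusted archives the missing `noroot` is the more consequential of the two; a one-line note such as `# noroot - breaks extraction as root (confirm)` would let a maintainer re-evaluate it instead of guessing. The `private-bin` list on line 40 includes `bash` and `sh`, which the comment "support compressed archives" does not obviously cover; if the shells are there for external filter programs, say so in the comment, otherwise they widen what the sandboxed process can exec. The trailing blank-then-`memory-deny-write-execute` layout (lines 47-48) matches the other profiles, which is fine.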
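--- /dev/null
+++ b/etc/profile-a-l/bunzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bunzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bunzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile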
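--- /dev/null
+++ b/etc/profile-a-l/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include gzip.profile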
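Review bot: Lines 11-12 (`ignore read-write` / `read-only ${HOME}`) tighten the redirected gzip profile without saying why, and a reader of this five-line wrapper has to open gzip.profile to work out what `read-write` directive is being cancelled. A short comment above line 11, e.g. `# bzcat only reads its input; drop the read-write grant inherited from gzip.profile and keep ${HOME} read-only`, documents the intent in place. The corresponding bunzip2 and bzip2 wrappers do not apply this restriction, which is presumably deliberate since they write output files, but a note to that effect would make the asymmetry explicit.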
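--- /dev/null
+++ b/etc/profile-a-l/bzflag.profile
@@ -0,0 +1,46 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none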
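--- /dev/null
+++ b/etc/profile-a-l/bzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile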
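--- /dev/null
+++ b/etc/profile-a-l/caja.profile
@@ -0,0 +1,43 @@
+# Firejail profile for caja
+# Description: File manager for the MATE desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include caja.local
+# Persistent global definitions
+include globals.local
+
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.local/share/caja-python
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
+# private-bin caja
+# private-dev
+# private-tmp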
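--- /dev/null
+++ b/etc/profile-a-l/calibre.profile
@@ -0,0 +1,38 @@
+# Firejail profile for calibre
+# Description: Powerful and easy to use e-book manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calibre.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/calibre
+noblacklist ${HOME}/.config/calibre
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+private-dev
+private-tmp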
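Review bot: `seccomp !chroot` on line 34 re-enables a syscall that the default filter blocks, with no comment saying which component needs it; for a program that renders untrusted e-book content the reason should be recorded, e.g. `# seccomp !chroot - presumably required by the embedded browser engine's sandbox; confirm`. `disable-interpreters.inc` is omitted from the include block (lines 13-18) while every neighbouring profile includes it; if that is because calibre is itself a Python application, a comment like `# calibre is a python application, so disable-interpreters.inc is not included` makes the omission auditable rather than accidental-looking. `private-bin` and `dbus-user none`/`dbus-system none` are also absent without a note.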
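--- /dev/null
+++ b/etc/profile-a-l/calligra.profile
@@ -0,0 +1,37 @@
+# Firejail profile for calligra
+# Description: Extensive productivity and creative suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligra.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
+private-dev
+
+# dbus-user none
+# dbus-system none
+
+# noexec ${HOME}
+noexec /tmp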
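Review bot: Line 17 `# net none` sits directly above the `netfilter` that replaces it, and lines 33-34 (`# dbus-user none`, `# dbus-system none`) and line 36 (`# noexec ${HOME}`) are likewise disabled with no reason recorded, so a maintainer cannot tell whether they were tested and found to break something or simply never enabled. Either annotate each with what it breaks (the celluloid profile in this same commit does this with `# uses dconf, MPRIS`) or remove the dead lines. The `private-bin` list on line 30 names `kbuildsycoca4` and `kdeinit4`, which look like KDE4-generation helpers; if the packaged calligra is a KDE Frameworks 5 build these entries may no longer match anything and the list is worth confirming.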
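--- /dev/null
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile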
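--- /dev/null
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile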
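--- /dev/null
+++ b/etc/profile-a-l/calligraflow.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile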
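--- /dev/null
+++ b/etc/profile-a-l/calligraplan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile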
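--- /dev/null
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile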
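--- /dev/null
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile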
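--- /dev/null
+++ b/etc/profile-a-l/calligrastage.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile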
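--- /dev/null
+++ b/etc/profile-a-l/calligrawords.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+# Redirect
+include calligra.profile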
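--- /dev/null
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -0,0 +1,55 @@
+# Firejail profile for cameramonitor
+# Description: A little monitor to check your webcam status
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cameramonitor.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cameramonitor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cameramonitor,python*
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - breaks on Arch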
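Review bot: `novideo` on line 40 hides the video device nodes from the sandbox, yet line 2 describes the program as a monitor that checks webcam status; if it determines that status by inspecting the video devices, the sandboxed instance would presumably always report the camera as idle, which silently defeats its purpose. The profile deliberately omits `private-dev` (lines 46-50), which suggests device access was considered, so the two choices look inconsistent and should be confirmed against how the tool actually detects camera use; if `novideo` must go, a comment such as `# novideo - breaks webcam detection` records why. Lines 52-53 (`# dbus-user none`, `# dbus-system none`) are disabled without a reason, unlike line 55 which correctly notes `breaks on Arch`.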
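--- /dev/null
+++ b/etc/profile-a-l/cantata.profile
@@ -0,0 +1,39 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+private-bin cantata,mpd,perl
+private-dev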
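Review bot: Line 3 reads `# This file is overwritten during software install.` while every other profile in this commit uses `# This file is overwritten after every install/update`; the header block is boilerplate that tooling and readers pattern-match on, so it should use the common wording. `# apparmor` on line 25 and `# private-etc ...` on line 37 are disabled with no reason, and `nodvd`, `nogroups`, `notv` and `tracelog`, present in the neighbouring profiles, are absent here without a note saying they break cantata. Recording those reasons inline keeps later hardening passes from re-testing the same options blind.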
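--- /dev/null
+++ b/etc/profile-a-l/catfish.profile
@@ -0,0 +1,50 @@
+# Firejail profile for catfish
+# Description: File searching tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include catfish.local
+# Persistent global definitions
+include globals.local
+
+# We can't blacklist much since catfish
+# is for finding files/content
+
+noblacklist ${HOME}/.config/catfish
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+whitelist /var/lib/mlocate
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# These options work but are disabled in case
+# a users wants to search in these directories.
+# private-bin bash,catfish,env,locate,ls,mlocate,python*
+# private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none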
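Review bot: Line 44 has a grammatical slip, `# a users wants to search in these directories.`, which should read `# a user wants to search in these directories.`. The commented includes on lines 18, 19 and 22 are covered by the rationale on lines 9-10, which is the right way to document a deliberately weak sandbox; it would help to add `nou2f` to the hardening block (lines 27-41) or note why it is left out, since it is the one option present in the sibling profiles that is missing here. Otherwise the profile's comments make the trade-offs clear.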
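--- /dev/null
+++ b/etc/profile-a-l/celluloid.profile
@@ -0,0 +1,54 @@
+# Firejail profile for celluloid
+# Description: Simple GTK+ frontend for mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include celluloid.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin celluloid,env,gnome-mpv,python*,youtube-dl
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+
+# uses dconf, MPRIS
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/celluloid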
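Review bot: `read-only ${HOME}` on line 53 is relaxed only for `${HOME}/.config/celluloid` on line 54, but lines 10-11 also `noblacklist` `${HOME}/.config/gnome-mpv` and `${HOME}/.config/youtube-dl`, so those directories end up visible but unwritable; if the legacy gnome-mpv configuration or a youtube-dl cache needs to be written this will fail silently inside the sandbox. Either add matching `read-write` lines or state that read-only is intended, e.g. `# gnome-mpv/youtube-dl config is exposed read-only on purpose`. `nodvd`, `notv` and `nosound`/`novideo` are understandably absent for a media player, but a one-line note would save the next hardening pass from trying them.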
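--- /dev/null
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -0,0 +1,56 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include checkbashisms.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+private-cache
+private-dev
+private-lib libfreebl3.so,perl*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute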
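--- /dev/null
+++ b/etc/profile-a-l/cheese.profile
@@ -0,0 +1,47 @@
+# Firejail profile for cheese
+# Description: taking pictures and movies from a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cheese.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${VIDEOS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cheese
+private-cache
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none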
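Review bot: `private-dev` is missing from the private-* block (lines 40-44) while the sibling profiles in this commit include it, and nothing records why; the likely reason is that it would hide the webcam device nodes the application captures from, so a comment such as `# private-dev - would hide /dev/video* which cheese needs (confirm)` would make the omission deliberate rather than an oversight. The same applies to the absence of `nosound` and `novideo`, which is obviously intentional for a webcam recorder but is not stated. `dbus-user none` on line 46 is worth a second look given that the profile also whitelists `dconf` in `private-etc`, since GNOME applications commonly reach dconf over the session bus; if it works, a short note saying so would pre-empt bug reports.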
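--- /dev/null
+++ b/etc/profile-a-l/cherrytree.profile
@@ -0,0 +1,43 @@
+# Firejail profile for cherrytree
+# Description: Hierarchical note taking application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cherrytree.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cherrytree
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+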
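Review bot: Line 43 is a trailing blank line at end of file, which no other profile in this commit has; drop it so the files stay uniform. `private-bin`, `apparmor` and `dbus-user none`/`dbus-system none` are absent from the hardening and private-* blocks (lines 24-42) with no comment, whereas the other editors in this commit (bluefish) set all three; if they were tested and found to break cherrytree, record that with a comment, otherwise they look like candidates to add. A python-based application that allows `allow-python2.inc`/`allow-python3.inc` (lines 13-14) is a reasonable place to at least document why `private-bin` was not attempted.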
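--- /dev/null
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for chromium
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile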
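--- /dev/null
+++ b/etc/profile-a-l/chromium-common.profile
@@ -0,0 +1,44 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+nodvd
+nogroups
+notv
+?BROWSER_DISABLE_U2F: nou2f
+shell none
+
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-tmp - problems with multiple browser sessions
+
+# the file dialog needs to work without d-bus
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1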
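Review bot: `caps.keep sys_admin,sys_chroot` on line 30 is the only capability grant in this whole batch of profiles and it carries no comment, while the omitted `nodbus` and `private-tmp` lines on 32 and 41 do explain themselves. It also stands alongside the absence of `seccomp`, `nonewprivs` and `noroot`, which every other non-alias profile in this chunk sets; presumably all of this is required by the browser's own setuid/namespace sandbox, but that is an inference the file should confirm. A comment such as `# caps.keep sys_admin,sys_chroot - needed by the browser's internal sandbox; do not replace with caps.drop all without retesting` would record the reason and make any future hardening attempt deliberate rather than accidental.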
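--- /dev/null
+++ b/etc/profile-a-l/chromium.profile
@@ -0,0 +1,22 @@
+# Firejail profile for chromium
+# Description: A web browser built for speed, simplicity, and security
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/chromium
+noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/chromium-flags.conf
+
+mkdir ${HOME}/.cache/chromium
+mkdir ${HOME}/.config/chromium
+whitelist ${HOME}/.cache/chromium
+whitelist ${HOME}/.config/chromium
+whitelist ${HOME}/.config/chromium-flags.conf
+
+# private-bin chromium,chromium-browser,chromedriver
+
+# Redirect
+include chromium-common.profile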
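Review bot: Line 19 comments out `private-bin chromium,chromium-browser,chromedriver` with no reason, whereas the commented-out directives in chromium-common.profile in this same commit each state what they break. A trailing note in the same style, e.g. `# private-bin chromium,chromium-browser,chromedriver - disabled because <reason>` with the real reason filled in, keeps the line from reading as an oversight and tells a user whether it is safe to enable in chromium.local.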
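--- /dev/null
+++ b/etc/profile-a-l/cin.profile
@@ -0,0 +1,37 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+#nogroups
+nonewprivs
+notv
+nou2f
+noroot
+protocol unix
+
+# if an 1-1.2% gap per thread hurts you, comment seccomp
+seccomp
+shell none
+
+#private-bin cin,ffmpeg
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none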
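Review bot: `#nogroups` (line 21) and `#private-bin cin,ffmpeg` (line 32) are commented out with no explanation, unlike the `seccomp` comment on line 28 that states its cost. Each should say what it broke, e.g. `#nogroups - <reason>`; otherwise a future cleanup has no way to tell a deliberate omission from a leftover. The profile also has no `private-tmp`, which the other desktop media profiles in this chunk (clementine, clipgrab) set; if that is intentional, a one-line comment would help.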
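--- /dev/null
+++ b/etc/profile-a-l/cinelerra.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+
+# Redirect
+include cin.profile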
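--- /dev/null
+++ b/etc/profile-a-l/clamav.profile
@@ -0,0 +1,39 @@
+# Firejail profile for clamav
+# Description: Anti-virus utility for Unix
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clamav.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+
+memory-deny-write-execute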
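Review bot: Only `include disable-exec.inc` is pulled in (line 12), so none of the usual `disable-common.inc`/`disable-passwdmgr.inc`/`disable-programs.inc` blacklists apply and the scanner can read every file under ${HOME}, including the key and password-manager directories that the other profiles in this commit hide. That is presumably intentional for an antivirus scanner, and `read-only ${HOME}` (line 37) together with `net none` and `x11 none` are the compensating controls, but nothing in the file says so. A comment above line 12 such as `# only disable-exec.inc: the scanner must read the whole home directory; read-only ${HOME} below prevents modification` would document the trade-off for whoever maintains clamav.local.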
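--- /dev/null
+++ b/etc/profile-a-l/clamdscan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+# Redirect
+include clamav.profile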
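--- /dev/null
+++ b/etc/profile-a-l/clamdtop.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+# Redirect
+include clamav.profile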
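--- /dev/null
+++ b/etc/profile-a-l/clamscan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+# Redirect
+include clamav.profile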
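--- /dev/null
+++ b/etc/profile-a-l/clamtk.profile
@@ -0,0 +1,29 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamtk.local
+# Persistent global definitions
+include globals.local
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+
+dbus-user none
+dbus-system none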
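Review bot: clamtk.profile mirrors clamav.profile but drops its `read-only ${HOME}` and `memory-deny-write-execute` lines, so the GUI front-end keeps write access to the whole home directory while still having only `include disable-exec.inc` (line 8) as a blacklist. If the GUI needs to persist its settings somewhere under ${HOME}, naming that path in a comment would let the write scope be narrowed to a `read-only ${HOME}` / `read-write ${HOME}/<settings dir>` pair, the pattern the agenda and Foliate profiles in this commit use.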
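--- /dev/null
+++ b/etc/profile-a-l/claws-mail.profile
@@ -0,0 +1,22 @@
+# Firejail profile for claws-mail
+# Description: Fast, lightweight and user-friendly GTK+2 based email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include claws-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.claws-mail
+
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+
+# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local)
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+
+whitelist /usr/share/doc/claws-mail
+
+# Redirect
+include email-common.profile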
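--- /dev/null
+++ b/etc/profile-a-l/clawsker.profile
@@ -0,0 +1,55 @@
+# Firejail profile for clawsker
+# Description: An applet to edit Claws Mail's hidden preferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clawsker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.claws-mail
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+whitelist /usr/share/perl5
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,clawsker,perl,sh,which
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)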
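--- /dev/null
+++ b/etc/profile-a-l/clementine.profile
@@ -0,0 +1,33 @@
+# Firejail profile for clementine
+# Description: Modern music player and library organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clementine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Clementine
+noblacklist ${HOME}/.config/Clementine
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks clementine
+seccomp !ioprio_set
+
+private-dev
+private-tmp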
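Review bot: The profile omits `shell none`, `nogroups`, `nodvd` and `include disable-exec.inc`, each of which appears in nearly every other non-alias profile in this commit, and nothing explains the omissions. The `seccomp !ioprio_set` line is the right model — its comment on line 29 states exactly why the exception exists. Either add `shell none` and `nogroups` after `protocol unix,inet,inet6`, or add a comment on why they break clementine, so the profile is consistent with its siblings.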
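--- /dev/null
+++ b/etc/profile-a-l/clion.profile
@@ -0,0 +1,38 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+# private-tmp
+
+noexec /tmp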
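Review bot: Lines 10, 11 and 14 expose `~/.gitconfig`, `~/.git-credentials` and `~/.ssh` to a networked IDE sandbox (`netfilter`, `protocol unix,inet,inet6`), which makes long-lived credentials readable by any plugin or build tool the IDE launches, and no comment records that this is a deliberate choice. A comment such as `# .ssh and .git-credentials are exposed for the IDE's VCS integration; move these noblacklist lines to clion.local if you do not need it` would document the trade-off and point users at the narrower option. `# private-tmp` on line 36 is also commented out without a reason, with `noexec /tmp` on line 38 only partly compensating.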
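--- /dev/null
+++ b/etc/profile-a-l/clipgrab.profile
@@ -0,0 +1,47 @@
+# Firejail profile for clipgrab
+# Description: A free video downloader and converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipgrab.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Philipp Schmieder
+noblacklist ${HOME}/.pki
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# dbus-user none
+# dbus-system none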
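Review bot: `seccomp !chroot` (line 37) re-enables a syscall in the default filter with no comment, whereas clementine.profile's `seccomp !ioprio_set` in this same commit explains why its exception exists. Add `# chroot is needed by <component> (see <issue/reason>)` above the line, with the placeholders filled in, so the exception stays traceable when the filter is next reviewed.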
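--- /dev/null
+++ b/etc/profile-a-l/clipit.profile
@@ -0,0 +1,50 @@
+# Firejail profile for clipit
+# Description: Lightweight GTK+ clipboard manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/clipit
+noblacklist ${HOME}/.local/share/clipit
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/clipit
+mkdir ${HOME}/.local/share/clipit
+whitelist ${HOME}/.config/clipit
+whitelist ${HOME}/.local/share/clipit
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+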
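--- /dev/null
+++ b/etc/profile-a-l/cliqz.profile
@@ -0,0 +1,23 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cliqz.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cliqz
+noblacklist ${HOME}/.cliqz
+noblacklist ${HOME}/.config/cliqz
+
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.cliqz
+whitelist ${HOME}/.config/cliqz
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cliqz
+
+# Redirect
+include firefox-common.profile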
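--- /dev/null
+++ b/etc/profile-a-l/clocks.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-clocks.profile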
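--- /dev/null
+++ b/etc/profile-a-l/cmus.profile
@@ -0,0 +1,30 @@
+# Firejail profile for cmus
+# Description: Lightweight ncurses audio player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cmus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cmus
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin cmus
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl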
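--- /dev/null
+++ b/etc/profile-a-l/code-oss.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include code.profile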
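--- /dev/null
+++ b/etc/profile-a-l/code.profile
@@ -0,0 +1,42 @@
+# Firejail profile for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
+noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.vscode-oss
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+# Disabling noexec ${HOME} for now since it will
+# probably interfere with running some programmes
+# in VS Code
+# noexec ${HOME}
+noexec /tmp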
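--- /dev/null
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -0,0 +1,60 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda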
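--- /dev/null
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -0,0 +1,62 @@
+# Firejail profile for foliate
+# Description: Simple and modern GTK eBook reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include foliate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
+mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/hyphen
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.johnfactotum.Foliate,gjs
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
+read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate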
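Review bot: Line 5 reads `include foliate.local`, but the file is `com.github.johnfactotum.Foliate.profile`; every other profile in this commit names its local file after the profile (the agenda profile uses `include com.github.dahenson.agenda.local`), so a user who follows the `# Persistent local customizations` convention and creates `com.github.johnfactotum.Foliate.local` will find it silently ignored. Either change line 5 to `include com.github.johnfactotum.Foliate.local`, or add a comment stating that customizations belong in `foliate.local`. The header on line 1 (`# Firejail profile for foliate`) should match whichever name is chosen.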
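--- /dev/null
+++ b/etc/profile-a-l/conkeror.profile
@@ -0,0 +1,36 @@
+# Firejail profile for conkeror
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conkeror.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.conkeror.mozdev.org
+
+include disable-common.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
+whitelist ${HOME}/.conkeror.mozdev.org
+whitelist ${HOME}/.conkerorrc
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt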
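Review bot: `whitelist ${HOME}/.lastpass` on line 17 hands a password-manager data directory to a networked browser sandbox with no comment, and `disable-passwdmgr.inc` is not among the includes on lines 10-11; presumably this serves the LastPass extension, but the profile does not say. The section also lacks `shell none`, `nou2f`, `nogroups`, `private-dev` and `private-tmp`, which the other browser-derived profile here (chromium-common) and most desktop profiles in this commit set. A comment such as `# .lastpass/.zotero/.pentadactyl are whitelisted for their browser extensions; drop the lines in conkeror.local if unused` would make the exposure a documented choice.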
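--- /dev/null
+++ b/etc/profile-a-l/conky.profile
@@ -0,0 +1,46 @@
+# Firejail profile for conky
+# Description: Highly configurable system monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conky.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute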
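--- /dev/null
+++ b/etc/profile-a-l/conplay.profile
@@ -0,0 +1,18 @@
+# Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+## system-wide profile
+#+ overrides
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+whitelist /usr/share/perl5
+
+# Redirect
+include mpg123.profile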
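--- /dev/null
+++ b/etc/profile-a-l/corebird.profile
@@ -0,0 +1,37 @@
+# Firejail profile for corebird
+# Description: Native Gtk+ Twitter client for the Linux desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include corebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/corebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+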
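--- /dev/null
+++ b/etc/profile-a-l/cower.profile
@@ -0,0 +1,49 @@
+# Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cower.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cower
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin cower
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute
+
+read-only ${HOME}/.config/cower/config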
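--- /dev/null
+++ b/etc/profile-a-l/cpio.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cpio
+# Description: A program to manage archives of files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cpio.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute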
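Review bot: `noroot` is missing from the hardening block (`caps.drop all`, `nogroups`, `nonewprivs` are present, `noroot` is not), while every other non-alias profile visible in this chunk sets it. If cpio is deliberately allowed to keep a root user namespace so archives can be extracted with ownership preserved, record that next to the block, e.g. `# noroot - cpio is commonly run as root to preserve file ownership`; otherwise add `noroot`. Separately, `# include disable-devel.inc` is commented out with no reason given, and the same undocumented commented-out includes recur in deluge (`# include disable-devel.inc`) and dig (`# include disable-devel.inc`, `# include disable-interpreters.inc`); the trailing-rationale style already used in this series, such as `# net none - breaks on Ubuntu`, should be applied to each so maintainers know whether they are safe to enable.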
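--- /dev/null
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+
+ignore no3d
+
+# Redirect
+include crawl.profile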
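--- /dev/null
+++ b/etc/profile-a-l/crawl.profile
@@ -0,0 +1,47 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.crawl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none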
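Review bot: The local-customization hook does not match the file name: crawl.profile includes `crawl-tiles.local` and its header reads `# Firejail profile for crawl-tiles`, whereas every other profile in this series includes `<profile-name>.local`. A user who follows that convention and creates crawl.local will find it silently ignored; crawl-tiles users are unaffected only because crawl-tiles.profile redirects here. Change the two lines to `# Firejail profile for crawl` and `include crawl.local`, and let crawl-tiles.profile carry its own `include crawl-tiles.local` if that hook is wanted.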
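--- /dev/null
+++ b/etc/profile-a-l/crow.profile
@@ -0,0 +1,45 @@
+# Firejail profile for crow
+# Description: A translator that allows to translate and say selected text using Google, Yandex and Bing translate API
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crow.local
+# Persistent global definitions
+include globals.local
+
+mkdir ${HOME}/.config/crow
+mkdir ${HOME}/.cache/gstreamer-1.0
+whitelist ${HOME}/.config/crow
+whitelist ${HOME}/.cache/gstreamer-1.0
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin crow
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt none
+private-tmp
+private-srv none
+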
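Review bot: The `mkdir`/`whitelist` block is placed before the disable-*.inc includes, whereas every other profile here puts it after them next to `include whitelist-common.inc` (crawl, d-feet, devilspie), and the two paths are not paired with `noblacklist` lines the way crawl and cyberfox pair theirs. Whether `${HOME}/.config/crow` or `${HOME}/.cache/gstreamer-1.0` is caught by disable-programs.inc is not visible in this chunk, so please confirm the whitelists take effect as written. Moving the four lines below `include disable-xdg.inc` would match the series layout. The file also ends with an empty line after `private-srv none`; darktable and deadbeef end the same way.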
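--- /dev/null
+++ b/etc/profile-a-l/cryptocat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Cryptocat
+# This file is overwritten after every install/update
+
+# Redirect
+include Cryptocat.profile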
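--- /dev/null
+++ b/etc/profile-a-l/curl.profile
@@ -0,0 +1,52 @@
+# Firejail profile for curl
+# Description: Command line tool for transferring data with URL syntax
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include curl.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.curlrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+#include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin curl
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none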
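Review bot: `blacklist ${RUNUSER}/wayland-*` appears redundant immediately before `blacklist ${RUNUSER}`, which already covers the whole directory; the identical pair appears in dig.profile. Dropping the wildcard line in both files removes the duplication without changing what is reachable. `# private-bin curl` and `# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl` are commented out with no reason, unlike the `# net none - breaks on Ubuntu` style used elsewhere in the series; a short trailing explanation on each would tell maintainers whether they are safe to enable.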
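--- /dev/null
+++ b/etc/profile-a-l/cvlc.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cvlc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cvlc.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# cvlc doesn't like private-bin
+ignore private-bin
+
+# Redirect
+include vlc.profile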
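--- /dev/null
+++ b/etc/profile-a-l/cyberfox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for cyberfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cyberfox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.8pecxstudios
+noblacklist ${HOME}/.cache/8pecxstudios
+
+mkdir ${HOME}/.8pecxstudios
+mkdir ${HOME}/.cache/8pecxstudios
+whitelist ${HOME}/.8pecxstudios
+whitelist ${HOME}/.cache/8pecxstudios
+
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cyberfox
+
+# Redirect
+include firefox-common.profile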
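--- /dev/null
+++ b/etc/profile-a-l/d-feet.profile
@@ -0,0 +1,55 @@
+# Firejail profile for d-feet
+# Description: D-Bus debugger for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include d-feet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/d-feet
+
+# Allow python (disabled by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/d-feet
+whitelist ${HOME}/.config/d-feet
+whitelist /usr/share/d-feet
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin d-feet,python*
+private-cache
+private-dev
+private-etc alternatives,dbus-1,fonts,machine-id
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)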
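Review bot: The comment above `include allow-python2.inc` reads `# Allow python (disabled by disable-interpreters.inc)` while ddgtk and deluge write `# Allow python (blacklisted by disable-interpreters.inc)`; the directive being undone is `blacklist`, so the latter wording is the accurate one. Suggest `# Allow python (blacklisted by disable-interpreters.inc)` here for consistency across the series.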
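--- /dev/null
+++ b/etc/profile-a-l/darktable.profile
@@ -0,0 +1,38 @@
+# Firejail profile for darktable
+# Description: Virtual lighttable and darkroom for photographers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include darktable.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/darktable
+noblacklist ${HOME}/.config/darktable
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin darktable
+private-dev
+private-tmp
+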
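Review bot: `#private-bin darktable` is commented out with no rationale, so a maintainer cannot tell whether it was found to break the application or was simply never tested; either append the reason in the series' style (`#private-bin darktable - <reason>`, with the real reason filled in) or remove the dead line. The same applies to `#private-bin dia` in dia.profile. The profile also has neither `dbus-user none`/`dbus-system none` nor a comment explaining their absence, unlike most other profiles in this chunk; darktable may rely on the session bus for desktop integration, so confirm before adding them.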
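--- /dev/null
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -0,0 +1,46 @@
+# Firejail profile for dconf-editor
+# Description: dconf configuration editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf-editor.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.local/share/glib-2.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none - breaks application on older versions
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin dconf-editor
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-lib
+private-tmp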
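Review bot: `whitelist ${HOME}/.local/share/glib-2.0` is not preceded by a `mkdir` for that path, while the other whitelisted home directories in this series (crawl, d-feet, devilspie) get one; as far as I know firejail skips a whitelist whose target does not exist yet, so on a fresh account dconf-editor would start without it. If user schemas are expected there, add `mkdir ${HOME}/.local/share/glib-2.0` before the whitelist; dconf.profile carries the same whitelist line without a mkdir.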
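--- /dev/null
+++ b/etc/profile-a-l/dconf.profile
@@ -0,0 +1,53 @@
+# Firejail profile for dconf
+# Description: Configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.local/share/glib-2.0
+# dconf paths are whitelisted by the following
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin dconf,gsettings
+private-cache
+private-dev
+private-etc alternatives,dconf
+private-lib
+private-tmp
+
+memory-deny-write-execute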
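--- /dev/null
+++ b/etc/profile-a-l/ddgtk.profile
@@ -0,0 +1,55 @@
+# Firejail profile for ddgtk
+# Description: A frontend GUI to dd for making bootable USB disks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ddgtk.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist /usr/share/ddgtk
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch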
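Review bot: `private-dev` is the one private-* directive missing from this profile, and with `dd` and `lsblk` in `private-bin` the omission is presumably deliberate because the tool needs the block devices under /dev. Record that so it is not re-added by a later cleanup: `# private-dev - breaks access to the block devices ddgtk writes to`, placed next to `private-cache`. It would also help to note how writing raw disks is expected to work under `noroot` and `nonewprivs`, which normally rule out the elevated privileges such writes need — confirm the intended invocation has been tested with this profile.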
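--- /dev/null
+++ b/etc/profile-a-l/deadbeef.profile
@@ -0,0 +1,35 @@
+# Firejail profile for deadbeef
+# Description: A GTK+ audio player for GNU/Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include deadbeef.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/deadbeef
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+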
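Review bot: `nodvd` is the one option absent from a hardening block that otherwise matches the rest of the series; for an audio player the omission is plausibly deliberate (audio CD playback), but the other profiles that leave an option out explain it, e.g. `# private-dev - prevents libdc1394 loading; …` in digikam. Add `# nodvd - needed for audio CD playback` (or whatever the actual reason is) so the omission is visibly intentional rather than an oversight.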
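--- /dev/null
+++ b/etc/profile-a-l/default.profile
@@ -0,0 +1,59 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include default.local
+# Persistent global definitions
+include globals.local
+
+# generic gui profile
+# depending on your usage, you can enable some of the commands below:
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+# ipc-namespace
+# machine-id
+# net none
+netfilter
+# no3d
+# nodvd
+# nogroups
+nonewprivs
+noroot
+# nosound
+# notv
+# nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+# shell none
+# tracelog
+
+# disable-mnt
+# private
+# private-bin program
+# private-cache
+# private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# private-lib
+# private-opt none
+# private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}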
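--- /dev/null
+++ b/etc/profile-a-l/deluge.profile
@@ -0,0 +1,46 @@
+# Firejail profile for deluge
+# Description: BitTorrent client written in Python/PyGTK
+# This file is overwritten after every install/update
+# Persistent local customizations
+include deluge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/deluge
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/deluge
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/deluge
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# deluge is using python on Debian
+private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
+private-dev
+private-tmp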
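Review bot: `nogroups` is absent from the hardening block while the neighbouring profiles with a similar footprint (desktopeditors, dia, digikam) all set it between `nodvd` and `nonewprivs`. If a known breakage is the reason, a comment in the existing `# net none - breaks on Ubuntu` style should say so; otherwise add `nogroups` after `nodvd`.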
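--- /dev/null
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -0,0 +1,45 @@
+# Firejail profile for desktopeditors
+# Description: ONLYOFFICE DesktopEditors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desktopeditors.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin desktopeditors,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none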
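--- /dev/null
+++ b/etc/profile-a-l/devhelp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for devhelp
+# Description: API documentation browser for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devhelp.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+# net none - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devhelp
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+
+read-only ${HOME}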
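Review bot: Two consecutive empty lines follow `include globals.local`, where every other profile in the series has one. Separately, `ssl` is listed in `private-etc` although `protocol unix` rules out inet sockets, so the CA store looks unusable from inside the sandbox; if devhelp has no other use for /etc/ssl, drop it from `private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl`, otherwise a short comment explaining the need would help.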
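--- /dev/null
+++ b/etc/profile-a-l/devilspie.profile
@@ -0,0 +1,60 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.devilspie
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.devilspie
+whitelist ${HOME}/.devilspie
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc alternatives
+private-lib gconv
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+read-only ${HOME}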
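Review bot: `x11 none` together with `net none` looks incompatible with a window-matching daemon: `x11 none` hides the X socket directory and unsets DISPLAY, and `net none` puts the process in its own network namespace so the abstract X socket is unreachable too, leaving devilspie no evident path to the display. If the profile has been verified to work, a comment on `x11 none` explaining how the daemon still reaches X would save the next reviewer the same question; otherwise `x11 none` should be dropped. devilspie2.profile inherits this block through its redirect.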
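--- /dev/null
+++ b/etc/profile-a-l/devilspie2.profile
@@ -0,0 +1,24 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie2.local
+# Persistent global definitions
+#include globals.local
+
+blacklist ${HOME}/.devilspie
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/devilspie2
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+mkdir ${HOME}/.config/devilspie2
+whitelist ${HOME}/.config/devilspie2
+
+private-bin devilspie2
+
+# Redirect
+include devilspie.profile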
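Review bot: `blacklist ${RUNUSER}/wayland-*` duplicates the identical line in devilspie.profile, which this file pulls in via `include devilspie.profile`, so it can be dropped here. `#include globals.local` is commented out without the `# added by included profile` note that cvlc.profile uses for the same situation; adding that comment keeps the redirect profiles consistent and explains why the global include is disabled.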
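--- /dev/null
+++ b/etc/profile-a-l/dex2jar.profile
@@ -0,0 +1,42 @@
+# Firejail profile for dex2jar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dex2jar.local
+# Persistent global definitions
+include globals.local
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none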
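Review bot: `private-tmp` is missing from the private-* block (`private-bin`, `private-cache`, `private-dev` are present), unlike the other non-alias profiles in this series. dex2jar works on archives the user feeds it, so an isolated /tmp is a cheap extra boundary; add `private-tmp` after `private-dev` unless the JVM has been seen to need the shared /tmp, in which case a comment should say so. `disable-mnt` is likewise absent without explanation.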
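--- /dev/null
+++ b/etc/profile-a-l/dia.profile
@@ -0,0 +1,47 @@
+# Firejail profile for dia
+# Description: Diagram editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dia.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dia
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+#private-bin dia
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none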
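Review bot: `include allow-python2.inc` and `include allow-python3.inc` sit in the middle of the disable-*.inc block and lack the `# Allow python (blacklisted by disable-interpreters.inc)` comment that d-feet, ddgtk and deluge place above theirs. They still come before `include disable-interpreters.inc`, so the ordering appears to work, but moving them into their own commented group ahead of `include disable-common.inc` would match the rest of the series and make the intent obvious.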
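--- /dev/null
+++ b/etc/profile-a-l/dig.profile
@@ -0,0 +1,60 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dig.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkfile ${HOME}/.digrc -- see #903
+whitelist ${HOME}/.digrc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dig,sh
+private-dev
+# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute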
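--- /dev/null
+++ b/etc/profile-a-l/digikam.profile
@@ -0,0 +1,43 @@
+# Firejail profile for digikam
+# Description: Digital photo management application for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include digikam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/digikam
+noblacklist ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
+
+# dbus-user none
+# dbus-system none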
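Review bot: The disabled hardening lines 39, 42 and 43 (`# private-etc …`, `# dbus-user none`, `# dbus-system none`) carry no reason, unlike line 38, which explains why `private-dev` is left out. Without a note a later maintainer cannot tell whether these were tested and found to break digikam or were never tried, so a suffix in the style already used in this file, e.g. `# dbus-user none - breaks <what breaks, to be confirmed>`, would settle it. The same pattern appears in dolphin.profile (lines 26 and 40), easystroke.profile (lines 53 and 54), electrum.profile (lines 52 and 53) and elinks.profile (lines 39 and 42).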
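--- /dev/null
+++ b/etc/profile-a-l/dillo.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dillo
+# Description: Small and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dillo.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dillo
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.dillo
+mkdir ${HOME}/.fltk
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dillo
+whitelist ${HOME}/.fltk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp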
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for dino | ||
2 | # Description: Modern XMPP Chat Client using GTK+/Vala | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include dino.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/dino | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | mkdir ${HOME}/.local/share/dino | ||
19 | whitelist ${HOME}/.local/share/dino | ||
20 | whitelist ${DOWNLOADS} | ||
21 | include whitelist-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | no3d | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix,inet,inet6 | ||
35 | seccomp | ||
36 | shell none | ||
37 | |||
38 | disable-mnt | ||
39 | private-bin dino | ||
40 | private-dev | ||
41 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection | ||
42 | private-tmp | ||
43 | |||
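Review bot: Line 43 is a trailing empty line at end of file, which the other profiles in this set avoid; dooble.profile (line 41) and dragon.profile (line 40) have the same stray line. Removing it keeps the files uniform and avoids whitespace-only noise in later diffs.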
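--- /dev/null
+++ b/etc/profile-a-l/discord-canary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-canary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-canary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordcanary
+
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+
+private-bin discord-canary
+private-opt discord-canary
+
+# Redirect
+include discord-common.profile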
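Review bot: The header has no `# Description:` line after line 1, which the other application profiles in this set carry (dig, digikam, dillo, dino); the same is true of discord-common, discord, display, dnox, dooble and dropbox. Adding `# Description: <one-line description of discord-canary>` keeps the headers uniform and lets tooling that reads the description field treat these files like the rest.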
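--- /dev/null
+++ b/etc/profile-a-l/discord-common.profile
@@ -0,0 +1,38 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
+private-tmp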
@@ -0,0 +1,17 @@ | |||
1 | # Firejail profile for discord | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include discord.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/discord | ||
9 | |||
10 | mkdir ${HOME}/.config/discord | ||
11 | whitelist ${HOME}/.config/discord | ||
12 | |||
13 | private-bin discord | ||
14 | private-opt discord | ||
15 | |||
16 | # Redirect | ||
17 | include discord-common.profile | ||
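--- /dev/null
+++ b/etc/profile-a-l/display.profile
@@ -0,0 +1,46 @@
+# Firejail profile for display
+# This file is overwritten after every install/update
+# Persistent local customizations
+include display.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+# x11 xorg - problems on kubuntu 17.04
+
+private-bin display,python*
+private-dev
+# On Debian-based systems, display is a symlink in /etc/alternatives
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none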
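--- /dev/null
+++ b/etc/profile-a-l/dnox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for dnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dnox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/dnox
+noblacklist ${HOME}/.config/dnox
+
+mkdir ${HOME}/.cache/dnox
+mkdir ${HOME}/.config/dnox
+whitelist ${HOME}/.cache/dnox
+whitelist ${HOME}/.config/dnox
+
+# Redirect
+include chromium-common.profile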
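--- /dev/null
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -0,0 +1,54 @@
+# Firejail profile for dnscrypt-proxy
+# Description: Tool for securing communications between a client and a DNS resolver
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnscrypt-proxy.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/dnscrypt-proxy
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
+
+disable-mnt
+private
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+# mdwe can break modules/plugins
+memory-deny-write-execute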
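Review bot: The `seccomp.drop` list on line 41 names `perf_event_open` twice; the duplicate is harmless to the filter but makes the list harder to audit against the default set, so one copy should be removed. Because this profile spells out its own drop list instead of plain `seccomp`, a short comment above line 41 stating why the default filter is not used (presumably the retained `sys_chroot`/`setuid` capabilities on line 29 need syscalls the default blocks, to be confirmed) would let reviewers check the list against that intent. The comment on line 53, `# mdwe can break modules/plugins`, reads as a warning yet the option is enabled directly below it; rewording it as `# memory-deny-write-execute may break plugins - put 'ignore memory-deny-write-execute' in dnscrypt-proxy.local if needed` states the actionable part.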
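--- /dev/null
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dnsmasq
+# Description: Small caching DNS proxy and DHCP/TFTP server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnsmasq.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+private
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none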
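Review bot: Compared with the sibling network-daemon profile dnscrypt-proxy.profile, this one omits `include disable-exec.inc`, `apparmor`, `ipc-namespace`, `machine-id`, `shell none`, `tracelog` and the two `dbus-* none` lines, while keeping a broader capability set on line 23 (`net_admin`, `net_raw`). A daemon that retains raw-socket and network-admin capabilities is exactly where the extra confinement pays off, so the gap deserves either the missing lines or a comment explaining why dnsmasq cannot take them. The D-Bus lines should be added only if the dnsmasq D-Bus interface is not in use on the target system, which the profile cannot know; a `# dbus-system none - conflicts with dnsmasq's D-Bus interface, set in dnsmasq.local if unused` note would document that choice.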
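--- /dev/null
+++ b/etc/profile-a-l/dolphin.profile
@@ -0,0 +1,42 @@
+# Firejail profile for dolphin
+# Description: File manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/dolphinrc
+# noblacklist ${HOME}/.local/share/dolphin
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+# include disable-programs.inc
+
+allusers
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+join-or-start dolphin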
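Review bot: Line 24 `allusers` exposes every user's home directory inside the sandbox, a significant relaxation for a profile whose other lines work hard to hide files, yet it carries no comment; lines 26 (`# net none`) and 40 (`# private-tmp`) are likewise disabled without a reason, whereas line 22 documents why `disable-programs.inc` is skipped. A file manager browsing other users' homes is a plausible reason for `allusers`, but that is an inference, so a note in the author's own style such as `# allusers - dolphin is used to browse other users' directories - confirm` would record it. A similar one-phrase reason on lines 26 and 40 would let a maintainer judge whether those options can be re-enabled later.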
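--- /dev/null
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+# Redirect
+include dooble.profile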
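--- /dev/null
+++ b/etc/profile-a-l/dooble.profile
@@ -0,0 +1,41 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dooble.local
+# Backward compatibility
+include dooble-qt4.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dooble
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+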
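--- /dev/null
+++ b/etc/profile-a-l/dosbox.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dosbox
+# Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dosbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dosbox
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp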
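--- /dev/null
+++ b/etc/profile-a-l/dragon.profile
@@ -0,0 +1,40 @@
+# Firejail profile for dragon
+# Description: A multimedia player where the focus is on simplicity, instead of features
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dragon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/dragonplayerrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/dragonplayer
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin dragon
+private-dev
+private-tmp
+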
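Review bot: This is the only application profile in the set that leaves out `nodvd` (between `netfilter` on line 26 and `nogroups` on line 27, where every sibling has it). For a media player (line 2) the omission is presumably intentional so that optical discs remain playable, but nothing in the file says so, and a reader comparing profiles will assume it was forgotten. A one-line marker in the position the option would occupy, `# nodvd - dragon plays DVDs`, would make the exception explicit and prevent someone "fixing" it later.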
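--- /dev/null
+++ b/etc/profile-a-l/drawio.profile
@@ -0,0 +1,53 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch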
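--- /dev/null
+++ b/etc/profile-a-l/dropbox.profile
@@ -0,0 +1,46 @@
+# Firejail profile for dropbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dropbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.dropbox
+noblacklist ${HOME}/.dropbox-dist
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.dropbox
+mkdir ${HOME}/.dropbox-dist
+mkdir ${HOME}/Dropbox
+mkfile ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.dropbox
+whitelist ${HOME}/.dropbox-dist
+whitelist ${HOME}/Dropbox
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp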
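Review bot: `include disable-exec.inc` is absent from the include block (lines 12-16) while the profile whitelists and creates `${HOME}/.dropbox-dist` (lines 19 and 24), so executables under the home directory remain runnable; this is presumably required because the client is installed there, but the file does not say so, and the standalone `noexec /tmp` on line 46 reads as a partial substitute without explanation. A comment such as `# disable-exec.inc would block the self-updating client in ~/.dropbox-dist - confirm` above line 12, and `# private-tmp is enabled above; keep /tmp non-executable` on line 46, would record the trade-off. Line 20 also hard-codes `${HOME}/Dropbox`, so users with a relocated sync folder must whitelist it in dropbox.local; a one-line hint to that effect next to line 20 would save them the debugging.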
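--- /dev/null
+++ b/etc/profile-a-l/easystroke.profile
@@ -0,0 +1,56 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include easystroke.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute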
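--- /dev/null
+++ b/etc/profile-a-l/ebook-viewer.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-viewer.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile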
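--- /dev/null
+++ b/etc/profile-a-l/electron-mail.profile
@@ -0,0 +1,55 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/electron-mail
+
+whitelist ${DOWNLOADS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt ElectronMail
+private-tmp
+
+# breaks tray functionality
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - breaks on Arch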
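Review bot: `whitelist ${DOWNLOADS}` sits alone on line 11, ahead of the disable-*.inc includes, while the rest of the whitelist section is grouped at lines 21-26; every other profile in this set (dino, dooble, drawio) keeps all whitelist lines together after the includes. Moving line 11 down to follow line 22 `whitelist ${HOME}/.config/electron-mail` matches the shared layout and makes the set of exposed paths readable at a glance.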
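--- /dev/null
+++ b/etc/profile-a-l/electron.profile
@@ -0,0 +1,27 @@
+# Firejail profile for electron
+# Description: Build cross platform desktop apps with web technologies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${DOWNLOADS}
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+
+dbus-user none
+dbus-system none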
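Review bot: Line 13 `whitelist ${DOWNLOADS}` is the only whitelist directive and is not followed by `include whitelist-common.inc`, whereas every other profile in this set that whitelists a home path pairs the two (dino lines 20-21, dooble lines 20-22, drawio lines 20-22). If the omission is deliberate for a generic base profile, a comment saying so would stop it being "corrected"; otherwise adding `include whitelist-common.inc` after line 13 brings it in line with its siblings. The profile also lacks the `# Description`-style rationale for skipping `disable-devel.inc`, `disable-exec.inc` and `disable-interpreters.inc` that the other profiles include, which is understandable for a catch-all Electron launcher but worth one line of explanation.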
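--- /dev/null
+++ b/etc/profile-a-l/electrum.profile
@@ -0,0 +1,53 @@
+# Firejail profile for electrum
+# Description: Lightweight Bitcoin wallet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electrum.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.electrum
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.electrum
+whitelist ${HOME}/.electrum
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin electrum,python*
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# dbus-user none
+# dbus-system none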
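--- /dev/null
+++ b/etc/profile-a-l/elinks.profile
@@ -0,0 +1,43 @@
+# Firejail profile for elinks
+# Description: Advanced text-mode WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include elinks.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.elinks
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin elinks
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp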
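--- /dev/null
+++ b/etc/profile-a-l/emacs.profile
@@ -0,0 +1,31 @@
+# Firejail profile for emacs
+# Description: GNU Emacs editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include emacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+# if you need gpg uncomment the following line
+# or put it into your emacs.local
+#noblacklist ${HOME}/.gnupg
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp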
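--- /dev/null
+++ b/etc/profile-a-l/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
+noblacklist ${HOME}/Mail
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var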
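Review bot: The comment `# encrypting and signing email` on line 61 sits directly above `read-only ${HOME}/.config/mimeapps.list`, which has nothing to do with encryption; it presumably explains `writable-run-user` on line 63 (the gpg-agent socket lives under the run-user directory) or the `.gnupg` whitelist further up. Move it onto the line it describes, e.g. `# writable-run-user is needed for the gpg-agent socket when encrypting and signing email`, and give the `read-only` line its own short comment. `whitelist ${HOME}/.gnupg` on line 31 exposes the whole keyring directory read-write to the mail client; that is expected for gpg use, but a comment saying so would keep someone from tightening it to `read-only` and breaking key access.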
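--- /dev/null
+++ b/etc/profile-a-l/empathy.profile
@@ -0,0 +1,26 @@
+# Firejail profile for empathy
+# Description: GNOME multi-protocol chat and call client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include empathy.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+private-cache
+private-tmp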
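Review bot: `include disable-passwdmgr.inc` is missing from the disable block on lines 10-13, although nearly every other profile in this series that includes `disable-common.inc` also includes it; a chat client has no reason to see password-manager data, so add it unless a known breakage exists, in which case a comment should say so. Lines 8-9 are two consecutive blank lines where the rest of the series uses one. `shell none`, `nou2f` and `private-dev` are also absent; `nosound`/`novideo` are rightly left out for a call client, but those three are unrelated to calls and would match the sibling profiles.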
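--- /dev/null
+++ b/etc/profile-a-l/enchant-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile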
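--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile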
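--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile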
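--- /dev/null
+++ b/etc/profile-a-l/enchant.profile
@@ -0,0 +1,58 @@
+# Firejail profile for enchant
+# Description: Wrapper for various spell checker engines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/enchant
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin enchant,enchant-*
+private-cache
+private-dev
+private-etc alternatives
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute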
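--- /dev/null
+++ b/etc/profile-a-l/engrampa.profile
@@ -0,0 +1,42 @@
+# Firejail profile for engrampa
+# Description: Archive manager for MATE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include engrampa.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin engrampa
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute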
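Review bot: `# private-bin engrampa` (line 35) and `# private-tmp` (line 37) are switched off with no reason recorded, so a reader cannot tell whether they break the program or were simply never tried; the convention elsewhere in this series, e.g. falkon.profile's `# private-tmp - interferes with the opening of downloaded files`, is to state the reason on the line. Either add the observed reason (`# private-tmp - <what broke>`) or delete the dead lines. The same applies to the commented `# private-etc ...` lines in etr.profile (line 42) and falkon.profile (line 41), and to `# tracelog` in falkon.profile (line 38).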
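--- /dev/null
+++ b/etc/profile-a-l/enox.profile
@@ -0,0 +1,19 @@
+# Firejail profile for enox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Enox
+noblacklist ${HOME}/.config/Enox
+
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/Enox
+mkdir ${HOME}/.config/Enox
+whitelist ${HOME}/.cache/Enox
+whitelist ${HOME}/.config/Enox
+
+# Redirect
+include chromium-common.profile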
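Review bot: Lines 11-12, `#mkdir ${HOME}/.cache/dnox` and `#mkdir ${HOME}/.config/dnox`, name a different application (dnox) and look like leftovers from the profile this one was copied from; the live `mkdir`/`whitelist` lines that follow already cover the Enox directories. Commented-out directives for the wrong program only mislead, so delete them. A `# Description:` header line is also missing, unlike most profiles in this series.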
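--- /dev/null
+++ b/etc/profile-a-l/enpass.profile
@@ -0,0 +1,62 @@
+# Firejail profile for enpass
+# Description: A multiplatform password manager
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include enpass.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Enpass
+noblacklist ${HOME}/.config/sinew.in
+noblacklist ${HOME}/.config/Sinew Software Systems
+noblacklist ${HOME}/.local/share/Enpass
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
+whitelist ${HOME}/.cache/Enpass
+whitelist ${HOME}/.config/sinew.in
+whitelist ${HOME}/.config/Sinew Software Systems
+whitelist ${HOME}/.local/share/Enpass
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+# machine-id and nosound break audio notification functionality
+# comment both if you need that functionality or put 'ignore machine-id'
+# and 'ignore nosound' in your enpass.local
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin dirname,Enpass,importer_enpass,readlink,sh
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-opt Enpass
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)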
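Review bot: The explanatory comment on lines 35-37 (`# machine-id and nosound break audio notification functionality ...`) is separated from the `machine-id` and `nosound` directives it describes by a blank line and by `caps.drop all`; move it directly above `machine-id` on line 40 so it reads as attached to those options. The header also drifts from the series: line 3 ends with a period and line 4 spells `customisations`, where every other profile uses `# This file is overwritten after every install/update` and `# Persistent local customizations`. For a password manager, `whitelist ${DOCUMENTS}` on line 31 is the only non-application directory exposed to the sandbox and deserves a one-line comment stating what it is for (import/export, presumably), so it is not widened or removed by guesswork.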
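--- /dev/null
+++ b/etc/profile-a-l/eo-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp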
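Review bot: `noblacklist ${HOME}/.Steam` and `noblacklist ${HOME}/.steam` (lines 11-12) are unexpected in an image-viewer profile and carry no explanation; presumably they let the viewer open screenshots stored under the Steam directory, but a reader cannot tell and may remove them as a mistake. A comment such as `# allow viewing screenshots kept under the Steam directory` (confirm the real reason) would settle it. Since the whole directory, with whatever else Steam keeps there, becomes visible to the sandbox, the comment should also make clear that this is a deliberate trade-off rather than an oversight.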
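--- /dev/null
+++ b/etc/profile-a-l/eog.profile
@@ -0,0 +1,19 @@
+# Firejail profile for eog
+# Description: Eye of GNOME graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eog.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/eog
+
+whitelist /usr/share/eog
+
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
+# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
+private-bin eog
+
+# Redirect
+include eo-common.profile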
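--- /dev/null
+++ b/etc/profile-a-l/eom.profile
@@ -0,0 +1,19 @@
+# Firejail profile for eom
+# Description: Eye of MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate/eom
+
+whitelist /usr/share/eom
+
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
+# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
+private-bin eom
+
+# Redirect
+include eo-common.profile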
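--- /dev/null
+++ b/etc/profile-a-l/ephemeral.profile
@@ -0,0 +1,63 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none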
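Review bot: The comment on line 45, `# noroot breaks GTK_USE_PORTAL=1 usage, see ...`, records a breakage for a directive that is enabled on the very next line, so a reader cannot tell whether `noroot` is meant to stay on or was left in by mistake. Other profiles in this series phrase such cases as an opt-out, e.g. enpass.profile's `put 'ignore nosound' in your enpass.local`; reword to `# noroot breaks GTK_USE_PORTAL=1 usage (see https://github.com/netblue30/firejail/issues/2506); put 'ignore noroot' in your ephemeral.local if you need it`. The `# enforce private-cache` comment is repeated three times (lines 9, 24, 28) for the same decision; once, above the first commented line, would do.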
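--- /dev/null
+++ b/etc/profile-a-l/epiphany.profile
@@ -0,0 +1,36 @@
+# Firejail profile for epiphany
+# Description: The GNOME Web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include epiphany.local
+# Persistent global definitions
+include globals.local
+
+# Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
+# See https://github.com/netblue30/firejail/issues/2995
+
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/epiphany
+mkdir ${HOME}/.config/epiphany
+mkdir ${HOME}/.local/share/epiphany
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/epiphany
+whitelist ${HOME}/.config/epiphany
+whitelist ${HOME}/.local/share/epiphany
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+notv
+protocol unix,inet,inet6
+seccomp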
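Review bot: Lines 9-10 say Epiphany cannot be firejailed since 3.34, yet the profile is kept and is noticeably weaker than its siblings (no `noroot`, `nogroups`, `nou2f`, `shell none`, `tracelog`, `private-dev` or `private-tmp`), with nothing stating whether that is deliberate. If the profile is retained for older Epiphany versions, the note should say so and the option block should still match the series, e.g. add `nogroups` and `noroot` after `nodvd`; if it is effectively unsupported, say that explicitly so users do not assume it provides the usual confinement. Line 9 also reads `Epiphany use bwrap` — `uses`.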
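--- /dev/null
+++ b/etc/profile-a-l/et.profile
@@ -0,0 +1,11 @@
+# Firejail profile for et
+# Description: WPS Office - Spreadsheets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile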
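--- /dev/null
+++ b/etc/profile-a-l/etr.profile
@@ -0,0 +1,46 @@
+# Firejail profile for etr
+# Description: High speed arctic racing game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include etr.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.etr
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.etr
+whitelist ${HOME}/.etr
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin etr
+private-cache
+private-dev
+# private-etc alternatives,drirc,machine-id,openal
+private-tmp
+
+dbus-user none
+dbus-system none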
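--- /dev/null
+++ b/etc/profile-a-l/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include evince.profile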
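--- /dev/null
+++ b/etc/profile-a-l/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include evince.profile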
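--- /dev/null
+++ b/etc/profile-a-l/evince.profile
@@ -0,0 +1,56 @@
+# Firejail profile for evince
+# Description: Document (PostScript, PDF) viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/evince
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/doc
+whitelist /usr/share/evince
+whitelist /usr/share/poppler
+whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+# net none - breaks AppArmor on Ubuntu systems
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
+private-dev
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+# private-lib might break two-page-view on some systems
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-tmp
+
+# might break two-page-view on some systems
+dbus-user none
+dbus-system none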
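--- /dev/null
+++ b/etc/profile-a-l/evolution.profile
@@ -0,0 +1,46 @@
+# Firejail profile for evolution
+# Description: Groupware suite with mail client and organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evolution.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/evolution
+noblacklist ${HOME}/.config/evolution
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+# no3d breaks under wayland
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+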
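Review bot: Line 46 is a trailing blank line at the end of the file; no other profile in this series ends with one, so drop it. `noblacklist /var/mail` and `noblacklist /var/spool/mail` (lines 9-10) only make the spool visible, while the matching guidance in email-common.profile (lines 65-68) lists `writable-var` alongside those paths; if Evolution also needs to lock or update the mbox, add `writable-var` here, otherwise a comment like `# /var/mail is visible read-only; add 'writable-var' to evolution.local if delivery to a local spool is needed` would make the intent explicit. `tracelog` is also missing from the option block, unlike the other mail profile in this series.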
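--- /dev/null
+++ b/etc/profile-a-l/exfalso.profile
@@ -0,0 +1,60 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.quodlibet
+whitelist ${HOME}/.quodlibet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)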
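Review bot: `whitelist ${DOWNLOADS}` and `whitelist ${MUSIC}` (lines 16-17) are placed before the `include disable-*.inc` block, whereas every other profile in this series keeps its `whitelist` entries in the `mkdir`/`whitelist` block after the disable includes (here lines 27-31). Move the two lines down next to `whitelist ${HOME}/.quodlibet` so the file follows the common layout and the whitelisted set can be read in one place. The `private-lib` list on line 54 pins `libssl.so.1.*`; distributions that ship only OpenSSL 3 will match nothing for that entry, so `libssl.so.*` is the more durable pattern if the pin is not intentional.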
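--- /dev/null
+++ b/etc/profile-a-l/exiftool.profile
@@ -0,0 +1,57 @@
+# Firejail profile for exiftool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include exiftool.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
+#private-bin exiftool,perl
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute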
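--- /dev/null
+++ b/etc/profile-a-l/falkon.profile
@@ -0,0 +1,43 @@
+# Firejail profile for falkon
+# Description: Lightweight web browser based on Qt WebEngine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include falkon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/falkon
+noblacklist ${HOME}/.config/falkon
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/falkon
+whitelist ${HOME}/.config/falkon
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+# blacklisting of chroot system calls breaks falkon
+seccomp !chroot
+# tracelog
+
+private-dev
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-tmp - interferes with the opening of downloaded files
+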
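Review bot: Line 43 is a trailing blank line at the end of the file, which no other profile in this series has; drop it. `shell none` is absent from the option block (lines 27-38) although nearly every sibling sets it, and nothing says whether Falkon needs a shell; either add it or note the breakage the way line 36 does for `seccomp !chroot`. The commented-out `# tracelog` and `# private-etc` lines are covered by the note on engrampa.profile.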
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile new file mode 100644 index 000000000..af670cee2 --- /dev/null +++ b/etc/profile-a-l/fbreader.profile | |||
@@ -0,0 +1,38 @@ | |||
1 | # Firejail profile for fbreader | ||
2 | # Description: E-book reader | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include fbreader.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.FBReader | ||
10 | noblacklist ${DOCUMENTS} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | net none | ||
25 | nodvd | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6 | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | private-bin fbreader,FBReader | ||
37 | private-dev | ||
38 | private-tmp | ||
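Review bot: `protocol unix,inet,inet6` at L7377 grants inet/inet6 sockets to a profile that already sets `net none` at L7369, so the network protocols are dead weight; narrowing it to `protocol unix` matches how feh.profile pairs `net none` (L7511) with `protocol unix` (L7521). `nogroups` and `dbus-user none`/`dbus-system none`, which the other offline viewers in this commit (feh, file) set, are also absent here; if fbreader needs group membership or the session bus, a comment saying so would be the repository-consistent form.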
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile new file mode 100644 index 000000000..179540806 --- /dev/null +++ b/etc/profile-a-l/fdns.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for server | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include fdns.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist /sbin | ||
9 | noblacklist /usr/sbin | ||
10 | |||
11 | blacklist /tmp/.X11-unix | ||
12 | blacklist ${RUNUSER}/wayland-* | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | #include whitelist-usr-share-common.inc | ||
23 | #include whitelist-var-common.inc | ||
24 | |||
25 | caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot | ||
26 | ipc-namespace | ||
27 | # netfilter /etc/firejail/webserver.net | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | # noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix,inet,inet6 | ||
38 | #seccomp | ||
39 | #shell none | ||
40 | |||
41 | disable-mnt | ||
42 | private | ||
43 | private-bin bash,fdns,sh | ||
44 | # private-cache | ||
45 | private-dev | ||
46 | private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl | ||
47 | # private-lib | ||
48 | private-tmp | ||
49 | |||
50 | memory-deny-write-execute | ||
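Review bot: The disabled hardening in this profile is not justified anywhere: `# noroot` (L7417), `#seccomp` (L7423) and `#shell none` (L7424) are commented out, and `caps.keep` at L7410 retains `sys_admin`, which is close to full root, with nothing explaining what fdns needs it for. Other profiles in this commit record why an option is off (ffmpeg for memory-deny-write-execute, file-roller for ipc-namespace); a line such as `# noroot/seccomp off: fdns needs to bind :53 and change uid itself - TODO confirm` would let a reader tell a deliberate choice from an omission, and whether `sys_admin` is really required (rather than just `net_bind_service,setuid,setgid,sys_chroot`) should be confirmed. The header at L7386, `# Firejail profile for server`, names the wrong program; it should read `# Firejail profile for fdns` with a `# Description:` line like the neighbouring profiles.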
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile new file mode 100644 index 000000000..7d3c7a8f4 --- /dev/null +++ b/etc/profile-a-l/feedreader.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for feedreader | ||
2 | # Description: RSS client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include feedreader.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/feedreader | ||
10 | noblacklist ${HOME}/.local/share/feedreader | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.cache/feedreader | ||
21 | mkdir ${HOME}/.local/share/feedreader | ||
22 | whitelist ${HOME}/.cache/feedreader | ||
23 | whitelist ${HOME}/.local/share/feedreader | ||
24 | whitelist /usr/share/feedreader | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | caps.drop all | ||
31 | netfilter | ||
32 | # no3d | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | # nosound | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6 | ||
42 | seccomp | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-tmp | ||
50 | |||
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile new file mode 100644 index 000000000..91123fa0e --- /dev/null +++ b/etc/profile-a-l/feh.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for feh | ||
2 | # Description: imlib2 based image viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include feh.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | |||
16 | # This profile disables network access | ||
17 | # In order to enable network access, | ||
18 | # uncomment the following or put it in your feh.local: | ||
19 | # include feh-network.inc | ||
20 | |||
21 | caps.drop all | ||
22 | net none | ||
23 | no3d | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | private-bin feh,jpegexiforient,jpegtran | ||
37 | private-cache | ||
38 | private-dev | ||
39 | private-etc alternatives,feh | ||
40 | private-tmp | ||
41 | |||
42 | dbus-user none | ||
43 | dbus-system none | ||
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile new file mode 100644 index 000000000..9b4c5f114 --- /dev/null +++ b/etc/profile-a-l/ferdi.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for ferdi | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include ferdi.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | ignore noexec /tmp | ||
9 | |||
10 | noblacklist ${HOME}/.cache/Ferdi | ||
11 | noblacklist ${HOME}/.config/Ferdi | ||
12 | noblacklist ${HOME}/.pki | ||
13 | noblacklist ${HOME}/.local/share/pki | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-programs.inc | ||
20 | |||
21 | mkdir ${HOME}/.cache/Ferdi | ||
22 | mkdir ${HOME}/.config/Ferdi | ||
23 | mkdir ${HOME}/.pki | ||
24 | mkdir ${HOME}/.local/share/pki | ||
25 | whitelist ${DOWNLOADS} | ||
26 | whitelist ${HOME}/.cache/Ferdi | ||
27 | whitelist ${HOME}/.config/Ferdi | ||
28 | whitelist ${HOME}/.pki | ||
29 | whitelist ${HOME}/.local/share/pki | ||
30 | include whitelist-common.inc | ||
31 | |||
32 | caps.drop all | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | protocol unix,inet,inet6,netlink | ||
41 | seccomp !chroot | ||
42 | shell none | ||
43 | |||
44 | disable-mnt | ||
45 | private-dev | ||
46 | private-tmp | ||
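Review bot: `ignore noexec /tmp` at L7542 and `seccomp !chroot` at L7575 both weaken the sandbox without a recorded reason, whereas the same `seccomp !chroot` relaxation in falkon.profile and firefox-common.profile carries a comment. Please add the why, e.g. `# Ferdi unpacks and executes helpers under /tmp - TODO confirm which` above L7542 and `# chroot syscall is used by the bundled Electron/Chromium - TODO confirm` above L7575, or drop the relaxation if it is a leftover. `disable-passwdmgr.inc` is the only disable-*.inc from the sibling profiles left out of L7549-L7553; if that is intentional it deserves a note, and the header at L7535 lacks the `# Description:` line the other profiles have.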
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile new file mode 100644 index 000000000..d64fe830f --- /dev/null +++ b/etc/profile-a-l/fetchmail.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for fetchmail | ||
2 | # Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include fetchmail.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.fetchmailrc | ||
10 | noblacklist ${HOME}/.netrc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | caps.drop all | ||
19 | netfilter | ||
20 | no3d | ||
21 | nodvd | ||
22 | nogroups | ||
23 | nonewprivs | ||
24 | noroot | ||
25 | nosound | ||
26 | notv | ||
27 | nou2f | ||
28 | novideo | ||
29 | protocol unix,inet,inet6 | ||
30 | seccomp | ||
31 | shell none | ||
32 | |||
33 | #private-bin bash,chmod,fetchmail,procmail | ||
34 | private-dev | ||
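Review bot: `noblacklist ${HOME}/.netrc` at L7592 re-exposes a plaintext credential file to the sandbox, and nothing says whether fetchmail actually reads it in the expected setup (presumably `.fetchmailrc`, re-exposed on L7591, already holds the server passwords); a comment such as `# .netrc is only needed when .fetchmailrc omits passwords - remove this line otherwise` would make the trade-off visible. The commented `#private-bin bash,chmod,fetchmail,procmail` at L7615 and the absence of `disable-exec.inc`, `private-tmp` and `dbus-user none`/`dbus-system none` relative to the other command-line profiles here (file, ffmpeg) likewise carry no reason; I assume the hand-off to an MDA such as procmail is why exec is allowed, and saying so would help.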
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile new file mode 100644 index 000000000..37c46e7d6 --- /dev/null +++ b/etc/profile-a-l/ffmpeg.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for ffmpeg | ||
2 | # Description: Tools for transcoding, streaming and playing of multimedia files | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ffmpeg.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${MUSIC} | ||
11 | noblacklist ${VIDEOS} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | whitelist /usr/share/devedeng | ||
22 | whitelist /usr/share/ffmpeg | ||
23 | whitelist /usr/share/qtchooser | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | netfilter | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol inet,inet6 | ||
41 | # allow set_mempolicy, which is required to encode using libx265 | ||
42 | seccomp !set_mempolicy | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | private-bin ffmpeg | ||
47 | private-cache | ||
48 | private-dev | ||
49 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
54 | |||
55 | # memory-deny-write-execute - it breaks old versions of ffmpeg | ||
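Review bot: `whitelist /usr/share/devedeng` (L7639) and `whitelist /usr/share/qtchooser` (L7641) have nothing to do with ffmpeg itself and will puzzle a reader who does not know this profile is included by others (ffplay, ffprobe and ffmpegthumbnailer redirect here in this commit; devedeng presumably does too); a comment such as `# extra paths serve the profiles that redirect here (devedeng, ffplay, ffprobe, ffmpegthumbnailer)` above L7639 would explain them. Since `protocol inet,inet6` at L7658 deliberately omits `unix`, a note that ffplay.profile re-adds it would likewise save the next maintainer a search.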
diff --git a/etc/profile-a-l/ffmpegthumbnailer.profile b/etc/profile-a-l/ffmpegthumbnailer.profile new file mode 100644 index 000000000..6d72c3b99 --- /dev/null +++ b/etc/profile-a-l/ffmpegthumbnailer.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for ffmpegthumbnailer | ||
2 | # Description: FFmpeg-based video thumbnailer | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ffmpegthumbnailer.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | private-bin ffmpegthumbnailer | ||
12 | private-lib libffmpegthumbnailer.so.* | ||
13 | |||
14 | # fix for ranger video thumbnails | ||
15 | ignore private-cache | ||
16 | |||
17 | # Redirect | ||
18 | include ffmpeg.profile | ||
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile new file mode 100644 index 000000000..04134cbf4 --- /dev/null +++ b/etc/profile-a-l/ffplay.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for ffplay | ||
2 | # Description: FFmpeg-based media player | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ffplay.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | protocol unix,inet,inet6 | ||
12 | ignore ipc-namespace | ||
13 | ignore nogroups | ||
14 | ignore nosound | ||
15 | |||
16 | private-bin ffplay | ||
17 | private-etc alsa,asound.conf,group | ||
18 | |||
19 | # Redirect | ||
20 | include ffmpeg.profile | ||
diff --git a/etc/profile-a-l/ffprobe.profile b/etc/profile-a-l/ffprobe.profile new file mode 100644 index 000000000..e7c9f678d --- /dev/null +++ b/etc/profile-a-l/ffprobe.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for ffprobe | ||
2 | # Description: FFmpeg-based media prober | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ffprobe.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | ignore private-bin | ||
12 | |||
13 | # Redirect | ||
14 | include ffmpeg.profile | ||
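Review bot: `ignore private-bin` at L7728 lifts the private-bin restriction entirely, so ffprobe ends up with all of /usr/bin visible, whereas ffplay.profile and ffmpegthumbnailer.profile keep the restriction by adding their own binary (`private-bin ffplay`, `private-bin ffmpegthumbnailer`). Unless `ignore` was chosen for a breakage that is not recorded here, replace L7728 with `private-bin ffprobe`; Firejail merges multiple private-bin lines (ffplay.profile relies on exactly that on top of the redirected `private-bin ffmpeg`). If the ignore is deliberate, a one-line reason would keep it from being "fixed" later.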
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile new file mode 100644 index 000000000..70dd030ee --- /dev/null +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for file-roller | ||
2 | # Description: Archive manager for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include file-roller.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | |||
16 | whitelist /usr/share/file-roller | ||
17 | include whitelist-runuser-common.inc | ||
18 | include whitelist-usr-share-common.inc | ||
19 | include whitelist-var-common.inc | ||
20 | |||
21 | apparmor | ||
22 | caps.drop all | ||
23 | #ipc-namespace - causing issues launching on archlinux | ||
24 | machine-id | ||
25 | # net none - breaks on older Ubuntu versions | ||
26 | no3d | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | nosound | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc dconf,fonts,gtk-3.0,xdg | ||
44 | # private-tmp | ||
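Review bot: `# private-tmp` at L7777 is the only disabled option in this profile without a reason, while `#ipc-namespace` (L7756) and `# net none` (L7758) explain themselves; either enable it or write `# private-tmp - breaks <what> - TODO` so the omission is not mistaken for an oversight. For an archive manager that processes untrusted input, `disable-mnt` (set by ferdi, feedreader and flameshot in this commit) would also be worth adding unless extracting directly onto removable media is a supported workflow.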
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile new file mode 100644 index 000000000..74620d4cd --- /dev/null +++ b/etc/profile-a-l/file.profile | |||
@@ -0,0 +1,48 @@ | |||
1 | # Firejail profile for file | ||
2 | # Description: Recognize the type of data in a file using "magic" numbers | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include file.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | blacklist ${RUNUSER} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | apparmor | ||
19 | caps.drop all | ||
20 | hostname file | ||
21 | ipc-namespace | ||
22 | machine-id | ||
23 | net none | ||
24 | no3d | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | seccomp | ||
34 | shell none | ||
35 | tracelog | ||
36 | x11 none | ||
37 | |||
38 | #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd | ||
39 | private-cache | ||
40 | private-dev | ||
41 | #private-etc alternatives,localtime,magic,magic.mgc | ||
42 | #private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.* | ||
43 | |||
44 | dbus-user none | ||
45 | dbus-system none | ||
46 | |||
47 | memory-deny-write-execute | ||
48 | read-only ${HOME} | ||
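Review bot: `noroot` is missing from the hardening block at L7797-L7815 even though this is otherwise the most locked-down profile in the commit (`net none`, `x11 none`, `memory-deny-write-execute`, `read-only ${HOME}`); every other non-redirect profile here sets it, so if it was left out on purpose (this is a `quiet` profile, presumably entered from other tools) a comment should say so, otherwise add `noroot` after `nonewprivs` at L7806. `blacklist ${RUNUSER}/wayland-*` at L7789 is redundant with `blacklist ${RUNUSER}` at L7790 and can be dropped. The three commented `private-bin`/`private-etc`/`private-lib` lines (L7817, L7820, L7821) also carry no reason.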
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile new file mode 100644 index 000000000..6c7ab8f0d --- /dev/null +++ b/etc/profile-a-l/filezilla.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for filezilla | ||
2 | # Description: Full-featured graphical FTP/FTPS/SFTP client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include filezilla.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/filezilla | ||
10 | noblacklist ${HOME}/.filezilla | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-programs.inc | ||
20 | |||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | netfilter | ||
26 | nodvd | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6 | ||
34 | seccomp | ||
35 | shell none | ||
36 | |||
37 | # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin | ||
38 | private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh | ||
39 | private-dev | ||
40 | private-tmp | ||
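Review bot: `disable-exec.inc` and `disable-passwdmgr.inc` are left out of the include block at L7845-L7848 with no explanation, although every comparable profile in this commit includes both; for a client that keeps server credentials under `~/.config/filezilla` (re-exposed at L7838) the password-manager blacklist seems especially relevant. If the omissions are needed (the `python*` entry in `private-bin` at L7867 suggests helper scripts are run), record it, e.g. `# disable-exec.inc breaks the fzsftp/python helpers - TODO confirm`; `nogroups`, `disable-mnt` and the dbus lines are likewise absent without comment.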
diff --git a/etc/profile-a-l/firefox-beta.profile b/etc/profile-a-l/firefox-beta.profile new file mode 100644 index 000000000..fa8bbb1f5 --- /dev/null +++ b/etc/profile-a-l/firefox-beta.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for firefox-beta | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-beta.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile new file mode 100644 index 000000000..7c343c26d --- /dev/null +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for firefox-common | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-common.local | ||
5 | # Persistent global definitions | ||
6 | # added by caller profile | ||
7 | #include globals.local | ||
8 | |||
9 | # noexec ${HOME} breaks DRM binaries. | ||
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
11 | |||
12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. | ||
13 | #include firefox-common-addons.inc | ||
14 | |||
15 | noblacklist ${HOME}/.pki | ||
16 | noblacklist ${HOME}/.local/share/pki | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-programs.inc | ||
23 | |||
24 | mkdir ${HOME}/.pki | ||
25 | mkdir ${HOME}/.local/share/pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ${HOME}/.pki | ||
28 | whitelist ${HOME}/.local/share/pki | ||
29 | include whitelist-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | ||
35 | #machine-id | ||
36 | netfilter | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. | ||
41 | noroot | ||
42 | notv | ||
43 | ?BROWSER_DISABLE_U2F: nou2f | ||
44 | protocol unix,inet,inet6,netlink | ||
45 | # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. | ||
46 | seccomp !chroot | ||
47 | shell none | ||
48 | # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. | ||
49 | #tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | ?BROWSER_DISABLE_U2F: private-dev | ||
53 | # private-etc below works fine on most distributions. There are some problems on CentOS. | ||
54 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | ||
55 | private-tmp | ||
56 | |||
57 | # breaks various desktop integration features | ||
58 | # among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma | ||
59 | dbus-user none | ||
60 | dbus-system none | ||
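Review bot: `?BROWSER_DISABLE_U2F: private-dev` at L7935 is far from the `?BROWSER_DISABLE_U2F: nou2f` it pairs with at L7926, and nothing explains why private-dev is tied to U2F; a comment such as `# private-dev hides the hidraw devices U2F tokens need, so it is only applied when U2F is disabled - TODO confirm` above L7935 would spare the next reader the deduction. `disable-passwdmgr.inc` is the one disable-*.inc omitted from L7901-L7905 without a note; if that is to keep native-messaging password managers working, say so, otherwise add it.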
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile new file mode 100644 index 000000000..8c7ca3887 --- /dev/null +++ b/etc/profile-a-l/firefox-developer-edition.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for firefox-developer-edition | ||
2 | # Description: Developer Edition of the popular Firefox web browser | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include firefox-developer-edition.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile new file mode 100644 index 000000000..5e69fdb51 --- /dev/null +++ b/etc/profile-a-l/firefox-esr.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for firefox-esr | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-esr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | whitelist /usr/share/firefox-esr | ||
10 | |||
11 | # Redirect | ||
12 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox-nightly.profile b/etc/profile-a-l/firefox-nightly.profile new file mode 100644 index 000000000..96d2bf898 --- /dev/null +++ b/etc/profile-a-l/firefox-nightly.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for firefox-nightly | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-nightly.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox-wayland.profile b/etc/profile-a-l/firefox-wayland.profile new file mode 100644 index 000000000..17c9f059e --- /dev/null +++ b/etc/profile-a-l/firefox-wayland.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for firefox-wayland | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-wayland.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox-x11.profile b/etc/profile-a-l/firefox-x11.profile new file mode 100644 index 000000000..ffd64aad7 --- /dev/null +++ b/etc/profile-a-l/firefox-x11.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for firefox-x11 | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include firefox-x11.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include firefox.profile | ||
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile new file mode 100644 index 000000000..4a2cb260f --- /dev/null +++ b/etc/profile-a-l/firefox.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Firejail profile for firefox | ||
2 | # Description: Safe and easy web browser from Mozilla | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include firefox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/mozilla | ||
10 | noblacklist ${HOME}/.mozilla | ||
11 | |||
12 | mkdir ${HOME}/.cache/mozilla/firefox | ||
13 | mkdir ${HOME}/.mozilla | ||
14 | whitelist ${HOME}/.cache/mozilla/firefox | ||
15 | whitelist ${HOME}/.mozilla | ||
16 | |||
17 | whitelist /usr/share/doc | ||
18 | whitelist /usr/share/firefox | ||
19 | whitelist /usr/share/gtk-doc/html | ||
20 | whitelist /usr/share/mozilla | ||
21 | whitelist /usr/share/webext | ||
22 | include whitelist-usr-share-common.inc | ||
23 | |||
24 | # firefox requires a shell to launch on Arch. | ||
25 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which | ||
26 | # Fedora use shell scripts to launch firefox, at least this is required | ||
27 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname | ||
28 | # private-etc must first be enabled in firefox-common.profile | ||
29 | #private-etc firefox | ||
30 | |||
31 | # Redirect | ||
32 | include firefox-common.profile | ||
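Review bot: `whitelist /usr/share/doc` (L8025) and `whitelist /usr/share/gtk-doc/html` (L8027) expose documentation trees that are not obviously part of Firefox, and the file does not say what needs them; a short reason above L8025, e.g. `# /usr/share/doc and gtk-doc: local help pages opened in the browser - TODO confirm`, would make the whitelist auditable, or the entries can go if nothing depends on them. The commented `private-bin` alternatives at L8033 and L8035 are well explained; the same standard would help here.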
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile new file mode 100644 index 000000000..2c86d3ac7 --- /dev/null +++ b/etc/profile-a-l/five-or-more.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Firejail profile for five-or-more | ||
2 | # Description: GNOME port of the once-popular Colour Lines game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include five-or-more.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/five-or-more | ||
10 | |||
11 | mkdir ${HOME}/.local/share/five-or-more | ||
12 | whitelist ${HOME}/.local/share/five-or-more | ||
13 | |||
14 | whitelist /usr/share/five-or-more | ||
15 | |||
16 | private-bin five-or-more | ||
17 | |||
18 | dbus-user.own org.gnome.five-or-more | ||
19 | |||
20 | # Redirect | ||
21 | include gnome_games-common.profile | ||
diff --git a/etc/profile-a-l/flacsplt.profile b/etc/profile-a-l/flacsplt.profile new file mode 100644 index 000000000..2efef0f22 --- /dev/null +++ b/etc/profile-a-l/flacsplt.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile for flacsplt | ||
2 | # This file is overwritten after every install/update | ||
3 | include flacsplt.local | ||
4 | |||
5 | # Redirect | ||
6 | include mp3splt.profile | ||
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile new file mode 100644 index 000000000..5a69684b5 --- /dev/null +++ b/etc/profile-a-l/flameshot.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for flameshot | ||
2 | # Description: Powerful yet simple-to-use screenshot software | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include flameshot.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${PICTURES} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | include whitelist-runuser-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | ipc-namespace | ||
24 | netfilter | ||
25 | no3d | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix,inet,inet6 | ||
35 | seccomp | ||
36 | shell none | ||
37 | |||
38 | disable-mnt | ||
39 | private-bin flameshot | ||
40 | private-cache | ||
41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl | ||
42 | private-dev | ||
43 | private-tmp | ||
44 | |||
45 | # dbus-user none | ||
46 | # dbus-system none | ||
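Review bot: `# dbus-user none` and `# dbus-system none` at L8118-L8119 are commented out with no reason, unlike the otherwise complete hardening set above them; flameshot presumably needs the session bus for its tray icon or notifications, in which case a `dbus-user filter` policy with a `dbus-user.talk` rule for the specific service, or at least `# dbus-user none - breaks tray icon/notifications`, would be the repository-consistent form, and `dbus-system none` can likely be enabled regardless. Minor: `private-etc` at L8114 sits between `private-cache` and `private-dev`, breaking the alphabetical order the other profiles keep.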
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile new file mode 100644 index 000000000..b841bce75 --- /dev/null +++ b/etc/profile-a-l/flashpeak-slimjet.profile | |||
@@ -0,0 +1,17 @@ | |||
1 | # Firejail profile for flashpeak-slimjet | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include flashpeak-slimjet.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.cache/slimjet | ||
9 | noblacklist ${HOME}/.config/slimjet | ||
10 | |||
11 | mkdir ${HOME}/.cache/slimjet | ||
12 | mkdir ${HOME}/.config/slimjet | ||
13 | whitelist ${HOME}/.cache/slimjet | ||
14 | whitelist ${HOME}/.config/slimjet | ||
15 | |||
16 | # Redirect | ||
17 | include chromium-common.profile | ||
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile new file mode 100644 index 000000000..40472ab93 --- /dev/null +++ b/etc/profile-a-l/flowblade.profile | |||
@@ -0,0 +1,38 @@ | |||
1 | # Firejail profile for flowblade | ||
2 | # Description: Non-linear video editor | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include flowblade.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/flowblade | ||
10 | noblacklist ${HOME}/.flowblade | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | protocol unix,inet,inet6,netlink | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | private-cache | ||
36 | private-dev | ||
37 | private-tmp | ||
38 | |||
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile new file mode 100644 index 000000000..c296c0491 --- /dev/null +++ b/etc/profile-a-l/fluxbox.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for fluxbox | ||
2 | # Description: Standards-compliant, fast, light-weight and extensible window manager | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include fluxbox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # all applications started in awesome will run in this profile | ||
10 | noblacklist ${HOME}/.fluxbox | ||
11 | include disable-common.inc | ||
12 | |||
13 | caps.drop all | ||
14 | netfilter | ||
15 | noroot | ||
16 | protocol unix,inet,inet6 | ||
17 | seccomp | ||
18 | |||
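Review bot: The comment at L8189, `# all applications started in awesome will run in this profile`, apparently comes from an awesome-wm profile and names the wrong program; change it to `# all applications started in fluxbox will run in this profile`. That comment is the only explanation of why this profile is so much looser than its siblings (no `nonewprivs`, `nogroups`, `seccomp`-only hardening and just `disable-common.inc`), so getting it right matters.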
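--- /dev/null
+++ b/etc/profile-a-l/font-manager.profile
@@ -0,0 +1,56 @@
+# Firejail profile for font-manager
+# Description: A simple font management application for GTK desktop environments
+# This file is overwritten after every install/update
+# Persistent local customizations
+include font-manager.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/font-manager
+noblacklist ${HOME}/.config/font-manager
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/font-manager
+mkdir ${HOME}/.config/font-manager
+whitelist ${HOME}/.cache/font-manager
+whitelist ${HOME}/.config/font-manager
+whitelist /usr/share/font-manager
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none - issues on older versions
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin font-manager,python*,yelp
+private-dev
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)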
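--- /dev/null
+++ b/etc/profile-a-l/fontforge.profile
@@ -0,0 +1,41 @@
+# Firejail profile for fontforge
+# Description: Font editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fontforge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.FontForge
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+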
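Review bot: `netfilter` on line 25 sits next to `protocol unix` on line 34, which already denies creating inet/inet6 sockets, so the packet filter appears to have nothing left to filter. If fontforge is meant to be offline, `net none` is the explicit form the neighbouring profiles use (freecad, frogatto, frozen-bubble); if it does need network, the protocol line would have to include inet,inet6 for netfilter to be meaningful. A one-line comment stating which is intended would settle it either way.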
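--- /dev/null
+++ b/etc/profile-a-l/fossamail.profile
@@ -0,0 +1,23 @@
+# Firejail profile for fossamail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fossamail.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/fossamail
+noblacklist ${HOME}/.fossamail
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.cache/fossamail
+mkdir ${HOME}/.fossamail
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.cache/fossamail
+whitelist ${HOME}/.fossamail
+whitelist ${HOME}/.gnupg
+include whitelist-common.inc
+
+# allow browsers
+# Redirect
+include firefox.profile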
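--- /dev/null
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -0,0 +1,19 @@
+# Firejail profile for four-in-a-row
+# Description: four-in-a-row game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/four-in-a-row
+
+private-bin four-in-a-row
+
+dbus-user.own org.gnome.Four-in-a-row
+
+# Redirect
+include gnome_games-common.profile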
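--- /dev/null
+++ b/etc/profile-a-l/franz.profile
@@ -0,0 +1,46 @@
+# Firejail profile for franz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include franz.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Franz
+noblacklist ${HOME}/.config/Franz
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Franz
+mkdir ${HOME}/.config/Franz
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Franz
+whitelist ${HOME}/.config/Franz
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp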
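Review bot: `ignore noexec /tmp` on line 8 and `seccomp !chroot` on line 41 both widen the default sandbox without a word of explanation, while the other profiles in this commit annotate their exceptions (`# required for sudo-free docker` in gcloud, `# net none - issues on older versions` in font-manager). Each should carry a comment naming the failure it works around, e.g. `# <reason> needs executables in /tmp` above line 8 and `# <reason> needs the chroot syscall` above line 41, with the placeholders replaced by the observed breakage. The profile also omits `disable-passwdmgr.inc`, `private-cache` and `dbus-user none`, which its GUI siblings here include; if those omissions are deliberate, a comment would spare the next reviewer the same question.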
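--- /dev/null
+++ b/etc/profile-a-l/freecad.profile
@@ -0,0 +1,45 @@
+# Firejail profile for freecad
+# Description: Extensible Open Source CAx program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/FreeCAD
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none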
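--- /dev/null
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+# Redirect
+include freecad.profile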
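--- /dev/null
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile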
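--- /dev/null
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile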
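--- /dev/null
+++ b/etc/profile-a-l/freeciv.profile
@@ -0,0 +1,47 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none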
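--- /dev/null
+++ b/etc/profile-a-l/freecol.profile
@@ -0,0 +1,58 @@
+# Firejail profile for freecol
+# Description: Turn-based multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freecol
+noblacklist ${HOME}/.cache/freecol
+noblacklist ${HOME}/.config/freecol
+noblacklist ${HOME}/.local/share/freecol
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.cache/freecol
+mkdir ${HOME}/.config/freecol
+mkdir ${HOME}/.local/share/freecol
+whitelist ${HOME}/.freecol
+whitelist ${HOME}/.java
+whitelist ${HOME}/.cache/freecol
+whitelist ${HOME}/.config/freecol
+whitelist ${HOME}/.local/share/freecol
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none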
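Review bot: `whitelist ${HOME}/.freecol` on line 29 has no matching `mkdir ${HOME}/.freecol` in the mkdir block on lines 25-28, unlike the other three user directories that are both created and whitelisted; as far as I can tell a whitelist entry for a path that does not yet exist is skipped, so on a fresh account the game's save directory would be created only in the sandbox's temporary home and lost on exit. Add `mkdir ${HOME}/.freecol` at the top of that block. The reverse gap is `${HOME}/.java` (lines 25 and 30), which is created and whitelisted but has no `noblacklist` on lines 9-12; if allow-java.inc already un-blacklists it that is fine, otherwise it needs one.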
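--- /dev/null
+++ b/etc/profile-a-l/freemind.profile
@@ -0,0 +1,53 @@
+# Firejail profile for freemind
+# Description: Free mind mapping software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freemind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.freemind
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-cache
+private-dev
+#private-etc alternatives,fonts,java
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none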
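--- /dev/null
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-planmaker
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc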
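--- /dev/null
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-presentations
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc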
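--- /dev/null
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -0,0 +1,9 @@
+# Firejail profile alias for freeoffice-textmaker
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc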
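Review bot: The header is missing the `# Persistent local customizations` line that every other profile in this commit, including the sibling planmaker and presentations aliases, places immediately before its `.local` include; insert it between line 3 and line 4 so the three FreeOffice aliases read identically. Line 2 is also the odd one out, saying `SoftMaker Office - word processor` where its siblings say `SoftMaker FreeOffice - ...`; `# Description: SoftMaker FreeOffice - word processor` would match.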
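--- /dev/null
+++ b/etc/profile-a-l/freshclam.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clamav.local
+# Persistent global definitions
+include globals.local
+
+include disable-exec.inc
+
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-cache
+private-dev
+private-tmp
+writable-var
+writable-var-log
+
+memory-deny-write-execute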
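Review bot: Line 5 includes `clamav.local` rather than `freshclam.local`, breaking the `<name>.local` convention every other profile in this commit follows; if sharing the clamav overrides is intended, say so on line 4, e.g. `# Persistent local customizations (shared with clamav.local)`, otherwise it should be `include freshclam.local`. The profile also keeps `caps.keep setgid,setuid` (line 11) and has no `noroot`, which makes it the most privileged profile in this batch; presumably that is so freshclam can switch to its own user, but a comment above line 11 stating the reason would let a reader confirm it rather than guess.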
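--- /dev/null
+++ b/etc/profile-a-l/frogatto.profile
@@ -0,0 +1,49 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none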
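--- /dev/null
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -0,0 +1,46 @@
+# Firejail profile for frozen-bubble
+# Description: Cool game where you pop out the bubbles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frozen-bubble.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frozen-bubble
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.frozen-bubble
+whitelist ${HOME}/.frozen-bubble
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-bin frozen-bubble
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none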
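Review bot: `# private-bin frozen-bubble` on line 41 is a disabled hardening option with no stated reason, whereas the other profiles in this commit record why a line is off (`#hostname galculator - breaks Arch Linux`, `#memory-deny-write-execute - breaks on Arch (see issue #1803)`). Either remove the dead line or annotate it in the same form, `#private-bin frozen-bubble - <what breaks>`, with the placeholder filled from the actual failure; without that the next maintainer cannot tell whether re-enabling it is safe.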
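--- /dev/null
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gajim-history-manager
+# This file is overwritten after every install/update
+
+# Redirect
+include gajim.profile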
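--- /dev/null
+++ b/etc/profile-a-l/gajim.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gajim
+# Description: GTK+-based Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gajim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.config/gajim
+noblacklist ${HOME}/.local/share/gajim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# Comment the following line if you need to whitelist other folders than ~/Downloads
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+join-or-start gajim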
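--- /dev/null
+++ b/etc/profile-a-l/galculator.profile
@@ -0,0 +1,52 @@
+# Firejail profile for galculator
+# Description: Scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include galculator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/galculator
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/galculator
+whitelist ${HOME}/.config/galculator
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#hostname galculator - breaks Arch Linux
+#ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin galculator
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)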
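--- /dev/null
+++ b/etc/profile-a-l/gcalccmd.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gcalccmd
+# Description: GNOME console calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcalccmd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin gcalccmd
+
+# Redirect
+include gnome-calculator.profile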
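--- /dev/null
+++ b/etc/profile-a-l/gcloud.profile
@@ -0,0 +1,42 @@
+# Firejail profile for gcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcloud.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.boto
+noblacklist ${HOME}/.config/gcloud
+noblacklist /var/run/docker.sock
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+# required for sudo-free docker
+#nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none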
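Review bot: `noblacklist /var/run/docker.sock` on line 13 exposes the Docker control socket inside the sandbox, and a process that can talk to that socket can ask the daemon to run containers with host-level privileges, so this one line undoes most of what `caps.drop all`, `noroot` and `seccomp` on lines 21-32 provide. Line 25 documents the related `#nogroups` exception but nothing documents line 13. Consider moving the socket exception into `gcloud.local` for users who actually drive Docker through gcloud, or at minimum annotate it: `# docker.sock access is root-equivalent on the host; remove if you do not use gcloud with docker`.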
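--- /dev/null
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gconf-editor
+# Description: Graphical gconf registry editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-editor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+whitelist /usr/share/gconf-editor
+
+ignore x11 none
+
+# Redirect
+include gconf.profile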
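Review bot: `blacklist /tmp/.X11-unix` on line 10 and `ignore x11 none` on line 14 pull in opposite directions: the ignore re-enables the X11 display that gconf.profile switches off, while the blacklist hides the X socket directory again, and gconf.profile also blacklists `${RUNUSER}/wayland-*`. As far as I can tell from these two files the graphical editor would be left with no display socket on the filesystem, unless the intent is to keep DISPLAY set and rely on the abstract X socket. A comment above line 10 stating the intended effect, e.g. `# keep DISPLAY but hide the X11 socket directory - <reason>`, would make the combination reviewable.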
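--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-schema.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile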
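--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-tree.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile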
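--- /dev/null
+++ b/etc/profile-a-l/gconf.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+#include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+whitelist /usr/share/GConf
+whitelist /usr/share/gconf
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib GConf,libpython*,python2*
+private-tmp
+
+memory-deny-write-execute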
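--- /dev/null
+++ b/etc/profile-a-l/gconfpkg.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile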
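--- /dev/null
+++ b/etc/profile-a-l/gconftool-2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile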
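--- /dev/null
+++ b/etc/profile-a-l/geany.profile
@@ -0,0 +1,35 @@
+# Firejail profile for geany
+# Description: Fast and lightweight IDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geany.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/geany
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp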
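Review bot: The profile leaves out disable-exec.inc, disable-interpreters.inc and disable-devel.inc (only the three includes on lines 14-16 remain) without saying why, whereas the other profiles in this change annotate every piece of hardening they disable (gedit's `# net none - makes settings immutable`). Presumably the Build menu has to run compilers, interpreters and scripts from the project tree, so a one-line note would keep a later cleanup from re-adding them: `# disable-exec/-interpreters/-devel are omitted on purpose: geany's Build menu runs toolchains and scripts from the working tree`. If that is not the reason, disable-exec.inc at least should be included, as gedit.profile in this change does.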
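--- /dev/null
+++ b/etc/profile-a-l/geary.profile
@@ -0,0 +1,33 @@
+# Firejail profile for geary
+# Description: Lightweight email client designed for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geary.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Users have Geary set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+ignore dbus-user none
+ignore dbus-system none
+ignore private-tmp
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/geary
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.config/geary
+mkdir ${HOME}/.local/share/geary
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.config/geary
+whitelist ${HOME}/.local/share/geary
+
+read-only ${HOME}/.config/mimeapps.list
+
+whitelist /usr/share/geary
+
+# allow Mozilla browsers
+# Redirect
+include firefox.profile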
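Review bot: `ignore dbus-user none` and `ignore dbus-system none` on lines 13-14 drop the D-Bus isolation inherited from firefox.profile without replacing it with a filter, so a mail client that parses untrusted messages and has the whole `${HOME}/.gnupg` whitelisted on line 23 can talk to every service on the session bus (secret service, shell, portals), which undoes much of the filesystem isolation; no comment says why both buses are reopened. Firejail's per-name filtering is already used in this change (`dbus-user.own org.gnome.TwentyFortyEight` in gnome-2048.profile), so the narrower form would be `dbus-user filter` plus `dbus-user.own org.gnome.Geary` (confirm the well-known name Geary claims) in place of the two ignore lines. Separately, line 21 creates and line 24 whitelists `${HOME}/.config/geary` but there is no matching `noblacklist ${HOME}/.config/geary` next to lines 17-18; if disable-programs.inc (pulled in via firefox.profile) blacklists that directory, the whitelist is ineffective.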
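--- /dev/null
+++ b/etc/profile-a-l/gedit.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gedit
+# Description: Official text editor of the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gedit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gedit
+private-dev
+# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none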
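Review bot: Lines 50-51 keep `dbus-user none` and `dbus-system none` commented out because they make settings immutable, but the only bus client that needs to work for settings is dconf, and firejail's D-Bus filter (used in this same change via `dbus-user.own` in gnome-2048.profile) can allow exactly that: `dbus-user filter`, `dbus-user.talk ca.desrt.dconf`, `dbus-system none` would keep settings writable while closing the session bus to everything else, provided this firejail version supports `dbus-user.talk` (confirm the dconf bus name on your distribution). The `# apparmor` and `# net none` lines on 25 and 28 carry the same "makes settings immutable" note; a sentence on what actually breaks there (the dconf socket being blocked by the AppArmor policy or the network namespace, presumably) would let a reader tell whether the D-Bus filter fixes those too.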
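--- /dev/null
+++ b/etc/profile-a-l/geekbench.profile
@@ -0,0 +1,55 @@
+# Firejail profile for geekbench
+# Description: A cross-platform benchmark that measures processor and memory performance
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geekbench.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname geekbench
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,geekbenc*,sh
+private-cache
+private-dev
+private-etc alternatives,group,lsb-release,passwd
+private-lib gcc/*/*/libstdc++.so.*
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+
+read-only ${HOME}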
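Review bot: `private-etc alternatives,group,lsb-release,passwd` on line 45 contains no resolv.conf, hosts, nsswitch.conf, ca-certificates or ssl, yet the profile enables networking (`netfilter` on line 26, `protocol unix,inet,inet6` on line 36), so any result upload is likely to fail on name resolution or TLS inside the sandbox while looking like an ordinary network error. Either the network is not needed and `net none` with `protocol unix` is the honest configuration, or the list should carry the set gitter.profile in this same change uses: `private-etc alternatives,ca-certificates,crypto-policies,group,hosts,lsb-release,nsswitch.conf,passwd,pki,resolv.conf,ssl`. Also worth a comment: `read-only ${HOME}` on line 55 means anything the benchmark writes under the home directory is refused, which may well be intended but is surprising next to `whitelist-common.inc`.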
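--- /dev/null
+++ b/etc/profile-a-l/geeqie.profile
@@ -0,0 +1,33 @@
+# Firejail profile for geeqie
+# Description: Image viewer using GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geeqie.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/geeqie
+noblacklist ${HOME}/.config/geeqie
+noblacklist ${HOME}/.local/share/geeqie
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin geeqie
+private-dev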
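Review bot: No network policy is set here; the only thing stopping the image viewer from opening a socket to the outside is the seccomp-based `protocol unix` filter on line 28, and the profile also lacks `private-tmp`, `tracelog` and `disable-exec.inc` that its siblings carry. An explicit `net none` (as gimp.profile in this same change does for a comparable application) states the intent and does not rely solely on the socket-argument filter. If geeqie's external-editor plugins are the reason disable-exec.inc was left out, that deserves a comment, e.g. `# disable-exec.inc omitted: geeqie launches user-configured external editors`.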
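--- /dev/null
+++ b/etc/profile-a-l/gfeeds.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gfeeds
+# Description: RSS/Atom feed reader for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gfeeds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gfeeds
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/gfeeds
+mkdir ${HOME}/.cache/org.gabmus.gfeeds
+mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/gfeeds
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist /usr/share/gfeeds
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gfeeds,python3*
+# private-cache -- feeds are stored in ~/.cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none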
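Review bot: Lines 61-62 disable `dbus-user none` and `dbus-system none` with no reason, unlike gedit.profile in this change which says what breaks, and a feed reader fetching arbitrary remote content over the network is exactly where the session bus should be filtered rather than left open. If the bus is needed only for the application's own name and settings, `dbus-user filter` with `dbus-user.own org.gabmus.gfeeds` (the cache directory on line 10 suggests that is the application id; confirm) and `dbus-system none` is the narrower alternative. At minimum, replace the bare commented lines with a note such as `# dbus-user none - breaks <what>` so the next reader knows whether it is a decision or an oversight.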
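--- /dev/null
+++ b/etc/profile-a-l/ghb.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+
+# Redirect
+include handbrake.profile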
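--- /dev/null
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -0,0 +1,50 @@
+# Firejail profile for ghostwriter
+# Description: Cross-platform, aesthetic, distraction-free Markdown editor.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ghostwriter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ghostwriter
+noblacklist ${HOME}/.local/share/ghostwriter
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/ghostwriter
+whitelist /usr/share/mozilla-dicts
+whitelist /usr/share/texlive
+whitelist /usr/share/pandoc*
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+#tracelog -- breaks
+
+private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
+private-tmp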
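Review bot: `seccomp !chroot` on line 41 removes chroot from firejail's default syscall blocklist without a comment, while the other relaxations in this profile (`#tracelog -- breaks` on line 43, the private-etc workaround note on line 48) say why. Presumably the HTML preview's QtWebEngine renderer sandbox needs it; if so, record that next to the line, `# seccomp !chroot - needed by the QtWebEngine preview's renderer sandbox`, so the exception is not kept silently after it stops being necessary, and if it is not needed the line should be plain `seccomp`. The same goes for `netlink` in the protocol list on line 40, which is unusual for an editor and is probably tied to the same component.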
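--- /dev/null
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+
+# Redirect
+include gimp.profile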
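--- /dev/null
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+
+# Redirect
+include gimp.profile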
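--- /dev/null
+++ b/etc/profile-a-l/gimp.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gimp
+# Description: GNU Image Manipulation Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gimp.local
+# Persistent global definitions
+include globals.local
+
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'noexec ${HOME}' in your gimp.local
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/gegl-0.4
+noblacklist ${HOME}/.cache/gimp
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gegl-0.4
+whitelist /usr/share/gimp
+whitelist /usr/share/mypaint-data
+whitelist /usr/share/lensfun
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none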
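Review bot: The comment on lines 9-11 justifying `ignore noexec ${HOME}` mentions only `${HOME}/.gimp-2.8/plug-ins/`, but this profile also serves GIMP 2.10 (gimp-2.10.profile in this change redirects here and line 17 noblacklists `${HOME}/.config/GIMP`), whose user plug-ins live under `${HOME}/.config/GIMP/2.10/plug-ins/`. Since the ignore re-enables execution for everything under the home directory rather than just the plug-in folder, the comment should also name that trade-off; suggested wording: `# user plug-ins live in ${HOME}/.gimp-2.8/plug-ins/ (2.8) or ${HOME}/.config/GIMP/2.10/plug-ins/ (2.10); running them requires exec on ${HOME}, so noexec is disabled below. Without external plug-ins, comment out 'ignore noexec' or put 'noexec ${HOME}' in gimp.local`. Minor: line 23 includes disable-exec.inc before disable-devel.inc, the reverse of the order every other profile in this change uses.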
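--- /dev/null
+++ b/etc/profile-a-l/gist-paste.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gist-paste
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist-paste.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gist.profile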
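--- /dev/null
+++ b/etc/profile-a-l/gist.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gist
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.gist
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gist
+whitelist ${HOME}/.gist
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute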
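Review bot: `private-etc alternatives` on line 55 leaves the sandbox with no resolv.conf, hosts, nsswitch.conf, ca-certificates or ssl, but gist's whole purpose is an HTTPS request to GitHub over the network the profile enables (`netfilter` on line 37, `protocol unix,inet,inet6` on line 47), so name resolution and certificate verification are likely to fail inside the jail. gitter.profile in this same change carries the needed set; here it would be `private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl`. A short comment on line 13 or 27 that `${HOME}/.gist` holds the GitHub API token would also make clear why that is the one home path being exposed.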
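--- /dev/null
+++ b/etc/profile-a-l/git.profile
@@ -0,0 +1,59 @@
+# Firejail profile for git
+# Description: Fast, scalable, distributed revision control system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include git.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/git
+whitelist /usr/share/git-core
+whitelist /usr/share/gitgui
+whitelist /usr/share/gitweb
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+
+memory-deny-write-execute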
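Review bot: `include disable-exec.inc` on line 26 mounts `${HOME}` noexec, so repository hooks under `.git/hooks/` in any checkout below the home directory, and any script-based alias or credential helper kept there, will not run inside the sandbox; if that is accepted it should be stated, e.g. `# disable-exec.inc makes ${HOME} noexec: repository hooks and user scripts under ${HOME} will not run`, otherwise the include belongs in git.local for users who want it. A second, smaller point: lines 19-20 noblacklist `.vim`/`.viminfo` and line 34 whitelists /usr/share/nano, but there is no `whitelist /usr/share/vim`; unless whitelist-usr-share-common.inc already carries it, vim started as the commit editor will run without its runtime files.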
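--- /dev/null
+++ b/etc/profile-a-l/gitg.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gitg
+# Description: Git repository viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/gitg
+noblacklist ${HOME}/.ssh
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
+whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin git,gitg,ssh
+private-cache
+private-dev
+private-tmp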
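Review bot: The commented-out whitelist block on lines 22-28 invites the user to fill in `YOUR_GIT_PROJECTS_DIRECTORY`, but line 3 says this file is overwritten on every update, so the instructions should point at the override file: `# To confine gitg to your repositories, copy the lines below (with your projects directory) into gitg.local`. Also, `private-bin git,gitg,ssh` on line 51 has no `sh`; git runs shell aliases (`!cmd`) and some hooks through /bin/sh, so those would fail inside the sandbox if gitg triggers them — confirm and add `sh` if it does.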
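--- /dev/null
+++ b/etc/profile-a-l/github-desktop.profile
@@ -0,0 +1,48 @@
+# Firejail profile for github-desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include github-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/GitHub Desktop
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+disable-mnt
+# private-bin github-desktop
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+# private-lib
+private-tmp
+
+# memory-deny-write-execute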
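Review bot: This is the only full profile in this group without `shell none` after `seccomp` (line 33), and `# no3d` on line 23 and `# memory-deny-write-execute` on line 48 are disabled without a reason; presumably all three come from the Electron runtime (launcher script, GPU process, JIT), in which case the lines should say so, e.g. `# memory-deny-write-execute - breaks Electron's JIT` and `# no3d - Electron's GPU process`, and `shell none` added unless the wrapper script genuinely needs a shell. The profile also keeps `${HOME}/.git-credentials` (line 12) readable in a sandbox with network access; that is inherent to the tool but deserves a one-line comment so it is not mistaken for an oversight.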
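--- /dev/null
+++ b/etc/profile-a-l/gitter.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gitter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/Gitter
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Gitter
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/Gitter
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,env,gitter
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pulse,resolv.conf,ssl
+private-opt Gitter
+private-dev
+private-tmp
+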
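Review bot: Lines 8 and 20 make `${HOME}/.config/autostart` writable inside the sandbox; anything running in the jail can drop a .desktop file there that the session will execute unsandboxed at next login, which hands a compromised chat client a persistence and escape route that the rest of this profile works hard to deny. If the client only needs to toggle its own login item, consider leaving the directory blacklisted and documenting how to add the entry from outside, or at least record the trade-off next to the whitelist: `# writable autostart lets the app (and anything that compromises it) install an unsandboxed login item`. Minor: `pulse` in private-etc on line 40 is dead weight with `nosound` on line 31, and the header lacks the `# Description:` line the other profiles carry.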
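--- /dev/null
+++ b/etc/profile-a-l/gjs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gjs
+# Description: Mozilla-based javascript bindings for the GNOME platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gjs.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/libgweather
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.local/share/gnome-photos
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp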
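Review bot: `# private-bin ...` on line 42 and `# private-etc ...` on line 44 are disabled with no explanation, and since this profile is the catch-all for every gjs application (line 42 lists five) and applies no home whitelist, the reason matters: a reader cannot tell whether the lines are a bug or a decision, and either way they are likely to be "fixed" in the wrong direction. A note such as `# private-bin/private-etc disabled: this profile covers several gjs apps with differing needs` would settle it. The caveat on line 9 is valuable; it would read more clearly as `# gjs apps launched from gnome-shell are started by systemd and bypass firejail; only direct invocations are sandboxed` (if that is indeed what is meant).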
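--- /dev/null
+++ b/etc/profile-a-l/globaltime.profile
@@ -0,0 +1,37 @@
+# Firejail profile for globaltime
+# This file is overwritten after every install/update
+# Persistent local customizations
+include globaltime.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/globaltime
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+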
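Review bot: The header is missing the `# Description:` line that the other profiles in this change carry after line 1; something like `# Description: Clock showing the time in several time zones` (adjusted to what the program actually is) keeps the set consistent. The profile also enables networking (`netfilter` on line 19, `protocol unix,inet,inet6` on line 29) with no whitelist on the home directory; if globaltime has no network feature, `net none` and `protocol unix` would be the tighter configuration, but I cannot tell that from the profile alone.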
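--- /dev/null
+++ b/etc/profile-a-l/gmpc.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gmpc
+# Description: MPD client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gmpc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gmpc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
+whitelist ${MUSIC}
+whitelist /usr/share/gmpc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin gmpc
+private-cache
+private-etc alternatives,fonts
+private-tmp
+writable-run-user
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - breaks on Arch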
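Review bot: `private-etc alternatives,fonts` on line 48 contains no hosts, nsswitch.conf or resolv.conf, so connecting to an MPD server by host name (possibly including `localhost`, depending on whether the libc resolves it without /etc/hosts) will fail inside the sandbox even though networking is enabled on lines 31 and 40; it needs at least `hosts,nsswitch.conf,resolv.conf`, plus `ca-certificates,ssl` if any plugin fetches cover art or lyrics over HTTPS. This is also the only profile in the group that sets `nodvd`/`notv`/`novideo` but not `private-dev`, which looks like an omission rather than a choice; and `# dbus-user none` on line 52 is disabled without the reason the sibling profiles give.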
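--- /dev/null
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-2048.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-2048
+
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+
+private-bin gnome-2048
+
+dbus-user.own org.gnome.TwentyFortyEight
+
+# Redirect
+include gnome_games-common.profile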
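Review bot: Line 7 includes globals.local directly and line 19 then redirects to gnome_games-common.profile; the other redirect profiles in this change (gconfpkg, gconftool-2, gist-paste) instead carry `# added by included profile` followed by `#include globals.local`, on the assumption that the target profile includes it. If gnome_games-common.profile does include globals.local, it is processed twice here; align the header with the other redirect profiles by replacing line 7 with `# added by included profile` and `#include globals.local`.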
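--- /dev/null
+++ b/etc/profile-a-l/gnome-books.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-books
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-books.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${DOCUMENTS}
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gjs,gnome-books
+private-dev
+private-tmp
+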
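Review bot: The header lacks the `# Description:` line the other profiles in this change carry after line 1 (for example `# Description: E-book manager for GNOME`), and `# private-bin gjs,gnome-books` on line 43 is disabled without a reason, unlike the annotated disabled lines in gedit.profile. A note such as `# private-bin gjs,gnome-books - disabled: <what breaks>` would tell the next reader whether it is safe to enable. The rest of the profile is tight for a document viewer (`net none`, `protocol unix`, `tracelog`), so the undocumented gap stands out.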
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile new file mode 100644 index 000000000..7a684dd59 --- /dev/null +++ b/etc/profile-a-l/gnome-builder.profile | |||
@@ -0,0 +1,36 @@ | |||
1 | # Firejail profile for gnome-builder | ||
2 | # Description: IDE for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-builder.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/gnome-builder | ||
10 | noblacklist ${HOME}/.config/gnome-builder | ||
11 | noblacklist ${HOME}/.local/share/gnome-builder | ||
12 | |||
13 | # Allows files commonly used by IDEs | ||
14 | include allow-common-devel.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | |||
20 | include whitelist-runuser-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | ipc-namespace | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6 | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | private-dev | ||
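Review bot: `seccomp` at line 33 applies firejail's default syscall blocklist which, if this build's default list still contains the debug group, blocks ptrace and would break any debugger integration the IDE offers; a comment confirming this was tested, or a `seccomp !ptrace` relaxation with a comment, would make the intent explicit. Unlike its siblings the profile also has no `disable-mnt`, `private-tmp` or `tracelog`; if these were omitted because build tooling needs them, a note such as `# no private-tmp: build tools exchange files via /tmp` would stop the next reviewer from re-adding them.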
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile new file mode 100644 index 000000000..a18a123d3 --- /dev/null +++ b/etc/profile-a-l/gnome-calculator.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for gnome-calculator | ||
2 | # Description: GNOME desktop calculator | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gnome-calculator.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-common.inc | ||
19 | include whitelist-runuser-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | # net none | ||
28 | netfilter | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix,inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | |||
42 | disable-mnt | ||
43 | private-bin gnome-calculator | ||
44 | private-cache | ||
45 | private-dev | ||
46 | #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.* | ||
47 | private-tmp | ||
48 | |||
49 | # makes settings immutable | ||
50 | # dbus-user none | ||
51 | # dbus-system none | ||
52 | |||
53 | # memory-deny-write-execute | ||
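Review bot: Lines 49-51 leave both buses fully open with only `# makes settings immutable` as justification; the game profiles in this change show the finer-grained alternative, so `dbus-user filter`, `dbus-user.own org.gnome.Calculator` and `dbus-user.talk ca.desrt.dconf` (the dconf service is presumably what keeps settings writable — confirm) plus `dbus-system none` would keep settings working without exposing every bus service. The `# net none` at line 27 is likewise commented without a reason; if network is kept for currency conversion, say so in the comment, otherwise a calculator should run with `net none` and `protocol unix` as gnome-characters does.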
diff --git a/etc/profile-a-l/gnome-character-map.profile b/etc/profile-a-l/gnome-character-map.profile new file mode 100644 index 000000000..27804fdd0 --- /dev/null +++ b/etc/profile-a-l/gnome-character-map.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for gnome-character-map | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include gnome-character-map.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include gucharmap.profile | ||
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile new file mode 100644 index 000000000..3d7a2e4a6 --- /dev/null +++ b/etc/profile-a-l/gnome-characters.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for gnome-characters | ||
2 | # Description: Character map application for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-characters.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow gjs (blacklisted by disable-interpreters.inc) | ||
10 | include allow-gjs.inc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist /usr/share/org.gnome.Characters | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-runuser-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | machine-id | ||
29 | net none | ||
30 | no3d | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | nosound | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | # Uncomment the next line (or add it to your gnome-characters.local) | ||
46 | # if you don't need recently used chars | ||
47 | #private | ||
48 | private-bin gjs,gnome-characters | ||
49 | private-cache | ||
50 | private-dev | ||
51 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg | ||
52 | private-tmp | ||
53 | |||
54 | # Uncomment the next lines (or add it to your gnome-characters.local) | ||
55 | # if you don't need recently used chars | ||
56 | # dbus-user none | ||
57 | # dbus-system none | ||
58 | |||
59 | read-only ${HOME} | ||
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile new file mode 100644 index 000000000..2e2e86ac9 --- /dev/null +++ b/etc/profile-a-l/gnome-chess.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for gnome-chess | ||
2 | # Description: Simple chess game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-chess.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gnome-chess | ||
10 | noblacklist ${HOME}/.local/share/gnome-chess | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist /usr/share/gnuchess | ||
21 | whitelist /usr/share/gnome-chess | ||
22 | include whitelist-runuser-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | machine-id | ||
29 | net none | ||
30 | no3d | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | nosound | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin fairymax,gnome-chess,gnuchess,hoichess | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 | ||
49 | private-tmp | ||
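Review bot: Lines 9-10 un-blacklist `~/.config/gnome-chess` and `~/.local/share/gnome-chess` but nothing whitelists them and `whitelist-common.inc` is not included, so unlike gnome-calculator and gnome-characters the whole home directory stays readable by the game and by the bundled engines in `private-bin`. Suggest creating and whitelisting the two directories and adding the common home whitelist next to the `/usr/share` entries at lines 20-21; the rest of the profile is unchanged.
```conf
# … unchanged: noblacklist lines and disable-*.inc includes …
mkdir ${HOME}/.config/gnome-chess
mkdir ${HOME}/.local/share/gnome-chess
whitelist ${HOME}/.config/gnome-chess
whitelist ${HOME}/.local/share/gnome-chess
whitelist /usr/share/gnuchess
whitelist /usr/share/gnome-chess
include whitelist-common.inc
# … unchanged: remaining whitelist-*.inc includes and hardening options …
```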
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile new file mode 100644 index 000000000..b865423c5 --- /dev/null +++ b/etc/profile-a-l/gnome-clocks.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for gnome-clocks | ||
2 | # Description: Simple GNOME app with stopwatch, timer, and world clock support | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-clocks.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist /usr/share/gnome-clocks | ||
18 | whitelist /usr/share/libgweather | ||
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | netfilter | ||
27 | no3d | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix,inet,inet6 | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | disable-mnt | ||
41 | private-bin gnome-clocks,gsound-play | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl | ||
45 | private-tmp | ||
46 | |||
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile new file mode 100644 index 000000000..7c1e4bb58 --- /dev/null +++ b/etc/profile-a-l/gnome-contacts.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for gnome-contacts | ||
2 | # Description: Contacts manager for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-contacts.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${DOCUMENTS} | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | no3d | ||
26 | nodvd | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | |||
36 | disable-mnt | ||
37 | private-dev | ||
38 | private-tmp | ||
39 | |||
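Review bot: `noblacklist ${DOCUMENTS}` at line 9 has no effect here: `whitelist-common.inc` at line 19 turns the home directory into a whitelist and nothing whitelists `${DOCUMENTS}`, so the directory stays invisible (gnome-maps pairs the same include with explicit `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}`). Either add `whitelist ${DOCUMENTS}` if vCard import/export from there is intended, or drop the noblacklist so the profile does not advertise an access it does not grant. The profile also lacks `nogroups`, `shell none` and `tracelog`, which every neighbouring GNOME profile sets; if they were left out deliberately, a comment saying why would help.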
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile new file mode 100644 index 000000000..705fe624e --- /dev/null +++ b/etc/profile-a-l/gnome-documents.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for gnome-documents | ||
2 | # Description: Document manager for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-documents.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
10 | |||
11 | noblacklist ${HOME}/.config/libreoffice | ||
12 | noblacklist ${DOCUMENTS} | ||
13 | |||
14 | # Allow gjs (blacklisted by disable-interpreters.inc) | ||
15 | include allow-gjs.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | caps.drop all | ||
26 | netfilter | ||
27 | no3d | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | nosound | ||
33 | notv | ||
34 | nou2f | ||
35 | novideo | ||
36 | protocol unix | ||
37 | seccomp | ||
38 | shell none | ||
39 | tracelog | ||
40 | |||
41 | private-cache | ||
42 | private-dev | ||
43 | private-tmp | ||
44 | |||
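Review bot: `netfilter` at line 26 is combined with `protocol unix` at line 36, which is contradictory: the protocol filter already denies inet/inet6 sockets, so the netfilter rules never see traffic while the network namespace is still shared. If the app needs no network, `net none` is the clearer and stronger choice (as gnome-books uses); if it needs it for online accounts, `protocol unix,inet,inet6` is required and netfilter then earns its place. Unlike gnome-books it also omits `whitelist-var-common.inc` and any `dbus-user` restriction; a comment would explain the difference between two profiles that are otherwise near-identical.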
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile new file mode 100644 index 000000000..b2327133c --- /dev/null +++ b/etc/profile-a-l/gnome-font-viewer.profile | |||
@@ -0,0 +1,37 @@ | |||
1 | # Firejail profile for gnome-font-viewer | ||
2 | # Description: Font viewer for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-font-viewer.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-var-common.inc | ||
19 | |||
20 | apparmor | ||
21 | caps.drop all | ||
22 | net none | ||
23 | no3d | ||
24 | nodvd | ||
25 | nonewprivs | ||
26 | noroot | ||
27 | nosound | ||
28 | notv | ||
29 | nou2f | ||
30 | novideo | ||
31 | protocol unix,inet,inet6 | ||
32 | seccomp | ||
33 | |||
34 | disable-mnt | ||
35 | private-dev | ||
36 | private-tmp | ||
37 | |||
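Review bot: `protocol unix,inet,inet6` at line 31 is inconsistent with `net none` at line 22: without a network namespace the inet families cannot be used anyway, and listing them invites a later edit that drops `net none` without noticing the widened socket policy. Reduce it to `protocol unix` as gnome-characters does. The profile also lacks `nogroups`, `shell none`, `tracelog` and a `private-bin gnome-font-viewer` line that its siblings carry; since a font viewer's input is arbitrary font files, those are worth adding or documenting as deliberately omitted.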
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile new file mode 100644 index 000000000..873a47ea9 --- /dev/null +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for gnome-hexgl | ||
2 | # Description: Gthree port of HexGL | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-hexgl.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | mkdir ${HOME}/.cache/mesa_shader_cache | ||
18 | whitelist /usr/share/gnome-hexgl | ||
19 | include whitelist-runuser-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | net none | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | disable-mnt | ||
39 | private | ||
40 | private-bin gnome-hexgl | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc machine-id | ||
44 | private-tmp | ||
45 | |||
46 | dbus-user none | ||
47 | dbus-system none | ||
48 | |||
49 | read-only ${HOME} | ||
50 | read-write ${HOME}/.cache/mesa_shader_cache | ||
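Review bot: `private` at line 39 gives the sandbox a fresh temporary home, so `mkdir ${HOME}/.cache/mesa_shader_cache` at line 17 acts on the real home while `read-only ${HOME}` and `read-write ${HOME}/.cache/mesa_shader_cache` at lines 49-50 apply to the empty private one — the shader cache is then rebuilt and discarded every run and the mkdir leaves a stray directory behind (confirm against firejail's ordering of `private` versus `mkdir`). Either drop `private` and keep the cache lines, or keep `private` and drop lines 17, 49 and 50, and record the choice in a comment. `private-etc machine-id` at line 43 with no `fonts` or `gtk-3.0` entry is also unusual for a GTK-based program, which the gthree description suggests this is; if it was tested to work, a comment would stop it from being "fixed" later.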
diff --git a/etc/profile-a-l/gnome-keyring-3.profile b/etc/profile-a-l/gnome-keyring-3.profile new file mode 100644 index 000000000..e9961e4f0 --- /dev/null +++ b/etc/profile-a-l/gnome-keyring-3.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for gnome-keyring-3 | ||
2 | # Description: Stores passwords and encryption keys | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-keyring-3.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gnome-keyring.profile | ||
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile new file mode 100644 index 000000000..ecbb74158 --- /dev/null +++ b/etc/profile-a-l/gnome-keyring.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for gnome-keyring | ||
2 | # Description: Stores passwords and encryption keys | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gnome-keyring.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.gnupg | ||
11 | |||
12 | whitelist ${HOME}/.gnupg | ||
13 | whitelist ${DOWNLOADS} | ||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | whitelist /usr/share/gnupg | ||
23 | whitelist /usr/share/gnupg2 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | machine-id | ||
32 | netfilter | ||
33 | no3d | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix,inet,inet6 | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | #private-bin gnome-keyrin*,secret-tool | ||
49 | private-cache | ||
50 | private-dev | ||
51 | #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security | ||
52 | private-tmp | ||
53 | |||
54 | # dbus-user none | ||
55 | # dbus-system none | ||
56 | |||
57 | memory-deny-write-execute | ||
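Review bot: `whitelist ${DOWNLOADS}` at line 13 exposes the user's download directory to a tool described as storing passwords and keys, with no comment on why; if this profile targets the `gnome-keyring` import command rather than the daemon (which would also explain the commented `#private-bin gnome-keyrin*,secret-tool`), say so, e.g. `# ${DOWNLOADS}: import of certificate/key files`, otherwise drop the line. The commented `# dbus-user none` at line 54 leaves the whole session bus reachable; a keyring client only needs the secret service, so `dbus-user filter` with `dbus-user.talk org.freedesktop.secrets` and `dbus-system none` would narrow it while keeping it functional. `netfilter` with `protocol unix,inet,inet6` at lines 32 and 42 is likewise unexplained for this program; if no network use is known, `net none` is the safer default, and the `memory-deny-write-execute` at line 57 shows the author already favours tight settings.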
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile new file mode 100644 index 000000000..c67a5c0da --- /dev/null +++ b/etc/profile-a-l/gnome-klotski.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # Firejail profile for gnome-klotski | ||
2 | # Description: Sliding block puzzles game for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-klotski.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/gnome-klotski | ||
10 | |||
11 | mkdir ${HOME}/.local/share/gnome-klotski | ||
12 | whitelist ${HOME}/.local/share/gnome-klotski | ||
13 | |||
14 | private-bin gnome-klotski | ||
15 | |||
16 | dbus-user.own org.gnome.Klotski | ||
17 | |||
18 | # Redirect | ||
19 | include gnome_games-common.profile | ||
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile new file mode 100644 index 000000000..ea4151137 --- /dev/null +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for gnome-latex | ||
2 | # Description: LaTeX editor for the GNOME desktop | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-latex.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gnome-latex | ||
10 | noblacklist ${HOME}/.local/share/gnome-latex | ||
11 | |||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
13 | include allow-perl.inc | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | whitelist /usr/share/gnome-latex | ||
23 | whitelist /usr/share/perl5 | ||
24 | whitelist /usr/share/texlive | ||
25 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | # May cause issues. | ||
28 | #include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | machine-id | ||
33 | net none | ||
34 | no3d | ||
35 | nodvd | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | nosound | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | private-cache | ||
49 | private-dev | ||
50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed | ||
51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive | ||
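Review bot: The comment at line 50 says `passwd,login.defs,firejail` are the #2877 workaround, but the `private-etc` list on line 51 contains only `login.defs,passwd` — either `firejail` is missing from the list or the comment is stale, and the two must agree so the workaround can be removed cleanly once the issue is fixed. Line 28's `# May cause issues.` is too vague to act on; state what broke (for example which `/var` path texlive needed) so the include can be re-enabled when that is addressed. The profile also skips `disable-xdg.inc` and `disable-mnt`, which the neighbouring profiles use; a note on whether LaTeX projects on removable media are the reason would help.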
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile new file mode 100644 index 000000000..4b6453015 --- /dev/null +++ b/etc/profile-a-l/gnome-logs.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for gnome-logs | ||
2 | # Description: Viewer for the systemd journal | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-logs.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist /var/log/journal | ||
18 | include whitelist-runuser-common.inc | ||
19 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | ipc-namespace | ||
25 | net none | ||
26 | no3d | ||
27 | nodvd | ||
28 | # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), | ||
29 | # comment both 'nogroups' and 'noroot' | ||
30 | # or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local. | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | disable-mnt | ||
44 | private-bin gnome-logs | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc alternatives,fonts,localtime,machine-id | ||
48 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | ||
49 | private-tmp | ||
50 | writable-var-log | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
54 | |||
55 | # comment this if you export logs to a file in your ${HOME} | ||
56 | # or put 'ignore read-only ${HOME}' in your gnome-logs.local. | ||
57 | read-only ${HOME} | ||
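Review bot: `writable-var-log` at line 50 reads as if it grants write access to system logs for a read-only viewer; if, as I understand it, firejail otherwise replaces `/var/log` with an empty tmpfs clone and this option is what makes the real journal visible, a comment should say so, e.g. `# writable-var-log: show the real /var/log instead of firejail's empty tmpfs clone, otherwise the journal is empty`. The volatile-storage note at lines 28-30 could also name the group that `ignore nogroups` gives back (journal files are typically readable by a dedicated journal group — confirm), so users understand what they are re-enabling.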
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile new file mode 100644 index 000000000..42409dce8 --- /dev/null +++ b/etc/profile-a-l/gnome-mahjongg.profile | |||
@@ -0,0 +1,16 @@ | |||
1 | # Firejail profile for gnome-mahjongg | ||
2 | # Description: A matching game played with Mahjongg tiles | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-mahjongg.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | whitelist /usr/share/gnome-mahjongg | ||
10 | |||
11 | private-bin gnome-mahjongg | ||
12 | |||
13 | dbus-user.own org.gnome.Mahjongg | ||
14 | |||
15 | # Redirect | ||
16 | include gnome_games-common.profile | ||
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile new file mode 100644 index 000000000..bf263efa9 --- /dev/null +++ b/etc/profile-a-l/gnome-maps.profile | |||
@@ -0,0 +1,64 @@ | |||
1 | # Firejail profile for gnome-maps | ||
2 | # Description: Map application for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-maps.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Some distributions use gapplications to start gnome-maps over D-Bus. As firecfg cannot handle that, you need to run the following command. | ||
10 | # sed -e "s/Exec=gapplication launch org.gnome.Maps %U/Exec=gnome-maps %U/" -e "s/DBusActivatable=true/DBusActivatable=false/" "/usr/share/applications/org.gnome.Maps.desktop" > "~/.local/share/applications/org.gnome.Maps.desktop" | ||
11 | |||
12 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
13 | |||
14 | noblacklist ${HOME}/.cache/champlain | ||
15 | noblacklist ${HOME}/.cache/org.gnome.Maps | ||
16 | noblacklist ${HOME}/.local/share/maps-places.json | ||
17 | |||
18 | # Allow gjs (blacklisted by disable-interpreters.inc) | ||
19 | include allow-gjs.inc | ||
20 | |||
21 | include disable-common.inc | ||
22 | include disable-devel.inc | ||
23 | include disable-exec.inc | ||
24 | include disable-interpreters.inc | ||
25 | include disable-passwdmgr.inc | ||
26 | include disable-programs.inc | ||
27 | include disable-xdg.inc | ||
28 | |||
29 | mkdir ${HOME}/.cache/champlain | ||
30 | mkfile ${HOME}/.local/share/maps-places.json | ||
31 | whitelist ${HOME}/.cache/champlain | ||
32 | whitelist ${HOME}/.local/share/maps-places.json | ||
33 | whitelist ${DOWNLOADS} | ||
34 | whitelist ${PICTURES} | ||
35 | whitelist /usr/share/gnome-maps | ||
36 | whitelist /usr/share/libgweather | ||
37 | include whitelist-common.inc | ||
38 | include whitelist-runuser-common.inc | ||
39 | include whitelist-usr-share-common.inc | ||
40 | include whitelist-var-common.inc | ||
41 | |||
42 | apparmor | ||
43 | caps.drop all | ||
44 | machine-id | ||
45 | netfilter | ||
46 | nodvd | ||
47 | nogroups | ||
48 | nonewprivs | ||
49 | noroot | ||
50 | nosound | ||
51 | notv | ||
52 | nou2f | ||
53 | novideo | ||
54 | protocol unix,inet,inet6 | ||
55 | seccomp | ||
56 | shell none | ||
57 | tracelog | ||
58 | |||
59 | disable-mnt | ||
60 | private-bin gjs,gnome-maps | ||
61 | # private-cache -- gnome-maps cache all maps/satelite-images | ||
62 | private-dev | ||
63 | private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg | ||
64 | private-tmp | ||
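Review bot: The one-shot command in the comment at line 10 redirects to `"~/.local/share/applications/org.gnome.Maps.desktop"`; inside double quotes the shell does not expand `~`, so the redirect fails (or writes under a literal `~` directory) instead of creating the override. Drop the quotes around the target or use `"$HOME/.local/share/applications/org.gnome.Maps.desktop"`, and mention that `~/.local/share/applications` must exist first. `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` at lines 33-34 are also unexplained; a note on which feature needs them (route export, geotagged photos?) would justify the extra home exposure the way line 61 justifies skipping `private-cache`.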
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile new file mode 100644 index 000000000..4fe8986c2 --- /dev/null +++ b/etc/profile-a-l/gnome-mines.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for gnome-mines | ||
2 | # Description: The popular logic puzzle minesweeper | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-mines.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/gnome-mines | ||
10 | |||
11 | mkdir ${HOME}/.local/share/gnome-mines | ||
12 | whitelist ${HOME}/.local/share/gnome-mines | ||
13 | whitelist /usr/share/gnome-mines | ||
14 | |||
15 | private-bin gnome-mines | ||
16 | |||
17 | dbus-user.own org.gnome.Mines | ||
18 | |||
19 | # Redirect | ||
20 | include gnome_games-common.profile | ||
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile new file mode 100644 index 000000000..12bee6448 --- /dev/null +++ b/etc/profile-a-l/gnome-mplayer.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for gnome-mplayer | ||
2 | # Description: GTK/Gnome interface around MPlayer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-mplayer.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gnome-mplayer | ||
10 | noblacklist ${MUSIC} | ||
11 | noblacklist ${VIDEOS} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | caps.drop all | ||
22 | nogroups | ||
23 | nonewprivs | ||
24 | noroot | ||
25 | nou2f | ||
26 | protocol unix,inet,inet6 | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | # private-bin gnome-mplayer,mplayer | ||
31 | private-cache | ||
32 | private-dev | ||
33 | private-tmp | ||
34 | |||
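Review bot: `protocol unix,inet,inet6` at line 26 opens network sockets with no `netfilter`, and the profile drops the `apparmor`, `disable-mnt`, `tracelog` and `whitelist-*` includes present in its siblings without a comment; a media player that opens streams and plays from removable media may genuinely need some of this, but the reasons should be written down. At minimum `# private-bin gnome-mplayer,mplayer` at line 30 needs the reason it is disabled (gnome-music documents its equivalent with `# private-bin calls a file manager - whatever is installed!`), and `netfilter` should be added unless LAN discovery or raw sockets are required.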
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile new file mode 100644 index 000000000..f5d652732 --- /dev/null +++ b/etc/profile-a-l/gnome-mpv.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for celluloid (formerly GNOME MPV) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include celluloid.profile | ||
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile new file mode 100644 index 000000000..36b46897c --- /dev/null +++ b/etc/profile-a-l/gnome-music.profile | |||
@@ -0,0 +1,47 @@ | |||
1 | # Firejail profile for gnome-music | ||
2 | # Description: GNOME music player | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-music.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/gnome-music | ||
10 | noblacklist ${MUSIC} | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | ||
14 | include allow-python3.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-xdg.inc | ||
23 | |||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | netfilter | ||
30 | no3d | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | # private-bin calls a file manager - whatever is installed! | ||
43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp | ||
44 | private-dev | ||
45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg | ||
46 | private-tmp | ||
47 | |||
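Review bot: `private-etc` on line 45 lists `fonts` twice, and `netfilter` at line 29 is paired with `protocol unix` at line 37 so the filter never applies — pick `net none` if no network is needed, or `protocol unix,inet,inet6` if cover art or online metadata is wanted (presumably the reason), and drop the duplicate entry. `include allow-python2.inc` at line 13 re-enables the Python 2 interpreter for an application that, as far as I know, runs on Python 3 only; if no supported distribution ships a Python 2 entry point, removing it shrinks the interpreter surface the sandbox has to allow.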
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile new file mode 100644 index 000000000..33eb9c81a --- /dev/null +++ b/etc/profile-a-l/gnome-nettool.profile | |||
@@ -0,0 +1,48 @@ | |||
1 | # Firejail profile for gnome-nettool | ||
2 | # Description: Graphical interface for various networking tools | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-nettool.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist /usr/share/gnome-nettool | ||
18 | #include whitelist-common.inc -- see #903 | ||
19 | include whitelist-runuser-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.keep net_raw | ||
24 | ipc-namespace | ||
25 | machine-id | ||
26 | netfilter | ||
27 | no3d | ||
28 | nodvd | ||
29 | nogroups | ||
30 | # ping needs to elevate privileges, noroot and nonewprivs will kill it | ||
31 | #nonewprivs | ||
32 | #noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | #seccomp | ||
38 | #shell none | ||
39 | |||
40 | disable-mnt | ||
41 | private | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* | ||
45 | private-tmp | ||
46 | |||
47 | dbus-user none | ||
48 | dbus-system none | ||
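Review bot: `#seccomp` and `#shell none` at lines 37-38 are disabled without their own justification; the line-30 comment only explains `nonewprivs` and `noroot` (a setuid `ping`), and the default seccomp list does not block executing setuid binaries, so the filter should either be re-enabled or the comment extended to name the tool and syscall that broke. Since `caps.keep net_raw` at line 23 already retains the capability `ping` needs for raw sockets, it is worth checking whether `ping` on the target distributions is installed with file capabilities rather than setuid — in that case `nonewprivs` and `noroot` could return as well, and a comment such as `# ping: setuid on distro X, file caps on Y` would record what was verified.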
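--- /dev/null
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gnome-nibbles
+# Description: A worm game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+dbus-user.own org.gnome.Nibbles
+
+# Redirect
+include gnome_games-common.profile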
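--- /dev/null
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gnome-passwordsafe
+# Description: Password manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-passwordsafe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cracklib
+whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-passwordsafe,python3*
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,passwd
+private-tmp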
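Review bot: The profile ends without any `dbus-user` / `dbus-system` line, so the password manager keeps unrestricted session-bus access, while godot.profile and gnome-nettool.profile in this series close the bus with `dbus-user none` and `dbus-system none`. Whether gnome-passwordsafe needs D-Bus is not visible here; if it does not, those two lines after line 53 would remove a channel from a process that holds decrypted credentials, and if it does, the `dbus-user filter` plus explicit `dbus-user.talk` names used in gnome_games-common.profile is the narrower form. Either way a comment stating which was chosen and why would help the next maintainer.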
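--- /dev/null
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -0,0 +1,42 @@
+# Firejail profile for gnome-photos
+# Description: Access, organize and share your photos with GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-photos.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.local/share/gnome-photos
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gjs,gnome-photos
+private-dev
+private-tmp
+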
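--- /dev/null
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -0,0 +1,41 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pie.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-pie
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute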
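Review bot: Lines 11, 14 and 16 comment out `disable-common.inc`, `disable-interpreters.inc` and `disable-programs.inc` with no stated reason, which drops the baseline blacklists every other profile in this series starts from (gnome-schedule.profile line 21 notes that disable-common.inc is what blocks the terminal-based sandbox escape). That is a far larger weakening than the commented `net none` on line 20, which at least says why. Each disabled include should record what breaks, e.g. `#include disable-common.inc - <what breaks with it enabled>`, so the exclusion can be narrowed to a `noblacklist` of the specific path later instead of staying off wholesale.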
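--- /dev/null
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro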
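Review bot: Lines 22-25 list the whitelist includes as common, usr-share, runuser, var, whereas gnome-schedule.profile lines 41-44 and gnome_games-common.profile lines 17-20 use the alphabetical common, runuser, usr-share, var order; gnome-screenshot.profile lines 20-22 and gnome-todo.profile lines 21-24 have the same swap. Purely a matter of style, but since these profiles are reviewed largely by diffing them against each other, a consistent include order keeps such diffs to the lines that actually differ.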
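--- /dev/null
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gnome-recipes
+# Description: Recipe application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-recipes.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.cache/gnome-recipes
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+mkdir ${HOME}/.local/share/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.local/share/gnome-recipes
+whitelist /usr/share/gnome-recipes
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
+private-tmp
+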
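Review bot: Line 9 is a second consecutive blank line after the header block, and line 52 leaves a trailing blank line at end of file; every other profile in this series separates sections with a single blank line and ends on its last directive. godot.profile lines 36-37 have the same doubled blank. Cosmetic only, but it is the kind of thing that shows up in every later diff of the file.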
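--- /dev/null
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -0,0 +1,34 @@
+# Firejail profile for gnome-ring
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-ring.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-ring
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-dev
+private-tmp
+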
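Review bot: The header at lines 1-2 goes straight from the profile name to the overwrite notice and lacks the `# Description:` line that the other application profiles in this series carry; add `# Description: <one-line description of gnome-ring>` after line 1. The profile also omits `nou2f` and `novideo` that its siblings set; for a communications client `novideo` is plausibly deliberate, but a short comment such as `# needs webcam access` would make that explicit rather than leaving it to look like an oversight.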
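--- /dev/null
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-robots
+# Description: Based on classic BSD Robots
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-robots
+
+private-bin gnome-robots
+
+dbus-user.own org.gnome.Robots
+
+# Redirect
+include gnome_games-common.profile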
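--- /dev/null
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -0,0 +1,65 @@
+# Firejail profile for gnome-schedule
+# Description: Graphical interface to crontab and at for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-schedule.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnome/gnome-schedule
+
+# Needs at and crontab to read/write user cron
+noblacklist ${PATH}/at
+noblacklist ${PATH}/crontab
+
+# Needs access to these files/dirs
+noblacklist /etc/cron.allow
+noblacklist /etc/cron.deny
+noblacklist /etc/shadow
+noblacklist /var/spool/cron
+
+# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
+# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.gnome/gnome-schedule
+whitelist ${HOME}/.gnome/gnome-schedule
+whitelist /usr/share/gnome-schedule
+whitelist /var/spool/atd
+whitelist /var/spool/cron
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep chown,dac_override,setgid,setuid
+ipc-namespace
+machine-id
+#net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+writable-var
+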
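Review bot: Line 47 keeps `chown,dac_override,setgid,setuid`, line 18 un-blacklists `/etc/shadow`, and the profile has no `nonewprivs`, `noroot` or `seccomp` line at all, not even a commented one, whereas gnome-nettool.profile leaves `#nonewprivs` and `#noroot` in place with the reason on its line 30. Presumably the set-id `crontab` and `at` helpers allowed on lines 12-13 are what rule those options out, but the file does not say so, and a reader of line 18 cannot tell whether shadow access is needed by the application or only by those helpers. A comment next to line 47 such as `# crontab/at are set-id helpers: nonewprivs, noroot and seccomp are omitted because they break them, and /etc/shadow is un-blacklisted for the same reason` would record the trade-off in the file that makes it.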
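--- /dev/null
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp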
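--- /dev/null
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-sound-recorder
+# Description: simple sound recordings for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sound-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.local/share/Trash
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-tmp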
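--- /dev/null
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-sudoku
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-sudoku
+
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+
+private-bin gnome-sudoku
+
+dbus-user.own org.gnome.Sudoku
+
+# Redirect
+include gnome_games-common.profile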
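--- /dev/null
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -0,0 +1,58 @@
+# Firejail profile for gnome-system-log
+# Description: View your system logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-system-log.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/log
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
+# comment both 'nogroups' and 'noroot'
+# or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-system-log
+private-cache
+private-dev
+private-etc alternatives,fonts,localtime,machine-id
+private-lib
+private-tmp
+writable-var-log
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
+
+# comment this if you export logs to a file in your ${HOME}
+# or put 'ignore read-only ${HOME}' in your gnome-system-log.local
+read-only ${HOME}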
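Review bot: Line 47 `private-lib` carries no argument, while every other `private-lib` in this series names the libraries to keep (gnome-nettool.profile line 44, gnome-pie.profile line 38, gnome-recipes.profile line 50). If the argument-less form, which derives the library set from the `private-bin` programs, is what is intended here, a short comment saying so would stop the next reader from treating it as a truncated line; if a list was meant, it should be filled in. The comment block on lines 28-30 is a good model of the level of explanation the rest of the profile could use.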
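--- /dev/null
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-taquin
+# Description: A sliding puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-taquin
+
+private-bin gnome-taquin
+
+dbus-user.own org.gnome.Taquin
+
+# Redirect
+include gnome_games-common.profile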
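--- /dev/null
+++ b/etc/profile-a-l/gnome-tetravex.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-tetravex
+# Description: A simple puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+
+private-bin gnome-tetravex
+
+dbus-user.own org.gnome.Tetravex
+
+# Redirect
+include gnome_games-common.profile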
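--- /dev/null
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+
+read-only ${HOME}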
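--- /dev/null
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-twitch
+# Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-twitch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gnome-twitch
+noblacklist ${HOME}/.local/share/gnome-twitch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-twitch
+mkdir ${HOME}/.local/share/gnome-twitch
+whitelist ${HOME}/.cache/gnome-twitch
+whitelist ${HOME}/.local/share/gnome-twitch
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+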
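Review bot: Line 33 opens `protocol unix,inet,inet6` but the profile sets no `netfilter`, unlike the other network-using profiles in this series (gnome-recipes.profile line 33, gnome-weather.profile line 28, godot.profile line 24), and it also carries no `tracelog`, `private-etc` or `dbus-*` lines. Adding `netfilter` after line 25 would give this streaming client the same default packet filter as its siblings at no functional cost that is visible here; whether `private-etc` can be applied depends on what the app reads from /etc, which this diff does not show, so a comment noting that it was tried and why it was left out would be the next best thing.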
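--- /dev/null
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome-weather
+# Description: Access current conditions and forecasts
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-weather.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/libgweather
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin gjs,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
+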
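--- /dev/null
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none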
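Review bot: The header at lines 6-7 documents that `globals.local` is expected from the caller, but nothing in this file records the other half of the contract that the callers in this series rely on: gnome-nibbles, gnome-robots and gnome-taquin all put `ignore machine-id` and `ignore nosound` before the redirect, and every caller adds its own `dbus-user.own` name ahead of the `dbus-user filter` on line 45. A comment after line 7 such as `# callers may 'ignore machine-id' / 'ignore nosound' and add 'dbus-user.own <name>' before including this file` would make the shared profile self-describing for the next game that is added.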
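--- /dev/null
+++ b/etc/profile-a-l/godot.profile
@@ -0,0 +1,45 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/godot
+noblacklist ${HOME}/.config/godot
+noblacklist ${HOME}/.local/share/godot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+
+# private-bin godot
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none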
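--- /dev/null
+++ b/etc/profile-a-l/goobox.profile
@@ -0,0 +1,35 @@
+# Firejail profile for goobox
+# Description: CD player and ripper with GNOME 3 integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goobox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin goobox
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+# private-tmp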
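Review bot: Lines 11-16 list every disable-*.inc except `disable-exec.inc`, making goobox the only application profile in this chunk that omits it, and the profile also leaves out `disable-mnt` and `nodvd`. `nodvd` is obviously deliberate for a CD player and ripper, but the other two omissions are not explained; if they are needed (for instance because the drive or rip target lives under a mount point covered by `disable-mnt`), a comment such as `# disable-mnt omitted: <reason>` would record it, and otherwise `include disable-exec.inc` after line 12 and `disable-mnt` before line 32 would bring the file in line with its siblings.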
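--- /dev/null
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/google-chrome-beta
+noblacklist ${HOME}/.config/google-chrome-beta
+
+mkdir ${HOME}/.cache/google-chrome-beta
+mkdir ${HOME}/.config/google-chrome-beta
+whitelist ${HOME}/.cache/google-chrome-beta
+whitelist ${HOME}/.config/google-chrome-beta
+
+# Redirect
+include chromium-common.profile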
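--- /dev/null
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for google-chrome
+# This file is overwritten after every install/update
+
+# Redirect
+include google-chrome.profile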
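--- /dev/null
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome-unstable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-unstable.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/google-chrome-unstable
+noblacklist ${HOME}/.config/google-chrome-unstable
+
+mkdir ${HOME}/.cache/google-chrome-unstable
+mkdir ${HOME}/.config/google-chrome-unstable
+whitelist ${HOME}/.cache/google-chrome-unstable
+whitelist ${HOME}/.config/google-chrome-unstable
+
+# Redirect
+include chromium-common.profile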
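--- /dev/null
+++ b/etc/profile-a-l/google-chrome.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/google-chrome
+noblacklist ${HOME}/.config/google-chrome
+
+mkdir ${HOME}/.cache/google-chrome
+mkdir ${HOME}/.config/google-chrome
+whitelist ${HOME}/.cache/google-chrome
+whitelist ${HOME}/.config/google-chrome
+
+# Redirect
+include chromium-common.profile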
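--- /dev/null
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for google-earth
+# This file is overwritten after every install/update
+
+private-bin google-earth-pro
+
+# Redirect
+include google-earth.profile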
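--- /dev/null
+++ b/etc/profile-a-l/google-earth.profile
@@ -0,0 +1,51 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache
+noblacklist ${HOME}/.googleearth/Temp
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache
+mkdir ${HOME}/.googleearth/Temp
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache
+whitelist ${HOME}/.googleearth/Temp
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,dirname,google-earth,grep,ls,sed,sh
+private-dev
+private-opt google
+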
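Review bot: No `dbus-user none` / `dbus-system none` and no `private-tmp` appear after line 50, although the sibling profiles in this batch that already confine the binary with `private-bin` (gpicview, gtk-update-icon-cache, 0ad) set all three; if google-earth does not need the session bus, adding `dbus-user none` and `dbus-system none` after `private-opt google` would match them, otherwise a comment stating why they are omitted would help. `private-bin` on line 48 admits `bash` and `sh` next to `shell none`; presumably the google-earth launcher is a shell script, and a comment saying so would keep a later cleanup from dropping them. Line 51 is an empty trailing line, which gpredict.profile (line 40), gradio.profile (line 40), guayadeque.profile (line 34) and gummi.profile (line 19) also carry while the other profiles here end on their last directive.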
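--- /dev/null
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -0,0 +1,42 @@
+# Firejail profile for google-play-music-desktop-player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-play-music-desktop-player.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Google Play Music Desktop Player
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Google Play Music Desktop Player
+# whitelist ${HOME}/.config/pulse
+# whitelist ${HOME}/.pulse
+whitelist ${HOME}/.config/Google Play Music Desktop Player
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp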
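Review bot: `ignore noexec /tmp` on line 9 re-enables execution from /tmp inside the sandbox even though `disable-exec.inc` is pulled in on line 15, and the comment on line 8 only records that mpris breaks, not what has to be executed from /tmp; the comment should state the reason so a later reviewer can tell whether the exception is still required, e.g. `# mpris support breaks with noexec /tmp (reason: <fill in>); private-tmp keeps this /tmp sandbox-local`. `private-tmp` on line 42 is what limits the exposure of that executable /tmp, which is worth saying next to the ignore. The `netlink` entry in `protocol` on line 36 (also in guayadeque.profile line 27) is likewise unexplained while the other media profiles in this batch stop at `unix,inet,inet6`.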
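--- /dev/null
+++ b/etc/profile-a-l/gpa.profile
@@ -0,0 +1,33 @@
+# Firejail profile for gpa
+# Description: GNU Privacy Assistant (GPA)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-dev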
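Review bot: `# private-bin gpa,gpg` on line 32 is a hardening directive left commented out with no reason, unlike gucharmap.profile, which records `# breaks state saving` beside its disabled dbus lines; gpg-agent.profile line 50, gpg.profile line 46 and gwenview.profile lines 31, 43, 49 and 52 follow the same pattern. Either a short reason such as `# private-bin gpa,gpg - <why it breaks, fill in>` or removal of the dead line would keep the intent readable. Separately, `noblacklist ${HOME}/.gnupg` on line 9 is not paired with a `whitelist`, so the whole home directory stays visible to gpa, whereas gpg-agent.profile whitelists it (lines 22–23 there); if that is deliberate because gpa opens arbitrary files to sign or encrypt, a comment would help.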
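--- /dev/null
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gpg-agent
+# Description: GNU privacy guard - cryptographic agent
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg-agent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-cache
+private-dev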
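Review bot: `netfilter` on line 35 and `protocol unix,inet,inet6` on line 45 leave the agent with inet socket access, although the rest of the profile (X11 and wayland sockets blacklisted on lines 12–13, `disable-xdg.inc`, a `${HOME}/.gnupg`-only whitelist) is written for a process that only answers over its unix socket; if the inet protocols are kept for a known reason (keyserver traffic normally goes through dirmngr, not the agent, but that is not verifiable from here), a comment beside line 45 should say so, otherwise `net none` would match the profile's intent. `whitelist ${RUNUSER}/keyring` on line 25 is the one entry not obviously gpg-related and could carry a comment as well. `# private-bin gpg-agent,gpg` on line 50 is a commented-out hardening line without a reason.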
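--- /dev/null
+++ b/etc/profile-a-l/gpg.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gpg
+# Description: GNU Privacy Guard -- minimalist public key operations
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-cache
+private-dev
+
+# On Arch 'archlinux-keyring' needs read-write access to /etc/pacman.d/gnupg
+# and /usr/share/pacman/keyrings. Although this works, it makes
+# installing/upgrading archlinux-keyring extremely slow.
+read-write /etc/pacman.d/gnupg
+read-write /usr/share/pacman/keyrings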
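Review bot: The `read-write` lines 53–54 are unconditional, so every gpg run under this profile, not only the archlinux-keyring install the comment on lines 50–52 describes, gets write access to the distribution keyring directories, limited only by the invoking user's file permissions; the comment should state that this is accepted on non-Arch systems too, or the two lines could be suggested for gpg.local on systems that need them. The sentence `Although this works, it makes installing/upgrading archlinux-keyring extremely slow` is ambiguous about whether the slowness occurs with or without the read-write lines; if the intended meaning is that leaving them out still works but is slow, `# Without read-write access this still works but makes installing/upgrading archlinux-keyring extremely slow` would say so. `# private-bin gpg,gpg-agent` on line 46 is a commented-out hardening line with no reason recorded.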
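--- /dev/null
+++ b/etc/profile-a-l/gpg2.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gpg2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-bin gpg2
+
+# Redirect
+include gpg.profile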
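--- /dev/null
+++ b/etc/profile-a-l/gpicview.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gpicview
+# Description: Lightweight image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpicview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gpicview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/gpicview
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gpicview
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute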
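--- /dev/null
+++ b/etc/profile-a-l/gpredict.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gpredict
+# Description: Satellite tracking program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpredict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Gpredict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Gpredict
+whitelist ${HOME}/.config/Gpredict
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-tmp
+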
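Review bot: `novideo` is missing from the hardening list on lines 22–34 although every other profile in this batch sets it and `nosound` on line 28 is already there; unless gpredict uses a camera, add `novideo` after `notv` on line 29. The trailing empty line 40 can be dropped.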
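--- /dev/null
+++ b/etc/profile-a-l/gradio.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gradio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gradio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gradio
+noblacklist ${HOME}/.local/share/gradio
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+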
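Review bot: `nou2f` is absent from lines 25–36 while every sibling profile in this batch sets it; a radio client has no use for a U2F token, so add `nou2f` after `notv` on line 32. There is also no `private-dev` line, which the other media players here (guayadeque line 32, google-play-music-desktop-player line 41) set next to `private-tmp`; if gradio needs a device node that `private-dev` would hide, a comment would record it. Line 40 is a trailing empty line.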
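--- /dev/null
+++ b/etc/profile-a-l/gramps.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gramps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none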
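--- /dev/null
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none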
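--- /dev/null
+++ b/etc/profile-a-l/gsettings-data-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile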
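--- /dev/null
+++ b/etc/profile-a-l/gsettings-schema-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile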
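--- /dev/null
+++ b/etc/profile-a-l/gsettings.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings
+# Description: GSettings configuration tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include dconf.profile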
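--- /dev/null
+++ b/etc/profile-a-l/gtar.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for tar
+# This file is overwritten after every install/update
+
+# Redirect
+include tar.profile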
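--- /dev/null
+++ b/etc/profile-a-l/gthumb.profile
@@ -0,0 +1,36 @@
+# Firejail profile for gthumb
+# Description: Image viewer and browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gthumb.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gthumb
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+private-cache
+private-dev
+private-tmp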
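Review bot: `noblacklist ${HOME}/.Steam` and `noblacklist ${HOME}/.steam` on lines 10–11 re-expose the Steam directories to an image viewer without any comment; presumably the intent is browsing Steam screenshots, and a one-line comment such as `# allow browsing Steam screenshots (confirm)` would record it so the exception is not dropped or widened later. The profile has neither `net none` nor `netfilter` on lines 19–31; `protocol unix` on line 28 already keeps inet sockets out, but an explicit `net none` would state the intent the way gpicview.profile does, and `disable-exec.inc` is also absent from the include list on lines 13–17 while the other viewers in this batch pull it in.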
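--- /dev/null
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gtk-update-icon-cache
+# Description: Icon theme caching utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gtk-update-icon-cache.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gtk-update-icon-cache
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute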
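--- /dev/null
+++ b/etc/profile-a-l/guayadeque.profile
@@ -0,0 +1,34 @@
+# Firejail profile for guayadeque
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guayadeque.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.guayadeque
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin guayadeque
+private-dev
+private-tmp
+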
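--- /dev/null
+++ b/etc/profile-a-l/gucharmap.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gucharmap
+# Description: Unicode character picker and font browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gucharmap.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+#net none - breaks dbus
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-character-map,gucharmap
+private-cache
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg
+private-lib
+private-tmp
+
+# breaks state saving
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}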
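--- /dev/null
+++ b/etc/profile-a-l/gummi.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gummi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gummi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gummi
+noblacklist ${HOME}/.config/gummi
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python3.inc
+
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+
+# Redirect
+include latex-common.profile
+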
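--- /dev/null
+++ b/etc/profile-a-l/gunzip.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile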
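--- /dev/null
+++ b/etc/profile-a-l/gwenview.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gwenview
+# Description: Image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gwenview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/gwenviewrc
+noblacklist ${HOME}/.config/org.kde.gwenviewrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/gwenview
+noblacklist ${HOME}/.kde/share/config/gwenviewrc
+noblacklist ${HOME}/.kde4/share/apps/gwenview
+noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/org.kde.gwenview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# tracelog
+
+private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
+private-dev
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute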
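Review bot: Four hardening directives are commented out here with no reason recorded — `# net none` (line 31), `# tracelog` (line 43), `# dbus-user none` / `# dbus-system none` (lines 49–50) and `# memory-deny-write-execute` (line 52) — so a later maintainer cannot tell which of them were tried and broke something and which are merely placeholders; gucharmap.profile's `# breaks state saving` is the style to follow, e.g. `# net none - breaks <feature, fill in>`. `private-bin gimp*` on line 45 together with `noblacklist ${HOME}/.gimp*` and `gimp` in `private-etc` deliberately lets gwenview launch GIMP from the sandbox, which widens the profile considerably; a comment saying that this is for the "edit with" action (if that is the reason) would make the trade-off explicit. `private-tmp` is also absent from lines 45–47 although gthumb and gpicview set it.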
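--- /dev/null
+++ b/etc/profile-a-l/gzexe.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gzexe
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzexe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile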
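diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
new file mode 100644
index 000000000..8ec39d8ca
--- /dev/null
+++ b/etc/profile-a-l/gzip.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzip.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname gzip
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute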
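Review bot: `#noroot` on line 32 is disabled without the inline reason that sibling profiles give for commented-out options (hexchat writes `#machine-id -- breaks sound`), so a later maintainer cannot tell whether this is a known breakage or an oversight. Every other hardened profile in this series enables `noroot`; if gzip has to run in a root-owned context (the `/var/lib/pacman` noblacklist on line 13 hints at package-manager hooks, but that is an inference), record it as `#noroot - <reason>`. Otherwise enable it so the user namespace is dropped like in the neighbouring profiles.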
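diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
new file mode 100644
index 000000000..1e7ce2350
--- /dev/null
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+
+# Redirect
+include handbrake.profile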
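diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
new file mode 100644
index 000000000..0539ffcb8
--- /dev/null
+++ b/etc/profile-a-l/handbrake.profile
@@ -0,0 +1,39 @@
+# Firejail profile for handbrake
+# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include handbrake.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ghb
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none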
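Review bot: `protocol unix,inet,inet6,netlink` on line 31 is wider than the profile's own `net none` on line 25: with no network interfaces in the sandbox there is nothing for the inet, inet6 or netlink families to reach, so the socket filter should match the rest of the profile, `protocol unix`. If the extra families are kept for users who override `net none` from handbrake.local, a one-line comment saying so would make that intent explicit. The absence of `nodvd` is presumably deliberate for a DVD ripper; a short `# nodvd omitted: ripping needs the optical drive` would stop a later hardening pass from adding it.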
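diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
new file mode 100644
index 000000000..8ec67ff19
--- /dev/null
+++ b/etc/profile-a-l/hashcat.profile
@@ -0,0 +1,46 @@
+# Firejail profile for hashcat
+# Description: World's fastest and most advanced password recovery utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include hashcat.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+disable-mnt
+private-bin hashcat
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none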
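Review bot: `noblacklist /usr/include` on line 13 is the only entry in this series that re-exposes the system headers, and it carries no explanation; presumably it exists for the OpenCL runtime's run-time kernel compilation, but that is inferred from the program, not from the profile. A comment such as `# OpenCL kernels are compiled at run time and need the system headers` (or the actual reason) should sit above it. The profile also omits `apparmor`, which the neighbouring non-GUI profiles (gzip, host, img2txt) enable; if it is left out because of GPU device access, say so inline so the omission is not mistaken for an oversight.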
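diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
new file mode 100644
index 000000000..898a07a5f
--- /dev/null
+++ b/etc/profile-a-l/hedgewars.profile
@@ -0,0 +1,35 @@
+# Firejail profile for hedgewars
+# Description: Funny turn-based artillery game, featuring fighting hedgehogs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hedgewars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.hedgewars
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.hedgewars
+whitelist ${HOME}/.hedgewars
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+seccomp
+tracelog
+
+disable-mnt
+private-dev
+private-tmp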
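Review bot: The option block on lines 21-31 has no `protocol` line and no `shell none`, although it enables `netfilter` on line 22; every other networked profile in this series pins `protocol unix,inet,inet6` next to `netfilter`, and without it the seccomp filter leaves every socket family open. Add `protocol unix,inet,inet6` after `novideo` and `shell none` after `seccomp`, matching hexchat. `include disable-exec.inc` is also missing from the disable block on lines 11-15; if that was deliberate, a one-line comment there should record why.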
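diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
new file mode 100644
index 000000000..7723cbd6b
--- /dev/null
+++ b/etc/profile-a-l/hexchat.profile
@@ -0,0 +1,52 @@
+# Firejail profile for hexchat
+# Description: IRC client for X based on X-Chat 2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hexchat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/share/perl*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/hexchat
+whitelist ${HOME}/.config/hexchat
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+#machine-id -- breaks sound
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
+private-bin hexchat,python*
+private-dev
+#private-lib - python problems
+private-tmp
+
+# memory-deny-write-execute - breaks python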
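Review bot: `private-bin hexchat,python*` on line 47 does not include `perl`, yet line 10 re-exposes `/usr/share/perl*` and the debug note on line 46 itself says perl may be required; with `private-bin` active the perl interpreter is not reachable, so the perl noblacklist is either dead or the perl plugin is broken. Either add `perl` to the private-bin list or drop the `/usr/share/perl*` noblacklist together with the note, so the profile states one consistent position. `include allow-python2.inc` on line 13 also keeps an end-of-life interpreter reachable inside the sandbox; if current hexchat builds ship only the python3 plugin, dropping it tightens the profile at no cost.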
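diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
new file mode 100644
index 000000000..8d2987b62
--- /dev/null
+++ b/etc/profile-a-l/highlight.profile
@@ -0,0 +1,41 @@
+# Firejail profile for highlight
+# Description: Universal source code to formatted text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include highlight.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin highlight
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none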
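Review bot: `blacklist ${RUNUSER}/wayland-*` on line 9 is redundant once line 10 blacklists all of `${RUNUSER}`; keep only `blacklist ${RUNUSER}`. The disable block on lines 12-16 also omits `disable-exec.inc` and `disable-xdg.inc`, which the other command-line converters in this series (img2txt, and gzip for disable-exec) include, and for a tool that reads a source file and writes formatted text there is no evident reason to allow execution from writable locations. If Lua plugin support is the reason, a one-line comment next to the include list should record it.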
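diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
new file mode 100644
index 000000000..e5a5a7efa
--- /dev/null
+++ b/etc/profile-a-l/host.profile
@@ -0,0 +1,52 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute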
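Review bot: `private-bin bash,host,sh` on line 45 ships two shells into a sandbox for a single-purpose DNS client that also sets `shell none`; nothing in the file says that `host` is a shell wrapper on some distribution, which is the usual reason, so either state it inline (`# bash,sh: host is a wrapper script on <distro>`) or drop the shells. With `private` on line 44 and `memory-deny-write-execute` on line 52 the rest of the profile is among the tightest in the set, which makes the unexplained shells stand out.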
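diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
new file mode 100644
index 000000000..f8d9f999d
--- /dev/null
+++ b/etc/profile-a-l/hugin.profile
@@ -0,0 +1,41 @@
+# Firejail profile for hugin
+# Description: Panorama photo stitcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hugin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.hugin
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none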
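Review bot: The `private-bin` list on line 35 enumerates hugin's helper tools but, as far as I can tell, omits `enfuse` and `exiftool`, which hugin's stitching step invokes for exposure fusion and metadata copying alongside the listed `enblend`; if that is right, those stitches fail under `private-bin` with no obvious error. Verify against the hugin version being targeted and add them next to `enblend`. A comment above the list stating that it mirrors the binaries shipped by the hugin tools package would help whoever has to extend it later.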
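diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
new file mode 100644
index 000000000..1e3663b8f
--- /dev/null
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -0,0 +1,50 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/hyperrogue.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none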
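Review bot: `private-etc fonts,machine-id` on line 46 is minimal, yet the profile does not set `nosound`, so audio is expected to work; SDL audio backends typically read `/etc/pulse` or `/etc/asound.conf`, none of which are listed, and the `alternatives`/`ld.so.cache` entries that the gwenview profile's `private-etc` carries are absent as well. Please confirm sound and start-up work under this profile on the target distribution, then either extend the list or add `nosound` to make the choice explicit. A comment recording that test would keep the list from being changed back and forth.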
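diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
new file mode 100644
index 000000000..9ffdb9e9b
--- /dev/null
+++ b/etc/profile-a-l/i2prouter.profile
@@ -0,0 +1,71 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
+
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+whitelist /usr/sbin/wrapper*
+
+include whitelist-common.inc
+
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-tmp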
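Review bot: `noroot` is absent from the option block on lines 51-65 with no comment, while `ignore noexec ${HOME}` on line 15 already relaxes the sandbox for a network-facing daemon; together the router keeps the user's real uid namespace and an executable home directory. If `noroot` breaks the java wrapper, record it as `#noroot - <reason>` in the style of the commented `#apparmor` on lines 48-50; otherwise add it. The per-version `java-N-openjdk` entries in `private-etc` on line 70 will also go stale silently with each JDK release, so a comment noting that the list must be extended when a new OpenJDK lands would help.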
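diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
new file mode 100644
index 000000000..c1ca0e413
--- /dev/null
+++ b/etc/profile-a-l/i3.profile
@@ -0,0 +1,18 @@
+# Firejail profile for i3
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i3.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+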
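Review bot: The comment on line 9, `# all applications started in awesome will run in this profile`, is carried over from the awesome profile and names the wrong window manager; it should read `# all applications started in i3 will run in this profile`. That sentence carries the real security point of this file — everything launched from the window manager inherits this deliberately loose sandbox — so it is worth keeping accurate. Line 18 is a trailing blank line that the other profiles in the series do not end with.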
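diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
new file mode 100644
index 000000000..a99c603bd
--- /dev/null
+++ b/etc/profile-a-l/iagno.profile
@@ -0,0 +1,39 @@
+# Firejail profile for iagno
+# Description: Reversi clone for Gnome desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iagno.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin iagno
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none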
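Review bot: `# dbus-user none` and `# dbus-system none` on lines 38-39 are commented out without a reason, unlike the other disabled options in this series that state what they break; for a GNOME game the likely cause is GSettings or shell integration over the session bus, but that is an inference. Record it inline once confirmed, e.g. `# dbus-user none - breaks gsettings`, so the open user bus is a documented decision rather than a leftover. If the firejail version in use supports `dbus-user filter`, restricting to the specific well-known names the game needs would be a tighter alternative to leaving the bus fully reachable.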
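diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
new file mode 100644
index 000000000..660343a29
--- /dev/null
+++ b/etc/profile-a-l/icecat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for icecat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icecat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+mkdir ${HOME}/.cache/mozilla/icecat
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/icecat
+whitelist ${HOME}/.mozilla
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
+
+# Redirect
+include firefox-common.profile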
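Review bot: `whitelist ${HOME}/.mozilla` on line 14 grants the whole Mozilla tree, so an icecat sandbox can read and modify any Firefox profiles, cookies and saved logins stored under the same directory. If icecat keeps its data in a subdirectory (`~/.mozilla/icecat` is the conventional location, but verify against the build being packaged), narrowing lines 9, 12 and 14 to `${HOME}/.mozilla/icecat` isolates the two browsers the way the cache path on lines 11 and 13 already does. If the broad whitelist has to stay, a one-line comment should say why.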
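diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
new file mode 100644
index 000000000..19690cd5a
--- /dev/null
+++ b/etc/profile-a-l/icedove.profile
@@ -0,0 +1,28 @@
+# Firejail profile for icedove
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icedove.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+noblacklist ${HOME}/.cache/icedove
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.icedove
+
+mkdir ${HOME}/.cache/icedove
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.icedove
+whitelist ${HOME}/.cache/icedove
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.icedove
+include whitelist-common.inc
+
+ignore private-tmp
+
+# allow browsers
+# Redirect
+include firefox.profile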
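Review bot: `ignore private-tmp` on line 24 cancels a restriction inherited from firefox.profile with no comment saying what needs a shared /tmp; the other overrides in this series state their reason. Likewise `noblacklist`/`whitelist ${HOME}/.gnupg` on lines 13, 17 and 20 hands the mail client the user's entire private keyring, presumably for OpenPGP mail, but a one-line note such as `# .gnupg: needed for OpenPGP mail` would make that trade-off visible to whoever later tightens the profile. Both points are documentation only; the whitelist structure itself is consistent with the rest of the set.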
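diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
new file mode 100644
index 000000000..badd2648a
--- /dev/null
+++ b/etc/profile-a-l/iceweasel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for iceweasel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iceweasel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
+
+# Redirect
+include firefox.profile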
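diff --git a/etc/profile-a-l/idea.profile b/etc/profile-a-l/idea.profile
new file mode 100644
index 000000000..4e43bb629
--- /dev/null
+++ b/etc/profile-a-l/idea.profile
@@ -0,0 +1,10 @@
+# Firejail profile for idea
+# This file is overwritten after every install/update
+# Persistent local customizations
+include idea.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include idea.sh.profile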
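diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
new file mode 100644
index 000000000..a7d0d531f
--- /dev/null
+++ b/etc/profile-a-l/idea.sh.profile
@@ -0,0 +1,40 @@
+# Firejail profile for idea.sh
+# This file is overwritten after every install/update
+# Persistent local customizations
+include idea.sh.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.IdeaIC*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+# private-tmp
+
+noexec /tmp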
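Review bot: `noblacklist ${HOME}/.ssh` on line 13 exposes the user's SSH private keys to the whole IDE sandbox, including every plugin and build tool it launches, with no comment saying why; the usual need is git over ssh, which a dedicated deploy key or an agent socket would satisfy without handing over the keyring. At minimum annotate it (`# .ssh: git push/pull over ssh`) and consider pairing it with `read-only ${HOME}/.ssh` so a compromised plugin cannot tamper with `authorized_keys` or `config`. `# private-tmp` on line 38 is also disabled without a reason, although `noexec /tmp` on line 40 suggests sharing /tmp is deliberate; say what needs it.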
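diff --git a/etc/profile-a-l/ideaIC.profile b/etc/profile-a-l/ideaIC.profile
new file mode 100644
index 000000000..7e1778f58
--- /dev/null
+++ b/etc/profile-a-l/ideaIC.profile
@@ -0,0 +1,10 @@
+# Firejail profile for ideaIC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ideaIC.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include idea.sh.profile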
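diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
new file mode 100644
index 000000000..91a60c188
--- /dev/null
+++ b/etc/profile-a-l/imagej.profile
@@ -0,0 +1,41 @@
+# Firejail profile for imagej
+# Description: Image processing program with a focus on microscopy images
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imagej.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.imagej
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none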
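Review bot: `private-bin` on line 36 pulls in bash, a dozen coreutils and `update-java-alternatives`, but nothing in the file says these serve the `imagej` launcher script rather than the program itself; a comment such as `# the imagej launcher is a shell script and needs the utilities below` would justify the list and the `shell none` choice next to it. `update-java-alternatives` is an administrative tool that needs root to change anything, so under `noroot` and `caps.drop all` it can at most be used to query installed JVMs; confirm the launcher actually calls it and drop it otherwise. The disable block on lines 14-19 also lacks `disable-xdg.inc`, which most neighbouring GUI profiles include.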
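diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
new file mode 100644
index 000000000..ae03fc8bc
--- /dev/null
+++ b/etc/profile-a-l/img2txt.profile
@@ -0,0 +1,52 @@
+# Firejail profile for img2txt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include img2txt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/imlib2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# private-bin img2txt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute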
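Review bot: `# private-bin img2txt` on line 44 is disabled without a reason, while the neighbouring profiles document their disabled options (inkscape: `# private-bin inkscape,potrace,python* - problems on Debian stretch`). Either enable it — with `x11 none`, `net none` and `memory-deny-write-execute` already set, a private bin is the obvious remaining step for a one-binary converter — or append the breakage, `# private-bin img2txt - <reason>`, so the next maintainer does not have to rediscover it.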
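diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
new file mode 100644
index 000000000..af82fb059
--- /dev/null
+++ b/etc/profile-a-l/impressive.profile
@@ -0,0 +1,57 @@
+# Firejail profile for impressive
+# Description: presentation tool with eye candy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include impressive.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/opengl-games-utils
+whitelist /usr/share/zenity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache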
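Review bot: `#include globals.local` on line 7 is commented out, but unlike the redirect profiles that do the same (gzexe, icedove, idea) this file includes no other profile, so a user's global definitions are silently never applied to impressive. Restore `include globals.local` as in inkscape's line 7, or if the omission is deliberate add a comment stating the real reason — the usual `# added by included profile` would be false here. The `noblacklist /sbin` and `/usr/sbin` lines 10-11 also lack a note on which sbin tool the presentation viewer needs; naming it would let the pair be narrowed later.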
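diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
new file mode 100644
index 000000000..f14868668
--- /dev/null
+++ b/etc/profile-a-l/inkscape.profile
@@ -0,0 +1,61 @@
+# Firejail profile for inkscape
+# Description: Vector-based drawing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkscape.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/inkscape
+noblacklist ${HOME}/.config/inkscape
+noblacklist ${HOME}/.inkscape
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow exporting .xcf files
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/inkscape
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin inkscape,potrace,python* - problems on Debian stretch
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute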
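Review bot: Lines 17-18 are two consecutive blank lines; the rest of the series separates sections with a single one. The GIMP noblacklists on lines 15-16 are well commented, but `include allow-python2.inc` on line 20 is not, and it keeps an end-of-life interpreter reachable inside the sandbox — if the packaged Inkscape's extensions are python3-only, drop it, otherwise name the extension that still needs it. `# memory-deny-write-execute` on line 61 is also disabled without the `- breaks python` reason that hexchat gives for the same option.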
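diff --git a/etc/profile-a-l/inkview.profile b/etc/profile-a-l/inkview.profile
new file mode 100644
index 000000000..4f88b0258
--- /dev/null
+++ b/etc/profile-a-l/inkview.profile
@@ -0,0 +1,11 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include inkscape.profile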
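diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
new file mode 100644
index 000000000..1b3db73b4
--- /dev/null
+++ b/etc/profile-a-l/inox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for inox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/inox
+noblacklist ${HOME}/.config/inox
+
+mkdir ${HOME}/.cache/inox
+mkdir ${HOME}/.config/inox
+whitelist ${HOME}/.cache/inox
+whitelist ${HOME}/.config/inox
+
+# Redirect
+include chromium-common.profile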
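--- /dev/null
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for iridium
+# This file is overwritten after every install/update
+
+# Redirect
+include iridium.profile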
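--- /dev/null
+++ b/etc/profile-a-l/iridium.profile
@@ -0,0 +1,17 @@
+# Firejail profile for iridium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iridium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/iridium
+noblacklist ${HOME}/.config/iridium
+
+mkdir ${HOME}/.cache/iridium
+mkdir ${HOME}/.config/iridium
+whitelist ${HOME}/.cache/iridium
+whitelist ${HOME}/.config/iridium
+
+# Redirect
+include chromium-common.profile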
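--- /dev/null
+++ b/etc/profile-a-l/itch.profile
@@ -0,0 +1,42 @@
+# Firejail profile for itch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include itch.local
+# Persistent global definitions
+include globals.local
+
+# itch.io has native firejail/sandboxing support bundled in
+# See https://itch.io/docs/itch/using/sandbox/linux.html
+
+noblacklist ${HOME}/.itch
+noblacklist ${HOME}/.config/itch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.itch
+mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
+whitelist ${HOME}/.config/itch
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp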
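Review bot: `noexec /tmp` on line 42 is the only noexec directive in the profile and it stands alone after `private-tmp` with no comment saying what it guards, while the neighbouring jitsi-meet-desktop.profile explicitly reverses the same directive; a one-line note such as `# noexec /tmp - keep downloaded archives from being executed from the scratch dir (confirm)` would make the intent reviewable. The profile also omits `include disable-exec.inc`, `tracelog` and `dbus-user none`, which every other full profile in this batch carries; if that is deliberate because installed games are executed from `${HOME}/.itch` (line 11), say so next to line 8, e.g. `# disable-exec.inc omitted: games run from ${HOME}/.itch`.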
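--- /dev/null
+++ b/etc/profile-a-l/jd-gui.profile
@@ -0,0 +1,44 @@
+# Firejail profile for jd-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jd-gui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin bash,jd-gui,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none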
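Review bot: `private-bin bash,jd-gui,sh` on line 38 does not list a JVM binary, although line 11 pulls in allow-java.inc precisely so Java can run; if `jd-gui` is a launcher script that execs `java` from `/usr/bin`, that binary will be absent inside the private bin directory and the program will fail to start. Either confirm that jd-gui ships its own runtime under a path private-bin does not mask, or extend the list to `private-bin bash,java,jd-gui,sh`, and record which it is in a comment next to line 38 so the next reader does not have to re-check.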
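--- /dev/null
+++ b/etc/profile-a-l/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jdownloader.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include JDownloader.profile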
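--- /dev/null
+++ b/etc/profile-a-l/jerry.profile
@@ -0,0 +1,43 @@
+# Firejail profile for jerry
+# Description: Chess GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jerry.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/dkl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bash,jerry,sh,stockfish
+private-dev
+private-etc fonts,gtk-2.0,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute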
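Review bot: `nou2f` is missing between `notv` (line 28) and `novideo` (line 29), while every other desktop profile in this batch lists it and a chess GUI has no use for a U2F token; add `nou2f` there to keep the device surface consistent with the rest of the hardening block. `noblacklist ${HOME}/.config/dkl` on line 9 also looks unrelated to the program name, so if that really is where jerry keeps its settings a short comment would help, e.g. `# jerry stores its settings under ~/.config/dkl`.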
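--- /dev/null
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Jitsi Meet
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+nowhitelist ${DOWNLOADS}
+
+mkdir ${HOME}/.config/Jitsi Meet
+
+whitelist ${HOME}/.config/Jitsi Meet
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+seccomp !chroot
+
+disable-mnt
+private-bin bash,jitsi-meet-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include electron.profile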
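Review bot: `ignore noexec /tmp` on line 9 and `seccomp !chroot` on line 29 both relax the sandbox inherited from electron.profile without a stated reason; each should name the component that breaks without it (the Electron setuid/namespace sandbox is the usual reason for `!chroot`, but that is an inference to confirm). A comment such as `# ignore noexec /tmp - <component> must execute from /tmp` and `# seccomp !chroot - <component> needs chroot` keeps both exceptions reviewable when the base profile changes.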
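--- /dev/null
+++ b/etc/profile-a-l/jitsi.profile
@@ -0,0 +1,32 @@
+# Firejail profile for jitsi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jitsi
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-tmp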
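Review bot: `nou2f` is absent from the hardening block (lines 19-28) even though the other profiles in this batch carry it and a conferencing client has no U2F use; add it after `notv`. `${HOME}/.jitsi` is noblacklisted on line 8 but never whitelisted and `whitelist-common.inc` is not included, so the whole home directory stays visible to the process; if that is intended (sharing files during calls), a comment saying so would help, otherwise `mkdir ${HOME}/.jitsi`, `whitelist ${HOME}/.jitsi` and `include whitelist-common.inc` in the pattern of itch.profile would narrow it.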
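--- /dev/null
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -0,0 +1,15 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-python3.inc
+
+private-bin jumpnbump-menu,python3*
+
+# Redirect
+include jumpnbump.profile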
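Review bot: `include allow-python3.inc` on line 10 has to stay above the redirect on line 15, because its noblacklist entries must be read before the `disable-interpreters.inc` that jumpnbump.profile pulls in; nothing in the file says so, so add `# must precede the redirect: noblacklist only works before the matching blacklist` to protect the ordering from a later tidy-up. Also worth confirming that `python3*` runs under the `private-etc none` inherited from jumpnbump.profile, since the interpreter gets no /etc at all there.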
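--- /dev/null
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -0,0 +1,49 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jumpnbump
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none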
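--- /dev/null
+++ b/etc/profile-a-l/k3b.profile
@@ -0,0 +1,37 @@
+# Firejail profile for k3b
+# Description: Sophisticated CD/DVD burning application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include k3b.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/k3brc
+noblacklist ${HOME}/.kde/share/config/k3brc
+noblacklist ${HOME}/.kde4/share/config/k3brc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+# net none
+netfilter
+no3d
+# nonewprivs - breaks privileged helpers
+# noroot - breaks privileged helpers
+nosound
+notv
+novideo
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
+shell none
+
+private-dev
+# private-tmp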
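Review bot: Lines 23-33 keep `sys_rawio` and leave `seccomp`, `noroot` and `nonewprivs` off, so this sandbox confines far less than its neighbours, yet the header (lines 1-7) gives no hint of that; a reader picking profiles by name deserves an up-front note such as `# NOTE: burning needs raw device access, so seccomp/noroot/nonewprivs are disabled - expect weaker confinement`. `# net none` on line 24 and `# private-tmp` on line 37 are commented out without the `- breaks privileged helpers` reason the surrounding lines carry; either state the reason or drop the dead lines.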
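--- /dev/null
+++ b/etc/profile-a-l/kaffeine.profile
@@ -0,0 +1,42 @@
+# Firejail profile for kaffeine
+# Description: Versatile media player for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kaffeine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.local/share/kaffeine
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# private-bin kaffeine
+private-dev
+private-tmp
+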
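Review bot: Line 42 is a trailing blank line at end of file; the same trailing blank appears in kdeinit4.profile (line 36) and keepass.profile (line 44), and kcalc.profile has a doubled blank at lines 8-9 — drop them for consistency with the other files in this batch. `# private-bin kaffeine` on line 39 is also commented out without a reason, unlike `# private-lib - problems on Arch` in kcalc.profile; note what breaks, e.g. `# private-bin kaffeine - breaks <helper>, confirm`, or remove the line.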
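--- /dev/null
+++ b/etc/profile-a-l/kalgebra.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kalgebra
+# Description: 2D and 3D Graph Calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebra.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kalgebrarc
+noblacklist ${HOME}/.local/share/kalgebra
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kalgebramobile
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp !chroot
+shell none
+# tracelog
+
+disable-mnt
+private-bin kalgebra,kalgebramobile
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none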
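Review bot: `seccomp !chroot` on line 37 and `# tracelog` on line 39 record no reason, and for a graph calculator the chroot exception is not self-explanatory, so it should name the component that fails without it. Add something like `# seccomp !chroot - <component> needs chroot (see <issue>)` and either a reason for `# tracelog` or remove that dead line, matching the `- problems on Arch` style used in kcalc.profile.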
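--- /dev/null
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -0,0 +1,5 @@
+# Firejail profile for kalgebramobile
+# This file is overwritten after every install/update
+
+# Redirect
+include kalgebra.profile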
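--- /dev/null
+++ b/etc/profile-a-l/karbon.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+# Redirect
+include krita.profile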
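--- /dev/null
+++ b/etc/profile-a-l/kate.profile
@@ -0,0 +1,53 @@
+# Firejail profile for kate
+# Description: Powerful text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kate.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/katemetainfos
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.local/share/kate
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin kate,kbuildsycoca4,kdeinit4
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+join-or-start kate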
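Review bot: `ignore noexec ${HOME}` on line 9 and the commented-out options on lines 20, 22, 28, 30, 45, 47, 50 and 51 carry no reason, unlike the `- breaks privileged helpers` annotations in k3b.profile; leaving `disable-devel.inc` and `disable-interpreters.inc` off and allowing execution from home is a deliberate trade-off for an editor and should be stated, e.g. `# ignore noexec ${HOME} - <reason>` and `# include disable-devel.inc - <what breaks>`. `join-or-start kate` on line 53 would also benefit from the one-line explanation keepassxc.profile gives for the same directive.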
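--- /dev/null
+++ b/etc/profile-a-l/kcalc.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kcalc
+# Description: Simple and scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kcalc.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkfile ${HOME}/.config/kcalcrc
+mkfile ${HOME}/.kde/share/config/kcalcrc
+mkfile ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.config/kcalcrc
+whitelist ${HOME}/.kde/share/config/kcalcrc
+whitelist ${HOME}/.kde4/share/config/kcalcrc
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin kcalc
+private-dev
+# private-lib - problems on Arch
+private-tmp
+
+dbus-user none
+dbus-system none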
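--- /dev/null
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -0,0 +1,36 @@
+# Firejail profile for kdeinit4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdeinit4.local
+# Persistent global definitions
+include globals.local
+
+# use outside KDE Plasma 4
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+# nosound - disabled for knotify
+noroot
+nou2f
+novideo
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
+private-dev
+private-tmp
+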
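Review bot: `# use outside KDE Plasma 4` on line 8 is ambiguous — it can be read either as "this profile is for kdeinit4 started outside a Plasma 4 session" or as "only use this outside Plasma 4", and the two have different consequences for users; spell out the intended meaning, e.g. `# Intended for kdeinit4 launched outside a KDE Plasma 4 session (e.g. by a KDE app under another desktop)`, after confirming which it is. Line 36 is a trailing blank line at end of file.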
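--- /dev/null
+++ b/etc/profile-a-l/kdenlive.profile
@@ -0,0 +1,40 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none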
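Review bot: `ignore noexec ${HOME}` on line 9 re-enables execution from the home directory without saying what needs it (render scripts or MLT helpers are a guess — confirm), so add `# ignore noexec ${HOME} - <component> must execute from ${HOME}`. `# net none` on line 24 is commented out, yet `protocol unix,netlink` on line 31 already rules out inet sockets and there is no `netfilter`, so the process keeps the host network namespace without being able to use it; either restore `net none` or record why the namespace must stay, e.g. `# net none - breaks <component>`. The absence of `private-tmp`, present in every other full profile here, deserves the same one-line justification.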
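--- /dev/null
+++ b/etc/profile-a-l/keepass.profile
@@ -0,0 +1,44 @@
+# Firejail profile for keepass
+# Description: An easy-to-use password manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepass.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/KeePass
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+noblacklist ${HOME}/.local/share/KeePass
+noblacklist ${HOME}/.local/share/keepass
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+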
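Review bot: This profile leaves network access open (`netfilter` on line 27, `protocol unix,inet,inet6,netlink` on line 37) whereas keepassx.profile and keepassxc.profile pin `net none`; for a password manager the network-capable sandbox is the larger exposure, so either state what needs it (update check, plugins) in a comment or switch to `net none`. It also has no `private-bin`, no home whitelist and no `dbus-user none`, all of which the sibling profiles carry; if the Mono runtime rules those out, a one-line comment would save the next reviewer the comparison. Line 44 is a trailing blank line.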
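--- /dev/null
+++ b/etc/profile-a-l/keepass2.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for keepass
+# This file is overwritten after every install/update
+
+# Redirect
+include keepass.profile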
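--- /dev/null
+++ b/etc/profile-a-l/keepassx.profile
@@ -0,0 +1,50 @@
+# Firejail profile for keepassx
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin keepassx,keepassx2
+private-dev
+private-etc alternatives,fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute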
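--- /dev/null
+++ b/etc/profile-a-l/keepassx2.profile
@@ -0,0 +1,6 @@
+# Firejail profile for keepassx2
+# Description: Cross platform password manager
+# This file is overwritten after every install/update
+
+# Redirects
+include keepassx.profile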
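--- /dev/null
+++ b/etc/profile-a-l/keepassxc-cli.profile
@@ -0,0 +1,11 @@
+# Firejail profile for keepassxc-cli
+# Description: command line interface for KeePassXC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepassxc.profile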
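--- /dev/null
+++ b/etc/profile-a-l/keepassxc-proxy.profile
@@ -0,0 +1,10 @@
+# Firejail profile for keepassxc-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-proxy.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepassxc.profile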
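Review bot: Line 1 reads `# Firejail profile for keepassxc-cli` but this file is keepassxc-proxy.profile, a copy-paste leftover from the cli redirect; change it to `# Firejail profile for keepassxc-proxy`. A `# Description:` line like the one keepassxc-cli.profile has on its line 2 would also tell the two redirects apart at a glance.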
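--- /dev/null
+++ b/etc/profile-a-l/keepassxc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.keepassxc
+# 2.2.4 needs this path when compiled with "Native messaging browser extension"
+noblacklist ${HOME}/.mozilla
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/keepassxc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+#
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id
+private-tmp
+
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+# dbus-user none
+# dbus-system none
+
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc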
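Review bot: Lines 34-37 are an orphaned copy of the comment at lines 55-57: they say "you can safely uncomment it", but the line that follows is `nogroups`, which is active, and the option they actually describe is the commented `dbus-user none` / `dbus-system none` at lines 58-59; drop lines 34-37 so the warning sits only where it applies. Separately, `noblacklist ${HOME}/.mozilla` on line 14 exposes the entire browser profile (cookies, session store, saved logins) to the password-manager process; if the native-messaging build only needs the host manifest directory, confirm that and narrow the entry to `noblacklist ${HOME}/.mozilla/native-messaging-hosts`, keeping the version note from line 13.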
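--- /dev/null
+++ b/etc/profile-a-l/kfind.profile
@@ -0,0 +1,47 @@
+# Firejail profile for kfind
+# Description: File search utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kfind.local
+# Persistent global definitions
+include globals.local
+
+# searching in blacklisted or masked paths fails silently
+# adjust filesystem restrictions as necessary
+
+# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/kfindrc
+# noblacklist ${HOME}/.kde/share/config/kfindrc
+# noblacklist ${HOME}/.kde4/share/config/kfindrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,kfind
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none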
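Review bot: `# net none` on line 27 is commented out with no reason given, yet `protocol unix` on line 38 already refuses inet/inet6 sockets, so the `netfilter` rule on line 28 guards traffic the sandbox cannot open in the first place; either use `net none` (as klatexformula and ktouch in this commit do) or record why it was disabled, in the style of kwrite's `# nosound - KWrite is using ALSA!`, e.g. `# net none - breaks <feature>`. The same `netfilter` next to `protocol unix` appears in kino, and krita and kwrite repeat the undocumented commented-out `# net none`.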
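--- /dev/null
+++ b/etc/profile-a-l/kget.profile
@@ -0,0 +1,41 @@
+# Firejail profile for kget
+# Description: Download manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kget.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+private-tmp
+
+# memory-deny-write-execute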
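Review bot: A download manager that handles untrusted remote content runs here without `shell none`, `tracelog` or `apparmor`, all of which sibling profiles in this commit (kid3, konversation, ktorrent) set at least in part; adding `shell none` after line 36 would match them, and if any of the three broke kget the profile should say so. `# memory-deny-write-execute` on line 41 is commented out with no reason; a note such as `# memory-deny-write-execute - breaks <feature>` keeps it from being re-enabled blindly. ktorrent and konversation carry the same undocumented commented-out `memory-deny-write-execute`.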
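--- /dev/null
+++ b/etc/profile-a-l/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+
+# Redirect
+include kid3.profile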
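--- /dev/null
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+
+noblacklist ${HOME}/.config/Kid3
+
+# Redirect
+include kid3.profile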
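--- /dev/null
+++ b/etc/profile-a-l/kid3.profile
@@ -0,0 +1,47 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute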
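Review bot: `private-etc` on line 39 omits `ld.so.cache`, which the other Qt/KDE profiles in this commit that use `private-etc` (keepassxc, kiwix-desktop, kwin_x11, kwrite) all include; if kid3 starts and loads its plugins without it this is only an inconsistency, but since that list is the entire /etc the sandbox sees it is worth a test rather than an assumption. kid3-qt and kid3-cli redirect here, so the same list applies to them.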
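--- /dev/null
+++ b/etc/profile-a-l/kino.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kino
+# Description: Non-linear editor for Digital Video data
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kino.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kino-history
+noblacklist ${HOME}/.kinorc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+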
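--- /dev/null
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -0,0 +1,51 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none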
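Review bot: `seccomp !chroot` on line 41 punches a hole in the syscall filter without saying why, whereas kmail's exemption list in this same commit carries a comment explaining its syscalls; add the reason on the line above, e.g. `# chroot is needed by the embedded browser engine's own sandbox` if that is what requires it. `# no3d` and `# nosound` on lines 31 and 36 are likewise commented out without a rationale, so a reader cannot tell whether they were tried and failed or simply never enabled.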
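--- /dev/null
+++ b/etc/profile-a-l/klatexformula.profile
@@ -0,0 +1,45 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none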
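--- /dev/null
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+
+# Redirect
+include klatexformula.profile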
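--- /dev/null
+++ b/etc/profile-a-l/klavaro.profile
@@ -0,0 +1,54 @@
+# Firejail profile for klavaro
+# Description: Yet another touch typing tutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klavaro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/klavaro
+noblacklist ${HOME}/.local/share/klavaro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/klavaro
+mkdir ${HOME}/.config/klavaro
+whitelist ${HOME}/.local/share/klavaro
+whitelist ${HOME}/.config/klavaro
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,klavaro,sh,tclsh,tclsh*
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none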
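Review bot: `private-bin bash,klavaro,sh,tclsh,tclsh*` on line 45 ships two shells into a sandbox that otherwise sets `shell none` and `disable-exec.inc`; if klavaro launches helper scripts through bash/sh, say so on the line (`# bash,sh: needed for klavaro's tcl helper scripts`, if that is the reason) so a later cleanup does not drop them, and if it does not, drop them, because an interpreter in `private-bin` is the simplest way for anything inside the sandbox to run code. `tclsh*` already matches `tclsh`, so the bare `tclsh` entry is redundant.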
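--- /dev/null
+++ b/etc/profile-a-l/kmail.profile
@@ -0,0 +1,60 @@
+# Firejail profile for kmail
+# Description: Full featured graphical email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmail.local
+# Persistent global definitions
+include globals.local
+
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
+# tracelog
+
+private-dev
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user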
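Review bot: `# apparmor` on line 41 and `# tracelog` on line 55 are disabled with no reason recorded, while `# private-tmp` on line 58 and the seccomp exemptions on line 54 both say exactly what they are for; give the two silent ones the same treatment, e.g. `# apparmor - breaks <what fails>`, or a reader will not know whether re-enabling them is safe. The profile also sets no `shell none`, unlike most of the KDE profiles in this commit. Since knotes redirects into this file, every `noblacklist` above (including `${HOME}/.gnupg` on line 22), `writable-run-user` and the seccomp exemptions apply to knotes as well.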
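--- /dev/null
+++ b/etc/profile-a-l/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
+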
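Review bot: The header on line 1 reads `# Firejail profile for mplayer`, but this file is kmplayer.profile; change it to `# Firejail profile for kmplayer` so readers and any tooling that greps profile headers are not misled. `# private-bin kmplayer,mplayer` on line 37 is commented out with no reason, and unlike kid3 in the same commit the profile sets neither `dbus-user none` nor `private-etc`; if those omissions are deliberate for a media player, a one-line comment would save the next person from re-trying them.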
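--- /dev/null
+++ b/etc/profile-a-l/knotes.profile
@@ -0,0 +1,17 @@
+# Firejail profile for knotes
+# Description: Sticky notes application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include knotes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
+
+noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/knotes
+
+# Redirect
+include kmail.profile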
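Review bot: The redirect on line 17 pulls in all of kmail.profile, so a sticky-notes application inherits `noblacklist ${HOME}/.gnupg`, every akonadi noblacklist, `writable-run-user` and kmail's `seccomp !chroot,...` exemptions; that is a much wider sandbox than the two noblacklists on lines 13–14 suggest. A comment on the redirect such as `# knotes shares kmail's sandbox because both depend on akonadi` would record that the widening is intentional rather than accidental, and flag which of the inherited allowances knotes actually needs.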
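--- /dev/null
+++ b/etc/profile-a-l/kodi.profile
@@ -0,0 +1,44 @@
+# Firejail profile for kodi
+# Description: Open Source Home Theatre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kodi.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.kodi
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp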
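--- /dev/null
+++ b/etc/profile-a-l/konversation.profile
@@ -0,0 +1,42 @@
+# Firejail profile for konversation
+# Description: User friendly Internet Relay Chat (IRC) client for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include konversation.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.kde/share/config/konversationrc
+noblacklist ${HOME}/.kde4/share/config/konversationrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,konversation
+private-cache
+private-dev
+private-tmp
+
+# memory-deny-write-execute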
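--- /dev/null
+++ b/etc/profile-a-l/kopete.profile
@@ -0,0 +1,38 @@
+# Firejail profile for kopete
+# Description: Instant messaging and chat application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kopete.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/kopete
+noblacklist ${HOME}/.kde/share/config/kopeterc
+noblacklist ${HOME}/.kde4/share/apps/kopete
+noblacklist ${HOME}/.kde4/share/config/kopeterc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/lib/winpopup
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+
+private-dev
+private-tmp
+writable-var
+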
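Review bot: `writable-var` on line 37 makes the whole of /var writable from inside a network-facing chat client, with no comment on why; the `whitelist /var/lib/winpopup` on line 21 suggests it exists for the WinPopup plugin, so record that on the line (`# writable-var is needed for the winpopup plugin`, if that is indeed the reason), since otherwise it reads as a leftover. The profile also lacks `shell none`, which the other KDE chat profile in this commit (konversation) sets.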
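--- /dev/null
+++ b/etc/profile-a-l/krita.profile
@@ -0,0 +1,51 @@
+# Firejail profile for krita
+# Description: Pixel-based image manipulation program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krita.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none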
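--- /dev/null
+++ b/etc/profile-a-l/krunner.profile
@@ -0,0 +1,38 @@
+# Firejail profile for krunner
+# Description: Framework for providing different actions given a string query
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krunner.local
+# Persistent global definitions
+include globals.local
+
+# - programs started in krunner run with this generic profile.
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+#   with its own profile, if it is sandboxed automatically.
+
+# noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+# noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/krunnerrc
+noblacklist ${HOME}/.kde/share/config/krunnerrc
+noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+# include disable-passwdmgr.inc
+# include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# private-cache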
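Review bot: Lines 23–26 leave `disable-devel.inc`, `disable-interpreters.inc`, `disable-passwdmgr.inc` and `disable-programs.inc` switched off, and the comment on lines 9–11 says programs started from krunner inherit this profile; that means any launched program without its own sandbox gets a full view of password-manager stores, interpreters and other programs' configuration, which is a much weaker sandbox than the rest of the commit. Record that trade-off next to the commented includes, e.g. `# disable-*.inc left off: programs launched from krunner must see their own data`, so nobody "fixes" it by re-enabling them without testing the launcher. `shell none` is also absent here, and `disable-exec.inc` is not included even as a comment.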
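--- /dev/null
+++ b/etc/profile-a-l/ktorrent.profile
@@ -0,0 +1,60 @@
+# Firejail profile for ktorrent
+# Description: BitTorrent client based on the KDE platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktorrent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktorrentrc
+noblacklist ${HOME}/.kde/share/apps/ktorrent
+noblacklist ${HOME}/.kde/share/config/ktorrentrc
+noblacklist ${HOME}/.kde4/share/apps/ktorrent
+noblacklist ${HOME}/.kde4/share/config/ktorrentrc
+noblacklist ${HOME}/.local/share/ktorrent
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.kde/share/apps/ktorrent
+mkdir ${HOME}/.kde4/share/apps/ktorrent
+mkdir ${HOME}/.local/share/ktorrent
+mkfile ${HOME}/.config/ktorrentrc
+mkfile ${HOME}/.kde/share/config/ktorrentrc
+mkfile ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ktorrentrc
+whitelist ${HOME}/.kde/share/apps/ktorrent
+whitelist ${HOME}/.kde/share/config/ktorrentrc
+whitelist ${HOME}/.kde4/share/apps/ktorrent
+whitelist ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${HOME}/.local/share/ktorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin kbuildsycoca4,kdeinit4,ktorrent
+private-dev
+# private-lib - problems on Arch
+private-tmp
+
+# memory-deny-write-execute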
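--- /dev/null
+++ b/etc/profile-a-l/ktouch.profile
@@ -0,0 +1,52 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none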
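--- /dev/null
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -0,0 +1,45 @@
+# Firejail profile for kwin_x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwin_x11.local
+# Persistent global definitions
+include globals.local
+
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+
+noblacklist ${HOME}/.cache/kwin
+noblacklist ${HOME}/.config/kwinrc
+noblacklist ${HOME}/.config/kwinrulesrc
+noblacklist ${HOME}/.local/share/kwin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin kwin_x11
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp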
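Review bot: The comment on lines 8–9 has a typo (`automatical` should be `automatic`) and does not say what the suggested shell line achieves; presumably it makes Plasma start the window manager by the name `kwin_x11` so that firejail's automatic sandboxing catches it, in which case the comment should say so, e.g. `# To have kwin_x11 sandboxed automatically, set KDEWM=kwin_x11 in ~/.pam_environment`. As with kfind, `netfilter` on line 27 sits next to `protocol unix` on line 36, so `net none` would be the clearer choice unless something needs the network namespace. This profile also lacks a `# Description:` line, which every other non-alias profile in the commit carries.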
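--- /dev/null
+++ b/etc/profile-a-l/kwrite.profile
@@ -0,0 +1,53 @@
+# Firejail profile for kwrite
+# Description: Simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwrite.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/kwriterc
+noblacklist ${HOME}/.local/share/kwrite
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound - KWrite is using ALSA!
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,kdeinit4,kwrite
+private-dev
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+join-or-start kwrite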
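Review bot: `join-or-start kwrite` on line 53 carries no rationale, whereas the keepassxc profile in this commit explains its `join-or-start` with the /tmp mutex broken by `private-tmp`; say why a second kwrite should join the first sandbox, and note the consequence that, if I read join-or-start correctly, a later edit to kwrite.local only takes effect once the first instance has exited. `# dbus-user none` and `# dbus-system none` on lines 50–51 are commented out without a reason, in contrast to the well-documented `# nosound - KWrite is using ALSA!` on line 36.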
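--- /dev/null
+++ b/etc/profile-a-l/latex-common.profile
@@ -0,0 +1,41 @@
+# Firejail profile for latex-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/lib
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none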
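Review bot: `whitelist /var/lib` on line 16 exposes the whole of /var/lib without a comment saying which subtree the TeX tools actually need (presumably a system texmf/font cache under /var/lib — verify), and next to `include whitelist-var-common.inc` it is the one entry a reader will question. Narrowing it to the specific directory, or at least adding `# TeX needs its system cache under /var/lib — TODO narrow to the exact path` above it, would document the intent.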
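--- /dev/null
+++ b/etc/profile-a-l/latex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for latex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex.local
+# Persistent global definitions
+include globals.local
+
+private-bin latex
+
+# Redirect
+include latex-common.profile
+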
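--- /dev/null
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+# Redirect
+include gzip.profile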
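--- /dev/null
+++ b/etc/profile-a-l/lbzcat.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+# Redirect
+include gzip.profile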
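--- /dev/null
+++ b/etc/profile-a-l/lbzip2.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+# Redirect
+include gzip.profile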
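--- /dev/null
+++ b/etc/profile-a-l/leafpad.profile
@@ -0,0 +1,40 @@
+# Firejail profile for leafpad
+# Description: GTK+ based simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include leafpad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/leafpad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin leafpad
+private-dev
+private-lib
+private-tmp
+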
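Review bot: The profile sets no D-Bus policy — there is no `dbus-user none` / `dbus-system none` pair, unlike the other offline profiles added in this commit (lmms, lincity-ng, lugaru), and no comment saying whether leafpad needs the session bus. With `net none` and `private-lib` already applied, the session bus is one of the few remaining channels out of the sandbox; either add the two lines or document the omission with something like `# dbus left open: <reason> — TODO confirm`. The profile also lacks `tracelog`, which its neighbours carry.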
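--- /dev/null
+++ b/etc/profile-a-l/less.profile
@@ -0,0 +1,52 @@
+# Firejail profile for less
+# Description: Pager program similar to more
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include less.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.lesshst
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
+# Enable private-bin and private-lib if you are not using any filter.
+# private-bin less
+# private-lib
+private-cache
+private-dev
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst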
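Review bot: `#noroot` on line 28 is disabled without a reason, while lines 39–42 explain every other relaxed restriction; a comment such as `# noroot disabled: <reason> — TODO document` would keep the next reader from re-enabling it blindly (or from assuming it was an oversight). Line 10 `blacklist ${RUNUSER}/wayland-*` is also subsumed by line 11 `blacklist ${RUNUSER}`, so the narrower entry either can go or deserves a note on why it is kept. Note too that this profile omits `disable-common.inc` and `disable-programs.inc`, which every other profile here includes; if that is deliberate because less is used as a pager for arbitrary files, say so next to the include block.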
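--- /dev/null
+++ b/etc/profile-a-l/libreoffice.profile
@@ -0,0 +1,49 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
+# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
+protocol unix,inet,inet6
+# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
+seccomp
+shell none
+# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
+tracelog
+
+private-dev
+private-tmp
+
+join-or-start libreoffice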
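Review bot: `noblacklist /usr/local/sbin` on line 9 has no comment explaining what LibreOffice needs from a system sbin directory, and it is the only profile visible here that re-exposes one; a one-line reason (or `# TODO: re-check whether /usr/local/sbin is still needed`) should sit above it. The include list on lines 17–21 also omits `disable-interpreters.inc`, which every neighbouring profile carries — presumably for Python/Basic macro support, but that should be stated the way lines 12–14 state the Java exception. Finally the profile sets no `dbus-user`/`dbus-system` policy; with `netfilter` and `protocol unix,inet,inet6` both open, documenting why D-Bus is left unrestricted would help the next maintainer.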
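--- /dev/null
+++ b/etc/profile-a-l/liferea.profile
@@ -0,0 +1,53 @@
+# Firejail profile for liferea
+# Description: Feed/news/podcast client with plugin support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include liferea.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/liferea
+noblacklist ${HOME}/.config/liferea
+noblacklist ${HOME}/.local/share/liferea
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/liferea
+mkdir ${HOME}/.config/liferea
+mkdir ${HOME}/.local/share/liferea
+whitelist ${HOME}/.cache/liferea
+whitelist ${HOME}/.config/liferea
+whitelist ${HOME}/.local/share/liferea
+whitelist /usr/share/liferea
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp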
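Review bot: `# no3d`, `# nosound` and `# novideo` on lines 37, 42 and 45 are commented out with no reason, so a reader cannot tell whether they were found to break the program or were simply never tested; a note such as `# no3d/nosound/novideo left off: needed for the embedded web view and podcast playback — TODO confirm` would settle that. The profile also has no `dbus-user`/`dbus-system` line even though a desktop feed reader is likely to use the session bus for notifications (inferred from the description, not visible here); either `dbus-user none` or a comment explaining the omission is due.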
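--- /dev/null
+++ b/etc/profile-a-l/lightsoff.profile
@@ -0,0 +1,16 @@
+# Firejail profile for lightsoff
+# Description: GNOME Lightsoff game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+dbus-user.own org.gnome.LightsOff
+
+# Redirect
+include gnome_games-common.profile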
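--- /dev/null
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -0,0 +1,47 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none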
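--- /dev/null
+++ b/etc/profile-a-l/links.profile
@@ -0,0 +1,66 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute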
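Review bot: The commented `# private-etc alsa,asound.conf,machine-id,openal,pulse` on line 63 is presented by lines 61–62 as something to uncomment for media players, but a second `private-etc` directive does not necessarily extend the one on line 60 — depending on how firejail treats repeated `private-etc` lines it may replace it, which would silently drop ca-certificates, nsswitch.conf and resolv.conf from a web browser. Either fold the media entries into the single list behind a comment, or say explicitly that they must be appended to line 60 rather than uncommented as a separate line (the lines 55–56 wording for `private-bin` already uses the "append" phrasing and could be mirrored). Line 61 also reads `Uncomment the following line ... allow external` and is missing a "to" before "allow".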
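--- /dev/null
+++ b/etc/profile-a-l/linphone.profile
@@ -0,0 +1,43 @@
+# Firejail profile for linphone
+# Description: SIP softphone - graphical client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include linphone.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+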
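Review bot: `no3d` (line 28) and `novideo` (line 35) are set on a SIP softphone with no comment, so it is not clear whether video calling was deliberately disabled or simply not considered; since `nosound` is correctly left out for audio, the video choice deserves an explicit note such as `# video calls disabled on purpose; put 'ignore novideo' in linphone.local to allow the webcam`. The profile also omits `tracelog`, `include whitelist-var-common.inc` and any `dbus-user`/`dbus-system` policy that the neighbouring profiles carry, and nothing says why.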
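--- /dev/null
+++ b/etc/profile-a-l/lmms.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lmms
+# Description: Linux Multimedia Studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lmms.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lmmsrc.xml
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none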
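--- /dev/null
+++ b/etc/profile-a-l/lobase.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile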
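--- /dev/null
+++ b/etc/profile-a-l/localc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile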
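--- /dev/null
+++ b/etc/profile-a-l/lodraw.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile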
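--- /dev/null
+++ b/etc/profile-a-l/loffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile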
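--- /dev/null
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile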
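--- /dev/null
+++ b/etc/profile-a-l/loimpress.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile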
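--- /dev/null
+++ b/etc/profile-a-l/lollypop.profile
@@ -0,0 +1,42 @@
+# Firejail profile for lollypop
+# Description: Music player for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lollypop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/lollypop
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+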
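Review bot: `nodvd` is absent from the restriction list on lines 26–37 — it is the only full profile in this part of the commit without it, and nothing says whether a music player needs the optical drive (CD playback would be the one reason; if so, say so with `# nodvd left off: audio CD playback`). The profile also sets no `dbus-user`/`dbus-system` policy although a GNOME music player presumably owns an MPRIS name on the session bus; lightsoff.profile in this same commit shows the `dbus-user.own` idiom for granting exactly that. Either add the lines or comment why they are left out.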
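--- /dev/null
+++ b/etc/profile-a-l/lomath.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile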
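--- /dev/null
+++ b/etc/profile-a-l/loweb.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile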
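--- /dev/null
+++ b/etc/profile-a-l/lowriter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile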
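--- /dev/null
+++ b/etc/profile-a-l/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile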
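--- /dev/null
+++ b/etc/profile-a-l/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile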
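--- /dev/null
+++ b/etc/profile-a-l/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile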
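--- /dev/null
+++ b/etc/profile-a-l/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile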
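--- /dev/null
+++ b/etc/profile-a-l/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile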
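--- /dev/null
+++ b/etc/profile-a-l/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile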
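--- /dev/null
+++ b/etc/profile-a-l/lugaru.profile
@@ -0,0 +1,51 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+
+# note: crashes after entering
+
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none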
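Review bot: `# note: crashes after entering` on line 9 does not say what is entered (the game, a level, a menu?) or which restriction is suspected, so nobody can act on it or tell whether the profile is known-broken; rewrite it along the lines of `# note: crashes when <action> — suspected cause <restriction>, TODO bisect with 'ignore <option>' in lugaru.local` filled in with the actual details. Line 39 `protocol unix,netlink` under `net none` also deserves a word on why netlink sockets are needed without a network, since none of the other games in this commit allow it.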
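--- /dev/null
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -0,0 +1,39 @@
+# Firejail profile for luminance-hdr
+# Description: Graphical user interface providing a workflow for HDR imaging
+# This file is overwritten after every install/update
+# Persistent local customizations
+include luminance-hdr.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Luminance
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
+private-cache
+private-dev
+private-tmp
+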
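Review bot: `#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack` on line 35 is disabled with no reason, unlike the commented lines in less.profile and links.profile that explain themselves; add why it is off (e.g. `# private-bin disabled: <reason> — TODO confirm`) so the next maintainer knows whether re-enabling is safe. The `netfilter`/`protocol unix` point raised on kwrite.profile applies here too (lines 21 and 30): with inet sockets already blocked, either `net none` or a comment would make the intent clear.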
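--- /dev/null
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -0,0 +1,38 @@
+# Firejail profile for lximage-qt
+# Description: Image viewer for LXQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lximage-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/lximage-qt
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+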
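Review bot: Line 17 `include whitelist-var-common.inc` is glued to the disable-*.inc block instead of standing in its own group as in every other profile in this commit, which makes the whitelist step easy to miss when scanning; separate it with a blank line. The profile also omits `tracelog` and any `dbus-user`/`dbus-system` line, so an image viewer that already has `net none` still has the session bus open — add `dbus-user none` and `dbus-system none`, or comment why they are left out.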
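--- /dev/null
+++ b/etc/profile-a-l/lxmusic.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lxmusic
+# Description: LXDE music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lxmusic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/xmms2
+noblacklist ${HOME}/.config/xmms2
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+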
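--- /dev/null
+++ b/etc/profile-a-l/lynx.profile
@@ -0,0 +1,41 @@
+# Firejail profile for lynx
+# Description: Classic non-graphical (text-mode) web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lynx.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin lynx
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp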
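Review bot: The commented-out `private-bin lynx` (line 37) and `private-etc …` (line 40) carry no explanation, so a reader cannot tell whether they broke the browser or were simply left untested; a short trailing note such as `# private-bin lynx - disabled: <reason, e.g. external viewers/helper programs>` records the decision and tells the next maintainer whether re-enabling is worth trying. The profile also omits `disable-exec.inc`, which every other non-alias profile in this chunk includes; for a browser that can save downloaded files under the home directory, a noexec home/tmp is the mitigation that matters most for saved content, so if it was left out on purpose that deserves a comment as well.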
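--- /dev/null
+++ b/etc/profile-a-l/lzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile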
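--- /dev/null
+++ b/etc/profile-a-l/lzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile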
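--- /dev/null
+++ b/etc/profile-a-l/lzdiff.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include cpio.profile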
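Review bot: `lzdiff.profile` is the only cpio alias in this run without the `quiet` line that `lzcat`, `lzcmp`, `lzegrep`, `lzfgrep`, `lzgrep`, `lzip`, `lzless`, `lzma`, `lzmainfo` and `lzmore` all carry between the header and `# Redirect`, which is also why its blob id differs from theirs. Unless the omission is deliberate, add `quiet` after line 3 so the aliases stay byte-identical and `lzdiff` does not print the sandbox startup messages the other xz wrappers suppress. `lzmadec.profile` later in the chunk also lacks `quiet`, but it redirects to `xzdec.profile`, which may set it itself — worth checking rather than assuming.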
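--- /dev/null
+++ b/etc/profile-a-l/lzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile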
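--- /dev/null
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile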
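--- /dev/null
+++ b/etc/profile-a-l/lzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile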
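--- /dev/null
+++ b/etc/profile-a-l/lzip.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile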
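--- /dev/null
+++ b/etc/profile-a-l/lzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile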
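--- /dev/null
+++ b/etc/profile-a-l/lzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile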
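--- /dev/null
+++ b/etc/profile-a-l/lzmadec.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xzdec
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include xzdec.profile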
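--- /dev/null
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile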
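--- /dev/null
+++ b/etc/profile-a-l/lzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile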