Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/balsa.profile | 78 | ||||
-rw-r--r-- | etc/profile-a-l/celluloid.profile | 6 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-freeworld.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/cola.profile | 10 | ||||
-rw-r--r-- | etc/profile-a-l/dbus-send.profile | 59 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/electron-mail.profile | 8 | ||||
-rw-r--r-- | etc/profile-a-l/eo-common.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/eog.profile | 9 | ||||
-rw-r--r-- | etc/profile-a-l/equalx.profile | 63 | ||||
-rw-r--r-- | etc/profile-a-l/fdns.profile | 8 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/flameshot.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/fractal.profile | 54 | ||||
-rw-r--r-- | etc/profile-a-l/geary.profile | 12 | ||||
-rw-r--r-- | etc/profile-a-l/git-cola.profile | 29 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-builder.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-passwordsafe.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/hedgewars.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/kazam.profile | 54 | ||||
-rw-r--r-- | etc/profile-a-l/kube.profile | 81 |
21 files changed, 467 insertions, 29 deletions
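diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
new file mode 100644
index 000000000..a401ac592
--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini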
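Review bot: `# disable-mnt` on new line 60 is left commented out with no reason given, while the disabled options elsewhere in this commit carry one (`# Breaks abstract sockets` in dbus-send.profile, `# Breaks meld as diff viewer` in git-cola.profile); kube.profile new line 65 has the same unexplained line. A fully whitelisted mail client like this one rarely needs the removable-media and mount directories that `disable-mnt` hides, so either enable it or record why it must stay off, e.g. `# disable-mnt - kept off because <reason>`. If mounts must stay visible, `include disable-write-mnt.inc`, which this commit adds to eo-common.profile, is a narrower middle ground than leaving them fully writable.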
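diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 54d3f742f..888367899 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -28,12 +28,8 @@ mkdir ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc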
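Review bot: The five explicit `whitelist` lines for ${DESKTOP}, ${DOWNLOADS}, ${MUSIC}, ${PICTURES} and ${VIDEOS} are replaced by `include whitelist-players.inc` (new line 32), whose contents are not part of this commit, so it cannot be checked here that the set of exposed user directories is unchanged. Since the home whitelist is this profile's main boundary around user data, it is worth confirming the include exposes exactly these directories and nothing the profile did not grant before.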
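diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
new file mode 100644
index 000000000..a1de85afa
--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,5 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile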
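diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
new file mode 100644
index 000000000..e5debfd82
--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file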
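diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
new file mode 100644
index 000000000..76a14d99b
--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}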
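Review bot: `read-only ${HOME}` on new line 59 sits under `private` (new line 50), which already replaces the home directory with an empty temporary one, so the read-only mount only applies to that throwaway directory and adds little. If it is meant as defence in depth for the case where a user's dbus-send.local drops `private`, a comment should say so, e.g. `# home is already a temporary dir via private; read-only is kept in case private is ignored locally`; otherwise the line can go. The `# Breaks abstract sockets` note on `#net none` is the kind of annotation the other disabled options in this commit should also get.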
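diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 74314cf92..7eb7660dd 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc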
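diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 39366470f..5957d4316 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/electron-mail
 
-whitelist ${DOWNLOADS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,8 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -45,12 +45,12 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
 # breaks tray functionality
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 # memory-deny-write-execute - breaks on Arch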
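Review bot: New line 53 keeps `# dbus-user none` disabled because of the tray, so while `dbus-system none` is now enforced the session bus stays completely unfiltered for a mail client. Other profiles in this commit (balsa, fractal) use `dbus-user filter` with explicit `dbus-user.talk` names instead of all-or-nothing; a filter that allows only what the tray icon needs (presumably `org.freedesktop.Notifications` and the StatusNotifier watcher name, `org.kde.StatusNotifierWatcher` — to be confirmed on a desktop with a tray) would be narrower than leaving the bus open. At minimum the comment should point in that direction, e.g. `# dbus-user none breaks tray functionality; prefer dbus-user filter with the tray's names`.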
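diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e8b49a395 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc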
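diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 0d0153fc2..aabef65fc 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,9 +15,12 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
-dbus-user filter
-dbus-user.own org.gnome.eog
-dbus-user.talk ca.desrt.dconf
+
+# broken on Debian 10 (buster) running LXDE got the folowing error:
+# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
+#dbus-user filter
+#dbus-user.own org.gnome.eog
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # Redirect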
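Review bot: New lines 21-23 disable `dbus-user filter` for every user because of a failure seen on one distribution/desktop combination (Debian 10 with LXDE), which drops the session-bus restriction that gnome-passwordsafe.profile gains in this very commit. A narrower fix is to keep the filter active in the profile and document the workaround for affected users, `ignore dbus-user filter` in eog.local, which is the same `ignore` mechanism geary.profile already uses. The comment on new line 19 also has a typo and reads awkwardly; suggested wording: `# Broken on Debian 10 (buster) running LXDE; eog fails with the following error:`.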
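diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
new file mode 100644
index 000000000..58b053041
--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
+# Firejail profile for equalx
+# Description: A graphical editor for writing LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include equalx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/equalx
+noblacklist ${HOME}/.equalx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/equalx
+mkdir ${HOME}/.equalx
+whitelist ${HOME}/.config/equalx
+whitelist ${HOME}/.equalx
+whitelist /usr/share/poppler
+whitelist /usr/share/ghostscript
+whitelist /usr/share/texlive
+whitelist /usr/share/equalx
+whitelist /var/lib/texmf
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin equalx,gs,pdflatex,pdftocairo
+private-cache
+private-dev
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute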
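Review bot: `private-bin equalx,gs,pdflatex,pdftocairo` on new line 54 deliberately contains no shell, and together with `include disable-shell.inc` (line 18) that is what keeps pdflatex's shell-escape mechanism from having anything to run inside the sandbox; this is a property worth stating so a later "make X work" change does not add `sh` or `bash` to the list. Suggested comment above the line: `# No shell in private-bin on purpose: keeps pdflatex shell-escape and gs from spawning commands`. `net none` and `memory-deny-write-execute` (lines 38 and 63) are good complements for a document-rendering tool and need no change.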
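diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 179540806..31cb1776c 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -29,20 +29,20 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# noroot
+noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 #seccomp
 #shell none
 
 disable-mnt
 private
 private-bin bash,fdns,sh
-# private-cache
+private-cache
-private-dev
+#private-dev
 private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp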
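Review bot: `private-dev` is switched off on new line 45 (`#private-dev`) with no reason recorded, and `#seccomp` / `#shell none` on lines 38-39 remain disabled equally silently, in the profile of a network-facing DNS resolver where the syscall filter would matter most. Disabled options elsewhere in this commit say why (`# Breaks abstract sockets` in dbus-send.profile); the same should be done here, e.g. `#private-dev - breaks <what fails with it enabled>` and a matching note on `#seccomp`. The added `netlink` protocol on line 37 presumably accompanies the `noroot` change and should be mentioned in that note if so.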
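diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 337311ed8..ce2013c57 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 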
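diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 7c41417ec..357354e70 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${PICTURES}
 noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
 whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -53,4 +57,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
 dbus-system none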
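diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
new file mode 100644
index 000000000..ab907eb0d
--- /dev/null
+++ b/etc/profile-a-l/fractal.profile
@@ -0,0 +1,54 @@
+# Firejail profile for fractal
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fractal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/fractal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/fractal
+whitelist ${HOME}/.cache/fractal
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin fractal
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Fractal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none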
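Review bot: This profile omits `nosound`, `no3d`, `novideo` and `machine-id`, all of which the sibling new profiles balsa.profile and kube.profile in this commit set, and the `private-etc` list on new line 46 includes `alsa`, `asound.conf` and `pulse`, so audio access appears to be intended. Because a reader cannot tell an intentional omission from a forgotten line, a one-line comment in the options block would make the choice explicit, e.g. `# nosound/no3d/novideo not set: needed for audio/video messages - confirm`. The `dbus-user filter` block on lines 49-54 follows the same pattern as balsa.profile and looks consistent.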
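diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index fa01d04b7..118ed62ca 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,24 +10,24 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-ignore dbus-user none
+ignore dbus-user filter
 ignore dbus-system none
 ignore private-tmp
 
-noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/geary
+noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/geary
 
-mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/geary
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/geary
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
+whitelist /usr/share/geary
 
 read-only ${HOME}/.config/mimeapps.list
 
-whitelist /usr/share/geary
-
 # allow Mozilla browsers
 # Redirect
 include firefox.profile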
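Review bot: New line 13 changes `ignore dbus-user none` to `ignore dbus-user filter`, which, given the redirect to firefox.profile on line 33, presumably strips whatever session-bus filter that profile applies and leaves Geary with an unrestricted user bus. The other mail clients added in this commit (balsa.profile, kube.profile) instead keep `dbus-user filter` and grant only `ca.desrt.dconf`, `org.freedesktop.secrets` and `org.freedesktop.Notifications`; if Geary needs a small set of names beyond firefox's, adding `dbus-user.talk`/`dbus-user.own` lines here is narrower than ignoring the filter. If the ignore is really required, a comment saying which name the filter blocked would let a later reviewer tighten it again.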
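diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 30e80f519..4708078dd 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
 # Put your editor,diff viewer config path below and uncomment to load settings
@@ -28,7 +29,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
+whitelist /usr/share/git
+whitelist /usr/share/git-cola
+whitelist /usr/share/git-core
+whitelist /usr/share/git-gui
+whitelist /usr/share/gitk
+whitelist /usr/share/gitweb
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -49,18 +62,22 @@ seccomp
 shell none
 tracelog
 
-# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+# Add your own diff viewer,editor,pinentry program
+# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-# Comment if you sign commits with GPG
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
+writable-run-user
 
-dbus-user filter
+# Breaks meld as diff viewer
+# dbus-user filter
 # Uncomment if you need keyring access
 # dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.ssh
-read-only ${HOME}/.gnupg
 read-only ${HOME}/.git-credentials
+
+# Comment if you need to allow hosts
+read-only ${HOME}/.ssh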
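Review bot: New line 66 is a truncated copy of the gpg comment used in balsa.profile and kube.profile: it starts in the middle of the pinentry list and ends with a dangling `"`, so the instruction it is meant to give (add these programs to private-bin) is lost; suggested form: `# Add "pinentry-curses,...,pinentry-kwallet" to private-bin for gpg` with the full list kept. The third hunk also drops `read-only ${HOME}/.gnupg` (old line 65) while keeping `.ssh` and `.git-credentials` read-only, so the GnuPG home becomes writable inside the sandbox; that is presumably needed by the newly added `gpg-agent`, and a comment recording that would stop the read-only line from being reinstated by mistake. Finally, `# Comment if you need to allow hosts` on new line 82 is unclear — if it refers to ssh updating its known_hosts file, `# Comment if ssh needs to write ~/.ssh/known_hosts` says so directly.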
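diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 7a684dd59..8f637902c 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,6 +6,8 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.bash_history
+
 noblacklist ${HOME}/.cache/gnome-builder
 noblacklist ${HOME}/.config/gnome-builder
 noblacklist ${HOME}/.local/share/gnome-builder
@@ -34,3 +36,5 @@ seccomp
 shell none
 
 private-dev
+
+read-write ${HOME}/.bash_history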
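Review bot: New lines 9 and 40 expose the host's `~/.bash_history` read-write to the sandboxed IDE without saying why. Shell history routinely contains tokens and passwords typed on the host command line, so this widens what the sandbox can read in a way the next maintainer should understand; a comment such as `# Builder's integrated terminal reads/writes the host bash history, which may contain secrets typed outside the sandbox` would document the trade-off. Separating the new `noblacklist` from the other three with a blank line (new line 10) also breaks the grouping used in the rest of the file.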
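diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 615be7873..ed430b654 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -52,3 +52,8 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,passwd
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.PasswordSafe
+dbus-user.talk ca.desrt.dconf
+dbus-system none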
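diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..8ac07d3da 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.hedgewars
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc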
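diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..9899ff195
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+
+dbus-system none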
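Review bot: `ignore noexec ${HOME}` on new line 9 removes the no-exec mount of the home directory, one of the generic hardening measures, without a comment explaining what in Kazam needs to execute from ${HOME}; likewise `# private-bin kazam,python*` on line 48 is disabled with no reason, whereas the disabled options elsewhere in this commit are annotated. Suggested comments: `# Kazam needs an executable ${HOME} because <reason>` above line 9 and `# private-bin kazam,python* - breaks <reason>` on line 48. Note also that the file has no `dbus-user` line at all, so the session bus is unfiltered; if that is deliberate for a screen recorder, a one-line comment would make it clear.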
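diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..cf3a69fd7
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini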