Diffstat (limited to 'etc/profile-a-l')
58 files changed, 569 insertions, 390 deletions
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile index 02a2e7ea0..5e1c17b28 100644 --- a/etc/profile-a-l/7z.profile +++ b/etc/profile-a-l/7z.profile | |||
@@ -7,41 +7,6 @@ include 7z.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | noblacklist ${PATH}/bash |
11 | 11 | noblacklist ${PATH}/sh | |
12 | include disable-common.inc | 12 | include archiver-common.inc |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | apparmor | ||
20 | caps.drop all | ||
21 | hostname 7z | ||
22 | ipc-namespace | ||
23 | machine-id | ||
24 | net none | ||
25 | no3d | ||
26 | nodvd | ||
27 | #nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | x11 none | ||
39 | |||
40 | #private-bin 7z,7z*,p7zip | ||
41 | private-cache | ||
42 | private-dev | ||
43 | |||
44 | dbus-user none | ||
45 | dbus-system none | ||
46 | |||
47 | memory-deny-write-execute | ||
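Review bot: The new `noblacklist ${PATH}/bash` and `noblacklist ${PATH}/sh` lines put a shell back inside an archiver sandbox without saying why, and the old profile never had such an allowance (its `#private-bin 7z,7z*,p7zip` was commented out, so nothing depended on a shell). Presumably archiver-common.inc pulls in disable-shell.inc and the distro `7z` front-end is a shell-script wrapper — neither is visible from this diff, so pin it down with a comment above the two lines: `# 7z is a /bin/sh wrapper around the real binary on several distros — confirm; drop if not`. The consolidation also removes `memory-deny-write-execute`, `net none`, `x11 none` and the rest of the hardening for a tool that parses untrusted archives; that is only safe if archiver-common.inc restates them, which is worth one read of that file before merging.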
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile new file mode 100644 index 000000000..98188d2a7 --- /dev/null +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -0,0 +1,64 @@ | |||
1 | # Firejail profile for alacarte | ||
2 | # Description: Create desktop and menu launchers easily | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include alacarte.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include allow-python2.inc | ||
10 | include allow-python3.inc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | # Whitelist your system icon directory,varies by distro | ||
21 | whitelist /usr/share/alacarte | ||
22 | whitelist /usr/share/app-info | ||
23 | whitelist /usr/share/desktop-directories | ||
24 | whitelist /usr/share/icons | ||
25 | whitelist /var/lib/app-info/icons | ||
26 | whitelist /var/lib/flatpak/exports/share/applications | ||
27 | whitelist /var/lib/flatpak/exports/share/icons | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | machine-id | ||
35 | net none | ||
36 | nodvd | ||
37 | no3d | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | nosound | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | protocol unix | ||
46 | seccomp | ||
47 | seccomp.block-secondary | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | # private-bin alacarte,bash,python*,sh | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user none | ||
59 | dbus-system none | ||
60 | |||
61 | read-write ${HOME}/.config/menus | ||
62 | read-write ${HOME}/.gnome/apps | ||
63 | read-write ${HOME}/.local/share/applications | ||
64 | read-write ${HOME}/.local/share/flatpak/exports | ||
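Review bot: The four trailing `read-write` lines give the sandboxed process write access to `${HOME}/.local/share/applications`, `${HOME}/.config/menus` and the flatpak exports directory, i.e. the places .desktop launchers live, so anything alacarte writes there runs unsandboxed the next time the user clicks it. That is the program's purpose, but the profile should say so, e.g. `# Launchers written here execute unsandboxed later: this profile contains crashes and stray file access, it is not a trust boundary for .desktop content`. `read-write` only has an effect if an earlier include or globals.local marked these paths read-only, which is not visible from this diff, so confirm the lines are not dead. The whitelist-block comment also needs a space after the comma ("directory, varies by distro").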
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile index 183587ff8..c2b215807 100644 --- a/etc/profile-a-l/ar.profile +++ b/etc/profile-a-l/ar.profile | |||
@@ -7,42 +7,4 @@ include ar.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | include archiver-common.inc |
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-shell.inc | ||
19 | |||
20 | apparmor | ||
21 | caps.drop all | ||
22 | hostname ar | ||
23 | ipc-namespace | ||
24 | machine-id | ||
25 | net none | ||
26 | no3d | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | #noroot | ||
31 | nosound | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | x11 none | ||
40 | |||
41 | private-bin ar | ||
42 | private-cache | ||
43 | private-dev | ||
44 | |||
45 | dbus-user none | ||
46 | dbus-system none | ||
47 | |||
48 | memory-deny-write-execute | ||
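Review bot: `private-bin ar` is dropped with nothing on the new side replacing it, so unless archiver-common.inc sets a private-bin of its own (not in this diff, and a shared include normally cannot know the caller's binary name) the sandbox now mounts the full /bin instead of just ar. Keep the line after the include: `include archiver-common.inc` followed by `private-bin ar`. The old profile also had `#noroot` deliberately commented out; check that archiver-common.inc's choice on noroot matches that intent, since the consolidation makes it invisible here.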
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile index cf0a5a42b..f21a5febf 100644 --- a/etc/profile-a-l/atom.profile +++ b/etc/profile-a-l/atom.profile | |||
@@ -6,31 +6,27 @@ include atom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore include disable-devel.inc | ||
11 | ignore include disable-interpreters.inc | ||
12 | ignore include disable-xdg.inc | ||
13 | ignore whitelist ${DOWNLOADS} | ||
14 | ignore include whitelist-common.inc | ||
15 | ignore include whitelist-runuser-common.inc | ||
16 | ignore include whitelist-usr-share-common.inc | ||
17 | ignore include whitelist-var-common.inc | ||
18 | ignore apparmor | ||
19 | ignore disable-mnt | ||
20 | |||
9 | noblacklist ${HOME}/.atom | 21 | noblacklist ${HOME}/.atom |
10 | noblacklist ${HOME}/.config/Atom | 22 | noblacklist ${HOME}/.config/Atom |
11 | 23 | ||
12 | # Allows files commonly used by IDEs | 24 | # Allows files commonly used by IDEs |
13 | include allow-common-devel.inc | 25 | include allow-common-devel.inc |
14 | 26 | ||
15 | include disable-common.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | |||
20 | caps.keep sys_admin,sys_chroot | ||
21 | # net none | 27 | # net none |
22 | netfilter | 28 | netfilter |
23 | nodvd | ||
24 | nogroups | ||
25 | nosound | 29 | nosound |
26 | notv | ||
27 | nou2f | ||
28 | novideo | ||
29 | shell none | ||
30 | |||
31 | private-cache | ||
32 | private-dev | ||
33 | private-tmp | ||
34 | 30 | ||
35 | dbus-user none | 31 | # Redirect |
36 | dbus-system none | 32 | include electron.profile |
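Review bot: `caps.keep sys_admin,sys_chroot` is removed without an `ignore` counterpart, so Atom's capability set is now whatever electron.profile applies, and that file is outside this diff. If it uses `caps.drop all` together with `nonewprivs`, Chromium's setuid sandbox helper cannot start and users will fall back to `--no-sandbox`, which is a net loss against the old two-capability grant; either restate `caps.keep sys_admin,sys_chroot` below the includes with a comment, or document the trade-off next to the ignore block. The ignore block itself should record what each line fixes — `ignore apparmor` and `ignore disable-mnt` are large exceptions to hide behind a single "until someone reported positive feedback" comment.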
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index e501e956c..34af47df2 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -7,47 +7,12 @@ include atool.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 10 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | include allow-perl.inc | 11 | include allow-perl.inc |
12 | include archiver-common.inc | ||
14 | 13 | ||
15 | include disable-common.inc | ||
16 | # include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | hostname atool | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | 14 | noroot |
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | x11 none | ||
42 | 15 | ||
43 | # private-bin atool,perl | ||
44 | private-cache | ||
45 | private-dev | ||
46 | # without login.defs atool complains and uses UID/GID 1000 by default | 16 | # without login.defs atool complains and uses UID/GID 1000 by default |
47 | private-etc alternatives,group,login.defs,passwd | 17 | private-etc alternatives,group,login.defs,passwd |
48 | private-tmp | 18 | private-tmp |
49 | |||
50 | dbus-user none | ||
51 | dbus-system none | ||
52 | |||
53 | memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile new file mode 100644 index 000000000..fb12018f5 --- /dev/null +++ b/etc/profile-a-l/authenticator-rs.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for authenticator-rs | ||
2 | # Description: Rust based 2FA authentication program | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include authenticator-rs.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/authenticator-rs | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.local/share/authenticator-rs | ||
21 | whitelist ${HOME}/.local/share/authenticator-rs | ||
22 | whitelist ${DOWNLOADS} | ||
23 | whitelist /usr/share/uk.co.grumlimited.authenticator-rs | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | apparmor | ||
30 | caps.drop all | ||
31 | netfilter | ||
32 | no3d | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | nosound | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6 | ||
42 | seccomp | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | private-bin authenticator-rs | ||
48 | private-cache | ||
49 | private-dev | ||
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg | ||
51 | private-tmp | ||
52 | |||
53 | dbus-user filter | ||
54 | dbus-user.talk ca.desrt.dconf | ||
55 | dbus-system none | ||
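Review bot: `noblacklist ${HOME}/.local/share/authenticator-rs` implies a matching `blacklist` entry in disable-programs.inc, but this diff is limited to etc/profile-a-l, so that entry is not visible; without it every other sandbox that includes disable-programs.inc can read the TOTP secrets stored there, which defeats the point of isolating a 2FA app. Please confirm the entry exists or add it in the same change. `whitelist ${DOWNLOADS}` and network access (`netfilter`, `protocol unix,inet,inet6`) are granted to a program whose description does not obviously require either; a one-line comment on each, e.g. `# Downloads: QR-code import/export`, would let the next reviewer judge whether to keep them.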
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index a401ac592..cda6b1aa0 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -58,7 +58,7 @@ shell none | |||
58 | tracelog | 58 | tracelog |
59 | 59 | ||
60 | # disable-mnt | 60 | # disable-mnt |
61 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 61 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
62 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | 62 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. |
63 | private-bin balsa,balsa-ab | 63 | private-bin balsa,balsa-ab |
64 | private-cache | 64 | private-cache |
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile index cc1886a49..f3a9568bd 100644 --- a/etc/profile-a-l/beaker.profile +++ b/etc/profile-a-l/beaker.profile | |||
@@ -3,17 +3,26 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include beaker.local | 4 | include beaker.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | # added by included profile | 6 | include globals.local |
7 | #include globals.local | ||
8 | 7 | ||
9 | noblacklist ${HOME}/.config/Beaker Browser | 8 | # Disabled until someone reported positive feedback |
9 | ignore include disable-exec.inc | ||
10 | ignore include disable-xdg.inc | ||
11 | ignore include whitelist-runuser-common.inc | ||
12 | ignore include whitelist-usr-share-common.inc | ||
13 | ignore include whitelist-var-common.inc | ||
14 | ignore nou2f | ||
15 | ignore novideo | ||
16 | ignore shell none | ||
17 | ignore disable-mnt | ||
18 | ignore private-cache | ||
19 | ignore private-dev | ||
20 | ignore private-tmp | ||
10 | 21 | ||
11 | include disable-devel.inc | 22 | noblacklist ${HOME}/.config/Beaker Browser |
12 | include disable-interpreters.inc | ||
13 | 23 | ||
14 | mkdir ${HOME}/.config/Beaker Browser | 24 | mkdir ${HOME}/.config/Beaker Browser |
15 | whitelist ${HOME}/.config/Beaker Browser | 25 | whitelist ${HOME}/.config/Beaker Browser |
16 | include whitelist-common.inc | ||
17 | 26 | ||
18 | # Redirect | 27 | # Redirect |
19 | include electron.profile | 28 | include electron.profile |
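Review bot: Beaker renders remote web content, yet the new ignore block switches off `disable-exec.inc`, `private-tmp`, `private-dev`, `shell none`, `private-cache` and `disable-mnt` in one go under a single "until someone reported positive feedback" comment. Each of those is a separate containment layer and the block gives no way to tell which one actually broke Beaker; annotate each line with the failure it works around, e.g. `ignore private-tmp # needed because: <observed failure, issue link>`, and drop the ones added only for symmetry with other electron profiles. Because these `ignore` lines precede `include electron.profile`, they cancel the corresponding hardening in that profile silently, which makes per-line justification the only audit trail.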
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile index 904d3e94f..5a5e9eacd 100644 --- a/etc/profile-a-l/brave.profile +++ b/etc/profile-a-l/brave.profile | |||
@@ -10,10 +10,6 @@ include globals.local | |||
10 | ignore noexec /tmp | 10 | ignore noexec /tmp |
11 | # TOR is installed in ${HOME} | 11 | # TOR is installed in ${HOME} |
12 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
13 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | ||
14 | ignore whitelist /usr/share/chromium | ||
15 | ignore include whitelist-runuser-common.inc | ||
16 | ignore include whitelist-usr-share-common.inc | ||
17 | 13 | ||
18 | noblacklist ${HOME}/.cache/BraveSoftware | 14 | noblacklist ${HOME}/.cache/BraveSoftware |
19 | noblacklist ${HOME}/.config/BraveSoftware | 15 | noblacklist ${HOME}/.config/BraveSoftware |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index 08e51f3c1..c37f4071e 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -6,43 +6,6 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | 9 | include archiver-common.inc |
10 | 10 | ||
11 | include disable-common.inc | ||
12 | # include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | apparmor | ||
19 | caps.drop all | ||
20 | hostname bsdtar | ||
21 | ipc-namespace | ||
22 | machine-id | ||
23 | net none | ||
24 | no3d | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | # noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | x11 none | ||
38 | |||
39 | # support compressed archives | ||
40 | private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alternatives,group,localtime,passwd | 11 | private-etc alternatives,group,localtime,passwd |
44 | |||
45 | dbus-user none | ||
46 | dbus-system none | ||
47 | |||
48 | memory-deny-write-execute | ||
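Review bot: The explicit `private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz` list and its `# support compressed archives` rationale are removed and not restated on the new side, so bsdtar loses the private-bin restriction and the helpers it can reach become everything in /bin. A generic archiver-common.inc cannot carry a per-tool list like this, so keep both lines in this profile below the include. If those helpers were also the reason `# noroot` stayed commented out, say so in the same comment so it is not re-enabled blindly.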
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 56709a466..d379651c7 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -32,7 +32,7 @@ whitelist ${HOME}/.config/celluloid | |||
32 | whitelist ${HOME}/.config/gnome-mpv | 32 | whitelist ${HOME}/.config/gnome-mpv |
33 | whitelist ${HOME}/.config/youtube-dl | 33 | whitelist ${HOME}/.config/youtube-dl |
34 | include whitelist-common.inc | 34 | include whitelist-common.inc |
35 | include whitelist-players.inc | 35 | include whitelist-player-common.inc |
36 | include whitelist-runuser-common.inc | 36 | include whitelist-runuser-common.inc |
37 | include whitelist-usr-share-common.inc | 37 | include whitelist-usr-share-common.inc |
38 | include whitelist-var-common.inc | 38 | include whitelist-var-common.inc |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 6a9cf99b0..ce9c652c6 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -25,7 +25,6 @@ mkdir ${HOME}/.local/share/pki | |||
25 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
26 | whitelist ${HOME}/.pki | 26 | whitelist ${HOME}/.pki |
27 | whitelist ${HOME}/.local/share/pki | 27 | whitelist ${HOME}/.local/share/pki |
28 | whitelist /usr/share/chromium | ||
29 | include whitelist-common.inc | 28 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | 29 | include whitelist-runuser-common.inc |
31 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile index dab9ce449..14f1bbe64 100644 --- a/etc/profile-a-l/chromium.profile +++ b/etc/profile-a-l/chromium.profile | |||
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/chromium | |||
15 | whitelist ${HOME}/.cache/chromium | 15 | whitelist ${HOME}/.cache/chromium |
16 | whitelist ${HOME}/.config/chromium | 16 | whitelist ${HOME}/.config/chromium |
17 | whitelist ${HOME}/.config/chromium-flags.conf | 17 | whitelist ${HOME}/.config/chromium-flags.conf |
18 | whitelist /usr/share/chromium | ||
18 | 19 | ||
19 | # private-bin chromium,chromium-browser,chromedriver | 20 | # private-bin chromium,chromium-browser,chromedriver |
20 | 21 | ||
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile new file mode 100644 index 000000000..4de7eb497 --- /dev/null +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for com.github.bleakgrey.tootle | ||
2 | # Description: Gtk Mastodon client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include com.github.bleakgrey.tootle.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/com.github.bleakgrey.tootle | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/com.github.bleakgrey.tootle | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ${HOME}/.config/com.github.bleakgrey.tootle | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | machine-id | ||
31 | netfilter | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix,inet,inet6 | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin com.github.bleakgrey.tootle | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | ||
49 | private-tmp | ||
50 | |||
51 | # Settings are immutable | ||
52 | # dbus-user filter | ||
53 | # dbus-user.own com.github.bleakgrey.tootle | ||
54 | # dbus-user.talk ca.desrt.dconf | ||
55 | dbus-system none | ||
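Review bot: The `private-etc` list has `machine-id mime.types` separated by a space instead of a comma, so firejail sees one entry named `machine-id mime.types`; either the line is rejected or both /etc/machine-id and /etc/mime.types are silently absent from the private /etc. The fix is `...,hosts,machine-id,mime.types,nsswitch.conf,...`. Separately, leaving `dbus-user filter` commented out keeps the session bus fully open to a client that renders remote Mastodon content; if the filter broke settings persistence, the "# Settings are immutable" note should record what was observed so the `dbus-user.talk ca.desrt.dconf` variant can be retested rather than stay disabled indefinitely.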
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index 0ab5a7f78..2c6b15e02 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
@@ -46,5 +46,4 @@ private-dev | |||
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
49 | |||
50 | read-only ${HOME}/.config/cower/config | 49 | read-only ${HOME}/.config/cower/config |
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile index 087a5b2bb..785308ffd 100644 --- a/etc/profile-a-l/cpio.profile +++ b/etc/profile-a-l/cpio.profile | |||
@@ -7,40 +7,7 @@ include cpio.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | noblacklist /sbin | 10 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
14 | 12 | ||
15 | include disable-common.inc | 13 | include archiver-common.inc |
16 | # include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | |||
21 | apparmor | ||
22 | caps.drop all | ||
23 | hostname cpio | ||
24 | ipc-namespace | ||
25 | machine-id | ||
26 | net none | ||
27 | no3d | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | nosound | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | x11 none | ||
39 | |||
40 | private-cache | ||
41 | private-dev | ||
42 | |||
43 | dbus-user none | ||
44 | dbus-system none | ||
45 | |||
46 | memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 996ff51d3..f8b194044 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
@@ -7,10 +7,15 @@ include curl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # curl 7.74.0 introduces experimental support for HSTS cache | ||
11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ | ||
12 | # technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts | ||
13 | # if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local | ||
14 | # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact | ||
15 | noblacklist ${HOME}/.curl-hsts | ||
10 | noblacklist ${HOME}/.curlrc | 16 | noblacklist ${HOME}/.curlrc |
11 | 17 | ||
12 | blacklist /tmp/.X11-unix | 18 | blacklist /tmp/.X11-unix |
13 | blacklist ${RUNUSER}/wayland-* | ||
14 | blacklist ${RUNUSER} | 19 | blacklist ${RUNUSER} |
15 | 20 | ||
16 | include disable-common.inc | 21 | include disable-common.inc |
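Review bot: `noblacklist ${HOME}/.curl-hsts` only has an effect if disable-programs.inc blacklists that path, and that file is outside this diff (limited to etc/profile-a-l); if no entry was added alongside, the line is inert and other sandboxes can still read curl's HSTS cache, which lists the hosts curl has talked to. The new comment telling users to add `blacklist /path/to/curl/hsts/file` to disable-programs.local assumes that pairing exists, so please confirm the default entry. Minor wording in the same comment: "if your setup diverts" reads better as "if your setup differs".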
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 7eb7660dd..2ecf1a45d 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -5,7 +5,7 @@ include default.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # generic gui profile | 8 | # generic GUI profile |
9 | # depending on your usage, you can enable some of the commands below: | 9 | # depending on your usage, you can enable some of the commands below: |
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
@@ -14,12 +14,13 @@ include disable-common.inc | |||
14 | # include disable-interpreters.inc | 14 | # include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | # include disable-shell.inc | ||
17 | # include disable-write-mnt.inc | 18 | # include disable-write-mnt.inc |
18 | # include disable-xdg.inc | 19 | # include disable-xdg.inc |
19 | 20 | ||
20 | # include whitelist-common.inc | 21 | # include whitelist-common.inc |
21 | # include whitelist-usr-share-common.inc | ||
22 | # include whitelist-runuser-common.inc | 22 | # include whitelist-runuser-common.inc |
23 | # include whitelist-usr-share-common.inc | ||
23 | # include whitelist-var-common.inc | 24 | # include whitelist-var-common.inc |
24 | 25 | ||
25 | # apparmor | 26 | # apparmor |
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index b8b07469d..a47a71feb 100644 --- a/etc/profile-a-l/devhelp.profile +++ b/etc/profile-a-l/devhelp.profile | |||
@@ -50,5 +50,4 @@ private-tmp | |||
50 | # dbus-system none | 50 | # dbus-system none |
51 | 51 | ||
52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
53 | |||
54 | read-only ${HOME} | 53 | read-only ${HOME} |
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 1ab10a6f6..7c3ac50ad 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
@@ -56,5 +56,4 @@ dbus-user none | |||
56 | dbus-system none | 56 | dbus-system none |
57 | 57 | ||
58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
59 | |||
60 | read-only ${HOME} | 59 | read-only ${HOME} |
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 152dfd980..80d97a31f 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.digrc | |||
11 | noblacklist ${PATH}/dig | 11 | noblacklist ${PATH}/dig |
12 | 12 | ||
13 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
14 | blacklist ${RUNUSER}/wayland-* | ||
15 | blacklist ${RUNUSER} | 14 | blacklist ${RUNUSER} |
16 | 15 | ||
17 | include disable-common.inc | 16 | include disable-common.inc |
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index 35bea4aaa..e6edbd7eb 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -6,33 +6,24 @@ include discord-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | 9 | # Disabled until someone reported positive feedback |
10 | ignore include disable-interpreters.inc | ||
11 | ignore include disable-xdg.inc | ||
12 | ignore include whitelist-runuser-common.inc | ||
13 | ignore include whitelist-usr-share-common.inc | ||
14 | ignore apparmor | ||
15 | ignore disable-mnt | ||
16 | ignore private-cache | ||
17 | ignore dbus-user none | ||
18 | ignore dbus-system none | ||
10 | 19 | ||
11 | include disable-common.inc | 20 | ignore noexec ${HOME} |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | 21 | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.config/BetterDiscord | 22 | whitelist ${HOME}/.config/BetterDiscord |
19 | whitelist ${HOME}/.local/share/betterdiscordctl | 23 | whitelist ${HOME}/.local/share/betterdiscordctl |
20 | include whitelist-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 24 | ||
35 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
36 | private-dev | ||
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
38 | private-tmp | 27 | |
28 | # Redirect | ||
29 | include electron.profile | ||
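Review bot: The retained `private-etc` line lists `password`, which is not an /etc file; `passwd` is almost certainly intended (the `group` and `login.defs` entries next to it serve the same name lookups), so change it to `...,login.defs,machine-id,passwd,pki,...`. The new `ignore dbus-user none` and `ignore dbus-system none` reopen both buses to a chat client that loads remote content; if Discord needs only a few names, `dbus-user filter` plus explicit `dbus-user.talk` entries is the usual shape, and at minimum the reason belongs in a comment next to the ignores. Dropping `seccomp !chroot` and the netlink entry of `protocol` hands those decisions to electron.profile, which is not in this diff, so confirm Discord's sandbox helper still starts under it.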
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile new file mode 100644 index 000000000..13d830b55 --- /dev/null +++ b/etc/profile-a-l/dolphin-emu.profile | |||
@@ -0,0 +1,63 @@ | |||
1 | # Firejail profile for dolphin-emu | ||
2 | # Description: An emulator for Gamecube and Wii games | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include dolphin-emu.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Note: you must whitelist your games folder in a dolphin-emu.local | ||
10 | |||
11 | noblacklist ${HOME}/.cache/dolphin-emu | ||
12 | noblacklist ${HOME}/.config/dolphin-emu | ||
13 | noblacklist ${HOME}/.local/share/dolphin-emu | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.cache/dolphin-emu | ||
24 | mkdir ${HOME}/.config/dolphin-emu | ||
25 | mkdir ${HOME}/.local/share/dolphin-emu | ||
26 | whitelist ${HOME}/.cache/dolphin-emu | ||
27 | whitelist ${HOME}/.config/dolphin-emu | ||
28 | whitelist ${HOME}/.local/share/dolphin-emu | ||
29 | whitelist /usr/share/dolphin-emu | ||
30 | include whitelist-common.inc | ||
31 | include whitelist-runuser-common.inc | ||
32 | include whitelist-usr-share-common.inc | ||
33 | include whitelist-var-common.inc | ||
34 | |||
35 | apparmor | ||
36 | caps.drop all | ||
37 | ipc-namespace | ||
38 | # uncomment the following line if you do not need NetPlay support | ||
39 | # net none | ||
40 | netfilter | ||
41 | # uncomment the following line if you do not need disc support | ||
42 | #nodvd | ||
43 | nogroups | ||
44 | nonewprivs | ||
45 | noroot | ||
46 | notv | ||
47 | nou2f | ||
48 | novideo | ||
49 | protocol unix,inet,inet6,netlink,bluetooth | ||
50 | seccomp | ||
51 | shell none | ||
52 | tracelog | ||
53 | |||
54 | private-bin bash,dolphin-emu,dolphin-emu-x11,sh | ||
55 | private-cache | ||
56 | # uncomment the following line if you do not need controller support | ||
57 | #private-dev | ||
58 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | ||
59 | private-opt none | ||
60 | private-tmp | ||
61 | |||
62 | dbus-user none | ||
63 | dbus-system none | ||
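Review bot: `private-bin bash,dolphin-emu,dolphin-emu-x11,sh` ships two shells into a sandbox that executes untrusted game images and accepts NetPlay connections, and nothing in the profile says why they are needed. If dolphin-emu is a plain ELF on the target distros, drop `bash,sh` and add `include disable-shell.inc`; otherwise add `# bash/sh: <reason>` above the line so the exception is reviewable. The `#nodvd` and `#private-dev` opt-ins are well documented; the same one-line treatment would help for `bluetooth` in `protocol` (presumably controller pairing) and for `private-opt none`.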
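--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute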
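Review bot: `private-bin bash,drill,sh` (line 48) ships two shells into a sandbox that otherwise uses `shell none`, `disable-exec.inc` and `memory-deny-write-execute`; if drill itself never spawns a shell, `private-bin drill` is the tighter list and the one that matches the rest of the profile. If bash/sh are there for a known reason (a distribution wrapper script, for instance), a comment on that line would keep them from being removed later. `# include disable-devel.inc` and `# include disable-interpreters.inc` (lines 16 and 18) are likewise commented out without a reason; for a compiled DNS lookup tool both can probably be enabled, and if not, the reason belongs next to them.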
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 9b99c7ffb..d3be07c9d 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -3,25 +3,39 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include electron.local | 5 | include electron.local |
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | 6 | ||
9 | include disable-common.inc | 7 | include disable-common.inc |
8 | include disable-devel.inc | ||
9 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | ||
10 | include disable-passwdmgr.inc | 11 | include disable-passwdmgr.inc |
11 | include disable-programs.inc | 12 | include disable-programs.inc |
13 | include disable-xdg.inc | ||
12 | 14 | ||
13 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
16 | include whitelist-common.inc | ||
17 | include whitelist-runuser-common.inc | ||
18 | include whitelist-usr-share-common.inc | ||
19 | include whitelist-var-common.inc | ||
20 | |||
21 | # Uncomment the next line (or add it to your chromium-common.local) | ||
22 | # if your kernel allows unprivileged userns clone. | ||
23 | #include chromium-common-hardened.inc | ||
14 | 24 | ||
15 | apparmor | 25 | apparmor |
16 | caps.drop all | 26 | caps.keep sys_admin,sys_chroot |
17 | netfilter | 27 | netfilter |
18 | nodvd | 28 | nodvd |
19 | nogroups | 29 | nogroups |
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | 30 | notv |
23 | protocol unix,inet,inet6,netlink | 31 | nou2f |
24 | seccomp | 32 | novideo |
33 | shell none | ||
34 | |||
35 | disable-mnt | ||
36 | private-cache | ||
37 | private-dev | ||
38 | private-tmp | ||
25 | 39 | ||
26 | dbus-user none | 40 | dbus-user none |
27 | dbus-system none | 41 | dbus-system none |
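Review bot: The new side keeps `caps.keep sys_admin,sys_chroot` (line 26) and drops `caps.drop all`, `nonewprivs`, `noroot`, `seccomp` and the `protocol` line without a comment saying why; the commented `#include chromium-common-hardened.inc` (line 23) hints that this is for the chromium sandbox on kernels without unprivileged userns, but that should be stated next to the capability line, e.g. `# caps.keep/no seccomp: needed for the chromium sandbox without unprivileged userns (confirm); enable chromium-common-hardened.inc to drop them`. Because freetube, github-desktop and jitsi-meet-desktop in this same diff delete their own `seccomp !chroot` and redirect here, they end up with no seccomp filter and no `protocol` line unless the hardened include is enabled; consider keeping `protocol unix,inet,inet6,netlink` here so it is not lost on the redirecting profiles. The removal of `include globals.local` (old lines 6-7) also means a profile that includes electron.profile directly is now responsible for it; a `# added by included profile` line matching the other profiles in this set would make that explicit.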
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index c1aa821e3..48a826f2e 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile | |||
@@ -7,16 +7,18 @@ include element-desktop.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | ignore dbus-user none | ||
11 | |||
10 | noblacklist ${HOME}/.config/Element | 12 | noblacklist ${HOME}/.config/Element |
11 | noblacklist ${HOME}/.config/Element (Riot) | ||
12 | 13 | ||
13 | mkdir ${HOME}/.config/Element | 14 | mkdir ${HOME}/.config/Element |
14 | mkdir ${HOME}/.config/Element (Riot) | ||
15 | whitelist ${HOME}/.config/Element | 15 | whitelist ${HOME}/.config/Element |
16 | whitelist ${HOME}/.config/Element (Riot) | ||
17 | whitelist /opt/Element | 16 | whitelist /opt/Element |
18 | 17 | ||
19 | private-opt Element | 18 | private-opt Element |
20 | 19 | ||
20 | dbus-user filter | ||
21 | dbus-user.talk org.freedesktop.secrets | ||
22 | |||
21 | # Redirect | 23 | # Redirect |
22 | include riot-desktop.profile | 24 | include riot-desktop.profile |
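Review bot: `ignore dbus-user none` at line 10 has no comment saying what it overrides; since the profile ends with `include riot-desktop.profile`, presumably that profile sets `dbus-user none` and the new `dbus-user filter` / `dbus-user.talk org.freedesktop.secrets` (lines 20-21) would otherwise be shadowed. A one-line comment above it, e.g. `# riot-desktop.profile sets dbus-user none; override it so the secrets filter below takes effect`, keeps the override auditable. The talk rule gives the sandboxed app full access to the secret-service interface, presumably for keyring storage of the session, which is worth stating in the same comment.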
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 0024b6660..640b0e485 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -15,15 +15,20 @@ include disable-exec.inc | |||
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | ||
18 | 19 | ||
19 | mkdir ${HOME}/.cache/falkon | 20 | mkdir ${HOME}/.cache/falkon |
20 | mkdir ${HOME}/.config/falkon | 21 | mkdir ${HOME}/.config/falkon |
21 | whitelist ${DOWNLOADS} | 22 | whitelist ${DOWNLOADS} |
22 | whitelist ${HOME}/.cache/falkon | 23 | whitelist ${HOME}/.cache/falkon |
23 | whitelist ${HOME}/.config/falkon | 24 | whitelist ${HOME}/.config/falkon |
25 | whitelist /usr/share/falkon | ||
24 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
26 | 30 | ||
31 | apparmor | ||
27 | caps.drop all | 32 | caps.drop all |
28 | netfilter | 33 | netfilter |
29 | nodvd | 34 | nodvd |
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink | |||
37 | seccomp !chroot | 42 | seccomp !chroot |
38 | # tracelog | 43 | # tracelog |
39 | 44 | ||
45 | disable-mnt | ||
46 | # private-bin falkon | ||
47 | private-cache | ||
40 | private-dev | 48 | private-dev |
41 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | 49 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
42 | # private-tmp - interferes with the opening of downloaded files | 50 | private-tmp |
43 | 51 | ||
52 | # dbus-user filter | ||
53 | # dbus-user.own org.kde.Falkon | ||
54 | dbus-system none | ||
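Review bot: `private-tmp` (new line 50) replaces the old `# private-tmp - interferes with the opening of downloaded files`, but nothing in the hunk says whether that breakage was fixed or is now accepted; if it was verified, a short comment such as `# private-tmp: opening downloads verified working with <version>` stops the next reviewer from reverting it, and if not, the old comment should stay. The commented `# dbus-user filter` / `# dbus-user.own org.kde.Falkon` (lines 52-53) leave the session bus unrestricted while `dbus-system none` is enabled, again without a word on what breaks when the filter is on. The enclosing option block starts in the earlier hunk of this section.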
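--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions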
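--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,6 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc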
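--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -29,6 +30,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 
 dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.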
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index ab907eb0d..c3af29e15 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for fractal | 1 | # Firejail profile for fractal |
2 | # Description: Desktop client for Matrix | 2 | # Description: Desktop client for Matrix |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include fractal.local | 5 | include fractal.local |
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/fractal | |||
21 | whitelist ${HOME}/.cache/fractal | 21 | whitelist ${HOME}/.cache/fractal |
22 | whitelist ${DOWNLOADS} | 22 | whitelist ${DOWNLOADS} |
23 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-runuser-common.inc | 24 | include whitelist-runuser-common.inc |
25 | include whitelist-usr-share-common.inc | 25 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
27 | 27 | ||
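--- a/etc/profile-a-l/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile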
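--- a/etc/profile-a-l/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile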
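--- a/etc/profile-a-l/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile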
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index 91f0caf87..e6aff533d 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -8,24 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/FreeTube | 9 | noblacklist ${HOME}/.config/FreeTube |
10 | 10 | ||
11 | include disable-devel.inc | 11 | include disable-shell.inc |
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | ||
15 | include disable-xdg.inc | ||
16 | 12 | ||
17 | mkdir ${HOME}/.config/FreeTube | 13 | mkdir ${HOME}/.config/FreeTube |
18 | whitelist ${HOME}/.config/FreeTube | 14 | whitelist ${HOME}/.config/FreeTube |
19 | 15 | ||
20 | seccomp !chroot | ||
21 | shell none | ||
22 | |||
23 | disable-mnt | ||
24 | private-bin freetube | 16 | private-bin freetube |
25 | private-cache | ||
26 | private-dev | ||
27 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
28 | private-tmp | ||
29 | 18 | ||
30 | # Redirect | 19 | # Redirect |
31 | include electron.profile | 20 | include electron.profile |
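--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -51,5 +51,4 @@ dbus-user none
 dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}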
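--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/ghostwriter
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc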
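--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -52,7 +52,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 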
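Review bot: `seccomp !mbind` (line 55) removes mbind from the default syscall filter, but the hunk gives no reason; an exception to the filter should name the component that needs it so the exception can be re-evaluated later. Suggest `# !mbind: needed by <component/plugin> (see #<issue>)` on the line above. If only one plugin needs it, a commented line plus a hint to put it in gimp.local may be preferable to widening the filter for every GIMP run.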
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index 152396553..325c54ced 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile | |||
@@ -6,43 +6,35 @@ include github-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: On debian-based distributions the binary might be located in | ||
10 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
11 | # If that's the case you can start GitHub Desktop with firejail via | ||
12 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
13 | |||
14 | # Disabled until someone reported positive feedback | ||
15 | ignore include disable-xdg.inc | ||
16 | ignore whitelist ${DOWNLOADS} | ||
17 | ignore include whitelist-common.inc | ||
18 | ignore include whitelist-runuser-common.inc | ||
19 | ignore include whitelist-usr-share-common.inc | ||
20 | ignore include whitelist-var-common.inc | ||
21 | ignore apparmor | ||
22 | ignore dbus-user none | ||
23 | ignore dbus-system none | ||
24 | |||
9 | noblacklist ${HOME}/.config/GitHub Desktop | 25 | noblacklist ${HOME}/.config/GitHub Desktop |
10 | noblacklist ${HOME}/.config/git | 26 | noblacklist ${HOME}/.config/git |
11 | noblacklist ${HOME}/.gitconfig | 27 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 28 | noblacklist ${HOME}/.git-credentials |
13 | 29 | ||
14 | include disable-common.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | |||
21 | caps.drop all | ||
22 | netfilter | ||
23 | # no3d | 30 | # no3d |
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | 31 | nosound |
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 32 | ||
35 | # Note: On debian-based distributions the binary might be located in | ||
36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
37 | # If that's the case you can start GitHub Desktop with firejail via | ||
38 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
39 | |||
40 | disable-mnt | ||
41 | # private-bin github-desktop | 33 | # private-bin github-desktop |
42 | private-cache | ||
43 | ?HAS_APPIMAGE: ignore private-dev | 34 | ?HAS_APPIMAGE: ignore private-dev |
44 | private-dev | ||
45 | # private-lib | 35 | # private-lib |
46 | private-tmp | ||
47 | 36 | ||
48 | # memory-deny-write-execute | 37 | # memory-deny-write-execute |
38 | |||
39 | # Redirect | ||
40 | include electron.profile | ||
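Review bot: The `ignore` block at lines 14-23 switches off `disable-xdg.inc`, all four whitelist includes, `apparmor`, `dbus-user none` and `dbus-system none` that electron.profile would otherwise supply, and the file itself drops `caps.drop all`, `nonewprivs`, `noroot`, `protocol` and `seccomp !chroot`, so the net result is a noticeably weaker sandbox than the old profile. The single comment `# Disabled until someone reported positive feedback` covers all nine lines; it would help to say which ones are known to break GitHub Desktop (the whitelists, which would hide repositories outside ${DOWNLOADS}, are plausible) and which are merely untested, so the untested ones can be re-enabled one at a time. `?HAS_APPIMAGE: ignore private-dev` (line 34) now refers to a `private-dev` that only arrives through the redirect at line 40; a comment such as `# private-dev comes from electron.profile` would make that dependency visible.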
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index 14b0f758e..9c0a26a02 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
@@ -53,7 +53,6 @@ writable-var-log | |||
53 | # dbus-system none | 53 | # dbus-system none |
54 | 54 | ||
55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
56 | 56 | # Comment the line below if you export logs to a file in your ${HOME} | |
57 | # comment this if you export logs to a file in your ${HOME} | ||
58 | # or put 'ignore read-only ${HOME}' in your gnome-system-log.local | 57 | # or put 'ignore read-only ${HOME}' in your gnome-system-log.local |
59 | read-only ${HOME} | 58 | read-only ${HOME} |
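--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none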
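--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile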
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile index 023f10d3d..848979b52 100644 --- a/etc/profile-a-l/gtk-youtube-viewer +++ b/etc/profile-a-l/gtk-youtube-viewer.profile | |||
@@ -3,16 +3,12 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-youtube-viewer.local | 5 | include gtk-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | 11 | include whitelist-runuser-common.inc |
16 | 12 | ||
17 | # Redirect | 13 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 14 | include youtube-viewer.profile |
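Review bot: This section removes `noblacklist /tmp/.X11-unix` and `noblacklist ${RUNUSER}` (old lines 11-13), while the sibling gtk2-youtube-viewer and gtk3-youtube-viewer sections keep both and drop only the `wayland-*` line. If youtube-viewer.profile blacklists the X11 socket and ${RUNUSER} the way drill.profile in this diff does, the GTK front-end loses its display socket here; if it does not, the other two front-ends now carry dead lines. Either way the three files should agree, and a one-line comment next to the surviving `noblacklist` lines in gtk2/gtk3 saying which included blacklist they undo would settle it.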
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile index 331e73218..787c7bd90 100644 --- a/etc/profile-a-l/gtk2-youtube-viewer +++ b/etc/profile-a-l/gtk2-youtube-viewer.profile | |||
@@ -3,16 +3,15 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk2-youtube-viewer.local | 5 | include gtk2-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | noblacklist /tmp/.X11-unix |
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | 12 | noblacklist ${RUNUSER} |
14 | 13 | ||
15 | include whitelist-runuser-common.inc | 14 | include whitelist-runuser-common.inc |
16 | 15 | ||
17 | # Redirect | 16 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 17 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile index 4c5bde55f..988882622 100644 --- a/etc/profile-a-l/gtk3-youtube-viewer +++ b/etc/profile-a-l/gtk3-youtube-viewer.profile | |||
@@ -3,16 +3,15 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk3-youtube-viewer.local | 5 | include gtk3-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | noblacklist /tmp/.X11-unix |
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | 12 | noblacklist ${RUNUSER} |
14 | 13 | ||
15 | include whitelist-runuser-common.inc | 14 | include whitelist-runuser-common.inc |
16 | 15 | ||
17 | # Redirect | 16 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 17 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 8ec39d8ca..9b59e57e7 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile | |||
@@ -7,43 +7,7 @@ include gzip.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | 10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. |
13 | noblacklist /var/lib/pacman | 11 | noblacklist /var/lib/pacman |
14 | 12 | ||
15 | include disable-common.inc | 13 | include archiver-common.inc |
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | hostname gzip | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | #noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | x11 none | ||
42 | |||
43 | private-cache | ||
44 | private-dev | ||
45 | |||
46 | dbus-user none | ||
47 | dbus-system none | ||
48 | |||
49 | memory-deny-write-execute | ||
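Review bot: `hostname gzip` (old line 24) disappears with the hardening block and has no visible replacement; `include archiver-common.inc` (new line 13, not in this chunk) cannot carry a per-profile hostname, so if the separate hostname is still wanted it must stay in this file, e.g. `hostname gzip` above the include. The rest of the removed options (`caps.drop all`, `net none`, `seccomp`, `x11 none`, `memory-deny-write-execute`, the dbus lines) are now expected from archiver-common.inc; since that file is outside this diff, a comment such as `# caps, net none, seccomp, x11 none and mdwe come from archiver-common.inc` next to the include would document the dependency and make any later loosening of the shared file easier to spot.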
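--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,6 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc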
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile index 8e600a2d7..da32de640 100644 --- a/etc/profile-a-l/homebank.profile +++ b/etc/profile-a-l/homebank.profile | |||
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/homebank | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index c4121d835..e5beb741a 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile | |||
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore nou2f | ||
11 | ignore novideo | ||
12 | ignore shell none | ||
13 | |||
9 | ignore noexec /tmp | 14 | ignore noexec /tmp |
10 | 15 | ||
11 | noblacklist ${HOME}/.config/Jitsi Meet | 16 | noblacklist ${HOME}/.config/Jitsi Meet |
12 | 17 | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | nowhitelist ${DOWNLOADS} | 18 | nowhitelist ${DOWNLOADS} |
19 | 19 | ||
20 | mkdir ${HOME}/.config/Jitsi Meet | 20 | mkdir ${HOME}/.config/Jitsi Meet |
21 | |||
22 | whitelist ${HOME}/.config/Jitsi Meet | 21 | whitelist ${HOME}/.config/Jitsi Meet |
23 | 22 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | seccomp !chroot | ||
30 | |||
31 | disable-mnt | ||
32 | private-bin bash,jitsi-meet-desktop | 23 | private-bin bash,jitsi-meet-desktop |
33 | private-cache | ||
34 | private-dev | ||
35 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
36 | private-tmp | ||
37 | 25 | ||
38 | # Redirect | 26 | # Redirect |
39 | include electron.profile | 27 | include electron.profile |
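Review bot: The comment `# Disabled until someone reported positive feedback` (line 9) groups `ignore novideo` with `ignore nou2f` and `ignore shell none`, but for a video-conferencing client the camera is a permanent requirement rather than a temporary opt-out, and keeping it under a "temporary" heading invites someone to re-enable `novideo` later. Suggest splitting it: `# camera access is required for calls` above `ignore novideo`, with the feedback comment covering only the other two. `ignore shell none` next to `private-bin bash,jitsi-meet-desktop` (line 23) also deserves a word on what the shell is needed for.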
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 9899ff195..9c095e106 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -12,12 +12,12 @@ noblacklist ${PICTURES} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | noblacklist ${HOME}/.config/kazam | 13 | noblacklist ${HOME}/.config/kazam |
14 | 14 | ||
15 | include allow-python2.inc | 15 | include allow-python2.inc |
16 | include allow-python3.inc | 16 | include allow-python3.inc |
17 | 17 | ||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
@@ -25,7 +25,7 @@ include disable-shell.inc | |||
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | whitelist /usr/share/kazam | 27 | whitelist /usr/share/kazam |
28 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
29 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
31 | 31 | ||
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 6a3b29c9d..a3a1b500a 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session | |||
73 | dbus-user.talk org.gnome.ScreenSaver | 73 | dbus-user.talk org.gnome.ScreenSaver |
74 | dbus-user.talk org.gnome.SessionManager | 74 | dbus-user.talk org.gnome.SessionManager |
75 | dbus-user.talk org.gnome.SessionManager.Presence | 75 | dbus-user.talk org.gnome.SessionManager.Presence |
76 | # Uncomment or add to your keepassxc.local to allow Notifications/Tray. | 76 | # Uncomment or add to your keepassxc.local to allow Notifications. |
77 | #dbus-user.talk org.freedesktop.Notifications | 77 | #dbus-user.talk org.freedesktop.Notifications |
78 | # Uncomment or add to your keepassxc.local to allow Tray. | ||
78 | #dbus-user.talk org.kde.StatusNotifierWatcher | 79 | #dbus-user.talk org.kde.StatusNotifierWatcher |
79 | # These numbers seems to be not stable, see #3713. Play around with them. | 80 | #dbus-user.own org.kde.* |
80 | #dbus-user.own org.kde.StatusNotifierItem-2-2 | ||
81 | #dbus-user.own org.kde.StatusNotifierItem-10-2 | ||
82 | dbus-system none | 81 | dbus-system none |
83 | 82 | ||
84 | # Mutex is stored in /tmp by default, which is broken by private-tmp | 83 | # Mutex is stored in /tmp by default, which is broken by private-tmp |
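Review bot: `#dbus-user.own org.kde.*` (new line 80) replaces the two `StatusNotifierItem-N-N` names, but the explanation that came with them (`# These numbers seems to be not stable, see #3713`) was deleted, so a reader no longer sees why the own rule has to cover the whole `org.kde` subtree. Keep a one-liner above it, e.g. `# StatusNotifierItem names carry changing numbers (see #3713), hence the wide wildcard`. Once uncommented the rule lets KeePassXC claim any `org.kde.*` well-known name, which is worth stating in the tray comment at line 78 as well.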
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index cf3a69fd7..e0cfb9f24 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -63,7 +63,7 @@ shell none | |||
63 | tracelog | 63 | tracelog |
64 | 64 | ||
65 | # disable-mnt | 65 | # disable-mnt |
66 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 66 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
67 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | 67 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. |
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
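--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,7 +7,6 @@ include less.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst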
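--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+
+# Redirect
+include firefox-common.profile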
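Review bot: The comment on line 22 of the new file leaves an open question ("We can possibly remove sh though") while the whole `private-bin` line below it stays disabled, so a reader cannot tell whether the missing binary restriction is deliberate or pending; whatever restriction applies is then left entirely to firefox-common.profile, which is not visible here. I would separate the known fact from the open item: `# On Arch, librewolf needs a shell to launch, so bash must stay in private-bin.` followed by `# TODO: confirm whether sh is also required, then enable the private-bin line.` The header on line 2, `# Description: Firefox fork based on privacy`, reads awkwardly; `# Description: Privacy-focused Firefox fork` says the same thing.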
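--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions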
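--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none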
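Review bot: `ignore noexec ${HOME}` on line 18 of the new file drops a hardening default for the entire home directory with no comment saying why, and the disabled `# allow-debuggers` (line 52) and `# apparmor` (line 53) likewise give no reason, whereas `# private-dev` (line 70) does. Given the `${HOME}/Games` whitelist, the noexec exception is presumably there so Wine and the games it installs can run from that tree — confirm. I would add `# Wine and installed games must execute from ${HOME}/Games` above line 18, and a one-line reason above `# apparmor` (what it breaks and the issue reference, filled in by the author) so a future reader knows whether it can be re-enabled.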
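--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions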
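--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -27,7 +27,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile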
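Review bot: The new `machine-id` entry in `private-etc` on line 30 interacts with the `machine-id` directive three lines above it, and nothing explains the pairing: the directive spoofs /etc/machine-id with a random id, and the file presumably has to be part of the private /etc for that spoofed id to be visible to the application — confirm against firejail's private-etc handling. A comment on line 27 would save the next maintainer the lookup: `# machine-id spoofs /etc/machine-id; keep machine-id in private-etc so the file exists inside the sandbox`.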