Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/b2sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-a-l/bcompare.profile | 62 | ||||
-rw-r--r-- | etc/profile-a-l/cksum.profile | 13 | ||||
-rw-r--r-- | etc/profile-a-l/clawsker.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/engrampa.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-logs.profile | 9 | ||||
-rw-r--r-- | etc/profile-a-l/hasher-common.profile | 60 | ||||
-rw-r--r-- | etc/profile-a-l/k3b.profile | 2 |
9 files changed, 161 insertions, 8 deletions
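diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile
new file mode 100644
index 000000000..48cb9619b
--- /dev/null
+++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for b2sum
+# Description: compute and check BLAKE2 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include b2sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin b2sum
+
+# Redirect
+include hasher-common.profile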
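diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..178e2dc9f
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+
+dbus-user none
+dbus-system none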
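Review bot: Lines 24, 27 and 29-32 write the disabled directives as `# include …` while lines 16 and 22 (and hasher-common.profile in the same commit) use `#include …`; the spaced form reads as prose rather than a directive the user is meant to uncomment, so the six lines should be spelled `#include disable-shell.inc`, `#include disable-xdg.inc` and likewise for the four whitelist includes. The header comment on line 3 describes only the network restriction, yet with disable-common.inc, disable-programs.inc and all whitelist includes off by default the sandbox keeps read access to most of ${HOME}; a line such as `# By default this profile leaves most of ${HOME} readable so arbitrary files can be compared; tighten via bcompare.local` would tell the reader what the trade-off is before they rely on it.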
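diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile
new file mode 100644
index 000000000..2baeed2ed
--- /dev/null
+++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cksum
+# Description: checksum and count the bytes in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cksum.local
+# Persistent global definitions
+include globals.local
+
+private-bin cksum
+
+# Redirect
+include hasher-common.profile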
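diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index ac74d25c9..f71b35c26 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -45,7 +45,7 @@ private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
 dbus-user none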
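diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 54fe6a0f9..7ec611293 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,6 +17,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+net none
 no3d
 nodvd
 nogroups
@@ -35,4 +36,6 @@ tracelog
 private-dev
 # private-tmp
 
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none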
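diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 20bd9824c..68dd350ca 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,11 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
+# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini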
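Review bot: The new comment on lines 17-18 explains how to enable the KeePassXC integration but not what the whitelist grants: the two ${RUNUSER} paths appear to be the endpoints KeePassXC's browser integration listens on, so uncommenting one lets everything running inside the Firefox sandbox reach the password manager through it. A third comment line would make that trade-off explicit, e.g. `# NOTE: this exposes the KeePassXC browser-integration endpoint to the sandbox; enable it only if you use the extension`. The whitelist block these lines sit in starts before this hunk.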
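diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 41218d3f7..d29c7609e 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,12 +26,7 @@ ipc-namespace
 net none
 no3d
 nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# comment both 'nogroups' and 'noroot'
-# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
-nogroups
 nonewprivs
-noroot
 nosound
 notv
 nou2f
@@ -50,7 +45,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
-dbus-user none
+dbus-user filter
+dbus-user.own org.gnome.Logs
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # comment this if you export logs to a file in your ${HOME}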
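Review bot: The first hunk removes `nogroups` and `noroot` for everyone together with the comment that said when to do so, so the resulting profile no longer records why an otherwise tight profile keeps supplementary groups and the root uid mapping; the deleted comment tied this to journald's storage mode, presumably because journal access depends on group membership. A one-line rationale in place of the removed block would preserve that, e.g. `# nogroups and noroot are omitted so the journal stays readable (see journald.conf storage modes); add them to gnome-logs.local if your setup does not need them`. The second hunk's move from `dbus-user none` to `dbus-user filter` with an explicit own/talk list is fine as written.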
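diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
new file mode 100644
index 000000000..2f684349d
--- /dev/null
+++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,60 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include hasher-common.local
+
+# common profile for hasher/checksum tools
+
+blacklist ${RUNUSER}
+
+# WARNING:
+# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# include file(s) here or by putting those into hasher-common.local.
+# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+#include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-cache
+private-dev
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}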
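Review bot: The comment on line 50 above `#private-cache` says "if you don't need to hash files in /tmp", which is the text for `#private-tmp` on line 53 copied verbatim; private-cache concerns ${HOME}/.cache rather than /tmp, so a user deciding whether to enable it is told the wrong thing. Suggest `# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in ${HOME}/.cache.`. Separately, `include hasher-common.local` on line 3 is placed above every directive while b2sum.profile and cksum.profile in this commit include their .local after globals.local; if the position matters for overriding any directive here, a short comment saying so would save the next reader a guess.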
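diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 86292744c..3e686a454 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
 # net none
 netfilter
 no3d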
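Review bot: The new `caps.keep` on line 24 adds `chown`, `dac_override`, `net_bind_service` and `sys_admin` with no comment saying which k3b operation needs each; `dac_override` lets the process bypass file permission checks and `sys_admin` covers mount and a broad set of other privileged operations, so with both retained the capability restriction contributes little beyond dropping the remaining bits. A comment above the line should name the feature behind each addition and point users at the override path, e.g. `# chown/dac_override/net_bind_service/sys_admin: needed for <feature, to be filled in> — set a narrower caps.keep in k3b.local if you do not use it`. If only some workflows require them, saying so lets users who never use those workflows keep the previous, smaller set.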