9 files changed, 161 insertions, 8 deletions
diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile
new file mode 100644
index 000000000..48cb9619b
--- /dev/null
+++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for b2sum
+# Description: compute and check BLAKE2 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include b2sum.local
+# Persistent global definitions
+include globals.local
+private-bin b2sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..178e2dc9f
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile
new file mode 100644
index 000000000..2baeed2ed
--- /dev/null
+++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cksum
+# Description: checksum and count the bytes in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cksum.local
+# Persistent global definitions
+include globals.local
+private-bin cksum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index ac74d25c9..f71b35c26 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -45,7 +45,7 @@ private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 54fe6a0f9..7ec611293 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,6 +17,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
+net none
 no3d
 nodvd
 nogroups
@@ -35,4 +36,6 @@ tracelog
 private-dev
 # private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 20bd9824c..68dd350ca 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,11 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
+# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 41218d3f7..d29c7609e 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,12 +26,7 @@ ipc-namespace
 net none
 no3d
 nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# comment both 'nogroups' and 'noroot'
-# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
-nogroups
 nonewprivs
-noroot
 nosound
 notv
 nou2f
@@ -50,7 +45,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
-dbus-user none
+dbus-user filter
+dbus-user.own org.gnome.Logs
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 # comment this if you export logs to a file in your ${HOME}
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
new file mode 100644
index 000000000..2f684349d
--- /dev/null
+++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,60 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include hasher-common.local
+# common profile for hasher/checksum tools
+blacklist ${RUNUSER}
+# WARNING:
+# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# include file(s) here or by putting those into hasher-common.local.
+# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+#include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-cache
+private-dev
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 86292744c..3e686a454 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
 # net none
 netfilter
 no3d

diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile new file mode 100644 index 000000000..48cb9619b --- /dev/null +++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for b2sum
		2	# Description: compute and check BLAKE2 message digest
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include b2sum.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	private-bin b2sum
		11
		12	# Redirect
		13	include hasher-common.profile


diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile new file mode 100644 index 000000000..178e2dc9f --- /dev/null +++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
		1	# Firejail profile for Beyond Compare by Scooter Software
		2	# Description: directory and file compare utility
		3	# Disables the network, which only impacts checking for updates.
		4	# This file is overwritten after every install/update
		5	# Persistent local customizations
		6	include bcompare.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.config/bcompare
		11	# In case the user decides to include disable-programs.inc, still allow
		12	# KDE's Gwenview to view images via right click -> Open With -> Associated Application
		13	noblacklist ${HOME}/.config/gwenviewrc
		14
		15	# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
		16	#include disable-common.inc
		17	include disable-devel.inc
		18	include disable-exec.inc
		19	include disable-interpreters.inc
		20	include disable-passwdmgr.inc
		21	# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
		22	#include disable-programs.inc
		23	# Uncommenting this breaks launch
		24	# include disable-shell.inc
		25	include disable-write-mnt.inc
		26	# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
		27	# include disable-xdg.inc
		28
		29	# include whitelist-common.inc
		30	# include whitelist-runuser-common.inc
		31	# include whitelist-usr-share-common.inc
		32	# include whitelist-var-common.inc
		33
		34	apparmor
		35	caps.drop all
		36	# Uncommenting might break Pulse Audio
		37	#machine-id
		38	net none
		39	no3d
		40	nodvd
		41	nogroups
		42	nonewprivs
		43	noroot
		44	# Allow applications launched on sound files to play them
		45	#nosound
		46	notv
		47	nou2f
		48	novideo
		49	protocol unix
		50	seccomp
		51	shell none
		52	tracelog
		53
		54	private-cache
		55	private-dev
		56	# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
		57	# private-etc alternatives,fonts,machine-id
		58	# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
		59	private-tmp
		60
		61	dbus-user none
		62	dbus-system none


diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile new file mode 100644 index 000000000..2baeed2ed --- /dev/null +++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for cksum
		2	# Description: checksum and count the bytes in a file
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include cksum.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	private-bin cksum
		11
		12	# Redirect
		13	include hasher-common.profile


diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index ac74d25c9..f71b35c26 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile
@@ -45,7 +45,7 @@ private-bin bash,clawsker,perl,sh,which
45	private-cache	45	private-cache
46	private-dev	46	private-dev
47	private-etc alternatives,fonts	47	private-etc alternatives,fonts
48	private-lib girepository-1.,libdbus-glib-1.so.,libetpan.so.,libgirepository-1.,libgtk-x11-2.0.so.,libstartup-notification-1.so.,perl*	48	private-lib girepository-1.,libdbus-glib-1.so.,libetpan.so.,libgirepository-1.,libgtk-3.so.,libgtk-x11-2.0.so.,libstartup-notification-1.so.,perl
49	private-tmp	49	private-tmp
50		50
51	dbus-user none	51	dbus-user none


diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 54fe6a0f9..7ec611293 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile
@@ -17,6 +17,7 @@ include whitelist-var-common.inc
17		17
18	apparmor	18	apparmor
19	caps.drop all	19	caps.drop all
		20	net none
20	no3d	21	no3d
21	nodvd	22	nodvd
22	nogroups	23	nogroups
@@ -35,4 +36,6 @@ tracelog
35	private-dev	36	private-dev
36	# private-tmp	37	# private-tmp
37		38
		39	dbus-user filter
		40	dbus-user.talk ca.desrt.dconf
38	dbus-system none	41	dbus-system none


diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 20bd9824c..68dd350ca 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,11 @@ mkdir ${HOME}/.mozilla
14	whitelist ${HOME}/.cache/mozilla/firefox	14	whitelist ${HOME}/.cache/mozilla/firefox
15	whitelist ${HOME}/.mozilla	15	whitelist ${HOME}/.mozilla
16		16
		17	# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
		18	# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
		19	#whitelist ${RUNUSER}/kpxc_server
		20	#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
		21
17	whitelist /usr/share/doc	22	whitelist /usr/share/doc
18	whitelist /usr/share/firefox	23	whitelist /usr/share/firefox
19	whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini	24	whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini


diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 41218d3f7..d29c7609e 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,12 +26,7 @@ ipc-namespace
26	net none	26	net none
27	no3d	27	no3d
28	nodvd	28	nodvd
29	# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
30	# comment both 'nogroups' and 'noroot'
31	# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
32	nogroups
33	nonewprivs	29	nonewprivs
34	noroot
35	nosound	30	nosound
36	notv	31	notv
37	nou2f	32	nou2f
@@ -50,7 +45,9 @@ private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.s
50	private-tmp	45	private-tmp
51	writable-var-log	46	writable-var-log
52		47
53	dbus-user none	48	dbus-user filter
		49	dbus-user.own org.gnome.Logs
		50	dbus-user.talk ca.desrt.dconf
54	dbus-system none	51	dbus-system none
55		52
56	# comment this if you export logs to a file in your ${HOME}	53	# comment this if you export logs to a file in your ${HOME}


diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile new file mode 100644 index 000000000..2f684349d --- /dev/null +++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,60 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include hasher-common.local
		4
		5	# common profile for hasher/checksum tools
		6
		7	blacklist ${RUNUSER}
		8
		9	# WARNING:
		10	# Users can (un)restrict file access for all hashers by commenting/uncommenting the needed
		11	# include file(s) here or by putting those into hasher-common.local.
		12	# Another option is to do this per hasher in the relevant <hasher>.local.
		13	# Just beware that things tend to break when overtightening profiles. For example, because you only
		14	# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
		15
		16	# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
		17	#include disable-common.inc
		18	include disable-devel.inc
		19	include disable-exec.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
		23	#include disable-programs.inc
		24	include disable-shell.inc
		25	include disable-write-mnt.inc
		26	# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
		27	#include disable-xdg.inc
		28
		29	apparmor
		30	caps.drop all
		31	ipc-namespace
		32	machine-id
		33	net none
		34	no3d
		35	nodvd
		36	nogroups
		37	nonewprivs
		38	noroot
		39	nosound
		40	notv
		41	nou2f
		42	novideo
		43	protocol unix
		44	seccomp
		45	seccomp.block-secondary
		46	shell none
		47	tracelog
		48	x11 none
		49
		50	# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
		51	#private-cache
		52	private-dev
		53	# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
		54	#private-tmp
		55
		56	dbus-user none
		57	dbus-system none
		58
		59	memory-deny-write-execute
		60	read-only ${HOME}


diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile index 86292744c..3e686a454 100644 --- a/etc/profile-a-l/k3b.profile +++ b/etc/profile-a-l/k3b.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
21		21
22	include whitelist-var-common.inc	22	include whitelist-var-common.inc
23		23
24	caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource	24	caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
25	# net none	25	# net none
26	netfilter	26	netfilter
27	no3d	27	no3d