Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mcomix.profile | 74 | ||||
-rw-r--r-- | etc/profile-m-z/minecraft-launcher.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/qcomicbook.profile | 68 | ||||
-rw-r--r-- | etc/profile-m-z/rtin.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/rtv-addons.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/rtv.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/tin.profile | 69 | ||||
-rw-r--r-- | etc/profile-m-z/w3m.profile | 24 | ||||
-rw-r--r-- | etc/profile-m-z/weechat.profile | 1 |
9 files changed, 252 insertions, 5 deletions
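--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails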
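Review bot: `read-write ${HOME}/.local/share` on line 72 reopens the whole of ~/.local/share for writing after `read-only ${HOME}`, far wider than the single recently-used.xbel file the comment above it names; the last two lines of qcomicbook.profile in this commit do the same. The narrower form is `mkfile ${HOME}/.local/share/recently-used.xbel` followed by `read-write ${HOME}/.local/share/recently-used.xbel`, unless the file is replaced by rename, which the note in tin.profile of this same commit says a bind-mounted file cannot survive; if that is the reason, the comment should state it, e.g. `# whole directory: recently-used.xbel is rewritten by rename, which a per-file bind mount cannot follow`. That comment also lacks the space after `#` used everywhere else in the file. Line 74's tip to symlink ~/.thumbnails into .cache/thumbnails sits oddly next to `private-cache` on line 59, which hides ~/.cache behind a tmpfs, so the symlink would point into a directory that is empty at every start — worth a caveat in the comment or a rethink.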
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index 2536d0b38..1028e374a 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile | |||
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc | |||
31 | include whitelist-usr-share-common.inc | 31 | include whitelist-usr-share-common.inc |
32 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
33 | 33 | ||
34 | apparmor | ||
35 | caps.drop all | 34 | caps.drop all |
36 | netfilter | 35 | netfilter |
37 | nodvd | 36 | nodvd |
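Review bot: Dropping `apparmor` removes a confinement layer from minecraft-launcher without any comment recording why, and nothing in the hunk or the diffstat explains it. If the launcher fails under the AppArmor profile, keep the directive visible but disabled with the reason next to it, e.g. `#apparmor - <describe the breakage, with the launcher version observed>`, so the next maintainer knows whether it can be re-enabled. The hunk is a fragment of the profile body, which begins before line 31 and continues after line 36.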
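--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share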
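Review bot: `private-cache` on line 55 mounts an empty tmpfs over ~/.cache, so the `noblacklist`, `mkdir` and `read-write` lines for ${HOME}/.cache/PawelStolowski (lines 9, 27 and 64) have no effect inside the sandbox as far as I can tell: the directory created on the host is shadowed and whatever the viewer caches is discarded at exit. The profile should settle on one of the two — remove the three cache lines if an ephemeral cache is intended, or drop `private-cache` and keep them if thumbnails are meant to persist — and record the choice, e.g. `# cache is ephemeral (private-cache); thumbnails are rebuilt on each run`.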
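--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+# symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile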
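Review bot: The redirect includes `rtin.local` but not `globals.local`; globals.local is only reached through `include tin.profile`, which is easy to miss when editing rtin.local and differs from the header every other profile in this commit carries. The usual way to make this visible is the commented trio after the local include, `# Persistent global definitions`, `# added by included profile`, `#include globals.local`, so a reader sees that global definitions still apply and where they come from.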
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile index c9da0b628..cc6db5043 100644 --- a/etc/profile-m-z/rtv-addons.profile +++ b/etc/profile-m-z/rtv-addons.profile | |||
@@ -21,3 +21,8 @@ whitelist ${HOME}/.config/mpv | |||
21 | whitelist ${HOME}/.mailcap | 21 | whitelist ${HOME}/.mailcap |
22 | whitelist ${HOME}/.netrc | 22 | whitelist ${HOME}/.netrc |
23 | whitelist ${HOME}/.w3m | 23 | whitelist ${HOME}/.w3m |
24 | |||
25 | #private-bin w3m,mpv,youtube-dl | ||
26 | |||
27 | # tells rtv, which browser to use | ||
28 | #env RTV_BROWSER=w3m | ||
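Review bot: Both new directives are committed disabled (`#private-bin w3m,mpv,youtube-dl`, `#env RTV_BROWSER=w3m`) and the only comment says what the variable does, not why either line is off, so a reader cannot tell whether they are broken, optional or waiting on something else. Replace the comment with one giving the reason and the condition for enabling them, e.g. `# Optional, disabled by default: <reason>; uncomment both to pin the helper binaries and select w3m as the browser`. The existing comment also has a stray comma and would read better as `# tells rtv which browser to use`.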
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index f0b8d31e9..2f1fe0155 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile | |||
@@ -12,6 +12,9 @@ blacklist ${RUNUSER}/wayland-* | |||
12 | noblacklist ${HOME}/.config/rtv | 12 | noblacklist ${HOME}/.config/rtv |
13 | noblacklist ${HOME}/.local/share/rtv | 13 | noblacklist ${HOME}/.local/share/rtv |
14 | 14 | ||
15 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
16 | include allow-bin-sh.inc | ||
17 | |||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 18 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | include allow-python2.inc | 19 | include allow-python2.inc |
17 | include allow-python3.inc | 20 | include allow-python3.inc |
@@ -54,10 +57,10 @@ shell none | |||
54 | tracelog | 57 | tracelog |
55 | 58 | ||
56 | disable-mnt | 59 | disable-mnt |
57 | private-bin python*,rtv,sh,xdg-settings | 60 | private-bin less,python*,rtv,sh,xdg-settings |
58 | private-cache | 61 | private-cache |
59 | private-dev | 62 | private-dev |
60 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg | 63 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg |
61 | 64 | ||
62 | dbus-user none | 65 | dbus-user none |
63 | dbus-system none | 66 | dbus-system none |
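Review bot: The second hunk adds `less` to `private-bin` and `mailcap` to `private-etc` with nothing saying what needs them, while the first hunk follows the file's convention of explaining such additions (`# Allow /bin/sh (blacklisted by disable-shell.inc)`). If less is the pager rtv invokes and mailcap is consulted when rtv opens links, say so above the line, e.g. `# less: pager; mailcap: viewer lookup for links opened from rtv`. Both hunks are fragments of the profile body, which starts before the first and continues after the second.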
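--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute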
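Review bot: `private-etc passwd,resolv.conf,terminfo,tin` on line 62 leaves out the name-service and TLS files that rtv.profile in this same commit lists (`host.conf`, `hosts`, `nsswitch.conf`, `protocols`, `services`, and `ca-certificates`, `crypto-policies`, `pki`, `ssl`), even though `protocol inet,inet6` and `netfilter` show tin is expected to reach a news server. Without /etc/hosts any locally defined server name is invisible inside the sandbox, and if the installed tin is built with NNTPS support a TLS-only server will be unreachable for lack of the CA store. Either align the list with rtv.profile's, or make the narrower choice explicit with a comment such as `# plain NNTP only; add ca-certificates,crypto-policies,pki,ssl for NNTPS`. A smaller point: line 13 blacklists all of ${RUNUSER} and line 33 then includes whitelist-runuser-common.inc, and it is not obvious from the file which of the two is meant to win — a one-line comment on line 13 would settle it.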
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index 131213ed2..69b2c6c59 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m | |||
17 | blacklist /tmp/.X11-unix | 17 | blacklist /tmp/.X11-unix |
18 | blacklist ${RUNUSER}/wayland-* | 18 | blacklist ${RUNUSER}/wayland-* |
19 | 19 | ||
20 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
21 | include allow-bin-sh.inc | ||
22 | |||
23 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
20 | include allow-perl.inc | 24 | include allow-perl.inc |
21 | 25 | ||
22 | include disable-common.inc | 26 | include disable-common.inc |
23 | include disable-devel.inc | 27 | include disable-devel.inc |
28 | include disable-exec.inc | ||
24 | include disable-interpreters.inc | 29 | include disable-interpreters.inc |
25 | include disable-passwdmgr.inc | 30 | include disable-passwdmgr.inc |
26 | include disable-programs.inc | 31 | include disable-programs.inc |
32 | include disable-shell.inc | ||
27 | include disable-xdg.inc | 33 | include disable-xdg.inc |
28 | 34 | ||
35 | mkdir ${HOME}/.w3m | ||
36 | whitelist /usr/share/w3m | ||
37 | whitelist ${DOWNLOADS} | ||
38 | whitelist ${HOME}/.w3m | ||
29 | include whitelist-runuser-common.inc | 39 | include whitelist-runuser-common.inc |
40 | include whitelist-usr-share-common.inc | ||
41 | include whitelist-var-common.inc | ||
30 | 42 | ||
31 | caps.drop all | 43 | caps.drop all |
44 | ipc-namespace | ||
45 | machine-id | ||
32 | netfilter | 46 | netfilter |
33 | no3d | 47 | no3d |
34 | nodvd | 48 | nodvd |
@@ -45,8 +59,14 @@ seccomp | |||
45 | shell none | 59 | shell none |
46 | tracelog | 60 | tracelog |
47 | 61 | ||
48 | # private-bin w3m | 62 | disable-mnt |
63 | private-bin perl,sh,w3m | ||
49 | private-cache | 64 | private-cache |
50 | private-dev | 65 | private-dev |
51 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl | 66 | private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl |
52 | private-tmp | 67 | private-tmp |
68 | |||
69 | dbus-user none | ||
70 | dbus-system none | ||
71 | |||
72 | memory-deny-write-execute | ||
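Review bot: In the second hunk `private-etc` gains `mailcap` and `nsswitch.conf` but still lacks `hosts`, `host.conf`, `protocols` and `services`, which rtv.profile in this commit lists next to nsswitch.conf, and `terminfo`, which tin.profile carries; with nsswitch.conf present but no /etc/hosts, locally defined host names cannot be resolved from inside the sandbox. Since w3m is rendering untrusted web content, the `mailcap` addition deserves a comment stating its intent, because /etc/mailcap maps content types to external viewer commands and `private-bin perl,sh,w3m` is what bounds which of those can actually run, e.g. `# mailcap: viewer lookup only; a viewer must also be listed in private-bin to be usable`. Both hunks are fragments of the profile body, which begins before line 17 and continues after line 72.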
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile index 3a93d2ec7..76935212f 100644 --- a/etc/profile-m-z/weechat.profile +++ b/etc/profile-m-z/weechat.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat | |||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-programs.inc | 12 | include disable-programs.inc |
13 | 13 | ||
14 | whitelist /usr/share/weechat | ||
14 | include whitelist-usr-share-common.inc | 15 | include whitelist-usr-share-common.inc |
15 | include whitelist-var-common.inc | 16 | include whitelist-var-common.inc |
16 | 17 | ||