Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mocp.profile | 53 | ||||
-rw-r--r-- | etc/profile-m-z/mpg123.profile | 10 | ||||
-rw-r--r-- | etc/profile-m-z/plv.profile | 59 | ||||
-rw-r--r-- | etc/profile-m-z/secret-tool.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 10 | ||||
-rw-r--r-- | etc/profile-m-z/wire-desktop.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/yelp.profile | 1 |
7 files changed, 132 insertions, 6 deletions
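diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc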
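Review bot: The new profile keeps network access (`netfilter`, `protocol unix,inet,inet6,netlink`) while everything under ${HOME} that the disable-*.inc files do not blacklist stays readable (`read-only ${HOME}`, no home whitelist), and nothing in the file says why a console audio player needs the network. If the intent is to keep stream playback working, which is inferred and not stated in the commit, a comment above `netfilter` such as `# network kept for stream playback; add 'net none' to mocp.local for local-only use` would record the trade-off. `netlink` in the protocol list is worth a second look as well, since no visible line shows what depends on it.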
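diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6e18aa401..b1ab81c1e 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,19 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 #private-bin mpg123*
 private-dev
 private-tmp
 
-memory-deny-write-execute
-
 dbus-user none
 dbus-system none
+
+memory-deny-write-execute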
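diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/PacmanLogViewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer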
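Review bot: `writable-var-log` gives a program described as a log inspector the real /var/log instead of firejail's skeleton copy, and the line carries no explanation. It is probably needed so that the real pacman log matched by `whitelist /var/log/pacman*` is visible at all, which deserves a comment such as `# use the real /var/log so the pacman log is visible`. If plv still works with it, a following `read-only /var/log` line would make explicit that the sandbox only reads the logs. Ordinary file permissions likely already block writes for an unprivileged user, so the extra line is defence in depth.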
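diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/profile-m-z/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions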
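diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5e9a9932..004664a79 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -41,7 +46,9 @@ mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
 mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SuperHexagon
@@ -58,7 +65,9 @@ whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
 whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SuperHexagon
@@ -70,7 +79,6 @@ whitelist ${HOME}/.paradoxinteractive
 whitelist ${HOME}/.steam
 whitelist ${HOME}/.steampath
 whitelist ${HOME}/.steampid
-whitelist ${HOME}/.steampid
 whitelist ${HOME}/.local/share/vulkan
 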
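Review bot: The three parallel lists are hard to check against each other from this diff: the first hunk adds five `noblacklist` paths, while the `mkdir` and `whitelist` hunks each add only FasterThanLight and IntoTheBreach. `Paradox Interactive` and `.paradoxinteractive` show up as existing context in the later hunks, but no `mkdir ${HOME}/.mbwarband` or `whitelist ${HOME}/.mbwarband` line is visible, so confirm both exist in the parts of the file outside the hunks. A `noblacklist` with no matching `whitelist` has no effect in a whitelisting profile, and the reverse hides the directory again. A one-line comment at the top of each list, such as `# keep noblacklist, mkdir and whitelist entries in sync`, would help future additions.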
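diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index c1250b1f0..8f6014dc3 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,7 +9,6 @@ include wire-desktop.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
-ignore caps.drop all
 ignore dbus-user none
 ignore dbus-system none
 
@@ -22,8 +21,9 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
 
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 
 disable-mnt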
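Review bot: In the second hunk, `ignore seccomp` directly followed by `seccomp !chroot` needs a check that the first line does not swallow the second. If firejail matches ignore entries by command prefix, the sandbox would run with no seccomp filter at all rather than the default filter minus chroot. Running the profile with `firejail --debug`, or reading the `Seccomp:` field in `/proc/PID/status` of the sandboxed process, would confirm the filter is active. A comment above the exception, such as `# chroot is needed by the application's own sandbox` (presumably the reason, though the commit does not say), would record why the syscall is allowed now that `caps.keep sys_admin,sys_chroot` is gone. The file continues before and after both hunks, so the profile that supplies the inherited `seccomp` and `caps.drop all` lines is not visible here.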
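diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 7053f98e8..08b31f1ff 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc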