diff options
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mediathekview.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/raincat.profile | 49 | ||||
-rw-r--r-- | etc/profile-m-z/seafile-applet.profile | 62 | ||||
-rw-r--r-- | etc/profile-m-z/signal-desktop.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/ssh.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/supertuxkart.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/uzbl-browser.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/warzone2100.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/wget2.profile | 19 | ||||
-rw-r--r-- | etc/profile-m-z/wine.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-viewers-common.profile | 2 |
12 files changed, 153 insertions, 7 deletions
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile index f73ef0935..f0ef7d010 100644 --- a/etc/profile-m-z/mediathekview.profile +++ b/etc/profile-m-z/mediathekview.profile | |||
@@ -17,6 +17,8 @@ noblacklist ${HOME}/.mediathek3 | |||
17 | noblacklist ${HOME}/.mplayer | 17 | noblacklist ${HOME}/.mplayer |
18 | noblacklist ${VIDEOS} | 18 | noblacklist ${VIDEOS} |
19 | 19 | ||
20 | ignore noexec /tmp | ||
21 | |||
20 | # Allow java (blacklisted by disable-devel.inc) | 22 | # Allow java (blacklisted by disable-devel.inc) |
21 | include allow-java.inc | 23 | include allow-java.inc |
22 | 24 | ||
@@ -27,6 +29,8 @@ include disable-interpreters.inc | |||
27 | include disable-programs.inc | 29 | include disable-programs.inc |
28 | include disable-xdg.inc | 30 | include disable-xdg.inc |
29 | 31 | ||
32 | mkdir ${HOME}/.mediathek3 | ||
33 | whitelist ${HOME}/.mediathek3 | ||
30 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
31 | 35 | ||
32 | caps.drop all | 36 | caps.drop all |
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile new file mode 100644 index 000000000..104577bdb --- /dev/null +++ b/etc/profile-m-z/raincat.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for raincat | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include raincat.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | include disable-devel.inc | ||
9 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | ||
11 | include disable-programs.inc | ||
12 | include disable-shell.inc | ||
13 | include disable-xdg.inc | ||
14 | |||
15 | whitelist /usr/share/games | ||
16 | whitelist /usr/share/timidity | ||
17 | include whitelist-usr-share-common.inc | ||
18 | include whitelist-var-common.inc | ||
19 | |||
20 | apparmor | ||
21 | caps.drop all | ||
22 | ipc-namespace | ||
23 | netfilter | ||
24 | nodvd | ||
25 | nogroups | ||
26 | noinput | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | net none | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | disable-mnt | ||
39 | private | ||
40 | private-bin raincat | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg | ||
44 | #private-lib | ||
45 | private-tmp | ||
46 | |||
47 | dbus-user none | ||
48 | dbus-system none | ||
49 | |||
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile new file mode 100644 index 000000000..79e072475 --- /dev/null +++ b/etc/profile-m-z/seafile-applet.profile | |||
@@ -0,0 +1,62 @@ | |||
1 | # Firejail profile for Seafile | ||
2 | # Description: Seafile desktop client. | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include seafile-applet.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Seafile | ||
10 | noblacklist ${HOME}/Seafile/.seafile-data | ||
11 | |||
12 | blacklist /usr/libexec | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.ccnet | ||
22 | mkdir ${HOME}/.config/Seafile | ||
23 | mkdir ${HOME}/Seafile | ||
24 | whitelist ${HOME}/.ccnet | ||
25 | whitelist ${HOME}/.config/Seafile | ||
26 | whitelist ${HOME}/Seafile | ||
27 | |||
28 | include whitelist-common.inc | ||
29 | include whitelist-run-common.inc | ||
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
32 | include whitelist-var-common.inc | ||
33 | |||
34 | apparmor | ||
35 | caps.drop all | ||
36 | netfilter | ||
37 | nodvd | ||
38 | nogroups | ||
39 | noinput | ||
40 | nonewprivs | ||
41 | noprinters | ||
42 | noroot | ||
43 | nosound | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | protocol unix,inet,inet6 | ||
48 | seccomp | ||
49 | seccomp.block-secondary | ||
50 | shell none | ||
51 | tracelog | ||
52 | |||
53 | disable-mnt | ||
54 | private-bin seaf-cli,seaf-daemon,seafile-applet | ||
55 | private-cache | ||
56 | private-dev | ||
57 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | ||
58 | #private-opt none | ||
59 | private-tmp | ||
60 | |||
61 | dbus-user none | ||
62 | dbus-system none | ||
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 77a7f5b38..1166f378b 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -21,9 +21,15 @@ whitelist ${HOME}/.config/Signal | |||
21 | 21 | ||
22 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 22 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
23 | 23 | ||
24 | # allow D-Bus notifications | ||
25 | dbus-user filter | 24 | dbus-user filter |
25 | |||
26 | # allow D-Bus notifications | ||
26 | dbus-user.talk org.freedesktop.Notifications | 27 | dbus-user.talk org.freedesktop.Notifications |
28 | |||
29 | # allow D-Bus communication with firefox for opening links | ||
30 | dbus-user.talk org.mozilla.Firefox.* | ||
31 | dbus-user.talk org.mozilla.firefox.* | ||
32 | |||
27 | ignore dbus-user none | 33 | ignore dbus-user none |
28 | 34 | ||
29 | # Redirect | 35 | # Redirect |
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 9295013e7..4da0db517 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -50,4 +50,5 @@ writable-run-user | |||
50 | dbus-user none | 50 | dbus-user none |
51 | dbus-system none | 51 | dbus-system none |
52 | 52 | ||
53 | deterministic-shutdown | ||
53 | memory-deny-write-execute | 54 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index bcf94de51..b31818274 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -147,7 +147,7 @@ shell none | |||
147 | 147 | ||
148 | # private-bin is disabled while in testing, but is known to work with multiple games. | 148 | # private-bin is disabled while in testing, but is known to work with multiple games. |
149 | # Add the next line to your steam.local to enable private-bin. | 149 | # Add the next line to your steam.local to enable private-bin. |
150 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | 150 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity |
151 | # Extra programs are available which might be needed for select games. | 151 | # Extra programs are available which might be needed for select games. |
152 | # Add the next line to your steam.local to enable support for these programs. | 152 | # Add the next line to your steam.local to enable support for these programs. |
153 | #private-bin java,java-config,mono | 153 | #private-bin java,java-config,mono |
@@ -157,7 +157,7 @@ shell none | |||
157 | private-dev | 157 | private-dev |
158 | # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' | 158 | # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' |
159 | # to your steam.local to support those. | 159 | # to your steam.local to support those. |
160 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl | 160 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan |
161 | private-tmp | 161 | private-tmp |
162 | 162 | ||
163 | # dbus-user none | 163 | # dbus-user none |
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 473472251..23c8a6c58 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile | |||
@@ -43,7 +43,7 @@ noroot | |||
43 | notv | 43 | notv |
44 | nou2f | 44 | nou2f |
45 | novideo | 45 | novideo |
46 | protocol unix,inet,inet6,bluetooth | 46 | protocol unix,inet,inet6,netlink,bluetooth |
47 | seccomp | 47 | seccomp |
48 | seccomp.block-secondary | 48 | seccomp.block-secondary |
49 | shell none | 49 | shell none |
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile index 41487a8f2..dcdae279f 100644 --- a/etc/profile-m-z/uzbl-browser.profile +++ b/etc/profile-m-z/uzbl-browser.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | noblacklist ${HOME}/.config/uzbl | 8 | noblacklist ${HOME}/.config/uzbl |
9 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
10 | noblacklist ${HOME}/.local/share/uzbl | 10 | noblacklist ${HOME}/.local/share/uzbl |
11 | noblacklist ${HOME}/.password-store | ||
11 | 12 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | include allow-python2.inc | 14 | include allow-python2.inc |
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 46dca0547..5519c3c1e 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
@@ -7,19 +7,22 @@ include warzone2100.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.warzone2100-3.* | 9 | noblacklist ${HOME}/.warzone2100-3.* |
10 | noblacklist ${HOME}/.local/share/warzone2100-3.* | ||
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
13 | include disable-exec.inc | 14 | include disable-exec.inc |
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
16 | include disable-shell.inc | 17 | #include disable-shell.inc - problems on Debian 11 |
17 | 18 | ||
18 | mkdir ${HOME}/.warzone2100-3.1 | 19 | mkdir ${HOME}/.warzone2100-3.1 |
19 | mkdir ${HOME}/.warzone2100-3.2 | 20 | mkdir ${HOME}/.warzone2100-3.2 |
21 | whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share | ||
20 | whitelist ${HOME}/.warzone2100-3.1 | 22 | whitelist ${HOME}/.warzone2100-3.1 |
21 | whitelist ${HOME}/.warzone2100-3.2 | 23 | whitelist ${HOME}/.warzone2100-3.2 |
22 | whitelist /usr/share/games | 24 | whitelist /usr/share/games |
25 | whitelist /usr/share/gdm | ||
23 | include whitelist-common.inc | 26 | include whitelist-common.inc |
24 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
25 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
@@ -42,6 +45,6 @@ shell none | |||
42 | tracelog | 45 | tracelog |
43 | 46 | ||
44 | disable-mnt | 47 | disable-mnt |
45 | private-bin warzone2100 | 48 | private-bin bash,dash,sh,warzone2100,which |
46 | private-dev | 49 | private-dev |
47 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/wget2.profile b/etc/profile-m-z/wget2.profile new file mode 100644 index 000000000..18918c6af --- /dev/null +++ b/etc/profile-m-z/wget2.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # Firejail profile for wget2 | ||
2 | # Description: Updated version of the popular wget URL retrieval tool | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include wget2.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | noblacklist ${HOME}/.config/wget | ||
12 | ignore noblacklist ${HOME}/.wgetrc | ||
13 | |||
14 | private-bin wget2 | ||
15 | # Depending on workflow you can add the next line to your wget2.local. | ||
16 | #private-etc wget2rc | ||
17 | |||
18 | # Redirect | ||
19 | include wget.profile | ||
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 1e9b9341b..f30fc971f 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
@@ -6,6 +6,7 @@ include wine.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/wine | ||
9 | noblacklist ${HOME}/.cache/winetricks | 10 | noblacklist ${HOME}/.cache/winetricks |
10 | noblacklist ${HOME}/.Steam | 11 | noblacklist ${HOME}/.Steam |
11 | noblacklist ${HOME}/.local/share/Steam | 12 | noblacklist ${HOME}/.local/share/Steam |
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 80d551038..f212a6721 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -50,7 +50,7 @@ shell none | |||
50 | tracelog | 50 | tracelog |
51 | 51 | ||
52 | disable-mnt | 52 | disable-mnt |
53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp | 53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |