diff options
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/QMediathekView.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/QOwnNotes.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/Viber.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/XMind.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mov-cli.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mutt.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/natron.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/neomutt.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/pnpm.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/pnpx.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/postman.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/ppsspp.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/softmaker-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/telegram.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/tesseract.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/tiny-rdm.profile | 61 | ||||
-rw-r--r-- | etc/profile-m-z/transgui.profile | 2 |
19 files changed, 102 insertions, 15 deletions
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index dd5639268..853b6ae52 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
@@ -72,7 +72,7 @@ seccomp | |||
72 | tracelog | 72 | tracelog |
73 | 73 | ||
74 | disable-mnt | 74 | disable-mnt |
75 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer | 75 | private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer |
76 | private-cache | 76 | private-cache |
77 | private-dev | 77 | private-dev |
78 | private-etc @tls-ca | 78 | private-etc @tls-ca |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index eed839041..e7dba9cd5 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -47,7 +47,7 @@ seccomp | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | private-bin gio,QOwnNotes | 50 | private-bin QOwnNotes,gio |
51 | private-dev | 51 | private-dev |
52 | private-etc @tls-ca,host.conf | 52 | private-etc @tls-ca,host.conf |
53 | private-tmp | 53 | private-tmp |
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index fe1f9b877..ea7d8bfa7 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
@@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
31 | seccomp !chroot | 31 | seccomp !chroot |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-bin awk,bash,dig,sh,Viber | 34 | private-bin Viber,awk,bash,dig,sh |
35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf | 35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf |
36 | private-tmp | 36 | private-tmp |
37 | 37 | ||
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 97b9d2898..5b8747825 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile | |||
@@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
31 | seccomp | 31 | seccomp |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
34 | private-bin cp,sh,XMind | 34 | private-bin XMind,cp,sh |
35 | private-tmp | 35 | private-tmp |
36 | private-dev | 36 | private-dev |
37 | 37 | ||
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index 8007b887a..1efd1e8f9 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile | |||
@@ -26,7 +26,7 @@ notv | |||
26 | disable-mnt | 26 | disable-mnt |
27 | private-bin ffmpeg,fzf,mov-cli | 27 | private-bin ffmpeg,fzf,mov-cli |
28 | #private-cache | 28 | #private-cache |
29 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 29 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
30 | private-tmp | 30 | private-tmp |
31 | 31 | ||
32 | # Redirect | 32 | # Redirect |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index ab1e0ab02..097ce6e83 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -127,7 +127,7 @@ tracelog | |||
127 | #disable-mnt | 127 | #disable-mnt |
128 | private-cache | 128 | private-cache |
129 | private-dev | 129 | private-dev |
130 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo | 130 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo |
131 | private-tmp | 131 | private-tmp |
132 | writable-run-user | 132 | writable-run-user |
133 | writable-var | 133 | writable-var |
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile index b979e1aee..30dd164b6 100644 --- a/etc/profile-m-z/natron.profile +++ b/etc/profile-m-z/natron.profile | |||
@@ -30,7 +30,7 @@ nou2f | |||
30 | protocol unix | 30 | protocol unix |
31 | seccomp | 31 | seccomp |
32 | 32 | ||
33 | private-bin natron,Natron,NatronRenderer | 33 | private-bin Natron,NatronRenderer,natron |
34 | 34 | ||
35 | dbus-user none | 35 | dbus-user none |
36 | dbus-system none | 36 | dbus-system none |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index b15e98424..51e2e43bf 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -119,7 +119,7 @@ tracelog | |||
119 | #disable-mnt | 119 | #disable-mnt |
120 | private-cache | 120 | private-cache |
121 | private-dev | 121 | private-dev |
122 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver | 122 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver |
123 | private-tmp | 123 | private-tmp |
124 | writable-run-user | 124 | writable-run-user |
125 | writable-var | 125 | writable-var |
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 4c463521c..f301196c6 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -7,7 +7,7 @@ include nodejs-common.local | |||
7 | # added by caller profile | 7 | # added by caller profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts | 10 | # Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts |
11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full | 11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full |
12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented | 12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented |
13 | # as a sourced shell function, not an executable binary. Hence it is not | 13 | # as a sourced shell function, not an executable binary. Hence it is not |
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc | |||
22 | ignore read-only ${HOME}/.nvm | 22 | ignore read-only ${HOME}/.nvm |
23 | ignore read-only ${HOME}/.yarnrc | 23 | ignore read-only ${HOME}/.yarnrc |
24 | 24 | ||
25 | noblacklist ${HOME}/.local/share/pnpm | ||
25 | noblacklist ${HOME}/.node-gyp | 26 | noblacklist ${HOME}/.node-gyp |
26 | noblacklist ${HOME}/.npm | 27 | noblacklist ${HOME}/.npm |
27 | noblacklist ${HOME}/.npmrc | 28 | noblacklist ${HOME}/.npmrc |
@@ -43,6 +44,7 @@ include disable-xdg.inc | |||
43 | 44 | ||
44 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory | 45 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory |
45 | # and add the next lines to your nodejs-common.local. | 46 | # and add the next lines to your nodejs-common.local. |
47 | #mkdir ${HOME}/.local/share/pnpm | ||
46 | #mkdir ${HOME}/.node-gyp | 48 | #mkdir ${HOME}/.node-gyp |
47 | #mkdir ${HOME}/.npm | 49 | #mkdir ${HOME}/.npm |
48 | #mkdir ${HOME}/.npm-packages | 50 | #mkdir ${HOME}/.npm-packages |
@@ -52,6 +54,7 @@ include disable-xdg.inc | |||
52 | #mkdir ${HOME}/.yarn-config | 54 | #mkdir ${HOME}/.yarn-config |
53 | #mkdir ${HOME}/.yarncache | 55 | #mkdir ${HOME}/.yarncache |
54 | #mkfile ${HOME}/.yarnrc | 56 | #mkfile ${HOME}/.yarnrc |
57 | #whitelist ${HOME}/.local/share/pnpm | ||
55 | #whitelist ${HOME}/.node-gyp | 58 | #whitelist ${HOME}/.node-gyp |
56 | #whitelist ${HOME}/.npm | 59 | #whitelist ${HOME}/.npm |
57 | #whitelist ${HOME}/.npm-packages | 60 | #whitelist ${HOME}/.npm-packages |
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile new file mode 100644 index 000000000..08f88be43 --- /dev/null +++ b/etc/profile-m-z/pnpm.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpm | ||
2 | # Description: Fast, disk space efficient package manager | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpm.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile new file mode 100644 index 000000000..a99d1232a --- /dev/null +++ b/etc/profile-m-z/pnpx.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpx | ||
2 | # Description: Part of the Node.js stack | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpx.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile index c8f00584d..a74b72695 100644 --- a/etc/profile-m-z/postman.profile +++ b/etc/profile-m-z/postman.profile | |||
@@ -17,7 +17,7 @@ include whitelist-run-common.inc | |||
17 | 17 | ||
18 | protocol unix,inet,inet6,netlink | 18 | protocol unix,inet,inet6,netlink |
19 | 19 | ||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh | 20 | private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh |
21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | 21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM | 22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM |
23 | # https://github.com/netblue30/firejail/discussions/5307 | 23 | # https://github.com/netblue30/firejail/discussions/5307 |
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index da16ae912..5ae6ccf04 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
@@ -39,7 +39,7 @@ novideo | |||
39 | protocol unix,netlink | 39 | protocol unix,netlink |
40 | seccomp | 40 | seccomp |
41 | 41 | ||
42 | private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL | 42 | private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp |
43 | # Add the next line to your ppsspp.local if you do not need controller support. | 43 | # Add the next line to your ppsspp.local if you do not need controller support. |
44 | #private-dev | 44 | #private-dev |
45 | private-etc @tls-ca,@x11,host.conf | 45 | private-etc @tls-ca,@x11,host.conf |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index 7ce6748d1..3a3a9062e 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc @tls-ca,fstab,SoftMaker | 45 | private-etc @tls-ca,SoftMaker,fstab |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 34cb3631a..41de746dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink | |||
163 | # Add 'ignore seccomp' to your steam.local if you experience this. | 163 | # Add 'ignore seccomp' to your steam.local if you experience this. |
164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 | 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 |
165 | # (see #4366). | 165 | # (see #4366). |
166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 | 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2 |
167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). | 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). |
168 | seccomp.32 !process_vm_readv | 168 | seccomp.32 !process_vm_readv |
169 | # tracelog breaks integrated browser | 169 | # tracelog breaks integrated browser |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fa992ad1a..7ed3d98d4 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -46,7 +46,7 @@ seccomp | |||
46 | seccomp.block-secondary | 46 | seccomp.block-secondary |
47 | 47 | ||
48 | disable-mnt | 48 | disable-mnt |
49 | private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open | 49 | private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc @tls-ca,@x11,os-release | 52 | private-etc @tls-ca,@x11,os-release |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 5babfb8d2..c0293406d 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
@@ -26,6 +26,7 @@ include whitelist-common.inc | |||
26 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | whitelist /usr/share/tessdata | 28 | whitelist /usr/share/tessdata |
29 | whitelist /usr/share/tesseract-ocr | ||
29 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile new file mode 100644 index 000000000..4134d666c --- /dev/null +++ b/etc/profile-m-z/tiny-rdm.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for tiny-rdm | ||
2 | # Description: A Modern Redis GUI Client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tiny-rdm.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/tiny-rdm | ||
10 | noblacklist ${HOME}/.config/TinyRDM | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-proc.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.cache/tiny-rdm | ||
22 | mkdir ${HOME}/.config/TinyRDM | ||
23 | whitelist ${HOME}/.cache/tiny-rdm | ||
24 | whitelist ${HOME}/.config/TinyRDM | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-run-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | ipc-namespace | ||
34 | netfilter | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | noinput | ||
39 | nonewprivs | ||
40 | noprinters | ||
41 | noroot | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | nosound | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | seccomp.block-secondary | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin tiny-rdm | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc @network,@tls-ca,@x11 | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user none | ||
59 | dbus-system none | ||
60 | |||
61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 9f1f1c241..bac48805c 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
@@ -49,7 +49,7 @@ private-bin geoiplookup,geoiplookup6,transgui | |||
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc @network,@tls-ca,@x11 | 51 | private-etc @network,@tls-ca,@x11 |
52 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* | 52 | private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.* |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |