diff options
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mattermost-desktop.profile | 46 | ||||
-rw-r--r-- | etc/profile-m-z/meld.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/minecraft-launcher.profile | 58 | ||||
-rw-r--r-- | etc/profile-m-z/mpv.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/newsflash.profile | 60 | ||||
-rw-r--r-- | etc/profile-m-z/signal-desktop.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/teams.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/telegram.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/virtualbox.profile | 19 | ||||
-rw-r--r-- | etc/profile-m-z/xfce4-screenshooter.profile | 51 | ||||
-rw-r--r-- | etc/profile-m-z/zoom.profile | 14 |
11 files changed, 257 insertions, 7 deletions
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile new file mode 100644 index 000000000..e4487c8aa --- /dev/null +++ b/etc/profile-m-z/mattermost-desktop.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for mattermost-desktop | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include mattermost-desktop.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/Mattermost | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/Mattermost | ||
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.config/Mattermost | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | caps.keep sys_admin,sys_chroot | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-cache | ||
38 | private-dev | ||
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
40 | private-tmp | ||
41 | |||
42 | # Not tested | ||
43 | #dbus-user filter | ||
44 | #dbus-user.own com.mattermost.Desktop | ||
45 | #dbus-user.talk org.freedesktop.Notifications | ||
46 | #dbus-system none | ||
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 84db8b785..385700648 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
@@ -70,6 +70,7 @@ private-cache | |||
70 | private-dev | 70 | private-dev |
71 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. | 71 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. |
72 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | 72 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion |
73 | # Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551) | ||
73 | private-tmp | 74 | private-tmp |
74 | 75 | ||
75 | read-only ${HOME}/.ssh | 76 | read-only ${HOME}/.ssh |
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile new file mode 100644 index 000000000..8c7d18c58 --- /dev/null +++ b/etc/profile-m-z/minecraft-launcher.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for minecraft-launcher | ||
2 | # Description: Official Minecraft launcher from Mojang | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include minecraft-launcher.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. | ||
10 | |||
11 | ignore noexec ${HOME} | ||
12 | |||
13 | noblacklist ${HOME}/.minecraft | ||
14 | |||
15 | include allow-java.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-shell.inc | ||
24 | include disable-xdg.inc | ||
25 | |||
26 | mkdir ${HOME}/.minecraft | ||
27 | whitelist ${HOME}/.minecraft | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-runuser-common.inc | ||
30 | include whitelist-usr-share-common.inc | ||
31 | include whitelist-var-common.inc | ||
32 | |||
33 | apparmor | ||
34 | caps.drop all | ||
35 | netfilter | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,inet,inet6,netlink | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin java,java-config,minecraft-launcher | ||
50 | private-cache | ||
51 | private-dev | ||
52 | # If multiplayer or realms break add your own java folder from /etc or comment the line below. | ||
53 | private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg | ||
54 | private-opt minecraft-launcher | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b0e493c5f..2fc027257 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -30,6 +30,8 @@ include disable-programs.inc | |||
30 | include disable-shell.inc | 30 | include disable-shell.inc |
31 | include disable-xdg.inc | 31 | include disable-xdg.inc |
32 | 32 | ||
33 | whitelist /usr/share/lua | ||
34 | whitelist /usr/share/lua* | ||
33 | whitelist /usr/share/vulkan | 35 | whitelist /usr/share/vulkan |
34 | include whitelist-usr-share-common.inc | 36 | include whitelist-usr-share-common.inc |
35 | include whitelist-var-common.inc | 37 | include whitelist-var-common.inc |
@@ -37,8 +39,7 @@ include whitelist-var-common.inc | |||
37 | apparmor | 39 | apparmor |
38 | caps.drop all | 40 | caps.drop all |
39 | netfilter | 41 | netfilter |
40 | 42 | # nogroups seems to cause issues with Nvidia drivers sometimes | |
41 | # Seems to cause issues with Nvidia drivers sometimes | ||
42 | nogroups | 43 | nogroups |
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
@@ -49,7 +50,7 @@ shell none | |||
49 | tracelog | 50 | tracelog |
50 | 51 | ||
51 | private-bin env,mpv,python*,youtube-dl | 52 | private-bin env,mpv,python*,youtube-dl |
52 | # Causes slow OSD, see #2838 | 53 | # private-cache causes slow OSD, see #2838 |
53 | #private-cache | 54 | #private-cache |
54 | private-dev | 55 | private-dev |
55 | 56 | ||
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile new file mode 100644 index 000000000..d0ac83baf --- /dev/null +++ b/etc/profile-m-z/newsflash.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for newsflash | ||
2 | # Description: Modern feed reader | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include newsflash.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/NewsFlashGTK | ||
10 | noblacklist ${HOME}/.config/news-flash | ||
11 | noblacklist ${HOME}/.local/share/news-flash | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.cache/NewsFlashGTK | ||
23 | mkdir ${HOME}/.config/news-flash | ||
24 | mkdir ${HOME}/.local/share/news-flash | ||
25 | whitelist ${HOME}/.cache/NewsFlashGTK | ||
26 | whitelist ${HOME}/.config/news-flash | ||
27 | whitelist ${HOME}/.local/share/news-flash | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-runuser-common.inc | ||
30 | include whitelist-usr-share-common.inc | ||
31 | include whitelist-var-common.inc | ||
32 | |||
33 | apparmor | ||
34 | caps.drop all | ||
35 | machine-id | ||
36 | netfilter | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | nosound | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | protocol unix,inet,inet6 | ||
46 | seccomp | ||
47 | shell none | ||
48 | tracelog | ||
49 | |||
50 | disable-mnt | ||
51 | private-bin com.gitlab.newsflash,newsflash | ||
52 | private-cache | ||
53 | private-dev | ||
54 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | #dbus-user.own com.gitlab.newsflash | ||
59 | #dbus-user.talk org.freedesktop.Notifications | ||
60 | dbus-system none | ||
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 5d9225705..b51a86e7d 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -34,10 +34,12 @@ nodvd | |||
34 | nogroups | 34 | nogroups |
35 | notv | 35 | notv |
36 | nou2f | 36 | nou2f |
37 | novideo | ||
37 | shell none | 38 | shell none |
38 | 39 | ||
39 | disable-mnt | 40 | disable-mnt |
40 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
41 | private-tmp | 43 | private-tmp |
42 | 44 | ||
43 | dbus-user none | 45 | dbus-user none |
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index 326b97e4b..bd7faa80a 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile | |||
@@ -1,14 +1,14 @@ | |||
1 | # Firejail profile for teams | 1 | # Firejail profile for teams |
2 | # Description: Official Microsoft Teams client for Linux using Electron. | 2 | # Description: Official Microsoft Teams client for Linux using Electron. |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Known issues: | ||
5 | # * if Teams crashes on startup try using "ignore apparmor" in your local config | ||
6 | # Persistent local customizations | 4 | # Persistent local customizations |
7 | include teams.local | 5 | include teams.local |
8 | # Persistent global definitions | 6 | # Persistent global definitions |
9 | # added by included profile | 7 | # added by included profile |
10 | #include globals.local | 8 | #include globals.local |
11 | 9 | ||
10 | # see #3404 | ||
11 | ignore apparmor | ||
12 | ignore dbus-user none | 12 | ignore dbus-user none |
13 | ignore dbus-system none | 13 | ignore dbus-system none |
14 | 14 | ||
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index e3af5600a..8e0741458 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -25,5 +25,5 @@ seccomp | |||
25 | 25 | ||
26 | disable-mnt | 26 | disable-mnt |
27 | private-cache | 27 | private-cache |
28 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | ||
28 | private-tmp | 29 | private-tmp |
29 | |||
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index c0dbc9116..12bef5d1f 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox | |||
14 | noblacklist /usr/lib64/virtualbox | 14 | noblacklist /usr/lib64/virtualbox |
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | ||
17 | include disable-exec.inc | 18 | include disable-exec.inc |
19 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-xdg.inc | ||
20 | 23 | ||
21 | mkdir ${HOME}/.config/VirtualBox | 24 | mkdir ${HOME}/.config/VirtualBox |
22 | mkdir ${HOME}/VirtualBox VMs | 25 | mkdir ${HOME}/VirtualBox VMs |
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox | |||
24 | whitelist ${HOME}/VirtualBox VMs | 27 | whitelist ${HOME}/VirtualBox VMs |
25 | whitelist ${DOWNLOADS} | 28 | whitelist ${DOWNLOADS} |
26 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
28 | 33 | ||
29 | caps.keep net_raw,sys_admin,sys_nice | 34 | # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 |
35 | |||
36 | caps.keep net_raw,sys_nice | ||
30 | netfilter | 37 | netfilter |
31 | nodvd | 38 | nodvd |
39 | #nogroups | ||
32 | notv | 40 | notv |
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | #disable-mnt | ||
45 | private-cache | ||
46 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | ||
47 | |||
48 | dbus-user none | ||
49 | dbus-system none | ||
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile new file mode 100644 index 000000000..b760b44dd --- /dev/null +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for xfce4-screenshooter | ||
2 | # Description: Xfce screenshot tool | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include xfce4-screenshooter.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${PICTURES} | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist /usr/share/xfce4 | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | apparmor | ||
26 | caps.drop all | ||
27 | machine-id | ||
28 | netfilter | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix,inet,inet6 | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | disable-mnt | ||
43 | private-bin xfce4-screenshooter,xfconf-query | ||
44 | private-dev | ||
45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl | ||
46 | private-tmp | ||
47 | |||
48 | dbus-user none | ||
49 | dbus-system none | ||
50 | |||
51 | memory-deny-write-execute | ||
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 6eac10703..b3125ee50 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
15 | 18 | ||
16 | mkdir ${HOME}/.cache/zoom | 19 | mkdir ${HOME}/.cache/zoom |
17 | mkfile ${HOME}/.config/zoomus.conf | 20 | mkfile ${HOME}/.config/zoomus.conf |
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom | |||
20 | whitelist ${HOME}/.config/zoomus.conf | 23 | whitelist ${HOME}/.config/zoomus.conf |
21 | whitelist ${HOME}/.zoom | 24 | whitelist ${HOME}/.zoom |
22 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
23 | 29 | ||
24 | caps.drop all | 30 | caps.drop all |
25 | netfilter | 31 | netfilter |
26 | nodvd | 32 | nodvd |
33 | nogroups | ||
27 | nonewprivs | 34 | nonewprivs |
28 | noroot | 35 | noroot |
29 | notv | 36 | notv |
37 | nou2f | ||
30 | protocol unix,inet,inet6,netlink | 38 | protocol unix,inet,inet6,netlink |
31 | seccomp !chroot | 39 | seccomp !chroot |
40 | shell none | ||
41 | tracelog | ||
32 | 42 | ||
43 | disable-mnt | ||
44 | private-cache | ||
45 | private-dev | ||
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
33 | private-tmp | 47 | private-tmp |