Diffstat (limited to 'etc')
75 files changed, 1020 insertions, 46 deletions
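--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Abrowser
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc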
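--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amarok profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+#private-bin amarok
+private-dev
+private-tmp
+#private-etc none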
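Review bot: `#seccomp` at line 13 of the new amarok profile leaves syscall filtering off with no stated reason, while every other profile added in this commit (ark, atool, brasero, dolphin, …) enables it. If Amarok is known to break under the default filter, say so in the file, e.g. `# seccomp disabled: <reason> -- TODO re-test, or whitelist the failing syscalls instead`, so the next maintainer can tell a deliberate trade-off from an oversight. The same lack of rationale applies to `#private-bin amarok` and `#private-etc none` on lines 16 and 19, though those matter less.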
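--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+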
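--- /dev/null
+++ b/etc/atool.profile
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+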
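Review bot: `netfilter` on line 14 directly above `net none` on line 15 appears redundant: `net none` gives the sandbox a network namespace with no interfaces, so there is no traffic for the filter to act on, and keeping both reads as if the author expected the filter to add protection. Either drop `netfilter` or add a comment stating the intent, e.g. `# net none: archive extraction needs no network; netfilter kept only for consistency`. The same `netfilter` + `net none` pairing appears in the new exiftool, gpg, highlight and img2txt profiles and in the rewritten file.profile later in this commit.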
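--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+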
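Review bot: `# include /etc/firejail/disable-programs.inc` on line 3 makes bleachbit the only new profile in this commit that leaves the per-program blacklist off, and the file does not say why. Presumably BleachBit has to read and delete other applications' caches and configuration to do its job, but a reader cannot tell that from the profile. Suggest `# disable-programs.inc is not included: bleachbit must reach other programs' caches and configs to clean them`. It is worth stating explicitly, since it means browser profiles and similar data remain visible to the sandboxed process.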
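--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts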
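--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,5 +1,4 @@
 # Profile for Brave browser
-
 noblacklist ~/.config/brave
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc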
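--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,5 +1,4 @@
 # claws-mail profile
-
 noblacklist ~/.claws-mail
 noblacklist ~/.signature
 noblacklist ~/.gnupg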
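--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,5 +1,4 @@
 # Firejail corebird profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc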
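--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
-
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
 include /etc/firejail/disable-common.inc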
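--- a/etc/default.profile
+++ b/etc/default.profile
@@ -5,11 +5,20 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-#blacklist ${HOME}/.wine
-
 caps.drop all
 netfilter
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+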
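Review bot: Typo in the added comment on line 16: `# depending on you usage, you can enable some of the commands below:` should read `# depending on your usage, you can enable some of the commands below:`. Since default.profile is the fallback applied to programs without their own profile, this is the comment most users will actually read when deciding whether to tighten a sandbox, so it is worth getting right.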
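--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Dillo web browser
-
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc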
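--- /dev/null
+++ b/etc/dolphin.profile
@@ -0,0 +1,23 @@
+# dolphin profile
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+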
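--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+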
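--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
+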
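--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,5 +1,4 @@
 # emacs profile
-
 noblacklist ~/.emacs
 noblacklist ~/.emacs.d
 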
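--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts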
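--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,5 +1,4 @@
 # eog (gnome image viewer) profile
-
 noblacklist ~/.config/eog
 
 include /etc/firejail/disable-common.inc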
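--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -19,4 +19,5 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
-private-tmp
\ No newline at end of file
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp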
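--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,5 +1,4 @@
 # evolution profile
-
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
 noblacklist ~/.cache/evolution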
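--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
+
+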
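--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts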
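--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,16 +1,25 @@
 # file profile
-ignore noroot
-include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
 
+caps.drop all
 hostname file
+netfilter
 net none
 no3d
+nogroups
+nonewprivs
+#noroot
 nosound
-quiet
+protocol unix
+seccomp
 shell none
 tracelog
+quiet
+x11 none
+
+blacklist /tmp/.X11-unix
 
 private-dev
 private-bin file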
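Review bot: `#noroot` on new line 13 replaces the old `ignore noroot` but still carries no explanation of why the user namespace is left off for `file`, which otherwise gets the tightest settings in the commit (`net none`, `x11 none`, `private-bin file`). The old `ignore noroot` suggests a known incompatibility; record it, e.g. `# noroot disabled: <reason> (was 'ignore noroot' before the rewrite)`, so the exception survives the next cleanup instead of being re-enabled by accident. Also note that `blacklist /tmp/.X11-unix` on line 22 appears to overlap with what `x11 none` on line 20 already does; harmless, but a one-word comment (`# belt-and-braces`) would make the duplication look intentional.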
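--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview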
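--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Gajim
-
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.local/share/gajim
 mkdir ${HOME}/.config/gajim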
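--- /dev/null
+++ b/etc/gedit.profile
@@ -0,0 +1,26 @@
+# gedit profile
+
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
+noblacklist ~/.config/gedit
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gedit
+private-tmp
+private-dev
+# private-etc fonts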
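Review bot: `#include /etc/firejail/disable-devel.inc` on line 9 is commented out with no reason given, so compilers and interpreters stay reachable from the editor sandbox without the file saying why. The note on line 3 about gnome-shell/systemd start-up shows the author is willing to document such caveats; the same style would help here, e.g. `# disable-devel.inc not included: <reason, e.g. plugins or build tooling>` (constructed example, replace with the actual reason). kate.profile later in this commit has the identical unexplained `#include` on its line 11 and would benefit from the same comment.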
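--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,5 +1,4 @@
 # git profile
-
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg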
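--- /dev/null
+++ b/etc/gjs.profile
@@ -0,0 +1,28 @@
+# gjs (gnome javascript bindings) profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+noblacklist ~/.config/libreoffice
+noblacklist ~/.local/share/gnome-photos
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+private-tmp
+private-dev
+# private-etc fonts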
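Review bot: The gjs profile lifts the blacklist on four different applications' data at lines 5-8 (`~/.cache/org.gnome.Books`, `~/.config/libreoffice`, `~/.local/share/gnome-photos`, `~/.cache/libgweather`), so any program run under it sees all of them, whereas the per-app profiles added in this commit (gnome-books, gnome-photos, gnome-weather) each expose only their own. That looks intentional given the `# private-bin gjs,gnome-books,...` list on line 25, but the file should say it is a catch-all, e.g. `# catch-all for gjs applications; prefer the per-app profiles (gnome-books, gnome-photos, ...) where they exist`. `nosound` is also omitted here while most sibling profiles set it; if that is deliberate, a short comment would stop it being "fixed" later.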
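--- /dev/null
+++ b/etc/gnome-books.profile
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts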
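--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,21 @@
+# gnome-clocks profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts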
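--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev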
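--- /dev/null
+++ b/etc/gnome-maps.profile
@@ -0,0 +1,24 @@
+# gnome-maps profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts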
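--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts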
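--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.local/share/gnome-photos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts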
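--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts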
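--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts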
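--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none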
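--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,23 @@
+# gpg-agent profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none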
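--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none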
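Review bot: `net none` on line 17 means keyserver operations (`--recv-keys`, `--send-keys`, `--refresh-keys`) cannot work under this profile, and nothing in the file says that this is the intent rather than an oversight. gpa.profile in the same commit keeps `protocol unix,inet,inet6` for a front-end to the same binary and gpg-agent.profile has no `net none` either, so the three siblings differ silently; a one-line comment keeps the choice explicit: `# net none: keyserver access (--recv-keys, --send-keys) is intentionally blocked`. If keyserver use is expected, `netfilter` with `protocol unix,inet,inet6` as in gpa.profile is the alternative.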
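--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin highlight
+private-tmp
+private-dev
+
+
+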
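--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,5 +1,4 @@
 # Firejail profile for GNU Icecat
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc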
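--- /dev/null
+++ b/etc/img2txt.profile
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+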
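--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+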
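--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts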
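--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,5 +1,4 @@
 # keepass password manager profile
-
 noblacklist ${HOME}/.config/keepass
 noblacklist ${HOME}/.keepass
 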
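--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -1,5 +1,4 @@
 # keepass password manager profile
-
 #noblacklist ${HOME}/.config/KeePass
 #noblacklist ${HOME}/.keepass
 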
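--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,5 +1,4 @@
 # keepassx password manager profile
-
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
 noblacklist ${HOME}/keepassx.kdbx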
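--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,5 +1,4 @@
 # Firejail konversation profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc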
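--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,5 +1,4 @@
 # lxterminal (LXDE) profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc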
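--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+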
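--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+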
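Review bot: The file ends with four empty lines (lines 23–26), which is noise in a profile that every other new file in this commit ends with a single trailing newline or one blank line; trim them to one newline. The lynx, skanlite and xpra profiles also carry one trailing blank line each, which is harmless but worth normalising in the same pass.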
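--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
 
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf
 private-tmp
 private-dev
 private-etc fonts
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
 
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm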
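Review bot: The active `private-bin mupdf` is removed in the first hunk and only survives commented out as `# private-bin mupdf,sh,tempfile,rm` under "Experimental", so the sandbox now exposes the whole of the system's binaries to the viewer without the file recording why. If mupdf really needs `sh`, `tempfile` and `rm` (presumably for some helper it spawns — confirm), say so next to the line, e.g. `# private-bin disabled: mupdf spawns sh/tempfile/rm for <feature>; re-enable once the list is verified`. Note that putting `sh` on the private-bin list largely voids the execution restriction anyway, so the comment should also record which behaviour breaks with plain `private-bin mupdf`; `read-only ${HOME}` above remains the profile's main safeguard.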
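--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,5 +1,4 @@
 # mutt email client profile
-
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
 noblacklist ~/.mutt/muttrc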
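--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts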
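--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.config/netsurf
 noblacklist ~/.cache/netsurf
 include /etc/firejail/disable-common.inc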
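--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+
+read-only ${HOME}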
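--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nogroups
+netfilter
 nonewprivs
+nogroups
 noroot
+nosound
 protocol unix
 seccomp
-nosound
+shell none
+tracelog
 
+# private-bin okular,kbuildsycoca4,kbuildsycoca5
+# private-etc X11
 private-dev
-
-#Experimental:
-#net none
-#shell none
-#private-bin okular,kbuildsycoca4,kbuildsycoca5
-#private-etc X11
+private-tmp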
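Review bot: `#net none` disappears from the old "Experimental" block instead of graduating to active alongside `shell none` and `tracelog`, and nothing in the hunk says why. For a document viewer it is the cheapest isolation step, and since `protocol unix` is kept, inet sockets are already denied, so enabling it should not change behaviour unless okular's network-backed features are wanted — confirm. If it was dropped deliberately, keep a commented `# net none` with the reason so the intent survives the next cleanup.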
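--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none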
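--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Psi+
-
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
 include /etc/firejail/disable-common.inc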
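--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -1,5 +1,4 @@
 # qemu-launcher profile
-
 noblacklist ~/.qemu-launcher
 
 include /etc/firejail/disable-common.inc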
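--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,5 +1,4 @@
 # qemu profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc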
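--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
-
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc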
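--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts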
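Review bot: `#seccomp` (line 15) and `# private-dev` (line 22) are disabled without a stated reason, and the same pair is commented out in skanlite. Presumably the scanner backend needs the device nodes under /dev and trips the default seccomp filter — confirm — but the file should say so, e.g. `# private-dev would hide the scanner device nodes` and `# seccomp: disabled, breaks the scanner backend — revisit`. Without such comments the next cleanup pass either re-enables them and silently breaks scanning, or leaves the sandbox weaker than it needs to be indefinitely.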
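--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+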
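--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp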
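Review bot: `protocol unix,inet,inet6` on line 14 is wider than the agent needs: OpenSSH's ssh-agent serves its clients only over a unix socket, so `protocol unix` would deny network sockets to a process that holds decrypted private keys in memory — confirm no agent variant in use here needs inet. While here, the deliberate omission of `private-tmp` deserves a comment, since the agent's socket lives under the path matched by `noblacklist /tmp/ssh-*` (line 4) and a private /tmp would hide it from every client, e.g. `# no private-tmp: clients reach the agent socket under /tmp/ssh-*`. `shell none`, `nosound` and `nogroups`, present in the sibling profiles of this commit, are also absent without explanation.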
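--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts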
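--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none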
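Review bot: `net none` on line 12 together with `protocol unix` on line 16 leaves transmission-cli with no way to open a tracker or peer connection, so the client cannot download anything under this profile — unless the intent is to sandbox it only for inspecting torrent files, which is what the transmission-show profile in this commit covers. If network access is meant to be allowed, drop `net none` and use `protocol unix,inet,inet6`; `netfilter` on line 11 then still only applies when a `net` interface is supplied. Either way a one-line comment stating the intended use would keep the profile from being "fixed" in the wrong direction later.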
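--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none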
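--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,5 +1,4 @@
 # VirtualBox profile
-
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
 noblacklist ${HOME}/.config/VirtualBox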
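--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none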
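Review bot: `private-etc none` on line 23 is active while the profile allows inet sockets (line 14); if the directive does what its name suggests and mounts an empty /etc, the browser loses resolv.conf, hosts and the TLS trust store, so name resolution and HTTPS fail inside the jail — confirm against the firejail version targeted. The lynx profile in this same commit keeps the identical line commented out (`# private-etc none`), so either w3m should match it, or the line should list what a networked text browser actually needs, e.g. `private-etc resolv.conf,hosts,ssl`.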
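--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -1,5 +1,4 @@
 # wire messenger profile
-
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
 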
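--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts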
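--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+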
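--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,3 +1,4 @@
+# xviewer profile
 noblacklist ~/.config/xviewer
 
 include /etc/firejail/disable-common.inc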
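--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,5 +1,4 @@
 # Firejail profile for zoom.us
-
 noblacklist ~/.config/zoomus.conf
 
 include /etc/firejail/disable-common.inc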