Diffstat (limited to 'etc')
64 files changed, 585 insertions, 719 deletions
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 5c964bad1..d757d6f49 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -7,42 +7,15 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
9 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | 10 | ||
16 | mkdir ${HOME}/.cache/mozilla/abrowser | 11 | mkdir ${HOME}/.cache/mozilla/abrowser |
17 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
20 | whitelist ${HOME}/.cache/mozilla/abrowser | 13 | whitelist ${HOME}/.cache/mozilla/abrowser |
21 | whitelist ${HOME}/.config/gnome-mplayer | ||
22 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
23 | whitelist ${HOME}/.config/pipelight-widevine | ||
24 | whitelist ${HOME}/.keysnail.js | ||
25 | whitelist ${HOME}/.lastpass | ||
26 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
27 | whitelist ${HOME}/.pentadactyl | ||
28 | whitelist ${HOME}/.pentadactylrc | ||
29 | whitelist ${HOME}/.pki | ||
30 | whitelist ${HOME}/.vimperator | ||
31 | whitelist ${HOME}/.vimperatorrc | ||
32 | whitelist ${HOME}/.wine-pipelight | ||
33 | whitelist ${HOME}/.wine-pipelight64 | ||
34 | whitelist ${HOME}/.zotero | ||
35 | whitelist ${HOME}/dwhelper | ||
36 | include /etc/firejail/whitelist-common.inc | ||
37 | 15 | ||
38 | caps.drop all | 16 | # private-etc must first be enabled in firefox-common.profile |
39 | netfilter | 17 | #private-etc abrowser |
40 | nodvd | 18 | |
41 | nonewprivs | ||
42 | noroot | ||
43 | notv | ||
44 | protocol unix,inet,inet6,netlink | ||
45 | seccomp | ||
46 | tracelog | ||
47 | 19 | ||
48 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 20 | # Redirect |
21 | include /etc/firejail/firefox-common.profile | ||
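Review bot: The hardening the old profile carried inline — `caps.drop all`, `nonewprivs`, `noroot`, `seccomp`, `protocol unix,inet,inet6,netlink`, `tracelog` — is now expected to come from firefox-common.profile, which is not in this view, so this section alone cannot show that abrowser ends up at least as confined as before. The `noblacklist` lines at 8–9 must stay above the redirect include: the common profile presumably pulls in disable-common.inc, and a `noblacklist` that follows a `blacklist` has no effect, so a comment like `# noblacklist lines must precede the redirect include (it pulls in disable-*.inc)` above line 21 would stop a later reorder. The `.pki` noblacklist/whitelist dropped here is presumably provided by the common profile as well — worth confirming, since that is where the NSS user certificate database lives.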
diff --git a/etc/akregator.profile b/etc/akregator.profile index f2e5ea341..2c49ef9f0 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc | |||
17 | mkdir ${HOME}/.local/share/akregator | 17 | mkdir ${HOME}/.local/share/akregator |
18 | whitelist ${HOME}/.config/akregatorrc | 18 | whitelist ${HOME}/.config/akregatorrc |
19 | whitelist ${HOME}/.local/share/akregator | 19 | whitelist ${HOME}/.local/share/akregator |
20 | whitelist ${HOME}/.local/share/kssl | ||
20 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
21 | 22 | ||
22 | include /etc/firejail/whitelist-var-common.inc | 23 | include /etc/firejail/whitelist-var-common.inc |
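Review bot: The new `whitelist ${HOME}/.local/share/kssl` at line 20 exposes what appears to be KDE's SSL exception/certificate store to the sandbox, and the only thing stopping a compromised feed reader from writing a trust exception there is the `read-only ${HOME}/.local/share/kssl` this same commit adds to disable-common.inc — an include this hunk does not show (it would be above line 17). A one-line comment on the whitelist would tie the two together: `# kssl: KDE SSL exception store; kept read-only by disable-common.inc`. If akregator only needs to read it, stating `read-only ${HOME}/.local/share/kssl` in this profile as well would make the protection independent of include order elsewhere.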
diff --git a/etc/audacity.profile b/etc/audacity.profile index e173fa65a..ea1d38132 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | include /etc/firejail/whitelist-var-common.inc | 17 | include /etc/firejail/whitelist-var-common.inc |
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | net none | 20 | #net none |
21 | no3d | 21 | no3d |
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
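Review bot: Commenting out `net none` at line 20 gives Audacity unrestricted network access, and the hunk records no reason for the relaxation. `net none` still leaves loopback and unix sockets usable, so if the breakage was a local audio daemon socket the directive is unlikely to have been the cause — worth confirming before leaving the sandbox open. A comment on the line stating what needed the network, e.g. `#net none - disabled because <component> needs outbound access`, would make this reviewable the next time the profile is hardened.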
diff --git a/etc/bnox.profile b/etc/bnox.profile index 4270755c8..3207a2923 100644 --- a/etc/bnox.profile +++ b/etc/bnox.profile | |||
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/bnox | 8 | noblacklist ${HOME}/.cache/bnox |
9 | noblacklist ${HOME}/.config/bnox | 9 | noblacklist ${HOME}/.config/bnox |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 10 | ||
15 | mkdir ${HOME}/.cache/bnox | 11 | mkdir ${HOME}/.cache/bnox |
16 | mkdir ${HOME}/.config/bnox | 12 | mkdir ${HOME}/.config/bnox |
17 | mkdir ${HOME}/.pki | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/bnox | 13 | whitelist ${HOME}/.cache/bnox |
20 | whitelist ${HOME}/.config/bnox | 14 | whitelist ${HOME}/.config/bnox |
21 | whitelist ${HOME}/.pki | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | include /etc/firejail/whitelist-var-common.inc | ||
24 | |||
25 | caps.keep sys_chroot,sys_admin | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | notv | ||
30 | shell none | ||
31 | |||
32 | private-dev | ||
33 | # private-tmp - problems with multiple browser sessions | ||
34 | 15 | ||
35 | noexec ${HOME} | 16 | # Redirect |
36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
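Review bot: Redirecting to chromium-common.profile changes bnox's sandbox in two ways the old inline profile did not have: `include /etc/firejail/disable-devel.inc` and `disable-mnt` (chromium-common.profile lines 11 and 27) now apply. Both are tightenings, but if either was left out deliberately before, the commit message or a comment here should say the change is intentional. As with the other redirects, the `noblacklist` lines at 8–9 must stay above the include, since the common profile is what brings in the disable-*.inc blacklists.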
diff --git a/etc/brave.profile b/etc/brave.profile index 668e8a244..f37ac2a05 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -8,31 +8,10 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.config/brave | 8 | noblacklist ${HOME}/.config/brave |
9 | # brave uses gpg for built-in password manager | 9 | # brave uses gpg for built-in password manager |
10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 11 | ||
17 | mkdir ${HOME}/.config/brave | 12 | mkdir ${HOME}/.config/brave |
18 | mkdir ${HOME}/.pki | ||
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ${HOME}/.config/KeePass | ||
21 | whitelist ${HOME}/.config/brave | 13 | whitelist ${HOME}/.config/brave |
22 | whitelist ${HOME}/.config/keepass | 14 | whitelist ${HOME}/.gnupg |
23 | whitelist ${HOME}/.config/lastpass | ||
24 | whitelist ${HOME}/.keepass | ||
25 | whitelist ${HOME}/.lastpass | ||
26 | whitelist ${HOME}/.pki | ||
27 | include /etc/firejail/whitelist-common.inc | ||
28 | |||
29 | # caps.drop all | ||
30 | netfilter | ||
31 | # nonewprivs | ||
32 | # noroot | ||
33 | nodvd | ||
34 | notv | ||
35 | # protocol unix,inet,inet6,netlink | ||
36 | # seccomp | ||
37 | 15 | ||
38 | disable-mnt | 16 | # Redirect |
17 | include /etc/firejail/chromium-common.profile | ||
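Review bot: The password-manager paths the old profile whitelisted (`.config/KeePass`, `.config/keepass`, `.config/lastpass`, `.keepass`, `.lastpass`) are dropped here, and chromium-common.profile whitelists only `${DOWNLOADS}` and `.pki`, so unless whitelist-common.inc (not shown) carries them, native-messaging to those managers will lose access to their data. The new `whitelist ${HOME}/.gnupg` at line 14 hands the browser read-write access to the whole keyring, secret keys included; that follows from the comment at line 9, but it is broad enough to deserve its own note, e.g. `# whole ~/.gnupg is exposed read-write (gpg presumably needs to write here); secret keys are visible to the sandbox`.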
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile new file mode 100644 index 000000000..5c5215309 --- /dev/null +++ b/etc/chromium-common.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Firejail profile for chromium-common | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/chromium-common.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.pki | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | mkdir ${HOME}/.pki | ||
15 | whitelist ${DOWNLOADS} | ||
16 | whitelist ${HOME}/.pki | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
20 | caps.keep sys_chroot,sys_admin | ||
21 | netfilter | ||
22 | nodvd | ||
23 | nogroups | ||
24 | notv | ||
25 | shell none | ||
26 | |||
27 | disable-mnt | ||
28 | private-dev | ||
29 | # private-tmp - problems with multiple browser sessions | ||
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
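Review bot: The file never says why it keeps `caps.keep sys_chroot,sys_admin` (line 20) and carries no `seccomp`, `nonewprivs` or `noroot`, which the non-Chromium profiles in this diff all use; a reader hardening this later will add them back and break the browser. A comment above line 20 such as `# Chromium's own sandbox presumably needs CAP_SYS_ADMIN/CAP_SYS_CHROOT (namespaces, chroot); nonewprivs/seccomp are deliberately absent for the same reason — confirm per browser` records the trade-off. The header should also state that this is an include target: `# Included by Chromium-based browser profiles; the caller's noblacklist lines must come before the include, since this file pulls in disable-*.inc`.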
diff --git a/etc/chromium.profile b/etc/chromium.profile index 64d790121..ad9f9af33 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -8,34 +8,14 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.cache/chromium | 8 | noblacklist ${HOME}/.cache/chromium |
9 | noblacklist ${HOME}/.config/chromium | 9 | noblacklist ${HOME}/.config/chromium |
10 | noblacklist ${HOME}/.config/chromium-flags.conf | 10 | noblacklist ${HOME}/.config/chromium-flags.conf |
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 11 | ||
17 | mkdir ${HOME}/.cache/chromium | 12 | mkdir ${HOME}/.cache/chromium |
18 | mkdir ${HOME}/.config/chromium | 13 | mkdir ${HOME}/.config/chromium |
19 | mkdir ${HOME}/.pki | ||
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.cache/chromium | 14 | whitelist ${HOME}/.cache/chromium |
22 | whitelist ${HOME}/.config/chromium | 15 | whitelist ${HOME}/.config/chromium |
23 | whitelist ${HOME}/.config/chromium-flags.conf | 16 | whitelist ${HOME}/.config/chromium-flags.conf |
24 | whitelist ${HOME}/.pki | ||
25 | include /etc/firejail/whitelist-common.inc | ||
26 | include /etc/firejail/whitelist-var-common.inc | ||
27 | |||
28 | caps.keep sys_chroot,sys_admin | ||
29 | netfilter | ||
30 | nodvd | ||
31 | nogroups | ||
32 | notv | ||
33 | shell none | ||
34 | 17 | ||
35 | disable-mnt | ||
36 | # private-bin chromium,chromium-browser,chromedriver | 18 | # private-bin chromium,chromium-browser,chromedriver |
37 | private-dev | ||
38 | # private-tmp - problems with multiple browser sessions | ||
39 | 19 | ||
40 | noexec ${HOME} | 20 | # Redirect |
41 | noexec /tmp | 21 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/clementine.profile b/etc/clementine.profile index a736f7bf9..ccf6f9c97 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/Clementine | ||
8 | noblacklist ${HOME}/.config/Clementine | 9 | noblacklist ${HOME}/.config/Clementine |
9 | 10 | ||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
diff --git a/etc/cliqz.profile b/etc/cliqz.profile index 086dfa233..4ff96311d 100644 --- a/etc/cliqz.profile +++ b/etc/cliqz.profile | |||
@@ -7,77 +7,14 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/cliqz | 8 | noblacklist ${HOME}/.cache/cliqz |
9 | noblacklist ${HOME}/.config/cliqz | 9 | noblacklist ${HOME}/.config/cliqz |
10 | noblacklist ${HOME}/.config/okularpartrc | ||
11 | noblacklist ${HOME}/.config/okularrc | ||
12 | noblacklist ${HOME}/.config/qpdfview | ||
13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
14 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
15 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
16 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
17 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
18 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
19 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
20 | noblacklist ${HOME}/.local/share/okular | ||
21 | noblacklist ${HOME}/.local/share/qpdfview | ||
22 | 10 | ||
23 | noblacklist ${HOME}/.pki | 11 | mkdir ${HOME}/.cache/cliqz |
12 | mkdir ${HOME}/.config/cliqz | ||
13 | whitelist ${HOME}/.cache/cliqz | ||
14 | whitelist ${HOME}/.config/cliqz | ||
24 | 15 | ||
25 | include /etc/firejail/disable-common.inc | 16 | # private-etc must first be enabled in firefox-common.profile |
26 | include /etc/firejail/disable-devel.inc | 17 | #private-etc cliqz |
27 | include /etc/firejail/disable-programs.inc | ||
28 | 18 | ||
29 | mkdir ${HOME}/.cache/mozilla/firefox | 19 | # Redirect |
30 | mkdir ${HOME}/.mozilla | 20 | include /etc/firejail/firefox-common.profile |
31 | mkdir ${HOME}/.pki | ||
32 | whitelist ${DOWNLOADS} | ||
33 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
34 | whitelist ${HOME}/.cache/mozilla/firefox | ||
35 | whitelist ${HOME}/.config/gnome-mplayer | ||
36 | whitelist ${HOME}/.config/okularpartrc | ||
37 | whitelist ${HOME}/.config/okularrc | ||
38 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
39 | whitelist ${HOME}/.config/pipelight-widevine | ||
40 | whitelist ${HOME}/.config/qpdfview | ||
41 | whitelist ${HOME}/.kde/share/apps/okular | ||
42 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
43 | whitelist ${HOME}/.kde/share/config/okularrc | ||
44 | whitelist ${HOME}/.kde4/share/apps/okular | ||
45 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
46 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
47 | whitelist ${HOME}/.keysnail.js | ||
48 | whitelist ${HOME}/.lastpass | ||
49 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
50 | whitelist ${HOME}/.local/share/okular | ||
51 | whitelist ${HOME}/.local/share/qpdfview | ||
52 | whitelist ${HOME}/.mozilla | ||
53 | whitelist ${HOME}/.pentadactyl | ||
54 | whitelist ${HOME}/.pentadactylrc | ||
55 | whitelist ${HOME}/.pki | ||
56 | whitelist ${HOME}/.vimperator | ||
57 | whitelist ${HOME}/.vimperatorrc | ||
58 | whitelist ${HOME}/.wine-pipelight | ||
59 | whitelist ${HOME}/.wine-pipelight64 | ||
60 | whitelist ${HOME}/.zotero | ||
61 | whitelist ${HOME}/dwhelper | ||
62 | include /etc/firejail/whitelist-common.inc | ||
63 | include /etc/firejail/whitelist-var-common.inc | ||
64 | |||
65 | caps.drop all | ||
66 | netfilter | ||
67 | nodvd | ||
68 | nogroups | ||
69 | nonewprivs | ||
70 | noroot | ||
71 | notv | ||
72 | protocol unix,inet,inet6,netlink | ||
73 | seccomp | ||
74 | shell none | ||
75 | tracelog | ||
76 | |||
77 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
78 | private-dev | ||
79 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
80 | private-tmp | ||
81 | |||
82 | noexec ${HOME} | ||
83 | noexec /tmp | ||
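Review bot: The old profile's `private-tmp` (line 80), `private-dev` (78), `shell none`, `seccomp` and `caps.drop all` are all dropped in favour of firefox-common.profile, which is not in this view, so whether cliqz keeps the same confinement cannot be checked from this section; the old profile also lacked `disable-mnt`, so if the common profile adds it that is a change worth noting in the commit message. The okular/qpdfview whitelists (old lines 36–51) disappear too; if the common profile does not carry an external-viewer set, opening downloaded PDFs from the browser will fail silently inside the sandbox. A short comment after line 14 listing what the redirect is expected to provide would make the next diff of this file reviewable.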
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 66cd27461..ce51906ba 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -7,67 +7,15 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.8pecxstudios | 8 | noblacklist ${HOME}/.8pecxstudios |
9 | noblacklist ${HOME}/.cache/8pecxstudios | 9 | noblacklist ${HOME}/.cache/8pecxstudios |
10 | noblacklist ${HOME}/.config/okularpartrc | ||
11 | noblacklist ${HOME}/.config/okularrc | ||
12 | noblacklist ${HOME}/.config/qpdfview | ||
13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
14 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
15 | noblacklist ${HOME}/.local/share/okular | ||
16 | noblacklist ${HOME}/.local/share/qpdfview | ||
17 | noblacklist ${HOME}/.pki | ||
18 | |||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-devel.inc | ||
21 | include /etc/firejail/disable-programs.inc | ||
22 | 10 | ||
23 | mkdir ${HOME}/.8pecxstudios | 11 | mkdir ${HOME}/.8pecxstudios |
24 | mkdir ${HOME}/.cache/8pecxstudios | 12 | mkdir ${HOME}/.cache/8pecxstudios |
25 | mkdir ${HOME}/.pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
28 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
29 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
30 | whitelist ${HOME}/.config/gnome-mplayer | ||
31 | whitelist ${HOME}/.config/okularpartrc | ||
32 | whitelist ${HOME}/.config/okularrc | ||
33 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
34 | whitelist ${HOME}/.config/pipelight-widevine | ||
35 | whitelist ${HOME}/.config/qpdfview | ||
36 | whitelist ${HOME}/.kde/share/apps/okular | ||
37 | whitelist ${HOME}/.kde4/share/apps/okular | ||
38 | whitelist ${HOME}/.keysnail.js | ||
39 | whitelist ${HOME}/.lastpass | ||
40 | whitelist ${HOME}/.local/share/okular | ||
41 | whitelist ${HOME}/.local/share/qpdfview | ||
42 | whitelist ${HOME}/.pentadactyl | ||
43 | whitelist ${HOME}/.pentadactylrc | ||
44 | whitelist ${HOME}/.pki | ||
45 | whitelist ${HOME}/.vimperator | ||
46 | whitelist ${HOME}/.vimperatorrc | ||
47 | whitelist ${HOME}/.wine-pipelight | ||
48 | whitelist ${HOME}/.wine-pipelight64 | ||
49 | whitelist ${HOME}/.zotero | ||
50 | whitelist ${HOME}/dwhelper | ||
51 | include /etc/firejail/whitelist-common.inc | ||
52 | |||
53 | caps.drop all | ||
54 | netfilter | ||
55 | nodvd | ||
56 | nogroups | ||
57 | nonewprivs | ||
58 | noroot | ||
59 | notv | ||
60 | protocol unix,inet,inet6,netlink | ||
61 | seccomp | ||
62 | shell none | ||
63 | tracelog | ||
64 | 15 | ||
65 | disable-mnt | ||
66 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 16 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env |
67 | private-dev | 17 | # private-etc must first be enabled in firefox-common.profile |
68 | private-dev | 18 | #private-etc cyberfox |
69 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | ||
70 | private-tmp | ||
71 | 19 | ||
72 | noexec ${HOME} | 20 | # Redirect |
73 | noexec /tmp | 21 | include /etc/firejail/firefox-common.profile |
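Review bot: `disable-mnt` at old line 65 is removed without a replacement visible in this section; if firefox-common.profile (not in this view) does not set it, /mnt, /media and /run/mount become visible to the browser again, which is a loosening rather than a refactor. Dropping the duplicated `private-dev` (old lines 67–68) is fine. The `#private-etc cyberfox` placeholder at line 18 would read less like a stray directive with a note on what it is meant to add, e.g. `#private-etc cyberfox  # browser-specific /etc entries, appended to the common list once enabled`.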
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 91c554f2e..54a292bc2 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -7,7 +7,10 @@ blacklist-nolog ${HOME}/.*_history | |||
7 | blacklist-nolog ${HOME}/.adobe | 7 | blacklist-nolog ${HOME}/.adobe |
8 | blacklist-nolog ${HOME}/.cache/greenclip* | 8 | blacklist-nolog ${HOME}/.cache/greenclip* |
9 | blacklist-nolog ${HOME}/.history | 9 | blacklist-nolog ${HOME}/.history |
10 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | ||
11 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | ||
10 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 12 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
13 | blacklist-nolog ${HOME}/.local/share/klipper | ||
11 | blacklist-nolog ${HOME}/.macromedia | 14 | blacklist-nolog ${HOME}/.macromedia |
12 | blacklist-nolog /tmp/clipmenu* | 15 | blacklist-nolog /tmp/clipmenu* |
13 | 16 | ||
@@ -42,20 +45,21 @@ blacklist /etc/X11/Xsession.d | |||
42 | blacklist /etc/xdg/autostart | 45 | blacklist /etc/xdg/autostart |
43 | 46 | ||
44 | # KDE config | 47 | # KDE config |
45 | blacklist ${HOME}/.config/*.notifyrc | ||
46 | blacklist ${HOME}/.config/khotkeysrc | 48 | blacklist ${HOME}/.config/khotkeysrc |
47 | blacklist ${HOME}/.config/krunnerrc | 49 | blacklist ${HOME}/.config/krunnerrc |
50 | blacklist ${HOME}/.config/ksslcertificatemanager | ||
48 | blacklist ${HOME}/.config/kwinrc | 51 | blacklist ${HOME}/.config/kwinrc |
49 | blacklist ${HOME}/.config/kwinrulesrc | 52 | blacklist ${HOME}/.config/kwinrulesrc |
50 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 53 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
54 | blacklist ${HOME}/.config/plasmashellrc | ||
51 | blacklist ${HOME}/.config/plasmavaultrc | 55 | blacklist ${HOME}/.config/plasmavaultrc |
52 | blacklist ${HOME}/.kde/share/apps/konsole | 56 | blacklist ${HOME}/.kde/share/apps/konsole |
53 | blacklist ${HOME}/.kde/share/apps/kwin | 57 | blacklist ${HOME}/.kde/share/apps/kwin |
54 | blacklist ${HOME}/.kde/share/apps/plasma | 58 | blacklist ${HOME}/.kde/share/apps/plasma |
55 | blacklist ${HOME}/.kde/share/apps/solid | 59 | blacklist ${HOME}/.kde/share/apps/solid |
56 | blacklist ${HOME}/.kde/share/config/*.notifyrc | ||
57 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 60 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
58 | blacklist ${HOME}/.kde/share/config/krunnerrc | 61 | blacklist ${HOME}/.kde/share/config/krunnerrc |
62 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager | ||
59 | blacklist ${HOME}/.kde/share/config/kwinrc | 63 | blacklist ${HOME}/.kde/share/config/kwinrc |
60 | blacklist ${HOME}/.kde/share/config/kwinrulesrc | 64 | blacklist ${HOME}/.kde/share/config/kwinrulesrc |
61 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 65 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
@@ -63,9 +67,9 @@ blacklist ${HOME}/.kde4/share/apps/konsole | |||
63 | blacklist ${HOME}/.kde4/share/apps/kwin | 67 | blacklist ${HOME}/.kde4/share/apps/kwin |
64 | blacklist ${HOME}/.kde4/share/apps/plasma | 68 | blacklist ${HOME}/.kde4/share/apps/plasma |
65 | blacklist ${HOME}/.kde4/share/apps/solid | 69 | blacklist ${HOME}/.kde4/share/apps/solid |
66 | blacklist ${HOME}/.kde4/share/config/*.notifyrc | ||
67 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | 70 | blacklist ${HOME}/.kde4/share/config/khotkeysrc |
68 | blacklist ${HOME}/.kde4/share/config/krunnerrc | 71 | blacklist ${HOME}/.kde4/share/config/krunnerrc |
72 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager | ||
69 | blacklist ${HOME}/.kde4/share/config/kwinrc | 73 | blacklist ${HOME}/.kde4/share/config/kwinrc |
70 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc | 74 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc |
71 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 75 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
@@ -74,15 +78,29 @@ blacklist ${HOME}/.local/share/konsole | |||
74 | blacklist ${HOME}/.local/share/kwin | 78 | blacklist ${HOME}/.local/share/kwin |
75 | blacklist ${HOME}/.local/share/plasma | 79 | blacklist ${HOME}/.local/share/plasma |
76 | blacklist ${HOME}/.local/share/solid | 80 | blacklist ${HOME}/.local/share/solid |
81 | read-only ${HOME}/.cache/ksycoca5_* | ||
82 | read-only ${HOME}/.config/*notifyrc | ||
77 | read-only ${HOME}/.config/kdeglobals | 83 | read-only ${HOME}/.config/kdeglobals |
84 | read-only ${HOME}/.config/kio_httprc | ||
85 | read-only ${HOME}/.config/kiorc | ||
78 | read-only ${HOME}/.config/kioslaverc | 86 | read-only ${HOME}/.config/kioslaverc |
87 | read-only ${HOME}/.config/ksslcablacklist | ||
88 | read-only ${HOME}/.kde/share/apps/kssl | ||
89 | read-only ${HOME}/.kde/share/config/*notifyrc | ||
79 | read-only ${HOME}/.kde/share/config/kdeglobals | 90 | read-only ${HOME}/.kde/share/config/kdeglobals |
91 | read-only ${HOME}/.kde/share/config/kio_httprc | ||
80 | read-only ${HOME}/.kde/share/config/kioslaverc | 92 | read-only ${HOME}/.kde/share/config/kioslaverc |
93 | read-only ${HOME}/.kde/share/config/ksslcablacklist | ||
81 | read-only ${HOME}/.kde/share/kde4/services | 94 | read-only ${HOME}/.kde/share/kde4/services |
95 | read-only ${HOME}/.kde4/share/apps/kssl | ||
96 | read-only ${HOME}/.kde4/share/config/*notifyrc | ||
82 | read-only ${HOME}/.kde4/share/config/kdeglobals | 97 | read-only ${HOME}/.kde4/share/config/kdeglobals |
98 | read-only ${HOME}/.kde4/share/config/kio_httprc | ||
83 | read-only ${HOME}/.kde4/share/config/kioslaverc | 99 | read-only ${HOME}/.kde4/share/config/kioslaverc |
100 | read-only ${HOME}/.kde4/share/config/ksslcablacklist | ||
84 | read-only ${HOME}/.kde4/share/kde4/services | 101 | read-only ${HOME}/.kde4/share/kde4/services |
85 | read-only ${HOME}/.local/share/kservices5 | 102 | read-only ${HOME}/.local/share/kservices5 |
103 | read-only ${HOME}/.local/share/kssl | ||
86 | 104 | ||
87 | # kdeinit socket | 105 | # kdeinit socket |
88 | blacklist /run/user/*/kdeinit5__* | 106 | blacklist /run/user/*/kdeinit5__* |
@@ -236,6 +254,7 @@ read-only ${HOME}/bin | |||
236 | blacklist ${HOME}/.local/share/Trash | 254 | blacklist ${HOME}/.local/share/Trash |
237 | 255 | ||
238 | # Write-protection for desktop entries | 256 | # Write-protection for desktop entries |
257 | read-only ${HOME}/.config/menus | ||
239 | read-only ${HOME}/.local/share/applications | 258 | read-only ${HOME}/.local/share/applications |
240 | 259 | ||
241 | # top secret | 260 | # top secret |
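Review bot: The new `read-only` group at lines 81–103 protects files whose modification would presumably let a sandboxed process affect the rest of the session — `*notifyrc` (notification actions), `kio_httprc`/`kioslaverc` (proxy settings for every KIO client), `ksslcablacklist`/`kssl` (TLS trust decisions) and `ksycoca5_*` (the service/MIME cache that decides which handler opens what) — but none of that rationale is in the file. Since `*.notifyrc` moves from `blacklist` to `read-only` (old lines 45, 56, 66 vs. new 82, 89, 96), the reason read-only is now considered enough should be stated, e.g. `# KDE: read-only rather than blacklist - apps need to read these, but writing them could change proxies, trust or notification commands session-wide`. The `read-only ${HOME}/.config/menus` at line 257 fits the desktop-entry write-protection comment already above it, and the klipper history paths at 10–13 sit correctly with the other history files.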
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 8cfcaa838..8e72dc47e 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -129,11 +129,15 @@ blacklist ${HOME}/.config/iridium | |||
129 | blacklist ${HOME}/.config/itch | 129 | blacklist ${HOME}/.config/itch |
130 | blacklist ${HOME}/.config/jd-gui.cfg | 130 | blacklist ${HOME}/.config/jd-gui.cfg |
131 | blacklist ${HOME}/.config/k3brc | 131 | blacklist ${HOME}/.config/k3brc |
132 | blacklist ${HOME}/.config/kaffeinerc | ||
132 | blacklist ${HOME}/.config/katepartrc | 133 | blacklist ${HOME}/.config/katepartrc |
133 | blacklist ${HOME}/.config/katerc | 134 | blacklist ${HOME}/.config/katerc |
134 | blacklist ${HOME}/.config/kateschemarc | 135 | blacklist ${HOME}/.config/kateschemarc |
135 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 136 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
136 | blacklist ${HOME}/.config/katevirc | 137 | blacklist ${HOME}/.config/katevirc |
138 | blacklist ${HOME}/.config/kdenliverc | ||
139 | blacklist ${HOME}/.config/kgetrc | ||
140 | blacklist ${HOME}/.config/klipperrc | ||
137 | blacklist ${HOME}/.config/kritarc | 141 | blacklist ${HOME}/.config/kritarc |
138 | blacklist ${HOME}/.config/kwriterc | 142 | blacklist ${HOME}/.config/kwriterc |
139 | blacklist ${HOME}/.config/kdeconnect | 143 | blacklist ${HOME}/.config/kdeconnect |
@@ -258,6 +262,7 @@ blacklist ${HOME}/.java | |||
258 | blacklist ${HOME}/.jitsi | 262 | blacklist ${HOME}/.jitsi |
259 | blacklist ${HOME}/.kde/share/apps/digikam | 263 | blacklist ${HOME}/.kde/share/apps/digikam |
260 | blacklist ${HOME}/.kde/share/apps/gwenview | 264 | blacklist ${HOME}/.kde/share/apps/gwenview |
265 | blacklist ${HOME}/.kde/share/apps/kaffeine | ||
261 | blacklist ${HOME}/.kde/share/apps/kcookiejar | 266 | blacklist ${HOME}/.kde/share/apps/kcookiejar |
262 | blacklist ${HOME}/.kde/share/apps/kget | 267 | blacklist ${HOME}/.kde/share/apps/kget |
263 | blacklist ${HOME}/.kde/share/apps/khtml | 268 | blacklist ${HOME}/.kde/share/apps/khtml |
@@ -272,9 +277,11 @@ blacklist ${HOME}/.kde/share/config/baloorc | |||
272 | blacklist ${HOME}/.kde/share/config/digikam | 277 | blacklist ${HOME}/.kde/share/config/digikam |
273 | blacklist ${HOME}/.kde/share/config/gwenviewrc | 278 | blacklist ${HOME}/.kde/share/config/gwenviewrc |
274 | blacklist ${HOME}/.kde/share/config/k3brc | 279 | blacklist ${HOME}/.kde/share/config/k3brc |
280 | blacklist ${HOME}/.kde/share/config/kaffeinerc | ||
275 | blacklist ${HOME}/.kde/share/config/kcookiejarrc | 281 | blacklist ${HOME}/.kde/share/config/kcookiejarrc |
276 | blacklist ${HOME}/.kde/share/config/kgetrc | 282 | blacklist ${HOME}/.kde/share/config/kgetrc |
277 | blacklist ${HOME}/.kde/share/config/khtmlrc | 283 | blacklist ${HOME}/.kde/share/config/khtmlrc |
284 | blacklist ${HOME}/.kde/share/config/klipperrc | ||
278 | blacklist ${HOME}/.kde/share/config/konq_history | 285 | blacklist ${HOME}/.kde/share/config/konq_history |
279 | blacklist ${HOME}/.kde/share/config/konqsidebartngrc | 286 | blacklist ${HOME}/.kde/share/config/konqsidebartngrc |
280 | blacklist ${HOME}/.kde/share/config/konquerorrc | 287 | blacklist ${HOME}/.kde/share/config/konquerorrc |
@@ -285,6 +292,7 @@ blacklist ${HOME}/.kde/share/config/okularpartrc | |||
285 | blacklist ${HOME}/.kde/share/config/okularrc | 292 | blacklist ${HOME}/.kde/share/config/okularrc |
286 | blacklist ${HOME}/.kde4/share/apps/digikam | 293 | blacklist ${HOME}/.kde4/share/apps/digikam |
287 | blacklist ${HOME}/.kde4/share/apps/gwenview | 294 | blacklist ${HOME}/.kde4/share/apps/gwenview |
295 | blacklist ${HOME}/.kde4/share/apps/kaffeine | ||
288 | blacklist ${HOME}/.kde4/share/apps/kcookiejar | 296 | blacklist ${HOME}/.kde4/share/apps/kcookiejar |
289 | blacklist ${HOME}/.kde4/share/apps/kget | 297 | blacklist ${HOME}/.kde4/share/apps/kget |
290 | blacklist ${HOME}/.kde4/share/apps/khtml | 298 | blacklist ${HOME}/.kde4/share/apps/khtml |
@@ -298,9 +306,11 @@ blacklist ${HOME}/.kde4/share/config/baloofilerc | |||
298 | blacklist ${HOME}/.kde4/share/config/digikam | 306 | blacklist ${HOME}/.kde4/share/config/digikam |
299 | blacklist ${HOME}/.kde4/share/config/gwenviewrc | 307 | blacklist ${HOME}/.kde4/share/config/gwenviewrc |
300 | blacklist ${HOME}/.kde4/share/config/k3brc | 308 | blacklist ${HOME}/.kde4/share/config/k3brc |
309 | blacklist ${HOME}/.kde4/share/config/kaffeinerc | ||
301 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc | 310 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc |
302 | blacklist ${HOME}/.kde4/share/config/kgetrc | 311 | blacklist ${HOME}/.kde4/share/config/kgetrc |
303 | blacklist ${HOME}/.kde4/share/config/khtmlrc | 312 | blacklist ${HOME}/.kde4/share/config/khtmlrc |
313 | blacklist ${HOME}/.kde4/share/config/klipperrc | ||
304 | blacklist ${HOME}/.kde4/share/config/konq_history | 314 | blacklist ${HOME}/.kde4/share/config/konq_history |
305 | blacklist ${HOME}/.kde4/share/config/konqsidebartngrc | 315 | blacklist ${HOME}/.kde4/share/config/konqsidebartngrc |
306 | blacklist ${HOME}/.kde4/share/config/konquerorrc | 316 | blacklist ${HOME}/.kde4/share/config/konquerorrc |
@@ -338,6 +348,7 @@ blacklist ${HOME}/.local/share/clipit | |||
338 | blacklist ${HOME}/.local/share/data/Mumble | 348 | blacklist ${HOME}/.local/share/data/Mumble |
339 | blacklist ${HOME}/.local/share/data/MusE | 349 | blacklist ${HOME}/.local/share/data/MusE |
340 | blacklist ${HOME}/.local/share/data/MuseScore | 350 | blacklist ${HOME}/.local/share/data/MuseScore |
351 | blacklist ${HOME}/.local/share/data/qBittorrent | ||
341 | blacklist ${HOME}/.local/share/dino | 352 | blacklist ${HOME}/.local/share/dino |
342 | blacklist ${HOME}/.local/share/dolphin | 353 | blacklist ${HOME}/.local/share/dolphin |
343 | blacklist ${HOME}/.local/share/epiphany | 354 | blacklist ${HOME}/.local/share/epiphany |
@@ -354,7 +365,11 @@ blacklist ${HOME}/.local/share/gnome-photos | |||
354 | blacklist ${HOME}/.local/share/gnome-ring | 365 | blacklist ${HOME}/.local/share/gnome-ring |
355 | blacklist ${HOME}/.local/share/gnome-twitch | 366 | blacklist ${HOME}/.local/share/gnome-twitch |
356 | blacklist ${HOME}/.local/share/gwenview | 367 | blacklist ${HOME}/.local/share/gwenview |
368 | blacklist ${HOME}/.local/share/kaffeine | ||
357 | blacklist ${HOME}/.local/share/kate | 369 | blacklist ${HOME}/.local/share/kate |
370 | blacklist ${HOME}/.local/share/kdenlive | ||
371 | blacklist ${HOME}/.local/share/kget | ||
372 | blacklist ${HOME}/.local/share/krita | ||
358 | blacklist ${HOME}/.local/share/ktorrentrc | 373 | blacklist ${HOME}/.local/share/ktorrentrc |
359 | blacklist ${HOME}/.local/share/ktorrent | 374 | blacklist ${HOME}/.local/share/ktorrent |
360 | blacklist ${HOME}/.local/share/kwrite | 375 | blacklist ${HOME}/.local/share/kwrite |
@@ -416,6 +431,7 @@ blacklist ${HOME}/.passwd-s3fs | |||
416 | blacklist ${HOME}/.pingus | 431 | blacklist ${HOME}/.pingus |
417 | blacklist ${HOME}/.purple | 432 | blacklist ${HOME}/.purple |
418 | blacklist ${HOME}/.qemu-launcher | 433 | blacklist ${HOME}/.qemu-launcher |
434 | blacklist ${HOME}/.redeclipse | ||
419 | blacklist ${HOME}/.remmina | 435 | blacklist ${HOME}/.remmina |
420 | blacklist ${HOME}/.repo_.gitconfig.json | 436 | blacklist ${HOME}/.repo_.gitconfig.json |
421 | blacklist ${HOME}/.repoconfig | 437 | blacklist ${HOME}/.repoconfig |
@@ -435,6 +451,7 @@ blacklist ${HOME}/.sylpheed-2.0 | |||
435 | blacklist ${HOME}/.synfig | 451 | blacklist ${HOME}/.synfig |
436 | blacklist ${HOME}/.tconn | 452 | blacklist ${HOME}/.tconn |
437 | blacklist ${HOME}/.thunderbird | 453 | blacklist ${HOME}/.thunderbird |
454 | blacklist ${HOME}/.tilp | ||
438 | blacklist ${HOME}/.tooling | 455 | blacklist ${HOME}/.tooling |
439 | blacklist ${HOME}/.tor-browser-* | 456 | blacklist ${HOME}/.tor-browser-* |
440 | blacklist ${HOME}/.ts3client | 457 | blacklist ${HOME}/.ts3client |
@@ -453,6 +470,7 @@ blacklist ${HOME}/.wireshark | |||
453 | blacklist ${HOME}/.wine64 | 470 | blacklist ${HOME}/.wine64 |
454 | blacklist ${HOME}/.xiphos | 471 | blacklist ${HOME}/.xiphos |
455 | blacklist ${HOME}/.xmms | 472 | blacklist ${HOME}/.xmms |
473 | blacklist ${HOME}/.xmr-stak | ||
456 | blacklist ${HOME}/.xonotic | 474 | blacklist ${HOME}/.xonotic |
457 | blacklist ${HOME}/.xpdfrc | 475 | blacklist ${HOME}/.xpdfrc |
458 | blacklist ${HOME}/.zoom | 476 | blacklist ${HOME}/.zoom |
@@ -463,6 +481,7 @@ blacklist /tmp/ssh-* | |||
463 | # ~/.cache directory | 481 | # ~/.cache directory |
464 | blacklist ${HOME}/.cache/0ad | 482 | blacklist ${HOME}/.cache/0ad |
465 | blacklist ${HOME}/.cache/8pecxstudios | 483 | blacklist ${HOME}/.cache/8pecxstudios |
484 | blacklist ${HOME}/.cache/Clementine | ||
466 | blacklist ${HOME}/.cache/Franz | 485 | blacklist ${HOME}/.cache/Franz |
467 | blacklist ${HOME}/.cache/INRIA | 486 | blacklist ${HOME}/.cache/INRIA |
468 | blacklist ${HOME}/.cache/MusicBrainz | 487 | blacklist ${HOME}/.cache/MusicBrainz |
@@ -475,6 +494,8 @@ blacklist ${HOME}/.cache/chromium | |||
475 | blacklist ${HOME}/.cache/chromium-dev | 494 | blacklist ${HOME}/.cache/chromium-dev |
476 | blacklist ${HOME}/.cache/cliqz | 495 | blacklist ${HOME}/.cache/cliqz |
477 | blacklist ${HOME}/.cache/darktable | 496 | blacklist ${HOME}/.cache/darktable |
497 | blacklist ${HOME}/.cache/discover | ||
498 | blacklist ${HOME}/.cache/dolphin | ||
478 | blacklist ${HOME}/.cache/epiphany | 499 | blacklist ${HOME}/.cache/epiphany |
479 | blacklist ${HOME}/.cache/evolution | 500 | blacklist ${HOME}/.cache/evolution |
480 | blacklist ${HOME}/.cache/fossamail | 501 | blacklist ${HOME}/.cache/fossamail |
@@ -488,6 +509,13 @@ blacklist ${HOME}/.cache/icedove | |||
488 | blacklist ${HOME}/.cache/INRIA/Natron | 509 | blacklist ${HOME}/.cache/INRIA/Natron |
489 | blacklist ${HOME}/.cache/inox | 510 | blacklist ${HOME}/.cache/inox |
490 | blacklist ${HOME}/.cache/iridium | 511 | blacklist ${HOME}/.cache/iridium |
512 | blacklist ${HOME}/.cache/kdenlive | ||
513 | blacklist ${HOME}/.cache/kinfocenter | ||
514 | blacklist ${HOME}/.cache/krunner | ||
515 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
516 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
517 | blacklist ${HOME}/.cache/ksplashqml | ||
518 | blacklist ${HOME}/.cache/kwin | ||
491 | blacklist ${HOME}/.cache/libgweather | 519 | blacklist ${HOME}/.cache/libgweather |
492 | blacklist ${HOME}/.cache/liferea | 520 | blacklist ${HOME}/.cache/liferea |
493 | blacklist ${HOME}/.cache/midori | 521 | blacklist ${HOME}/.cache/midori |
@@ -496,17 +524,20 @@ blacklist ${HOME}/.cache/mozilla | |||
496 | blacklist ${HOME}/.cache/mutt | 524 | blacklist ${HOME}/.cache/mutt |
497 | blacklist ${HOME}/.cache/nheko/nheko | 525 | blacklist ${HOME}/.cache/nheko/nheko |
498 | blacklist ${HOME}/.cache/netsurf | 526 | blacklist ${HOME}/.cache/netsurf |
527 | blacklist ${HOME}/.cache/okular | ||
499 | blacklist ${HOME}/.cache/opera | 528 | blacklist ${HOME}/.cache/opera |
500 | blacklist ${HOME}/.cache/opera-beta | 529 | blacklist ${HOME}/.cache/opera-beta |
501 | blacklist ${HOME}/.cache/org.gnome.Books | 530 | blacklist ${HOME}/.cache/org.gnome.Books |
502 | blacklist ${HOME}/.cache/pdfmod | 531 | blacklist ${HOME}/.cache/pdfmod |
503 | blacklist ${HOME}/.cache/peek | 532 | blacklist ${HOME}/.cache/peek |
533 | blacklist ${HOME}/.cache/plasmashell | ||
504 | blacklist ${HOME}/.cache/qBittorrent | 534 | blacklist ${HOME}/.cache/qBittorrent |
505 | blacklist ${HOME}/.cache/qupzilla | 535 | blacklist ${HOME}/.cache/qupzilla |
506 | blacklist ${HOME}/.cache/qutebrowser | 536 | blacklist ${HOME}/.cache/qutebrowser |
507 | blacklist ${HOME}/.cache/simple-scan | 537 | blacklist ${HOME}/.cache/simple-scan |
508 | blacklist ${HOME}/.cache/slimjet | 538 | blacklist ${HOME}/.cache/slimjet |
509 | blacklist ${HOME}/.cache/spotify | 539 | blacklist ${HOME}/.cache/spotify |
540 | blacklist ${HOME}/.cache/systemsettings | ||
510 | blacklist ${HOME}/.cache/telepathy | 541 | blacklist ${HOME}/.cache/telepathy |
511 | blacklist ${HOME}/.cache/thunderbird | 542 | blacklist ${HOME}/.cache/thunderbird |
512 | blacklist ${HOME}/.cache/torbrowser | 543 | blacklist ${HOME}/.cache/torbrowser |
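--- a/etc/dnox.profile
+++ b/etc/dnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/dnox
 whitelist ${HOME}/.config/dnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile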
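Review bot: The redirect at new lines 16–17 delegates every hardening directive this profile used to carry — `caps.keep sys_chroot,sys_admin`, `netfilter`, `nogroups`, `shell none`, `private-dev`, `noexec ${HOME}`/`noexec /tmp` and `whitelist-var-common.inc` — to chromium-common.profile, which is not part of this diff, so whether the full set survives cannot be verified here. The same applies to flashpeak-slimjet.profile, google-chrome-beta.profile, google-chrome-unstable.profile and google-chrome.profile in this commit; google-chrome.profile additionally gives up `disable-mnt`, and the beta/unstable variants never had `whitelist-var-common.inc`, so the common profile should be confirmed to carry the strictest of the merged variants rather than the loosest. A short comment above the include, `# Everything below the redirect is inherited from chromium-common.profile; only program-specific noblacklist/mkdir/whitelist lines belong in this file`, would also make the ordering constraint explicit, since the noblacklist lines at 8–9 still have to precede the disable-*.inc includes that now live in the common profile.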
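--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -8,7 +8,8 @@ include /etc/firejail/globals.local
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
 
 noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/dolphinrc - diable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/dolphinrc
 # noblacklist ${HOME}/.local/share/dolphin
 
 include /etc/firejail/disable-common.inc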
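--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot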
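--- /dev/null
+++ b/etc/enox.profile
@@ -0,0 +1,36 @@
+# Firejail profile for dnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/enox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/Enox
+noblacklist ${HOME}/.config/Enox
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/dnox
+mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Enox
+whitelist ${HOME}/.config/Enox
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp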
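Review bot: The `mkdir` lines at new lines 15–16 create `${HOME}/.cache/dnox` and `${HOME}/.config/dnox`, while the directories this profile noblacklists and whitelists (lines 8–9 and 19–20) are `${HOME}/.cache/Enox` and `${HOME}/.config/Enox`; the mkdir lines exist precisely so that the whitelisted paths are present when the sandbox is built, so on a fresh home the wrong directories get created and the Enox ones are not whitelisted. They should read `mkdir ${HOME}/.cache/Enox` and `mkdir ${HOME}/.config/Enox`, and the header at line 1 should say `# Firejail profile for enox`. The file is otherwise a copy of the pre-commit dnox.profile body rather than the `# Redirect` / `include /etc/firejail/chromium-common.profile` tail that dnox.profile itself now uses, so it will drift from the other chromium-based profiles unless it is given the same redirect. Whether the application really uses the capitalised `Enox` directory names is not something the diff lets me confirm.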
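--- /dev/null
+++ b/etc/firefox-common-addons.inc
@@ -0,0 +1,55 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox-common-addons.local
+
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper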
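Review bot: Line 44 whitelists `${HOME}/.local/share/gnome-shell/extensions` while the matching noblacklist at line 19 stays commented out, and a blacklist applied by the disable-*.inc files wins over a whitelist of the same path, so if that directory is blacklisted anywhere in the included files (outside this diff) line 44 has no effect. Either uncomment line 19 or drop line 44, and say which in a trailing comment, e.g. `# extensions dir is left blacklisted on purpose; whitelist kept for users who noblacklist it in .local`. The pair was carried over verbatim from the old firefox.profile (old lines 22 and 56), so this is a chance to resolve it rather than propagate it to every browser that enables the include. The header at lines 1–2 could also state that this file must be included before the disable-*.inc lines, since its noblacklist entries only work in that position.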
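--- /dev/null
+++ b/etc/firefox-common.profile
@@ -0,0 +1,44 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# uncomment the following line to allow access to common programs/addons/plugins
+#include /etc/firejail/firefox-common-addons.inc
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+private-tmp
+
+noexec ${HOME}
+noexec /tmp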
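Review bot: The header at lines 1–6 reads like a standalone application profile, but this file is the shared tail that firefox.profile and the other Mozilla profiles in this commit include after their own noblacklist/mkdir/whitelist lines, and nothing in the file says so; a reader editing it cannot tell that `noblacklist ${HOME}/.pki` at line 11 and the disable-*.inc includes at 13–15 are what make the per-browser noblacklist lines effective. A comment after line 6 such as `# Shared by the firefox-based profiles: they must list their own noblacklist/mkdir/whitelist lines before including this file, because the disable-*.inc and whitelist-common.inc includes live here` would document the ordering contract. The note at line 39–40 should also mention that the per-browser profiles carry their own commented `#private-etc <name>` line that has to be enabled together with this one, since that is what firefox.profile's new line 18 refers to.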
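--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -6,90 +6,17 @@ include /etc/firejail/firefox.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-disable-mnt
 # firefox requires a shell to launch on Arch.
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc below works fine on most distributions. There are some problems on CentOS.
-# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-private-tmp
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc firefox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile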
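--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -8,38 +8,66 @@
 # We don't know if this definition is available outside Debian and Ubuntu, so
 # we declare our own here.
 ##########
-@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
 
 profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 
 ##########
-# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# D-Bus is a huge security hole. Uncomment those lines if you need D-Bus
 # functionality.
 ##########
+##include <abstractions/dbus-strict>
+##include <abstractions/dbus-session-strict>
 #dbus,
 
 ##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
 ##########
 / r,
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+
 /{,var/}run/ r,
 /{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
-/{,var/}run/user/**/*.slave-socket rwl,
-/{,var/}run/user/**/#@{PID} rw,
-/{,var/}run/user/**/orcexec.* rwkm,
+/run/firejail/mnt/oroot/{,var/}run/ r,
+/run/firejail/mnt/oroot/{,var/}run/** r,
+
+owner /{,var/}run/user/**/dconf/ rw,
+owner /{,var/}run/user/**/dconf/user rw,
+owner /{,var/}run/user/**/pulse/ rw,
+owner /{,var/}run/user/**/pulse/** rw,
+owner /{,var/}run/user/**/*.slave-socket rwl,
+owner /{,var/}run/user/**/#@{PID} rw,
+owner /{,var/}run/user/**/orcexec.* rwkm,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm,
+
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
+/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
+
 /{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
+owner /{run,dev}/shm/** rmwk,
+/run/firejail/mnt/oroot/{run,dev}/shm/ r,
+owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
+
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
 /proc/ r,
 /proc/meminfo r,
 /proc/cpuinfo r,
@@ -49,6 +77,7 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -70,15 +99,22 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+deny /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+deny /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
 
+# Needed by chromium crash handler. Uncomment if you need it.
+#ptrace (trace tracedby),
+
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -96,6 +132,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /opt/** r,
 /opt/** ix,
 #/home/** ix,
+/run/firejail/mnt/oroot/lib/** ix,
+/run/firejail/mnt/oroot/lib64/** ix,
+/run/firejail/mnt/oroot/bin/** ix,
+/run/firejail/mnt/oroot/sbin/** ix,
+/run/firejail/mnt/oroot/usr/bin/** ix,
+/run/firejail/mnt/oroot/usr/sbin/** ix,
+/run/firejail/mnt/oroot/usr/local/** ix,
+/run/firejail/mnt/oroot/usr/lib/** ix,
+/run/firejail/mnt/oroot/usr/games/** ix,
+/run/firejail/mnt/oroot/opt/ r,
+/run/firejail/mnt/oroot/opt/** r,
+/run/firejail/mnt/oroot/opt/** ix,
+
+##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.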
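--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# This is a whitelisted profile, the internal browser sandbox
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
-# firejail flashpeak-slimjet --no-sandbox
-
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/slimjet
 whitelist ${HOME}/.config/slimjet
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile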
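Review bot: The removed comment at old lines 8–11 was the only place documenting that slimjet's internal sandbox has to be disabled and that the launch command is `firejail flashpeak-slimjet --no-sandbox`; the redirect to chromium-common.profile carries no such note, so a user reading the new file gets no hint why the browser fails to start under firejail. It belongs above the noblacklist lines, e.g. `# The internal browser sandbox is disabled because it requires a sudo password; run as: firejail flashpeak-slimjet --no-sandbox`. Whether chromium-common.profile carries an equivalent note cannot be seen in this diff. Note also that the old profile used `caps.drop all`, `nonewprivs`, `noroot`, `seccomp` and a `protocol` filter, which the chromium-based profiles in this commit (dnox, google-chrome*) never had, so the common profile's settings should be checked against this stricter starting point.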
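--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile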
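--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile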
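--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -7,32 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile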
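--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc X11
+private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 
 # memory-deny-write-execute
 noexec ${HOME}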
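Review bot: `private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg` switches private-etc on in place of the commented-out `# private-etc X11`, but X11 itself is not in the enabled list. If /etc/X11 was left out deliberately that is fine; a short note would stop someone re-adding it later, e.g. `# private-etc: X11 not needed`. The list is also the only record of what was verified, so naming the desktop setup it was tested on (KDE4 and KF5 presumably, given kde4rc and kde5rc) would help the next maintainer.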
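--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -6,6 +6,7 @@ include /etc/firejail/hexchat.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/share/perl*
 # noblacklist /usr/lib/python2*
 # noblacklist /usr/lib/python3*
 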
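Review bot: `noblacklist /usr/share/perl*` re-exposes the system Perl module tree to the sandbox while the two Python noblacklists directly below it stay commented out, and nothing says why Perl is treated differently. A scripting-plugin interpreter widens what code the sandboxed client can load, so the intent should be recorded, e.g. `# perl plugin needs the system perl modules; python plugins stay disabled`. That the motive is the Perl scripting plugin is inferred, not visible in the diff.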
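--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -7,46 +7,14 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
 
-disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile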
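Review bot: The new side keeps only the noblacklist/mkdir/whitelist lines for the icecat directories; `caps.drop all`, `seccomp`, `tracelog`, `disable-mnt`, `protocol unix,inet,inet6,netlink` and both `noexec` lines are removed and must now be supplied by firefox-common.profile, which this diff does not show. The same holds for palemoon.profile. Since `#private-etc icecat` is left disabled with the note that it "must first be enabled in firefox-common.profile", a matching comment naming what else that file is now responsible for would help, e.g. `# caps, seccomp, netfilter, disable-mnt and noexec come from firefox-common.profile`.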
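--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
 
 # Redirect
 include /etc/firejail/firefox.profile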
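--- /dev/null
+++ b/etc/idea.profile
@@ -0,0 +1,10 @@
+# Firejail profile for idea
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/idea.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/idea.sh.profile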
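Review bot: Lines 7 and 8 of the new file are two consecutive blank lines, unlike the single separator the other new profiles in this commit (kaffeine.profile, redeclipse.profile) use. Apart from the two standard includes the profile contains nothing of its own and delegates entirely to idea.sh.profile; a line such as `# All sandbox rules come from idea.sh.profile` would make that intentional rather than read as an unfinished profile.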
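--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile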
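--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -8,30 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile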
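Review bot: The removed comment `# chromium/iridium is distributed with a perl script on Arch` recorded that disable-devel.inc was intentionally left out of this profile; after the redirect, whether disable-devel.inc is applied depends on chromium-common.profile, which this diff does not show, so that exception may be lost silently. Keep the rationale in this file so it does not have to be rediscovered, e.g. `# Arch ships iridium as a perl script: disable-devel.inc must not be applied (check chromium-common.profile)`. Verifying that the Arch launcher still starts under the shared profile would close the question.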
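--- /dev/null
+++ b/etc/kaffeine.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kaffeine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kaffeine.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.local/share/kaffeine
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# private-bin kaffeine
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp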
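Review bot: The profile omits `nodvd` and `notv`, which the other new profile in this commit (redeclipse.profile) sets, and leaves `# private-bin kaffeine` commented out, with no comment explaining either. Kaffeine is a DVD/DVB player, so the omissions are presumably deliberate; recording that, e.g. `# nodvd/notv omitted: kaffeine plays DVDs and DVB`, keeps a later cleanup from re-adding them. `private-dev` is set at the same time, and whether the DVB device nodes survive the minimal /dev it builds is not visible here — worth confirming on a TV-tuner setup.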
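--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,6 +6,9 @@ include /etc/firejail/kdenlive.local
 include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -25,7 +28,7 @@ shell none
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-# private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11
 
 # noexec ${HOME}
 noexec /tmp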
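Review bot: The `# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11` line in the second hunk has been reworked but is still commented out, and nothing records why it stays disabled, so the next reader cannot tell whether it is known-broken or merely untested. Either enable it or annotate it, e.g. `# private-etc ... - disabled: <REASON>`. The three new noblacklist lines in the first hunk look fine.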
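--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -5,10 +5,12 @@ include /etc/firejail/kget.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc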
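--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -25,6 +25,8 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks kmail
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 
 private-dev
-# private-tmp
+# private-tmp - breaks akonadi and opening of email attachments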
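Review bot: `writable-run-user` makes the whole of /run/user/<uid> writable inside the sandbox — typically also the D-Bus, audio and compositor sockets that live there — while the comment above it only says it is needed for signing and encrypting email. Presumably the actual need is the gpg-agent sockets; naming them records the real requirement and lets the grant be narrowed if a finer option becomes available, e.g. `# writable-run-user: kmail needs the gpg-agent sockets under /run/user/<uid> for signing/encryption`. The gpg-agent link is inferred from the stated purpose, not shown in the diff.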
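--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc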
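--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -5,12 +5,15 @@ include /etc/firejail/krunner.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# start a program in krunner: program will run with this generic profile
-# open a file in krunner: file viewer will run with its own profile (if firejailed automatically)
+# - programs started in krunner run with this generic profile.
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+# with its own profile, if it is sandboxed automatically.
 
+# noblacklist ${HOME}/.cache/krunner
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
@@ -21,6 +24,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6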
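Review bot: `# noblacklist ${HOME}/.cache/krunner` and `# noblacklist ${HOME}/.local/share/baloo` in the first hunk are added as commented-out lines with no note on why they are disabled, so they read as forgotten rather than deliberate. Either drop them or say what they are for, e.g. `# noblacklist ${HOME}/.local/share/baloo - enable for file-search results in krunner`. That baloo is the search backend is an inference from the path, not something the diff states.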
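--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,7 @@ include /etc/firejail/kwin_x11.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
 noblacklist ${HOME}/.local/share/kwin
@@ -33,7 +34,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,ld.so.cache,machine-id,xdg
+private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 noexec ${HOME}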
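--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,3 +34,5 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
+
+join-or-start libreoffice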
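Review bot: `join-or-start libreoffice` is added without a comment, although it changes how launches behave: a second invocation joins the sandbox named libreoffice instead of creating a new one, and presumably runs under whatever restrictions that existing sandbox was started with rather than re-applying this profile. A line such as `# join-or-start: reuse the running libreoffice sandbox so new documents open in the existing instance` would record the intent (the single-instance motive is inferred). If a looser sandbox with that name can be started from a .local override, later launches would inherit it, which is worth stating for anyone hardening this profile.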
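--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 # blacklist /run/user/*/bus
 
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.kde/share/apps/okular
@@ -42,7 +43,7 @@ tracelog
 
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-private-etc alternatives,cups,fonts,ld.so.cache,machine-id
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # memory-deny-write-execute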
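--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter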
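Review bot: `include /etc/firejail/whitelist-var-common.inc` is added to onionshare-gui.profile (and likewise to pitivi.profile and steam.profile in this commit) without a note on what was checked. For onionshare-gui in particular, which drives a Tor instance, anything it expects under /var — a system tor's control socket or state directory, if that configuration is used — would be hidden by the /var whitelist; a bundled-tor setup is presumably unaffected, but the system-tor case should be confirmed. A one-line comment recording the tested configuration would settle it, e.g. `# whitelist-var-common.inc: verified with <TOR SETUP>`.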
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 3fe86d26c..38a3152d2 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/opera | ||
8 | noblacklist ${HOME}/.config/opera-beta | 9 | noblacklist ${HOME}/.config/opera-beta |
9 | noblacklist ${HOME}/.pki | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 10 | ||
15 | mkdir ${HOME}/.cache/opera | 11 | mkdir ${HOME}/.cache/opera |
16 | mkdir ${HOME}/.config/opera-beta | 12 | mkdir ${HOME}/.config/opera-beta |
17 | mkdir ${HOME}/.pki | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/opera | 13 | whitelist ${HOME}/.cache/opera |
20 | whitelist ${HOME}/.config/opera-beta | 14 | whitelist ${HOME}/.config/opera-beta |
21 | whitelist ${HOME}/.pki | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | |||
24 | netfilter | ||
25 | nodvd | ||
26 | notv | ||
27 | 15 | ||
28 | disable-mnt | 16 | # Redirect |
17 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/opera.profile b/etc/opera.profile index fed7564b2..c0138c555 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -8,25 +8,13 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.cache/opera | 8 | noblacklist ${HOME}/.cache/opera |
9 | noblacklist ${HOME}/.config/opera | 9 | noblacklist ${HOME}/.config/opera |
10 | noblacklist ${HOME}/.opera | 10 | noblacklist ${HOME}/.opera |
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 11 | ||
17 | mkdir ${HOME}/.cache/opera | 12 | mkdir ${HOME}/.cache/opera |
18 | mkdir ${HOME}/.config/opera | 13 | mkdir ${HOME}/.config/opera |
19 | mkdir ${HOME}/.opera | 14 | mkdir ${HOME}/.opera |
20 | mkdir ${HOME}/.pki | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ${HOME}/.cache/opera | 15 | whitelist ${HOME}/.cache/opera |
23 | whitelist ${HOME}/.config/opera | 16 | whitelist ${HOME}/.config/opera |
24 | whitelist ${HOME}/.opera | 17 | whitelist ${HOME}/.opera |
25 | whitelist ${HOME}/.pki | ||
26 | include /etc/firejail/whitelist-common.inc | ||
27 | |||
28 | netfilter | ||
29 | nodvd | ||
30 | notv | ||
31 | 18 | ||
32 | disable-mnt | 19 | # Redirect |
20 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 1112a9bb7..ff7087e55 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -8,53 +8,15 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.cache/moonchild productions/pale moon | 8 | noblacklist ${HOME}/.cache/moonchild productions/pale moon |
9 | noblacklist ${HOME}/.moonchild productions/pale moon | 9 | noblacklist ${HOME}/.moonchild productions/pale moon |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | # These are uncommented in the Firefox profile. If you run into trouble you may | ||
16 | # want to uncomment (some of) them. | ||
17 | #whitelist ${HOME}/dwhelper | ||
18 | #whitelist ${HOME}/.zotero | ||
19 | #whitelist ${HOME}/.vimperatorrc | ||
20 | #whitelist ${HOME}/.vimperator | ||
21 | #whitelist ${HOME}/.pentadactylrc | ||
22 | #whitelist ${HOME}/.pentadactyl | ||
23 | #whitelist ${HOME}/.keysnail.js | ||
24 | #whitelist ${HOME}/.config/gnome-mplayer | ||
25 | #whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
26 | #whitelist ${HOME}/.pki | ||
27 | #whitelist ${HOME}/.lastpass | ||
28 | |||
29 | # For silverlight | ||
30 | #whitelist ${HOME}/.wine-pipelight | ||
31 | #whitelist ${HOME}/.wine-pipelight64 | ||
32 | #whitelist ${HOME}/.config/pipelight-widevine | ||
33 | #whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
34 | |||
35 | mkdir ${HOME}/.cache/moonchild productions/pale moon | 11 | mkdir ${HOME}/.cache/moonchild productions/pale moon |
36 | mkdir ${HOME}/.moonchild productions | 12 | mkdir ${HOME}/.moonchild productions |
37 | whitelist ${DOWNLOADS} | ||
38 | whitelist ${HOME}/.cache/moonchild productions/pale moon | 13 | whitelist ${HOME}/.cache/moonchild productions/pale moon |
39 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
40 | include /etc/firejail/whitelist-common.inc | ||
41 | |||
42 | caps.drop all | ||
43 | netfilter | ||
44 | nodvd | ||
45 | nogroups | ||
46 | nonewprivs | ||
47 | noroot | ||
48 | notv | ||
49 | protocol unix,inet,inet6,netlink | ||
50 | seccomp | ||
51 | shell none | ||
52 | tracelog | ||
53 | 15 | ||
54 | # private-bin palemoon | 16 | #private-bin palemoon |
55 | # private-dev (disabled for now as it will interfere with webcam use in palemoon) | 17 | # private-etc must first be enabled in firefox-common.profile |
56 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 18 | #private-etc palemoon |
57 | # private-opt palemoon | 19 | #private-opt palemoon |
58 | private-tmp | ||
59 | 20 | ||
60 | disable-mnt | 21 | # Redirect |
22 | include /etc/firejail/firefox-common.profile | ||
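Review bot: The removed line `# private-dev (disabled for now as it will interfere with webcam use in palemoon)` was the only record that private-dev breaks the webcam in palemoon, and the new side drops it while delegating the hardening to firefox-common.profile, which is not in this diff. If that shared profile sets private-dev, the problem the comment documented returns silently; `private-tmp` and `disable-mnt`, which this file previously set itself, now likewise depend on it. Keep the caveat here, e.g. `# private-dev breaks the webcam in palemoon; if firefox-common.profile enables it, add ignore private-dev`, so the override is obvious if it is needed.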
diff --git a/etc/xmr-stak-cpu.profile b/etc/pdfchain.profile index 9cc6e0c1f..d43c0911e 100644..100755 --- a/etc/xmr-stak-cpu.profile +++ b/etc/pdfchain.profile | |||
@@ -1,40 +1,37 @@ | |||
1 | # Firejail profile for xmr-stak-cpu | 1 | # Firejail profile for pdfchain |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/xmr-stak-cpu.local | 4 | include /etc/firejail/pdfchain.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
9 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
10 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | 15 | ||
14 | include /etc/firejail/whitelist-var-common.inc | 16 | include /etc/firejail/whitelist-var-common.inc |
15 | 17 | ||
16 | caps.drop all | 18 | caps.drop all |
17 | ipc-namespace | 19 | ipc-namespace |
18 | netfilter | 20 | net none |
19 | no3d | 21 | no3d |
20 | nodvd | ||
21 | nogroups | 22 | nogroups |
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | nosound | 25 | nosound |
25 | notv | 26 | notv |
26 | novideo | 27 | novideo |
27 | protocol unix,inet,inet6 | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | shell none | 30 | shell none |
30 | 31 | ||
31 | disable-mnt | 32 | private-bin pdfchain,pdftk,sh |
32 | private | ||
33 | private-bin xmr-stak-cpu | ||
34 | private-dev | 33 | private-dev |
35 | private-etc xmr-stak-cpu.json | 34 | private-etc dconf,fonts,gtk-3.0,xdg |
36 | private-lib | ||
37 | private-opt none | ||
38 | private-tmp | 35 | private-tmp |
39 | 36 | ||
40 | memory-deny-write-execute | 37 | memory-deny-write-execute |
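Review bot: The file mode changes from 100644 to 100755, making pdfchain.profile executable, which no other profile in this commit has and which a configuration file does not need; it looks like an accident of copying from xmr-stak-cpu.profile and should be reverted to 100644. Two smaller points: `include /etc/firejail/disable-programs.inc` is placed before disable-devel.inc and disable-passwdmgr.inc, whereas every other profile here lists the disable-*.inc files in alphabetical order, and lines 7–8 are a double blank line. `net none` with `protocol unix` and `private-bin pdfchain,pdftk,sh` is a suitably tight default for a local PDF tool; if pdftk on some distributions is a wrapper that needs further binaries, that would show up as a failure under private-bin — an inference, not visible here.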
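--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter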
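--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/qBittorrent
 noblacklist ${HOME}/.config/qBittorrent
 noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc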
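--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -33,7 +33,7 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache
+private-etc fonts,resolv.conf,ld.so.cache,localtime
 private-dev
 private-tmp
 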
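--- /dev/null
+++ b/etc/redeclipse.profile
@@ -0,0 +1,37 @@
+# Firejail profile for redeclipse
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/redeclipse.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.redeclipse
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp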
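Review bot: `whitelist ${HOME}/.redeclipse` together with `include /etc/firejail/whitelist-common.inc` and `noexec ${HOME}` assumes a distribution-packaged install; if the game is run from a standalone archive unpacked under the home directory (an assumption, not visible here), the whitelist hides the game files and noexec blocks the binary. A comment recording the supported layout would save bug reports, e.g. `# assumes a distro-packaged install; for a copy under ${HOME} add a whitelist in redeclipse.local`. The hardening set otherwise matches kaffeine.profile from the same commit plus `nodvd`, `notv` and `disable-mnt`, which is reasonable for a game.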
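--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -5,6 +5,7 @@ include /etc/firejail/remmina.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
 noblacklist ${HOME}/.ssh
@@ -23,6 +24,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-dev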
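Review bot: The long commented-out `# seccomp.keep ...` allowlist in the second hunk is dead configuration: nothing says why it is disabled, which remmina version and plugins it was captured against, or whether it is meant to replace the active `seccomp` line directly above it. Syscall allowlists of this kind go stale as libraries change, so a reader later cannot tell whether enabling it is safe or will break remote sessions. Either drop it or prefix it with its provenance, e.g. `# seccomp.keep list below captured with <REMMINA VERSION>/<PLUGINS>; disabled because <REASON>`.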
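--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 blacklist /run/user/*/bus
 
 # Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/scribus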
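--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc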
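Review bot: Removing `blacklist /run/user/*/bus` gives the sandboxed soundconverter access to the session D-Bus socket again, which broadens its reach (the session bus exposes other user services), and the change carries no explanation. Other profiles in this commit (kdenlive, krita, okular) keep the same line as `# blacklist /run/user/*/bus`, i.e. disabled but visible; doing the same here, with a reason, would keep the decision reviewable, e.g. `# blacklist /run/user/*/bus - disabled: <REASON>`.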
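--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -42,7 +42,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin spotify,bash,sh
+private-bin spotify,bash,sh,zenity
 private-dev
 private-etc fonts,machine-id,pulse,resolv.conf
 private-opt spotify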
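diff --git a/etc/steam.profile b/etc/steam.profile
index 1e0fd57d1..4965d3a54 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -29,6 +29,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd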
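diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 226781332..6045d6d17 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,14 +21,14 @@ whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
 
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
+# machine-id breaks audio in browsers; enable it when sound is not required
+# machine-id
 read-only ${HOME}/.config/mimeapps.list
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 
 # allow browsers
 # Redirect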
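diff --git a/etc/tilp.profile b/etc/tilp.profile
new file mode 100644
index 000000000..a6165fbfe
--- /dev/null
+++ b/etc/tilp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tilp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.tilp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp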
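Review bot: The new profile sets neither `private-dev` nor a `whitelist` for `${HOME}/.tilp`, so the sandbox sees the full /dev tree and the whole home directory; for a calculator link program that is probably deliberate (the USB/serial cable device nodes live under /dev and appear on hot-plug), but nothing in the file says so, and the next cleanup pass will add `private-dev` and break it. Suggest a comment above `disable-mnt`: `# no private-dev: tilp needs the link-cable device nodes (USB/serial) under /dev`. If `${HOME}/.tilp` is the only home-directory state the program touches, a `mkdir ${HOME}/.tilp` / `whitelist ${HOME}/.tilp` / `include /etc/firejail/whitelist-common.inc` block would close off the rest of ${HOME} the way the other profiles in this diff do.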
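diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index b802478a2..02ef57cce 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -13,9 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.config/torbrowser
+mkdir ${HOME}/.local/share/torbrowser
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -33,7 +36,7 @@ tracelog
 disable-mnt
 private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
 private-dev
-private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies
+private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id
 private-tmp
 
 noexec /tmp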
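Review bot: The second hunk adds `machine-id` to `private-etc` for a Tor Browser sandbox; /etc/machine-id is a stable per-installation identifier, so a compromised browser process can read a value that survives profile resets and ties every session to this host, which is exactly the kind of identifier this profile exists to keep away from the browser. If it was added only because PulseAudio needs it (the thunderbird profile in this same diff describes machine-id as an audio dependency, so that is probably the motivation), record the tradeoff so it can be dropped on audio-less setups: `# machine-id is only here for PulseAudio; it is a stable host identifier, drop it if sound is not needed`. The `alsa,asound.conf,pulse` entries are harmless by comparison.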
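diff --git a/etc/unbound.profile b/etc/unbound.profile
index c03a25752..233e7464f 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -15,6 +15,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist /var/lib/unbound
+whitelist /var/run
+
 caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
@@ -23,6 +26,7 @@ nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+writable-var
 
 disable-mnt
 private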
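Review bot: `whitelist /var/run` together with the new `writable-var` exposes the whole runtime directory (on most current distributions /var/run is the /run symlink target, holding other daemons' sockets and pid files) read-write to a process that keeps `setuid`, `setgid` and `sys_chroot`, while the rest of the profile only needs unbound's own state. If unbound's pid file and control socket live under /var/run/unbound on the targeted distributions, `whitelist /var/run/unbound` keeps the intent without handing over the neighbouring sockets; if the path differs per distribution, a comment naming which entry under /var/run unbound actually writes would let the next maintainer narrow it. Note also that the `seccomp.drop` line this hunk sits under lists `perf_event_open` twice; that is pre-existing, not introduced here.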
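diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 3a1f72f23..aeef58292 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,28 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.config/vivaldi
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile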
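Review bot: After this hunk the file states none of its own hardening (`caps.keep sys_chroot,sys_admin`, `private-dev`, `disable-mnt`, `noexec ${HOME}`, `noexec /tmp`, the `whitelist-*.inc` includes, `whitelist ${DOWNLOADS}`); all of it now depends on /etc/firejail/chromium-common.profile, which is not in this diff. Worth confirming in that file that each dropped line is present, and in particular that it includes whitelist-common.inc and whitelists `${DOWNLOADS}`, because the `whitelist ${HOME}/.cache/vivaldi` lines kept here already switch ${HOME} to whitelist mode on their own, as far as I understand firejail's whitelist handling. A pointer next to the redirect, `# Redirect - caps, private-dev, noexec and the common whitelists come from chromium-common.profile`, would make the dependency explicit to the next reader.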
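diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index b2abb3a5f..fdd299bbf 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -7,83 +7,22 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.waterfox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile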
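Review bot: The `${HOME}/.pki` handling (`noblacklist`, `mkdir` and `whitelist`) is dropped here with nothing in this file replacing it, and the new `include /etc/firejail/firefox-common.profile` is outside this diff; if the common profile does not restore those lines, the sandboxed browser loses whatever it used the shared NSS database under ~/.pki for (user-added CAs and client certificates are the usual contents), and that shows up as a silent change in TLS behaviour rather than an error. Please confirm firefox-common.profile carries the `.pki` lines, or keep them in this file ahead of the redirect, as the remaining `mkdir`/`whitelist` pairs for the cache directories already do. The same applies to `private-dev`, `private-tmp` and the two `noexec` lines, which now exist only if the common profile sets them.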
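diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 3beb11bfb..c664d5a53 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -55,14 +55,20 @@ whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
+whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
+whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
+whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct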
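Review bot: Each new `whitelist` for `kio_httprc` and `ksslcablacklist` mounts the file read-write into every sandbox that includes this file, so any sandboxed program can rewrite the user's KDE HTTP/proxy settings and what is, by its name, the KDE SSL CA blacklist that the user's other KDE applications then honour; that is a persistence and interception path across sandboxes which a sandboxed application has no reason to hold. Unless a program is known to write these files, pair each whitelist with a `read-only` entry, the way thunderbird.profile in this same diff does for mimeapps.list: `read-only ${HOME}/.config/kio_httprc` and `read-only ${HOME}/.config/ksslcablacklist`, plus the `.kde/share/config` and `.kde4/share/config` variants.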
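diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
new file mode 100644
index 000000000..151a4c694
--- /dev/null
+++ b/etc/xmr-stak.profile
@@ -0,0 +1,44 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.xmr-stak
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.xmr-stak
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp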
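Review bot: `memory-deny-write-execute` is likely to collide with the GPU backends this profile goes out of its way to allow (`noblacklist /usr/lib/llvm*`, `private-opt cuda`, the commented `private-lib` with the opencl/cuda backends): OpenCL and CUDA runtimes commonly JIT-compile kernels through writable-then-executable host memory, which this option is designed to refuse, and the failure will look like a backend crash rather than a sandbox denial. Either state that the profile was tested with the GPU backends enabled, or document the restriction where the option sits: `# memory-deny-write-execute can break the OpenCL/CUDA JIT; comment it out for GPU mining`. The `private ${HOME}/.xmr-stak` choice is sound, since the pool configuration in that directory carries the wallet and worker credentials and nothing else in ${HOME} needs to be visible.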
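diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index d17d2b612..7a466db9b 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter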
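diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
index 1c7769727..fdb7694a5 100644
--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
 noblacklist ${HOME}/.config/yandex-browser-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/yandex-browser
 whitelist ${HOME}/.cache/yandex-browser-beta
 whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile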
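Review bot: The old profile created `${HOME}/.pki` with `mkdir` before whitelisting it; both lines are dropped here and the replacement `include /etc/firejail/chromium-common.profile` is not visible in this diff. If the common profile whitelists `.pki` without a matching `mkdir`, a first run on a fresh account whitelists a path that does not yet exist, and the NSS database Chromium-based browsers keep under ~/.pki/nssdb (user-added CAs, client certificates) would then be created inside the sandbox's private home and vanish with it, which reads as "certificates keep disappearing" rather than as a sandbox problem. Please check that chromium-common.profile does `mkdir ${HOME}/.pki` as well, or keep `mkdir ${HOME}/.pki` in this file ahead of the redirect, next to the `mkdir` lines this hunk retains for the cache and config directories.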