Diffstat (limited to 'etc')
-rw-r--r--etc/Cryptocat.profile2
-rw-r--r--etc/disable-common.inc21
-rw-r--r--etc/disable-programs.inc9
-rw-r--r--etc/start-tor-browser.profile2
-rw-r--r--etc/vlc.profile2
-rw-r--r--etc/xmms.profile11
6 files changed, 39 insertions, 8 deletions
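diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..b61b88f68 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,4 @@
-# Firejail profile for
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc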
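diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 5a281a91f..de8a9bfe7 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,12 +75,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -99,6 +96,11 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -124,8 +126,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+# except the commonly-used ~/.local/share
+read-only ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -133,6 +143,7 @@ blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd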
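Review bot: The `read-write ${HOME}/.local/share` line on the new side of the third hunk reopens a subtree of the `read-only ${HOME}/.local` directly above it, and the two-line comment never says why ~/.local is locked at all; from what this page shows, the rationale is the same one the hunk gives for ~/bin, namely that ~/.local/bin is commonly on $PATH. I would extend the comment to `# ~/.local is read-only because ~/.local/bin is commonly on $PATH; ~/.local/share holds application data and stays writable`. Whether a read-write exception for a child of a read-only mount takes effect presumably depends on the order in which firejail applies the two directives, so the comment should also state that the read-write line must follow the read-only one. Separately, in the second hunk `.pgpkey`, `.plan` and `.project` are not startup files, so after the first hunk's header change they sit under `# Startup files`, which no longer describes them; a short comment of their own would keep the section accurate.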
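diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96bf1464b..b307978da 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -177,8 +177,17 @@ blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.killingfloor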
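Review bot: The new konqueror, khtml and kcookiejar entries cover only `${HOME}/.kde`, whereas disable-common.inc on this same page lists both `${HOME}/.kde4/share/apps/kwallet` and `${HOME}/.kde/share/apps/kwallet` for the wallet. If this file also tracks ~/.kde4 paths for other applications (the rest of it is outside the hunk), matching entries under ~/.kde4 would be consistent and would keep the older-layout copies of the cookie jar and browsing history out of sandboxed programs as well. Otherwise a one-line comment stating that only the ~/.kde layout is covered would save the next reader the question.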
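diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index ee19cee25..16ef754f6 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -14,7 +14,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp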
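diff --git a/etc/vlc.profile b/etc/vlc.profile
index 2fd763f25..df9fcab03 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -8,7 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink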
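Review bot: Commenting out `nogroups` drops a sandbox restriction with no recorded reason, so the next person editing the profile cannot tell whether it is safe to restore. Replace the bare `# nogroups` with a comment that records the cause, e.g. `# nogroups disabled: <reason — placeholder, presumably a supplementary group vlc needs>`, so the trade-off stays visible in the file rather than only in the commit history.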
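diff --git a/etc/xmms.profile b/etc/xmms.profile
new file mode 100644
index 000000000..4a482f49e
--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,11 @@
+# xmms media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp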
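Review bot: Compared with the sibling vlc.profile in this diff, the new profile has no `netfilter`, so it does not get the client-only network filter vlc enables; if xmms only needs outbound streaming, adding `netfilter` after `caps.drop all` would bring it in line with the other media-player profile. Nothing re-enables xmms's own configuration directory either — Cryptocat.profile on this page opens with a `noblacklist` for its config — so confirm whether disable-programs.inc lists the xmms directory and, if it does, add the corresponding `noblacklist` ahead of the includes. A one-line comment naming what the profile deliberately leaves out would help either way.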