Diffstat (limited to 'etc')
-rw-r--r-- | etc/Cryptocat.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 21 | ||||
-rw-r--r-- | etc/disable-programs.inc | 9 | ||||
-rw-r--r-- | etc/start-tor-browser.profile | 2 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | etc/xmms.profile | 11 |
6 files changed, 39 insertions, 8 deletions
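--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,4 @@
-# Firejail profile for
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc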
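--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,12 +75,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -99,6 +96,11 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -124,8 +126,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+# except the commonly-used ~/.local/share
+read-only ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -133,6 +143,7 @@ blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd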
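Review bot: In the third hunk (@@ -124,8 +126,16 @@), `read-write ${HOME}/.local/share` re-opens all of ~/.local/share after `read-only ${HOME}/.local`, which presumably includes ~/.local/share/applications where per-user .desktop launchers are kept; that directory belongs with the "Initialization files that allow arbitrary command execution" group rather than being left writable. Consider following the read-write line with `read-only ${HOME}/.local/share/applications`, or extend the comment to say why ~/.local/share must stay writable in full. The new comment `# Make directories commonly found in $PATH read-only` also does not say that ~/.local/bin is covered only indirectly by the separate `read-only ${HOME}/.local` line below it; one extra clause there would spare the next reader the search.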
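--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -177,8 +177,17 @@ blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.killingfloor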
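--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -14,7 +14,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp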
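--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -8,7 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink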
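Review bot: `# nogroups` at new line 11 switches off a hardening directive by commenting it out without recording why, so a later reader cannot tell whether this is a temporary workaround for a specific breakage or a permanent decision, and the sandbox now keeps the user's supplementary groups. A one-line reason next to it would settle that, e.g. `# nogroups disabled: <REASON_PLACEHOLDER> (see <ISSUE_PLACEHOLDER>)`; if the directive is not expected to return, deleting the line is cleaner than leaving dead configuration behind.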
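--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,11 @@
+# xmms media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp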
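Review bot: The new profile lacks `netfilter` and `nogroups`, both of which the vlc.profile touched in this same commit carries for a comparable media player; since `protocol unix,inet,inet6` grants network access, either add `netfilter` after `caps.drop all`, or, if xmms is only expected to play local files, `net none` would be the tighter choice. The header `# xmms media player profile` also differs in form from the `# Firejail profile for Cryptocat` header this commit introduces; `# Firejail profile for xmms` would keep the profile headers uniform.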