Diffstat (limited to 'etc')
96 files changed, 559 insertions, 44 deletions
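--- /dev/null
+++ b/etc/abiword.profile
@@ -0,0 +1,46 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/abiword
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp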
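Review bot: `#nodbus` on new line 28 is left commented out with no reason, unlike the `# no3d breaks under wayland` style used elsewhere in this commit, so a reader cannot tell whether D-Bus access is required by abiword or the line is a template leftover. Suggest either `# nodbus - breaks <feature>, TODO confirm` above it or removing the dead line. Note also that the profile includes whitelist-usr-share-common.inc and whitelist-var-common.inc but not whitelist-common.inc, which appears to leave the home directory broadly readable apart from blacklists; if that is intended for a document editor, a one-line comment saying so would stop the next reader from "fixing" it.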
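--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d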
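--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 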
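--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc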
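Review bot: `blacklist ${RUNUSER}/wayland-*` on new line 13 is subsumed by `blacklist ${RUNUSER}` on the line right after it, since hiding the whole runtime directory already covers every path beneath it; the same pair appears in dig.profile and file.profile in this commit. Unless the narrower line is kept deliberately (for instance so a `.local` override that re-enables `${RUNUSER}` still hides the compositor socket), drop it, or add a comment stating that intent so it is not removed as dead configuration later.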
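--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 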
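--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 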
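--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc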
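--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -166,6 +166,14 @@ blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
 
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+
 # VeraCrypt
 blacklist ${HOME}/.VeraCrypt
 blacklist ${PATH}/veracrypt
@@ -453,6 +461,11 @@ blacklist ${HOME}/.local/share/flatpak/overrides
 blacklist ${HOME}/.local/share/flatpak/repo
 blacklist ${HOME}/.local/share/flatpak/runtime
 blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary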
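Review bot: The new `# libvirt` block (first hunk) hides the per-user cache, config and runtime directories plus the system data, cache and log directories, but not the system control socket, which on common distributions lives under /run/libvirt (often reached via /var/run), nor the daemon configuration under /etc/libvirt. If the goal is to keep sandboxed programs away from the hypervisor management channel, that socket directory is the path that matters most, so consider adding `blacklist /run/libvirt` and `blacklist /etc/libvirt` beside the existing entries, or a comment explaining why they stay reachable. Exact paths depend on the libvirt packaging targeted, so confirm before adding.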
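--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,8 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -73,6 +75,7 @@ blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Enox
+blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
@@ -116,6 +119,7 @@ blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
@@ -330,6 +334,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
@@ -378,6 +383,7 @@ blacklist ${HOME}/.fossamail
 blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
+blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -536,11 +542,14 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-mines
 blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-nibbles
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-pomodoro
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-sudoku
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
@@ -610,6 +619,7 @@ blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
 blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
@@ -706,6 +716,7 @@ blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wormux
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
@@ -730,6 +741,7 @@ blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz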
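Review bot: `blacklist ${HOME}/.config/wormux` (hunk at old line 330) is inserted between `wesnoth` and `Whalebird`, but the surrounding entries (vlc, wesnoth, Whalebird, wireshark, xchat) are in case-insensitive order, so the new line belongs after `wireshark`; the other additions in this file, including the `.local/share/wormux` and `.wormux` ones, do keep the sort. Keeping the list ordered is what makes duplicate or missing entries visible at a glance in a file this long.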
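--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -15,6 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
 include whitelist-common.inc
 include whitelist-var-common.inc
 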
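Review bot: The two new whitelist lines have no matching `mkdir`, unlike the mkdir/whitelist pairs used elsewhere in this commit (d-feet, enchant, ferdi, frogatto); as far as I know firejail skips a whitelisted home path that does not exist at sandbox start, so users get no access until they create the directories outside the jail. Either add `mkdir ${HOME}/.config/BetterDiscord` and `mkdir ${HOME}/.local/share/betterdiscordctl`, or leave them out on purpose and say so, e.g. `# BetterDiscord is optional; directories are not created`. Since this exposes a directory of client-side code that the jailed process will load, a one-line comment naming that trade-off would help the next reviewer.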
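--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d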
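--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 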
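--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 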
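--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 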
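--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland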
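--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 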
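--- /dev/null
+++ b/etc/ferdi.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp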
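Review bot: ferdi.profile relaxes two defaults, `ignore noexec /tmp` (new line 8) and `seccomp !chroot` (new line 41), without a comment naming the feature that needs them, and it omits `include disable-passwdmgr.inc`, which the other new profiles in this commit (abiword, frogatto) carry, so password-manager stores stay readable to a networked Electron application. Please add a one-line reason above each relaxation (e.g. `# <feature> needs an executable /tmp - TODO confirm`) and either include disable-passwdmgr.inc or note why it is left out. The header also lacks the `# Description:` line that abiword, four-in-a-row and frogatto have.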
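--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 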
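--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc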
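--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all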
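--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter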
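--- /dev/null
+++ b/etc/four-in-a-row.profile
@@ -0,0 +1,17 @@
+# Firejail profile for four-in-a-row
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/four-in-a-row
+
+private-bin four-in-a-row
+
+# Redirect
+include gnome_games-common.profile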
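Review bot: `# Description: Sliding tile puzzle game` on new line 2 does not describe four-in-a-row, which is GNOME's Connect-Four style game; the same text is copied into gnome-mahjongg.profile in this commit, which is a tile-matching solitaire. The Description header is the one line a user reads to identify a profile, so suggest `# Description: Connect Four style game` here and `# Description: Matching tile solitaire game` in gnome-mahjongg.profile.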
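--- /dev/null
+++ b/etc/frogatto.profile
@@ -0,0 +1,47 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp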
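Review bot: `private-bin frogatto,sh` on new line 43 makes a shell available inside the jail with no comment on why; presumably the frogatto launcher is a shell wrapper script, in which case the line should say so (`# frogatto is a shell wrapper script`), and if it is not, drop `sh` so the intent of `include disable-exec.inc` is not partly undone. The rest of the option set matches abiword.profile from the same commit.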
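--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable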
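--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 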
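--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 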
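--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 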
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 6fa23c92e..978a13244 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile | |||
@@ -8,32 +8,10 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/gnome-2048 | 9 | noblacklist ${HOME}/.local/share/gnome-2048 |
10 | 10 | ||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | include whitelist-var-common.inc | ||
19 | |||
20 | mkdir ${HOME}/.local/share/gnome-2048 | 11 | mkdir ${HOME}/.local/share/gnome-2048 |
21 | whitelist ${HOME}/.local/share/gnome-2048 | 12 | whitelist ${HOME}/.local/share/gnome-2048 |
22 | include whitelist-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6 | ||
34 | seccomp | ||
35 | 13 | ||
36 | disable-mnt | 14 | private-bin gnome-2048 |
37 | private-dev | ||
38 | private-tmp | ||
39 | 15 | ||
16 | # Redirect | ||
17 | include gnome_games-common.profile | ||
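Review bot: The lines removed here (apparmor, caps.drop all, netfilter, nonewprivs, noroot, seccomp, disable-mnt, private-dev, private-tmp and the disable-*/whitelist-* includes) are presumably relocated into gnome_games-common.profile, which is not in this view; anything that file lacks is silently dropped for gnome-2048, so please confirm it carries at least the same restrictions, in particular `protocol unix,inet,inet6` versus whatever network policy the common profile sets. A comment such as `# Redirect - all hardening lives in gnome_games-common.profile` above the include would make the dependency explicit for readers of this file.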
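--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter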
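--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 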
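--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 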
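--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -16,6 +16,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor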
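--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 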
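--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all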
diff --git a/etc/gnome-hexgl.profile b/etc/gnome-hexgl.profile index 386c33d7f..a06ccc9c1 100644 --- a/etc/gnome-hexgl.profile +++ b/etc/gnome-hexgl.profile | |||
@@ -15,9 +15,8 @@ include disable-programs.inc | |||
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.cache/mesa_shader_cache | 17 | mkdir ${HOME}/.cache/mesa_shader_cache |
18 | whitelist ${RUNUSER}/pulse | ||
19 | whitelist ${RUNUSER}/wayland-0 | ||
20 | whitelist /usr/share/gnome-hexgl | 18 | whitelist /usr/share/gnome-hexgl |
19 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
22 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
23 | 22 | ||
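--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc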
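--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 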
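--- /dev/null
+++ b/etc/gnome-mahjongg.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-mahjongg
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/gnome-mahjongg
+
+private-bin gnome-mahjongg
+
+# Redirect
+include gnome_games-common.profile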
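Review bot: The `# Description: Sliding tile puzzle game` line is copy-pasted across the new game profiles and is wrong for most of them — gnome-mahjongg is a tile-matching solitaire, and the same text appears unchanged in gnome-mines, gnome-nibbles, gnome-robots, gnome-sudoku, gnome-tetravex and lightsoff, with gnome-taquin the only one it actually describes. Users and tooling read this header to identify what a profile sandboxes, so each file should carry its own one-line description, e.g. `# Description: Match tiles and clear the board` here.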
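--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 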
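--- /dev/null
+++ b/etc/gnome-mines.profile
@@ -0,0 +1,18 @@
+# Firejail profile for gnome-mines
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-mines
+
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+
+private-bin gnome-mines
+
+# Redirect
+include gnome_games-common.profile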
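--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor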
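--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 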
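--- /dev/null
+++ b/etc/gnome-nibbles.profile
@@ -0,0 +1,21 @@
+# Firejail profile for gnome-nibbles
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+# Redirect
+include gnome_games-common.profile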
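--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 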
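--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor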
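--- /dev/null
+++ b/etc/gnome-robots.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-robots
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-robots
+
+private-bin gnome-robots
+
+# Redirect
+include gnome_games-common.profile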
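--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 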
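--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor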
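Review bot: The new `include whitelist-runuser-common.inc` is placed after `include whitelist-usr-share-common.inc`, whereas every other profile touched by this commit (and the template) keeps the whitelist includes in alphabetical order with runuser before usr-share; ssh.profile has the same inversion. Swapping the two lines here and in ssh.profile keeps the include block greppable and consistent across the tree.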
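--- /dev/null
+++ b/etc/gnome-sudoku.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-sudoku
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-sudoku
+
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+
+private-bin gnome-sudoku
+
+# Redirect
+include gnome_games-common.profile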
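--- /dev/null
+++ b/etc/gnome-taquin.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-taquin
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-taquin
+
+private-bin gnome-taquin
+
+# Redirect
+include gnome_games-common.profile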
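--- /dev/null
+++ b/etc/gnome-tetravex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gnome-tetravex
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+
+private-bin gnome-tetravex
+
+# Redirect
+include gnome_games-common.profile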
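--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all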
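--- /dev/null
+++ b/etc/gnome_games-common.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,X11
+private-tmp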
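Review bot: `private-etc` lists `machine-id` although the profile also sets the `machine-id` directive, which replaces /etc/machine-id inside the sandbox with a spoofed value; if the spoofed file takes precedence the private-etc entry is dead weight, and if it does not, the real host identifier is copied into a net-none sandbox that otherwise tries to hide it — worth confirming which one wins and dropping or commenting the entry accordingly. The header also lacks the `# Description:` line that every sibling profile carries; something like `# Description: Common rules for the GNOME games, pulled in by each game profile via Redirect` would explain why `globals.local` is deliberately left to the caller.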
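--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 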
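Review bot: `whitelist ${RUNUSER}/gnupg` has no matching `mkdir`, unlike `${HOME}/.gnupg` two lines above it. If `${RUNUSER}/gnupg` does not yet exist when the sandbox starts (the agent normally creates its socket directory on first run), the whitelist is presumably skipped and the agent would then create the directory on the sandbox-private ${RUNUSER} view that whitelist-runuser-common.inc sets up, where gpg clients outside the sandbox cannot reach the socket; adding `mkdir ${RUNUSER}/gnupg` before the whitelist mirrors the ${HOME} handling and avoids that — please confirm against firejail's treatment of missing whitelist paths. The reason the agent needs the whole `${RUNUSER}/keyring` directory is not obvious either and deserves a one-line comment.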
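--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 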
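Review bot: `whitelist ${RUNUSER}/keyring` exposes every gnome-keyring control socket in that directory to the gpg sandbox, while the sockets gpg itself talks to are the gpg-agent ones under `${RUNUSER}/gnupg` whitelisted on the line above. ssh.profile in this same commit shows the narrower form (`whitelist ${RUNUSER}/keyring/ssh`), so unless gpg needs the keyring daemon for something specific, dropping the keyring line — or narrowing it to the one socket and adding a comment naming the consumer — keeps the secrets and ssh-agent sockets out of reach of a process that only needs the gpg-agent. gpg-agent.profile adds the same line and deserves the same question.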
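--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 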
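--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -7,6 +7,7 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc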
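Review bot: With `blacklist ${RUNUSER}` added, the `blacklist ${RUNUSER}/wayland-*` line directly above it is subsumed — the whole runtime directory is already hidden, so the glob entry only adds a redundant mount. The same pair now appears in less, pandoc, patch, pdftotext, shellcheck, strings, rsync-download_only, nslookup and ping; either drop the wayland line in each or keep it with a comment explaining why both are wanted (for instance if the directory blacklist is meant to be overridable from a .local file while the wayland one stays).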
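--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all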
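Review bot: latex-common.profile is shared by command-line TeX tools, yet the hunk adds `include whitelist-runuser-common.inc`, which the template in this same commit labels `#GTK3 only:` and which presumably grants the session sockets under ${RUNUSER} (D-Bus, Wayland, PulseAudio) to programs that never open a display; the template's own `# Disable RUNUSER (cli only)` / `#blacklist ${RUNUSER}` is the tighter choice and is what this commit applies to highlight, less, pandoc and pdftotext. links, lynx, mutt, newsboat and pngquant receive the same include and look like terminal tools too — if any of them genuinely needs a runtime-directory socket, a comment naming which one would justify the wider grant; otherwise `blacklist ${RUNUSER}` is the consistent rule.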
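--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 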
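--- /dev/null
+++ b/etc/lightsoff.profile
@@ -0,0 +1,14 @@
+# Firejail profile for lightsoff
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+# Redirect
+include gnome_games-common.profile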
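--- a/etc/links.profile
+++ b/etc/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all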
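--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d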
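--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc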
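--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d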
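--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all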
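--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -7,6 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 noblacklist ${PATH}/nslookup
 
 include disable-common.inc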
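--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 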
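--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 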
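--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 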
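--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc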
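--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor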
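--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor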
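--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter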
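--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all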
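--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 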
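--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc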
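--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 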
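--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 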
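--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace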
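--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc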
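--- a/etc/teams.profile
+++ b/etc/teams.profile
@@ -9,6 +9,8 @@ include teams.local
 # added by included profile
 #include globals.local
 
+ignore nodbus
+
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
@@ -30,7 +32,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-tmp
 
 # Redirect
 include electron.profile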
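Review bot: The second hunk removes `private-tmp` with no replacement in this file; if the `include electron.profile` redirect below sets it, this is a harmless de-duplication, but if it does not, teams now shares the host /tmp (and any sockets placed there) with the rest of the session, a quiet loss of isolation for a client that renders remote content. A one-line comment such as `# private-tmp is inherited from electron.profile` next to the redirect would make the intent checkable without opening the other file. The `ignore nodbus` added in the first hunk likewise deserves a short note on which Teams feature needs the session bus, since it overrides a restriction the included profile presumably applies.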
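--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,6 +27,7 @@
 # ALLOW INCLUDES
 # BLACKLISTS
 # DISABLE INCLUDES
+# NOWHITELISTS
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
@@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 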
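Review bot: The new `#GTK3 only: include whitelist-runuser-common.inc` guidance in the third hunk contradicts the rest of this commit, which adds that include to gpg, gpg-agent, ssh, lynx, mutt, newsboat, latex-common and other non-GTK programs. Either the guidance should state the real criterion — e.g. `# For programs that need session sockets under ${RUNUSER} (D-Bus, Wayland, PulseAudio); cli-only programs use blacklist ${RUNUSER} instead` — or those profiles should follow it; as written, a contributor cannot tell which rule applies. The `# NOWHITELISTS` entry added to the section list in the first hunk would also benefit from a matching commented example in the body if one is not already there (the body between the hunks is outside this view).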
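--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -17,12 +17,12 @@ writable-run-user
 #whitelist /var/spool/mail
 #writable-var
 
-# Uncomment the next 4 lines or put them in your thunderbird.local to
-# allow Firefox to load your profile when clicking a link in an email
-#noblacklist ${HOME}/.cache/mozilla
-#noblacklist ${HOME}/.mozilla
-#whitelist ${HOME}/.cache/mozilla/firefox
-#whitelist ${HOME}/.mozilla
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg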
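Review bot: The new comment says these lines let Firefox "load your profile", but the whitelists on the new side expose only `${HOME}/.cache/mozilla/firefox` and a read-only `${HOME}/.mozilla/firefox/profiles.ini`; the profile directories that profiles.ini points to are not whitelisted (the removed version whitelisted all of `${HOME}/.mozilla`), so a Firefox started inside this sandbox can presumably locate a profile but not open it. If the intent is only to let the launcher find an already-running Firefox and hand the link over, the comment should say so, e.g. `# Expose profiles.ini read-only so a Firefox launched from an email link can find the running instance; profile directories stay hidden`; if Firefox is expected to open the profile inside the sandbox, a whitelist of the profile directory is missing. It is also worth noting in the comment that the cache directory is deliberately writable while profiles.ini is read-only, since the two lines otherwise look inconsistent.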
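--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d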
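--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
 
 ignore memory-deny-write-execute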
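--- /dev/null
+++ b/etc/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile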
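Review bot: `ignore noexec ${HOME}` on line 10 carries no comment explaining that it exists because the client lives in the whitelisted `${HOME}/TeamSpeak3-Client-linux_*` directories and presumably has to be executable from there; without that, a reader sees an unexplained weakening of the redirected teamspeak3.profile. A comment such as `# the client is installed under ${HOME} and must be executable there` above line 10 would make the intent clear. Since those two directories are exposed both writable and executable, `read-only ${HOME}/TeamSpeak3-Client-linux_x86` (and the _amd64 twin) would keep the sandboxed client from rewriting its own binaries, if the client's built-in updater is not relied on; that trade-off belongs in the same comment.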
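--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 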
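Review bot: tshark is a terminal program, yet this hunk adds `include whitelist-runuser-common.inc`, which the same commit's profile.template labels `GTK3 only` and which whitelists the session bus, dconf, pulse and wayland sockets under `${RUNUSER}`; the template's own recommendation for cli-only programs is `blacklist ${RUNUSER}`. The vim and w3m hunks make the same choice. If these profiles are also used by GUI front-ends (gvim, or a wireshark variant sharing the `/usr/share/wireshark` whitelist seen here), a comment such as `# shared with the GUI variant, which needs the runuser sockets` would document the decision; otherwise `blacklist ${RUNUSER}` is the tighter option for a cli tool.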
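--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd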
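--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d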
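--- /dev/null
+++ b/etc/warmux.profile
@@ -0,0 +1,53 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp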
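Review bot: This new profile has neither `include whitelist-runuser-common.inc` nor `blacklist ${RUNUSER}`, so `${RUNUSER}` presumably stays fully visible even though `nodbus` is set, while every other new or changed profile in this commit takes one of the two routes. warmux is an SDL game rather than a GTK3 program and sound is not disabled, so the cli-style `blacklist ${RUNUSER}` does not fit either; a narrower `whitelist ${RUNUSER}/pulse/native`, or a comment stating why the directory is left alone, would make the choice deliberate. The three `wormux` directories under `.config`, `.local/share` and `${HOME}/.wormux` are created and whitelisted without saying which one the current version writes to; a one-line comment (legacy paths kept for old installs, if that is the reason) would help the next maintainer.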
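--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc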
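Review bot: Once `blacklist ${RUNUSER}` is added, the preceding `blacklist ${RUNUSER}/wayland-*` is subsumed by it, and the two lines read as if they were independent; the whois and youtube-dl hunks add the same pair. Keeping the narrower line is defensible as a fallback should a `.local` file later `noblacklist ${RUNUSER}`, but that should be stated, e.g. `# whole ${RUNUSER} is hidden; the wayland-* line stays as a fallback for local overrides`, or the narrower line should go. The template's new `# Disable RUNUSER (cli only)` comment would also fit above the new line so the profile explains itself.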
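--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0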
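Review bot: Line 10 whitelists the fixed socket name `${RUNUSER}/wayland-0`, while the rest of this commit (wget, whois, youtube-dl, profile.template) refers to `${RUNUSER}/wayland-*`; a session whose compositor created `wayland-1` would get no Wayland socket from this include. If `whitelist` accepts the same glob that `blacklist` does, `whitelist ${RUNUSER}/wayland-*` would match the other files; if it does not, a comment saying the name is fixed on purpose would stop the next reader from "fixing" it. `gdm/Xauthority` on line 8 likewise covers only GDM sessions, which deserves a comment pointing users of other display managers to `whitelist-runuser-common.local`. The header comment on line 4 should also say that `${RUNUSER}/bus` is the session D-Bus socket, so a profile including this file still needs `nodbus` if it is not meant to have bus access.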
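--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -22,6 +22,7 @@ whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
 whitelist /usr/share/gtk-2.0
 whitelist /usr/share/gtk-3.0
+whitelist /usr/share/gtk-engines
 whitelist /usr/share/gtksourceview-3.0
 whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell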
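--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc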
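--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 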
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 19effef47..6066313a3 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -22,6 +22,7 @@ include allow-python3.inc | |||
22 | 22 | ||
23 | blacklist /tmp/.X11-unix | 23 | blacklist /tmp/.X11-unix |
24 | blacklist ${RUNUSER}/wayland-* | 24 | blacklist ${RUNUSER}/wayland-* |
25 | blacklist ${RUNUSER} | ||
25 | 26 | ||
26 | include disable-common.inc | 27 | include disable-common.inc |
27 | include disable-devel.inc | 28 | include disable-devel.inc |