diff options
Diffstat (limited to 'etc')
55 files changed, 907 insertions, 30 deletions
diff --git a/etc/7z.profile b/etc/7z.profile index 284aa37a2..5ff02e1c0 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7z | 1 | # Firejail profile for 7z |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/7za.profile b/etc/7za.profile index 14188e1f0..9cd04cad1 100644 --- a/etc/7za.profile +++ b/etc/7za.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7za | 1 | # Firejail profile for 7za |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/7zr.profile b/etc/7zr.profile index 2cb42fa40..bd3842900 100644 --- a/etc/7zr.profile +++ b/etc/7zr.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7zr | 1 | # Firejail profile for 7zr |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile new file mode 100644 index 000000000..afd1033de --- /dev/null +++ b/etc/audio-recorder.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for audio-recorder | ||
2 | # Description: Audio Recorder Application | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include audio-recorder.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${MUSIC} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist ${MUSIC} | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist /usr/share/audio-recorder | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | net none | ||
31 | no3d | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | x11 none | ||
44 | |||
45 | disable-mnt | ||
46 | # private-bin audio-recorder | ||
47 | private-cache | ||
48 | private-etc alternatives,fonts | ||
49 | private-tmp | ||
50 | |||
51 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/baobab.profile b/etc/baobab.profile index c419aa202..79d4b23f9 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -6,7 +6,7 @@ include baobab.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | include disable-common.inc | 9 | # include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | 11 | include disable-exec.inc |
12 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
diff --git a/etc/brasero.profile b/etc/brasero.profile index 058253308..67fc07afb 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -32,5 +32,3 @@ tracelog | |||
32 | private-cache | 32 | private-cache |
33 | # private-dev | 33 | # private-dev |
34 | # private-tmp | 34 | # private-tmp |
35 | |||
36 | memory-deny-write-execute | ||
diff --git a/etc/brave-browser-beta.profile b/etc/brave-browser-beta.profile new file mode 100644 index 000000000..528a6402d --- /dev/null +++ b/etc/brave-browser-beta.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (beta channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-dev.profile b/etc/brave-browser-dev.profile new file mode 100644 index 000000000..4601de119 --- /dev/null +++ b/etc/brave-browser-dev.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (development channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-nightly.profile b/etc/brave-browser-nightly.profile new file mode 100644 index 000000000..43d3cc724 --- /dev/null +++ b/etc/brave-browser-nightly.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (nightly channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-stable.profile b/etc/brave-browser-stable.profile new file mode 100644 index 000000000..06d33dea4 --- /dev/null +++ b/etc/brave-browser-stable.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (release channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave.profile b/etc/brave.profile index 984fab5a8..35c59f5a3 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -1,6 +1,6 @@ | |||
1 | # Firejail profile for brave | 1 | # Firejail profile for brave |
2 | # This file is overwritten after every install/update | ||
3 | # Description: Web browser that blocks ads and trackers by default. | 2 | # Description: Web browser that blocks ads and trackers by default. |
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include brave.local | 5 | include brave.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
@@ -9,16 +9,24 @@ include globals.local | |||
9 | # noexec /tmp is included in chromium-common.profile and breaks Brave | 9 | # noexec /tmp is included in chromium-common.profile and breaks Brave |
10 | ignore noexec /tmp | 10 | ignore noexec /tmp |
11 | 11 | ||
12 | noblacklist ${HOME}/.config/brave | 12 | noblacklist ${HOME}/.cache/BraveSoftware |
13 | noblacklist ${HOME}/.config/BraveSoftware | 13 | noblacklist ${HOME}/.config/BraveSoftware |
14 | noblacklist ${HOME}/.config/brave | ||
15 | noblacklist ${HOME}/.config/brave-flags.conf | ||
14 | # brave uses gpg for built-in password manager | 16 | # brave uses gpg for built-in password manager |
15 | noblacklist ${HOME}/.gnupg | 17 | noblacklist ${HOME}/.gnupg |
16 | 18 | ||
17 | mkdir ${HOME}/.config/brave | 19 | mkdir ${HOME}/.cache/BraveSoftware |
18 | mkdir ${HOME}/.config/BraveSoftware | 20 | mkdir ${HOME}/.config/BraveSoftware |
19 | whitelist ${HOME}/.config/brave | 21 | mkdir ${HOME}/.config/brave |
22 | whitelist ${HOME}/.cache/BraveSoftware | ||
20 | whitelist ${HOME}/.config/BraveSoftware | 23 | whitelist ${HOME}/.config/BraveSoftware |
24 | whitelist ${HOME}/.config/brave | ||
25 | whitelist ${HOME}/.config/brave-flags.conf | ||
21 | whitelist ${HOME}/.gnupg | 26 | whitelist ${HOME}/.gnupg |
22 | 27 | ||
28 | # Brave sandbox needs read access to /proc/config.gz | ||
29 | noblacklist /proc/config.gz | ||
30 | |||
23 | # Redirect | 31 | # Redirect |
24 | include chromium-common.profile | 32 | include chromium-common.profile |
diff --git a/etc/cameramonitor.profile b/etc/cameramonitor.profile new file mode 100644 index 000000000..1d7aa0f9c --- /dev/null +++ b/etc/cameramonitor.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for cameramonitor | ||
2 | # Description: A little monitor to check your webcam status | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include cameramonitor.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | ||
12 | include allow-python3.inc | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | whitelist /usr/share/cameramonitor | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | net none | ||
32 | no3d | ||
33 | #nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | private-bin cameramonitor,python* | ||
49 | private-cache | ||
50 | private-etc alternatives,fonts | ||
51 | private-tmp | ||
52 | |||
53 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile new file mode 100644 index 000000000..ef65046e1 --- /dev/null +++ b/etc/ddgtk.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for ddgtk | ||
2 | # Description: A frontend GUI to dd for making bootable USB disks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ddgtk.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python2.inc | ||
11 | include allow-python3.inc | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist /usr/share/ddgtk | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | net none | ||
32 | no3d | ||
33 | nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | x11 none | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | ||
50 | private-cache | ||
51 | private-etc alternatives,fonts | ||
52 | private-tmp | ||
53 | |||
54 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b2837b443..16f231108 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -376,7 +376,10 @@ blacklist ${PATH}/crontab | |||
376 | blacklist ${PATH}/evtest | 376 | blacklist ${PATH}/evtest |
377 | blacklist ${PATH}/expiry | 377 | blacklist ${PATH}/expiry |
378 | blacklist ${PATH}/fusermount | 378 | blacklist ${PATH}/fusermount |
379 | blacklist ${PATH}/gksu | ||
380 | blacklist ${PATH}/gksudo | ||
379 | blacklist ${PATH}/gpasswd | 381 | blacklist ${PATH}/gpasswd |
382 | blacklist ${PATH}/kdesudo | ||
380 | blacklist ${PATH}/ksu | 383 | blacklist ${PATH}/ksu |
381 | blacklist ${PATH}/mount | 384 | blacklist ${PATH}/mount |
382 | blacklist ${PATH}/mount.ecryptfs_private | 385 | blacklist ${PATH}/mount.ecryptfs_private |
@@ -449,3 +452,6 @@ blacklist ${HOME}/Mail | |||
449 | blacklist ${HOME}/mail | 452 | blacklist ${HOME}/mail |
450 | blacklist ${HOME}/postponed | 453 | blacklist ${HOME}/postponed |
451 | blacklist ${HOME}/sent | 454 | blacklist ${HOME}/sent |
455 | |||
456 | # kernel configuration | ||
457 | blacklist /proc/config.gz | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index fa98825f4..b1605e757 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/bnox | |||
132 | blacklist ${HOME}/.config/borg | 132 | blacklist ${HOME}/.config/borg |
133 | blacklist ${HOME}/.config/brasero | 133 | blacklist ${HOME}/.config/brasero |
134 | blacklist ${HOME}/.config/brave | 134 | blacklist ${HOME}/.config/brave |
135 | blacklist ${HOME}/.config/brave-flags.conf | ||
135 | blacklist ${HOME}/.config/caja | 136 | blacklist ${HOME}/.config/caja |
136 | blacklist ${HOME}/.config/calibre | 137 | blacklist ${HOME}/.config/calibre |
137 | blacklist ${HOME}/.config/cantata | 138 | blacklist ${HOME}/.config/cantata |
@@ -158,7 +159,9 @@ blacklist ${HOME}/.config/dkl | |||
158 | blacklist ${HOME}/.config/dnox | 159 | blacklist ${HOME}/.config/dnox |
159 | blacklist ${HOME}/.config/dolphinrc | 160 | blacklist ${HOME}/.config/dolphinrc |
160 | blacklist ${HOME}/.config/dragonplayerrc | 161 | blacklist ${HOME}/.config/dragonplayerrc |
162 | blacklist ${HOME}/.config/draw.io | ||
161 | blacklist ${HOME}/.config/d-feet | 163 | blacklist ${HOME}/.config/d-feet |
164 | blacklist ${HOME}/.config/electron-mail | ||
162 | blacklist ${HOME}/.config/emaildefaults | 165 | blacklist ${HOME}/.config/emaildefaults |
163 | blacklist ${HOME}/.config/emailidentities | 166 | blacklist ${HOME}/.config/emailidentities |
164 | blacklist ${HOME}/.config/enchant | 167 | blacklist ${HOME}/.config/enchant |
@@ -181,6 +184,7 @@ blacklist ${HOME}/.config/ghb | |||
181 | blacklist ${HOME}/.config/ghostwriter | 184 | blacklist ${HOME}/.config/ghostwriter |
182 | blacklist ${HOME}/.config/git | 185 | blacklist ${HOME}/.config/git |
183 | blacklist ${HOME}/.config/globaltime | 186 | blacklist ${HOME}/.config/globaltime |
187 | blacklist ${HOME}/.config/gmpc | ||
184 | blacklist ${HOME}/.config/gnome-builder | 188 | blacklist ${HOME}/.config/gnome-builder |
185 | blacklist ${HOME}/.config/gnome-latex | 189 | blacklist ${HOME}/.config/gnome-latex |
186 | blacklist ${HOME}/.config/gnome-mplayer | 190 | blacklist ${HOME}/.config/gnome-mplayer |
@@ -260,6 +264,7 @@ blacklist ${HOME}/.config/onionshare | |||
260 | blacklist ${HOME}/.config/opera | 264 | blacklist ${HOME}/.config/opera |
261 | blacklist ${HOME}/.config/opera-beta | 265 | blacklist ${HOME}/.config/opera-beta |
262 | blacklist ${HOME}/.config/orage | 266 | blacklist ${HOME}/.config/orage |
267 | blacklist ${HOME}/.config/org.gabmus.gfeeds.json | ||
263 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 268 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
264 | blacklist ${HOME}/.config/pavucontrol-qt | 269 | blacklist ${HOME}/.config/pavucontrol-qt |
265 | blacklist ${HOME}/.config/pavucontrol.ini | 270 | blacklist ${HOME}/.config/pavucontrol.ini |
@@ -271,6 +276,7 @@ blacklist ${HOME}/.config/pix | |||
271 | blacklist ${HOME}/.config/pluma | 276 | blacklist ${HOME}/.config/pluma |
272 | blacklist ${HOME}/.config/ppsspp | 277 | blacklist ${HOME}/.config/ppsspp |
273 | blacklist ${HOME}/.config/pragha | 278 | blacklist ${HOME}/.config/pragha |
279 | blacklist ${HOME}/.config/profanity | ||
274 | blacklist ${HOME}/.config/psi+ | 280 | blacklist ${HOME}/.config/psi+ |
275 | blacklist ${HOME}/.config/qBittorrent | 281 | blacklist ${HOME}/.config/qBittorrent |
276 | blacklist ${HOME}/.config/qBittorrentrc | 282 | blacklist ${HOME}/.config/qBittorrentrc |
@@ -360,6 +366,7 @@ blacklist ${HOME}/.freecol | |||
360 | blacklist ${HOME}/.freemind | 366 | blacklist ${HOME}/.freemind |
361 | blacklist ${HOME}/.frozen-bubble | 367 | blacklist ${HOME}/.frozen-bubble |
362 | blacklist ${HOME}/.gimp* | 368 | blacklist ${HOME}/.gimp* |
369 | blacklist ${HOME}/.gist | ||
363 | blacklist ${HOME}/.gitconfig | 370 | blacklist ${HOME}/.gitconfig |
364 | blacklist ${HOME}/.gnome/gnome-schedule | 371 | blacklist ${HOME}/.gnome/gnome-schedule |
365 | blacklist ${HOME}/.googleearth/Cache | 372 | blacklist ${HOME}/.googleearth/Cache |
@@ -557,6 +564,7 @@ blacklist ${HOME}/.local/share/orage | |||
557 | blacklist ${HOME}/.local/share/org.kde.gwenview | 564 | blacklist ${HOME}/.local/share/org.kde.gwenview |
558 | blacklist ${HOME}/.local/share/pix | 565 | blacklist ${HOME}/.local/share/pix |
559 | blacklist ${HOME}/.local/share/plasma_notes | 566 | blacklist ${HOME}/.local/share/plasma_notes |
567 | blacklist ${HOME}/.local/share/profanity | ||
560 | blacklist ${HOME}/.local/share/psi+ | 568 | blacklist ${HOME}/.local/share/psi+ |
561 | blacklist ${HOME}/.local/share/qpdfview | 569 | blacklist ${HOME}/.local/share/qpdfview |
562 | blacklist ${HOME}/.local/share/qutebrowser | 570 | blacklist ${HOME}/.local/share/qutebrowser |
@@ -689,6 +697,7 @@ blacklist /var/lib/games/Maelstrom-Scores | |||
689 | blacklist ${HOME}/.cache/0ad | 697 | blacklist ${HOME}/.cache/0ad |
690 | blacklist ${HOME}/.cache/8pecxstudios | 698 | blacklist ${HOME}/.cache/8pecxstudios |
691 | blacklist ${HOME}/.cache/Authenticator | 699 | blacklist ${HOME}/.cache/Authenticator |
700 | blacklist ${HOME}/.cache/BraveSoftware | ||
692 | blacklist ${HOME}/.cache/Clementine | 701 | blacklist ${HOME}/.cache/Clementine |
693 | blacklist ${HOME}/.cache/Enox | 702 | blacklist ${HOME}/.cache/Enox |
694 | blacklist ${HOME}/.cache/Enpass | 703 | blacklist ${HOME}/.cache/Enpass |
@@ -701,6 +710,7 @@ blacklist ${HOME}/.cache/Zeal | |||
701 | blacklist ${HOME}/.cache/akonadi* | 710 | blacklist ${HOME}/.cache/akonadi* |
702 | blacklist ${HOME}/.cache/atril | 711 | blacklist ${HOME}/.cache/atril |
703 | blacklist ${HOME}/.cache/attic | 712 | blacklist ${HOME}/.cache/attic |
713 | blacklist ${HOME}/.cache/babl | ||
704 | blacklist ${HOME}/.cache/bnox | 714 | blacklist ${HOME}/.cache/bnox |
705 | blacklist ${HOME}/.cache/borg | 715 | blacklist ${HOME}/.cache/borg |
706 | blacklist ${HOME}/.cache/calibre | 716 | blacklist ${HOME}/.cache/calibre |
@@ -713,6 +723,7 @@ blacklist ${HOME}/.cache/darktable | |||
713 | blacklist ${HOME}/.cache/discover | 723 | blacklist ${HOME}/.cache/discover |
714 | blacklist ${HOME}/.cache/dnox | 724 | blacklist ${HOME}/.cache/dnox |
715 | blacklist ${HOME}/.cache/dolphin | 725 | blacklist ${HOME}/.cache/dolphin |
726 | blacklist ${HOME}/.cache/ephemeral | ||
716 | blacklist ${HOME}/.cache/epiphany | 727 | blacklist ${HOME}/.cache/epiphany |
717 | blacklist ${HOME}/.cache/evolution | 728 | blacklist ${HOME}/.cache/evolution |
718 | blacklist ${HOME}/.cache/falkon | 729 | blacklist ${HOME}/.cache/falkon |
@@ -721,6 +732,7 @@ blacklist ${HOME}/.cache/font-manager | |||
721 | blacklist ${HOME}/.cache/fossamail | 732 | blacklist ${HOME}/.cache/fossamail |
722 | blacklist ${HOME}/.cache/freecol | 733 | blacklist ${HOME}/.cache/freecol |
723 | blacklist ${HOME}/.cache/gajim | 734 | blacklist ${HOME}/.cache/gajim |
735 | blacklist ${HOME}/.cache/gegl-0.4 | ||
724 | blacklist ${HOME}/.cache/geeqie | 736 | blacklist ${HOME}/.cache/geeqie |
725 | blacklist ${HOME}/.cache/gimp | 737 | blacklist ${HOME}/.cache/gimp |
726 | blacklist ${HOME}/.cache/godot | 738 | blacklist ${HOME}/.cache/godot |
@@ -769,6 +781,7 @@ blacklist ${HOME}/.cache/netsurf | |||
769 | blacklist ${HOME}/.cache/okular | 781 | blacklist ${HOME}/.cache/okular |
770 | blacklist ${HOME}/.cache/opera | 782 | blacklist ${HOME}/.cache/opera |
771 | blacklist ${HOME}/.cache/opera-beta | 783 | blacklist ${HOME}/.cache/opera-beta |
784 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
772 | blacklist ${HOME}/.cache/org.gnome.Books | 785 | blacklist ${HOME}/.cache/org.gnome.Books |
773 | blacklist ${HOME}/.cache/org.gnome.Maps | 786 | blacklist ${HOME}/.cache/org.gnome.Maps |
774 | blacklist ${HOME}/.cache/pdfmod | 787 | blacklist ${HOME}/.cache/pdfmod |
diff --git a/etc/drawio.profile b/etc/drawio.profile new file mode 100644 index 000000000..d4fd735a1 --- /dev/null +++ b/etc/drawio.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for drawio | ||
2 | # Description: Diagram drawing application built on web technology - desktop version | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include drawio.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/draw.io | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/draw.io | ||
20 | whitelist ${HOME}/.config/draw.io | ||
21 | whitelist ${DOWNLOADS} | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | ipc-namespace | ||
29 | machine-id | ||
30 | net none | ||
31 | nodbus | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix | ||
41 | seccomp !chroot | ||
42 | shell none | ||
43 | # tracelog - breaks on Arch | ||
44 | |||
45 | private-bin drawio | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alternatives,fonts | ||
49 | private-tmp | ||
50 | |||
51 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/electron-mail.profile b/etc/electron-mail.profile new file mode 100644 index 000000000..bde8978df --- /dev/null +++ b/etc/electron-mail.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for electron-mail | ||
2 | # Description: Unofficial desktop app for several E2E encrypted email providers | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include electron-mail.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/electron-mail | ||
10 | |||
11 | whitelist ${DOWNLOADS} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.config/electron-mail | ||
22 | whitelist ${HOME}/.config/electron-mail | ||
23 | |||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | netfilter | ||
31 | no3d | ||
32 | # nodbus - breaks tray functionality | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6,netlink | ||
41 | seccomp !chroot | ||
42 | shell none | ||
43 | # tracelog - breaks on Arch | ||
44 | |||
45 | private-bin electron-mail | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alternatives,fonts | ||
49 | private-opt ElectronMail | ||
50 | private-tmp | ||
51 | |||
52 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile new file mode 100644 index 000000000..fa7746da5 --- /dev/null +++ b/etc/ephemeral.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for ephemeral | ||
2 | # Description: The always-incognito web browser | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ephemeral.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # enforce private-cache | ||
10 | #noblacklist ${HOME}/.cache/ephemeral | ||
11 | |||
12 | noblacklist ${HOME}/.pki | ||
13 | noblacklist ${HOME}/.local/share/pki | ||
14 | |||
15 | # noexec ${HOME} breaks DRM binaries. | ||
16 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-programs.inc | ||
23 | |||
24 | # enforce private-cache | ||
25 | #mkdir ${HOME}/.cache/ephemeral | ||
26 | mkdir ${HOME}/.pki | ||
27 | mkdir ${HOME}/.local/share/pki | ||
28 | # enforce private-cache | ||
29 | #whitelist ${HOME}/.cache/ephemeral | ||
30 | whitelist ${HOME}/.pki | ||
31 | whitelist ${HOME}/.local/share/pki | ||
32 | whitelist ${DOWNLOADS} | ||
33 | include whitelist-common.inc | ||
34 | include whitelist-usr-share-common.inc | ||
35 | include whitelist-var-common.inc | ||
36 | |||
37 | apparmor | ||
38 | caps.drop all | ||
39 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | ||
40 | #machine-id | ||
41 | netfilter | ||
42 | # nodbus breaks preferences | ||
43 | #nodbus | ||
44 | nodvd | ||
45 | nogroups | ||
46 | nonewprivs | ||
47 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. | ||
48 | noroot | ||
49 | notv | ||
50 | ?BROWSER_DISABLE_U2F: nou2f | ||
51 | protocol unix,inet,inet6,netlink | ||
52 | seccomp | ||
53 | shell none | ||
54 | tracelog | ||
55 | |||
56 | disable-mnt | ||
57 | private-cache | ||
58 | private-dev | ||
59 | # private-etc below works fine on most distributions. There are some problems on CentOS. | ||
60 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | ||
61 | private-tmp | ||
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index 19d9a7644..67c0ed311 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -18,6 +18,7 @@ include disable-passwdmgr.inc | |||
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | whitelist /usr/share/devedeng | ||
21 | whitelist /usr/share/ffmpeg | 22 | whitelist /usr/share/ffmpeg |
22 | whitelist /usr/share/qtchooser | 23 | whitelist /usr/share/qtchooser |
23 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
@@ -38,7 +39,8 @@ notv | |||
38 | nou2f | 39 | nou2f |
39 | novideo | 40 | novideo |
40 | protocol inet,inet6 | 41 | protocol inet,inet6 |
41 | seccomp | 42 | # allow set_mempolicy, which is required to encode using libx265 |
43 | seccomp !set_mempolicy | ||
42 | shell none | 44 | shell none |
43 | tracelog | 45 | tracelog |
44 | 46 | ||
diff --git a/etc/firefox-wayland.profile b/etc/firefox-wayland.profile index 068da5ee3..17c9f059e 100644 --- a/etc/firefox-wayland.profile +++ b/etc/firefox-wayland.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firejail profile for firefox-wayland | 1 | # Firejail profile alias for firefox-wayland |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include firefox-wayland.local | 4 | include firefox-wayland.local |
diff --git a/etc/firejail-default b/etc/firejail-default index a012f5440..2987e538c 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -57,6 +57,9 @@ owner /{,var/}run/media/** w, | |||
57 | # Allow access to cups printing socket. | 57 | # Allow access to cups printing socket. |
58 | /{,var/}run/cups/cups.sock w, | 58 | /{,var/}run/cups/cups.sock w, |
59 | 59 | ||
60 | # Allow access to pcscd socket (smartcards) | ||
61 | /{,var/}run/pcscd/pcscd.comm w, | ||
62 | |||
60 | # Needed for firefox sandbox | 63 | # Needed for firefox sandbox |
61 | /proc/@{PID}/{uid_map,gid_map,setgroups} w, | 64 | /proc/@{PID}/{uid_map,gid_map,setgroups} w, |
62 | 65 | ||
@@ -148,14 +151,6 @@ capability setfcap, | |||
148 | #capability mac_override, | 151 | #capability mac_override, |
149 | #capability mac_admin, | 152 | #capability mac_admin, |
150 | 153 | ||
151 | ########## | ||
152 | # We let Firejail deal with mount/umount functionality. | ||
153 | ########## | ||
154 | mount, | ||
155 | remount, | ||
156 | umount, | ||
157 | pivot_root, | ||
158 | |||
159 | # Site-specific additions and overrides. See local/README for details. | 154 | # Site-specific additions and overrides. See local/README for details. |
160 | #include <local/firejail-local> | 155 | #include <local/firejail-local> |
161 | } | 156 | } |
diff --git a/etc/gconf.profile b/etc/gconf.profile index 2f930235c..25145c77d 100644 --- a/etc/gconf.profile +++ b/etc/gconf.profile | |||
@@ -52,7 +52,7 @@ private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert, | |||
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,fonts,gconf | 54 | private-etc alternatives,fonts,gconf |
55 | private-lib libpython*,python2* | 55 | private-lib GConf,libpython*,python2* |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile new file mode 100644 index 000000000..dcb33bc38 --- /dev/null +++ b/etc/gfeeds.profile | |||
@@ -0,0 +1,56 @@ | |||
1 | # Firejail profile for gfeeds | ||
2 | # Description: RSS/Atom feed reader for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gfeeds.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
10 | noblacklist ${HOME}/.config/org.gabmus.gfeeds.json | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python3.inc | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.cache/org.gabmus.gfeeds | ||
24 | mkfile ${HOME}/.config/org.gabmus.gfeeds.json | ||
25 | whitelist ${HOME}/.cache/org.gabmus.gfeeds | ||
26 | whitelist ${HOME}/.config/org.gabmus.gfeeds.json | ||
27 | whitelist /usr/share/gfeeds | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | machine-id | ||
35 | netfilter | ||
36 | no3d | ||
37 | #nodbus | ||
38 | nodvd | ||
39 | nogroups | ||
40 | nonewprivs | ||
41 | noroot | ||
42 | nosound | ||
43 | notv | ||
44 | nou2f | ||
45 | novideo | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin gfeeds,python3* | ||
53 | # private-cache -- feeds are stored in ~/.cache | ||
54 | private-dev | ||
55 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg | ||
56 | private-tmp | ||
diff --git a/etc/gimp.profile b/etc/gimp.profile index 81ae95645..5c0631eb2 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -11,6 +11,8 @@ include globals.local | |||
11 | # or put 'noexec ${HOME}' in your gimp.local | 11 | # or put 'noexec ${HOME}' in your gimp.local |
12 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
13 | 13 | ||
14 | noblacklist ${HOME}/.cache/babl | ||
15 | noblacklist ${HOME}/.cache/gegl-0.4 | ||
14 | noblacklist ${HOME}/.cache/gimp | 16 | noblacklist ${HOME}/.cache/gimp |
15 | noblacklist ${HOME}/.config/GIMP | 17 | noblacklist ${HOME}/.config/GIMP |
16 | noblacklist ${HOME}/.gimp* | 18 | noblacklist ${HOME}/.gimp* |
@@ -23,8 +25,10 @@ include disable-passwdmgr.inc | |||
23 | include disable-programs.inc | 25 | include disable-programs.inc |
24 | include disable-xdg.inc | 26 | include disable-xdg.inc |
25 | 27 | ||
28 | whitelist /usr/share/gegl-0.4 | ||
26 | whitelist /usr/share/gimp | 29 | whitelist /usr/share/gimp |
27 | whitelist /usr/share/mypaint-data | 30 | whitelist /usr/share/mypaint-data |
31 | whitelist /usr/share/lensfun | ||
28 | include whitelist-usr-share-common.inc | 32 | include whitelist-usr-share-common.inc |
29 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
30 | 34 | ||
diff --git a/etc/gist-paste.profile b/etc/gist-paste.profile new file mode 100644 index 000000000..56b3176ed --- /dev/null +++ b/etc/gist-paste.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for gist-paste | ||
2 | # Description: Potentially the best command line gister | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gist-paste.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | # Redirect | ||
12 | include gist.profile | ||
diff --git a/etc/gist.profile b/etc/gist.profile new file mode 100644 index 000000000..7413238c8 --- /dev/null +++ b/etc/gist.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for gist | ||
2 | # Description: Potentially the best command line gister | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gist.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.gist | ||
13 | |||
14 | # Allow ruby (blacklisted by disable-interpreters.inc) | ||
15 | include allow-ruby.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | mkdir ${HOME}/.gist | ||
26 | whitelist ${HOME}/.gist | ||
27 | whitelist ${DOWNLOADS} | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | ipc-namespace | ||
35 | machine-id | ||
36 | netfilter | ||
37 | no3d | ||
38 | nodbus | ||
39 | nodvd | ||
40 | nogroups | ||
41 | nonewprivs | ||
42 | noroot | ||
43 | nosound | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | protocol unix,inet,inet6 | ||
48 | seccomp | ||
49 | shell none | ||
50 | tracelog | ||
51 | |||
52 | disable-mnt | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives | ||
56 | private-tmp | ||
57 | |||
58 | memory-deny-write-execute | ||
diff --git a/etc/gmpc.profile b/etc/gmpc.profile new file mode 100644 index 000000000..b1546db30 --- /dev/null +++ b/etc/gmpc.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for gmpc | ||
2 | # Description: MPD client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gmpc.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gmpc | ||
10 | noblacklist ${MUSIC} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/gmpc | ||
21 | whitelist ${HOME}/.config/gmpc | ||
22 | whitelist ${MUSIC} | ||
23 | whitelist /usr/share/gmpc | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | netfilter | ||
32 | no3d | ||
33 | #nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6 | ||
42 | seccomp | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | #private-bin gmpc | ||
48 | private-cache | ||
49 | private-etc alternatives,fonts | ||
50 | private-tmp | ||
51 | writable-run-user | ||
52 | |||
53 | # memory-deny-write-execute - breaks on Arch | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 36e50370e..c11773147 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for gpg-agent | 1 | # Firejail profile for gpg-agent |
2 | # Description: GNU privacy guard - cryptographic agent | 2 | # Description: GNU privacy guard - cryptographic agent |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include gpg-agent.local | 6 | include gpg-agent.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 1ed5e484a..5eb18a0bc 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for gpg | 1 | # Firejail profile for gpg |
2 | # Description: GNU Privacy Guard -- minimalist public key operations | 2 | # Description: GNU Privacy Guard -- minimalist public key operations |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include gpg.local | 6 | include gpg.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/gpg2.profile b/etc/gpg2.profile new file mode 100644 index 000000000..b831b0f62 --- /dev/null +++ b/etc/gpg2.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for gpg2 | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include gpg2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # private-bin gpg2 | ||
11 | |||
12 | # Redirect | ||
13 | include gpg.profile | ||
diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile new file mode 100644 index 000000000..fd35a563b --- /dev/null +++ b/etc/gtk-update-icon-cache.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for gtk-update-icon-cache | ||
2 | # Description: Icon theme caching utility | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gtk-update-icon-cache.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-common.inc | ||
19 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | ipc-namespace | ||
25 | machine-id | ||
26 | net none | ||
27 | no3d | ||
28 | nodbus | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | x11 none | ||
42 | |||
43 | disable-mnt | ||
44 | private-bin gtk-update-icon-cache | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc none | ||
48 | private-lib | ||
49 | private-tmp | ||
50 | |||
51 | memory-deny-write-execute | ||
diff --git a/etc/gzexe.profile b/etc/gzexe.profile new file mode 100644 index 000000000..bb570d553 --- /dev/null +++ b/etc/gzexe.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for gzexe | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include gzexe.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/ooffice.profile b/etc/ooffice.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/ooffice.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
diff --git a/etc/ooviewdoc.profile b/etc/ooviewdoc.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/ooviewdoc.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
diff --git a/etc/openoffice.org.profile b/etc/openoffice.org.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/openoffice.org.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
diff --git a/etc/p7zip.profile b/etc/p7zip.profile index 7e0069afc..652fac7bd 100644 --- a/etc/p7zip.profile +++ b/etc/p7zip.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for p7zip | 1 | # Firejail profile for p7zip |
2 | # Description: 7zr file archiver with high compression ratio | 2 | # Description: File archiver with high compression ratio |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/profanity.profile b/etc/profanity.profile new file mode 100644 index 000000000..6ca9314e9 --- /dev/null +++ b/etc/profanity.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for profanity | ||
2 | # Description: profanity is an XMPP chat client for the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include profanity.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/profanity | ||
11 | noblacklist ${HOME}/.local/share/profanity | ||
12 | |||
13 | # Allow Python | ||
14 | include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | caps.drop all | ||
29 | netfilter | ||
30 | no3d | ||
31 | nodbus | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6 | ||
41 | seccomp | ||
42 | shell none | ||
43 | |||
44 | private-bin profanity | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl | ||
48 | private-tmp | ||
49 | |||
50 | memory-deny-write-execute | ||
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile index 4bf23c512..96ff74edf 100644 --- a/etc/seahorse-tool.profile +++ b/etc/seahorse-tool.profile | |||
@@ -7,9 +7,9 @@ include seahorse-tool.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # private-etc workaround for: #2877 | ||
11 | private-etc firejail,login.defs,passwd | ||
10 | private-tmp | 12 | private-tmp |
11 | 13 | ||
12 | memory-deny-write-execute | ||
13 | |||
14 | # Redirect | 14 | # Redirect |
15 | include seahorse.profile | 15 | include seahorse.profile |
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 6acf8aa5d..5a742d05f 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -20,17 +20,19 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | mkdir ${HOME}/.gnupg | 23 | # whitelisting in ${HOME} breaks file encryption feature of nautilus. |
24 | mkdir ${HOME}/.ssh | 24 | # once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile |
25 | whitelist ${HOME}/.gnupg | 25 | #mkdir ${HOME}/.gnupg |
26 | whitelist ${HOME}/.ssh | 26 | #mkdir ${HOME}/.ssh |
27 | #whitelist ${HOME}/.gnupg | ||
28 | #whitelist ${HOME}/.ssh | ||
27 | whitelist /tmp/ssh-* | 29 | whitelist /tmp/ssh-* |
28 | whitelist /usr/share/gnupg | 30 | whitelist /usr/share/gnupg |
29 | whitelist /usr/share/gnupg2 | 31 | whitelist /usr/share/gnupg2 |
30 | whitelist /usr/share/seahorse | 32 | whitelist /usr/share/seahorse |
31 | whitelist /usr/share/seahorse-nautilus | 33 | whitelist /usr/share/seahorse-nautilus |
34 | #include whitelist-common.inc | ||
32 | include whitelist-usr-share-common.inc | 35 | include whitelist-usr-share-common.inc |
33 | include whitelist-common.inc | ||
34 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
35 | 37 | ||
36 | apparmor | 38 | apparmor |
diff --git a/etc/thunderbird-wayland.profile b/etc/thunderbird-wayland.profile index 031d331e7..9fbb80d29 100644 --- a/etc/thunderbird-wayland.profile +++ b/etc/thunderbird-wayland.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for thunderbird-wayland | 1 | # Firejail profile alias for thunderbird-wayland |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include thunderbird-wayland.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include thunderbird.profile | 10 | include thunderbird.profile |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index ea6e3855d..e30b57498 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.gnupg | |||
14 | # noblacklist ${HOME}/.icedove | 14 | # noblacklist ${HOME}/.icedove |
15 | noblacklist ${HOME}/.thunderbird | 15 | noblacklist ${HOME}/.thunderbird |
16 | 16 | ||
17 | # Uncomment the next 4 lines or put they in your thunderbird.local to | 17 | # Uncomment the next 4 lines or put them in your thunderbird.local to |
18 | # allow Firefox to load your profile when clicking a link in an email | 18 | # allow Firefox to load your profile when clicking a link in an email |
19 | #noblacklist ${HOME}/.cache/mozilla | 19 | #noblacklist ${HOME}/.cache/mozilla |
20 | #noblacklist ${HOME}/.mozilla | 20 | #noblacklist ${HOME}/.mozilla |
@@ -39,7 +39,7 @@ whitelist ${HOME}/.thunderbird | |||
39 | 39 | ||
40 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE | 40 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE |
41 | ignore private-tmp | 41 | ignore private-tmp |
42 | # machine-id breaks audio in browsers; enable it when sound is not required | 42 | # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required |
43 | # machine-id | 43 | # machine-id |
44 | read-only ${HOME}/.config/mimeapps.list | 44 | read-only ${HOME}/.config/mimeapps.list |
45 | # writable-run-user and dbus are needed by enigmail | 45 | # writable-run-user and dbus are needed by enigmail |
diff --git a/etc/uncompress.profile b/etc/uncompress.profile new file mode 100644 index 000000000..f659d8e87 --- /dev/null +++ b/etc/uncompress.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for uncompress | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include uncompress.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/unf.profile b/etc/unf.profile new file mode 100644 index 000000000..1f0b2aa32 --- /dev/null +++ b/etc/unf.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for unf | ||
2 | # Description: UNixize Filename -- replace annoying anti-unix characters in filenames | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include unf.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | whitelist ${DOWNLOADS} | ||
19 | include whitelist-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | hostname unf | ||
26 | ipc-namespace | ||
27 | machine-id | ||
28 | net none | ||
29 | no3d | ||
30 | nodbus | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | nosound | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | x11 none | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin unf | ||
47 | private-cache | ||
48 | ?HAS_APPIMAGE: ignore private-dev | ||
49 | private-dev | ||
50 | private-etc alternatives | ||
51 | private-lib libgcc_s.so.* | ||
52 | private-tmp | ||
53 | |||
54 | memory-deny-write-execute | ||
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc index f1b7bd960..322bdefe9 100644 --- a/etc/whitelist-usr-share-common.inc +++ b/etc/whitelist-usr-share-common.inc | |||
@@ -15,6 +15,7 @@ whitelist /usr/share/enchant | |||
15 | whitelist /usr/share/enchant-2 | 15 | whitelist /usr/share/enchant-2 |
16 | whitelist /usr/share/fontconfig | 16 | whitelist /usr/share/fontconfig |
17 | whitelist /usr/share/fonts | 17 | whitelist /usr/share/fonts |
18 | whitelist /usr/share/gir-1.0 | ||
18 | whitelist /usr/share/gjs-1.0 | 19 | whitelist /usr/share/gjs-1.0 |
19 | whitelist /usr/share/glib-2.0 | 20 | whitelist /usr/share/glib-2.0 |
20 | whitelist /usr/share/glvnd | 21 | whitelist /usr/share/glvnd |
@@ -40,6 +41,7 @@ whitelist /usr/share/p11-kit | |||
40 | whitelist /usr/share/pixmaps | 41 | whitelist /usr/share/pixmaps |
41 | whitelist /usr/share/pki | 42 | whitelist /usr/share/pki |
42 | whitelist /usr/share/plasma | 43 | whitelist /usr/share/plasma |
44 | whitelist /usr/share/publicsuffix | ||
43 | whitelist /usr/share/qt | 45 | whitelist /usr/share/qt |
44 | whitelist /usr/share/qt4 | 46 | whitelist /usr/share/qt4 |
45 | whitelist /usr/share/qt5 | 47 | whitelist /usr/share/qt5 |
diff --git a/etc/wine.profile b/etc/wine.profile index 29e79c3f5..67e3952e1 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -18,8 +18,9 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | # uncomment next line if seccomp breaks a program | 21 | # some applications don't need allow-debuggers, comment the next line |
22 | # allow-debuggers | 22 | # if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) |
23 | allow-debuggers | ||
23 | caps.drop all | 24 | caps.drop all |
24 | # net none | 25 | # net none |
25 | netfilter | 26 | netfilter |
diff --git a/etc/zcat.profile b/etc/zcat.profile new file mode 100644 index 000000000..12932ea92 --- /dev/null +++ b/etc/zcat.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zcat | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zcat.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zcmp.profile b/etc/zcmp.profile new file mode 100644 index 000000000..795cdae2a --- /dev/null +++ b/etc/zcmp.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zcmp | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zcmp.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zdiff.profile b/etc/zdiff.profile new file mode 100644 index 000000000..1e75e38fe --- /dev/null +++ b/etc/zdiff.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zdiff | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zdiff.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zegrep.profile b/etc/zegrep.profile new file mode 100644 index 000000000..54dc6b2a0 --- /dev/null +++ b/etc/zegrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zegrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zegrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zfgrep.profile b/etc/zfgrep.profile new file mode 100644 index 000000000..73b22f2e8 --- /dev/null +++ b/etc/zfgrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zfgrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zfgrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zforce.profile b/etc/zforce.profile new file mode 100644 index 000000000..d62e57065 --- /dev/null +++ b/etc/zforce.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zforce | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zforce.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zgrep.profile b/etc/zgrep.profile new file mode 100644 index 000000000..b39a58420 --- /dev/null +++ b/etc/zgrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zgrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zgrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zless.profile b/etc/zless.profile new file mode 100644 index 000000000..0a26cda1f --- /dev/null +++ b/etc/zless.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zless | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zless.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zmore.profile b/etc/zmore.profile new file mode 100644 index 000000000..3a8f63562 --- /dev/null +++ b/etc/zmore.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zmore | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zmore.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/znew.profile b/etc/znew.profile new file mode 100644 index 000000000..a8593e58e --- /dev/null +++ b/etc/znew.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for znew | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include znew.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||