Diffstat (limited to 'etc')
-rw-r--r--etc/7z.profile1
-rw-r--r--etc/7za.profile1
-rw-r--r--etc/7zr.profile1
-rw-r--r--etc/audio-recorder.profile51
-rw-r--r--etc/baobab.profile2
-rw-r--r--etc/brasero.profile2
-rw-r--r--etc/brave-browser-beta.profile5
-rw-r--r--etc/brave-browser-dev.profile5
-rw-r--r--etc/brave-browser-nightly.profile5
-rw-r--r--etc/brave-browser-stable.profile5
-rw-r--r--etc/brave.profile16
-rw-r--r--etc/cameramonitor.profile53
-rw-r--r--etc/ddgtk.profile54
-rw-r--r--etc/disable-common.inc6
-rw-r--r--etc/disable-programs.inc13
-rw-r--r--etc/drawio.profile51
-rw-r--r--etc/electron-mail.profile52
-rw-r--r--etc/ephemeral.profile61
-rw-r--r--etc/ffmpeg.profile4
-rw-r--r--etc/firefox-wayland.profile2
-rw-r--r--etc/firejail-default11
-rw-r--r--etc/gconf.profile2
-rw-r--r--etc/gfeeds.profile56
-rw-r--r--etc/gimp.profile4
-rw-r--r--etc/gist-paste.profile12
-rw-r--r--etc/gist.profile58
-rw-r--r--etc/gmpc.profile53
-rw-r--r--etc/gpg-agent.profile1
-rw-r--r--etc/gpg.profile1
-rw-r--r--etc/gpg2.profile13
-rw-r--r--etc/gtk-update-icon-cache.profile51
-rw-r--r--etc/gzexe.profile11
-rw-r--r--etc/ooffice.profile5
-rw-r--r--etc/ooviewdoc.profile5
-rw-r--r--etc/openoffice.org.profile5
-rw-r--r--etc/p7zip.profile2
-rw-r--r--etc/profanity.profile50
-rw-r--r--etc/seahorse-tool.profile4
-rw-r--r--etc/seahorse.profile12
-rw-r--r--etc/thunderbird-wayland.profile5
-rw-r--r--etc/thunderbird.profile4
-rw-r--r--etc/uncompress.profile11
-rw-r--r--etc/unf.profile54
-rw-r--r--etc/whitelist-usr-share-common.inc2
-rw-r--r--etc/wine.profile5
-rw-r--r--etc/zcat.profile11
-rw-r--r--etc/zcmp.profile11
-rw-r--r--etc/zdiff.profile11
-rw-r--r--etc/zegrep.profile11
-rw-r--r--etc/zfgrep.profile11
-rw-r--r--etc/zforce.profile11
-rw-r--r--etc/zgrep.profile11
-rw-r--r--etc/zless.profile11
-rw-r--r--etc/zmore.profile11
-rw-r--r--etc/znew.profile11
55 files changed, 907 insertions, 30 deletions
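diff --git a/etc/7z.profile b/etc/7z.profile
index 284aa37a2..5ff02e1c0 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7z
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations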
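diff --git a/etc/7za.profile b/etc/7za.profile
index 14188e1f0..9cd04cad1 100644
--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7za
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations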
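diff --git a/etc/7zr.profile b/etc/7zr.profile
index 2cb42fa40..bd3842900 100644
--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7zr
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations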
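diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile
new file mode 100644
index 000000000..afd1033de
--- /dev/null
+++ b/etc/audio-recorder.profile
@@ -0,0 +1,51 @@
+# Firejail profile for audio-recorder
+# Description: Audio Recorder Application
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include audio-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/audio-recorder
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+# private-bin audio-recorder
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch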
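Review bot: `# private-bin audio-recorder` near the end of the new profile is switched off without a reason, so a later maintainer cannot tell whether it was tested and broke something or was never tried. The last line shows the convention to follow (`# memory-deny-write-execute - breaks on Arch`); record the cause the same way, e.g. `# private-bin audio-recorder - <what breaks>`. Separately, `x11 none` on a graphical program (also set in ddgtk.profile) looks likely to stop the window from opening in an X11 session, so it is worth testing there as well as on Wayland.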
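diff --git a/etc/baobab.profile b/etc/baobab.profile
index c419aa202..79d4b23f9 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -6,7 +6,7 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
+# include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc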
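Review bot: Commenting out `include disable-common.inc` drops the profile's broadest blacklist, and the new line gives no reason for it. Elsewhere in this commit that include is shown to carry entries such as `blacklist ${PATH}/mount` and `blacklist /proc/config.gz`, all of which become reachable for baobab. If the goal is to let the program read directories the include hides, say so on the line, e.g. `# include disable-common.inc - <why baobab needs the blacklisted paths>`, and consider keeping the include with targeted `noblacklist` lines instead. The rest of the profile lies outside this hunk.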
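diff --git a/etc/brasero.profile b/etc/brasero.profile
index 058253308..67fc07afb 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -32,5 +32,3 @@ tracelog
 private-cache
 # private-dev
 # private-tmp
-
-memory-deny-write-execute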
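diff --git a/etc/brave-browser-beta.profile b/etc/brave-browser-beta.profile
new file mode 100644
index 000000000..528a6402d
--- /dev/null
+++ b/etc/brave-browser-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (beta channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile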
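diff --git a/etc/brave-browser-dev.profile b/etc/brave-browser-dev.profile
new file mode 100644
index 000000000..4601de119
--- /dev/null
+++ b/etc/brave-browser-dev.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (development channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile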
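diff --git a/etc/brave-browser-nightly.profile b/etc/brave-browser-nightly.profile
new file mode 100644
index 000000000..43d3cc724
--- /dev/null
+++ b/etc/brave-browser-nightly.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (nightly channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile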
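diff --git a/etc/brave-browser-stable.profile b/etc/brave-browser-stable.profile
new file mode 100644
index 000000000..06d33dea4
--- /dev/null
+++ b/etc/brave-browser-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (release channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile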
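diff --git a/etc/brave.profile b/etc/brave.profile
index 984fab5a8..35c59f5a3 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,6 +1,6 @@
 # Firejail profile for brave
-# This file is overwritten after every install/update
 # Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
 # Persistent local customizations
 include brave.local
 # Persistent global definitions
@@ -9,16 +9,24 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
 noblacklist ${HOME}/.gnupg
 
-mkdir ${HOME}/.config/brave
+mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
-whitelist ${HOME}/.config/brave
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
 whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
 whitelist ${HOME}/.gnupg
 
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
 # Redirect
 include chromium-common.profile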
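Review bot: `whitelist ${HOME}/.config/brave-flags.conf` in the second hunk leaves that file writable from inside the sandbox; if, as the name suggests, it holds the browser's start-up flags, anything running in the browser's context could alter how the next session is launched. Unless Brave itself must write the file, follow the whitelist with `read-only ${HOME}/.config/brave-flags.conf`. The new `noblacklist /proc/config.gz` does carry a comment, but naming the component that reads the kernel configuration would let the exception be retired once it is no longer needed. chromium-common.profile, which supplies the remaining restrictions, is not visible here.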
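diff --git a/etc/cameramonitor.profile b/etc/cameramonitor.profile
new file mode 100644
index 000000000..1d7aa0f9c
--- /dev/null
+++ b/etc/cameramonitor.profile
@@ -0,0 +1,53 @@
+# Firejail profile for cameramonitor
+# Description: A little monitor to check your webcam status
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cameramonitor.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cameramonitor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cameramonitor,python*
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch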
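Review bot: `#nodbus` is left disabled with no reason, so the sandbox keeps D-Bus access without any record of what depends on it; gfeeds.profile and gmpc.profile in this commit do the same. Write the cause next to the option, as electron-mail.profile does with `# nodbus - breaks tray functionality`, e.g. `# nodbus - <feature that breaks>`. It is also worth confirming that `novideo` is compatible with a tool described as a webcam status monitor, since it hides the video devices from the program.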
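diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile
new file mode 100644
index 000000000..ef65046e1
--- /dev/null
+++ b/etc/ddgtk.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ddgtk
+# Description: A frontend GUI to dd for making bootable USB disks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ddgtk.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist /usr/share/ddgtk
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch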
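Review bot: `private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr` puts two shells back into a sandbox that otherwise sets `shell none` and includes disable-interpreters.inc, and nothing in the file says what calls them. Add a comment above the line naming the caller, e.g. `# ddgtk runs dd and lsblk through a shell - <confirm>`, and drop `bash` or `sh` if only one is actually used. The profile also combines `caps.drop all` and `noroot` for a program that writes to USB disks, which normally needs elevated rights, so confirm it can still do its job under these settings.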
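diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b2837b443..16f231108 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -376,7 +376,10 @@ blacklist ${PATH}/crontab
 blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
@@ -449,3 +452,6 @@ blacklist ${HOME}/Mail
 blacklist ${HOME}/mail
 blacklist ${HOME}/postponed
 blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz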
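diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index fa98825f4..b1605e757 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/bnox
 blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/brave-flags.conf
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -158,7 +159,9 @@ blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/draw.io
 blacklist ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/electron-mail
 blacklist ${HOME}/.config/emaildefaults
 blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
@@ -181,6 +184,7 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gmpc
 blacklist ${HOME}/.config/gnome-builder
 blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
@@ -260,6 +264,7 @@ blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
+blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pavucontrol.ini
@@ -271,6 +276,7 @@ blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
+blacklist ${HOME}/.config/profanity
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -360,6 +366,7 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
 blacklist ${HOME}/.googleearth/Cache
@@ -557,6 +564,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
@@ -689,6 +697,7 @@ blacklist /var/lib/games/Maelstrom-Scores
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
@@ -701,6 +710,7 @@ blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -713,6 +723,7 @@ blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/ephemeral
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
@@ -721,6 +732,7 @@ blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gimp
 blacklist ${HOME}/.cache/godot
@@ -769,6 +781,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
 blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod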
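Review bot: `blacklist ${HOME}/.cache/gegl-0.4` (the hunk starting at old line 721) pins a version number, so a GEGL release that uses a differently numbered cache directory would silently fall outside the blacklist; the matching `noblacklist` added to gimp.profile carries the same pin. The file already uses globs (`${HOME}/.gimp*`, `${HOME}/.cache/akonadi*`), so `blacklist ${HOME}/.cache/gegl-*` would be consistent, with gimp.profile adjusted to match. The same hunk places the new entry ahead of `geeqie`, which breaks the alphabetical order most of the list follows. The rest of the file is outside these hunks.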
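diff --git a/etc/drawio.profile b/etc/drawio.profile
new file mode 100644
index 000000000..d4fd735a1
--- /dev/null
+++ b/etc/drawio.profile
@@ -0,0 +1,51 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch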
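Review bot: `seccomp !chroot` takes the chroot syscall out of the default seccomp filter with no comment, here and in electron-mail.profile. ffmpeg.profile in this commit shows how such an exception should be documented (`# allow set_mempolicy, which is required to encode using libx265`). Add the reason on the line above, e.g. `# allow chroot - <needed by the bundled Electron/Chromium sandbox, confirm>`, so a later reader can tell whether the exception is still required.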
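diff --git a/etc/electron-mail.profile b/etc/electron-mail.profile
new file mode 100644
index 000000000..bde8978df
--- /dev/null
+++ b/etc/electron-mail.profile
@@ -0,0 +1,52 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/electron-mail
+
+whitelist ${DOWNLOADS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+# nodbus - breaks tray functionality
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt ElectronMail
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch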
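Review bot: `private-etc alternatives,fonts` leaves the sandbox's /etc without resolver or certificate files even though the profile enables networking (`netfilter`, `protocol unix,inet,inet6,netlink`), so name resolution and TLS certificate validation are likely to fail for a mail client that has to reach remote servers. gfeeds.profile in this commit shows the entries a networked program keeps; a starting point would be `private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl`. gist.profile (`private-etc alternatives`) and gmpc.profile have the same combination and need the same check.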
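diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
new file mode 100644
index 000000000..fa7746da5
--- /dev/null
+++ b/etc/ephemeral.profile
@@ -0,0 +1,61 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+# nodbus breaks preferences
+#nodbus
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp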
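Review bot: The comment `# noroot breaks GTK_USE_PORTAL=1 usage, see …/issues/2506.` sits directly above an active `noroot`, whereas the two earlier "breaks" comments in this file (`machine-id`, `nodbus`) are each followed by a commented-out option, so the reader cannot tell which outcome was intended. State the decision on the comment line, e.g. `# noroot breaks GTK_USE_PORTAL=1 usage (issue 2506); kept on - add 'ignore noroot' to ephemeral.local if portals are needed`. This browser profile also omits `include disable-passwdmgr.inc` and `include disable-xdg.inc`, which every other new profile in this commit includes; if that is deliberate it deserves a comment as well.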
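diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 19d9a7644..67c0ed311 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -18,6 +18,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/devedeng
 whitelist /usr/share/ffmpeg
 whitelist /usr/share/qtchooser
 include whitelist-usr-share-common.inc
@@ -38,7 +39,8 @@ notv
 nou2f
 novideo
 protocol inet,inet6
-seccomp
+# allow set_mempolicy, which is required to encode using libx265
+seccomp !set_mempolicy
 shell none
 tracelog
 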
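Review bot: `whitelist /usr/share/devedeng` in the first hunk has no explanation, and the directory name appears to belong to a different program than the one this profile confines. A one-line comment such as `# devedeng data, needed when ffmpeg is started by devede - <confirm>` would make the dependency clear. The `seccomp !set_mempolicy` exception in the second hunk is documented, but it applies to every ffmpeg run rather than only libx265 encodes, and the comment should say so. Both hunks sit inside a profile whose beginning and end are not shown.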
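diff --git a/etc/firefox-wayland.profile b/etc/firefox-wayland.profile
index 068da5ee3..17c9f059e 100644
--- a/etc/firefox-wayland.profile
+++ b/etc/firefox-wayland.profile
@@ -1,4 +1,4 @@
-# Firejail profile for firefox-wayland
+# Firejail profile alias for firefox-wayland
 # This file is overwritten after every install/update
 # Persistent local customizations
 include firefox-wayland.local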
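diff --git a/etc/firejail-default b/etc/firejail-default
index a012f5440..2987e538c 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -57,6 +57,9 @@ owner /{,var/}run/media/** w,
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
 
+# Allow access to pcscd socket (smartcards)
+/{,var/}run/pcscd/pcscd.comm w,
+
 # Needed for firefox sandbox
 /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
@@ -148,14 +151,6 @@ capability setfcap,
 #capability mac_override,
 #capability mac_admin,
 
-##########
-# We let Firejail deal with mount/umount functionality.
-##########
-mount,
-remount,
-umount,
-pivot_root,
-
 # Site-specific additions and overrides. See local/README for details.
 #include <local/firejail-local>
 }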
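Review bot: `/{,var/}run/pcscd/pcscd.comm w,` in the first hunk is added to the AppArmor profile that every sandbox using `apparmor` runs under, so all of those programs may now talk to the smart-card daemon, not only the ones that use smart cards. Unless that breadth is intended, the rule fits better in the site-specific file referenced at the end of the profile (`#include <local/firejail-local>`), or at least needs a comment telling administrators how to remove it. The second hunk's removal of `mount,`, `remount,`, `umount,` and `pivot_root,` tightens the profile and needs no change. The profile body begins outside these hunks.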
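diff --git a/etc/gconf.profile b/etc/gconf.profile
index 2f930235c..25145c77d 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -52,7 +52,7 @@ private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,
 private-cache
 private-dev
 private-etc alternatives,fonts,gconf
-private-lib libpython*,python2*
+private-lib GConf,libpython*,python2*
 private-tmp
 
 memory-deny-write-execute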
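diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
new file mode 100644
index 000000000..dcb33bc38
--- /dev/null
+++ b/etc/gfeeds.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gfeeds
+# Description: RSS/Atom feed reader for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gfeeds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/org.gabmus.gfeeds
+mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist /usr/share/gfeeds
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gfeeds,python3*
+# private-cache -- feeds are stored in ~/.cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp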
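diff --git a/etc/gimp.profile b/etc/gimp.profile
index 81ae95645..5c0631eb2 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include globals.local
 # or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 
+noblacklist ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/gegl-0.4
 noblacklist ${HOME}/.cache/gimp
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
@@ -23,8 +25,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/gegl-0.4
 whitelist /usr/share/gimp
 whitelist /usr/share/mypaint-data
+whitelist /usr/share/lensfun
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 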
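diff --git a/etc/gist-paste.profile b/etc/gist-paste.profile
new file mode 100644
index 000000000..56b3176ed
--- /dev/null
+++ b/etc/gist-paste.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gist-paste
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist-paste.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gist.profile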
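diff --git a/etc/gist.profile b/etc/gist.profile
new file mode 100644
index 000000000..7413238c8
--- /dev/null
+++ b/etc/gist.profile
@@ -0,0 +1,58 @@
+# Firejail profile for gist
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.gist
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gist
+whitelist ${HOME}/.gist
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute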
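diff --git a/etc/gmpc.profile b/etc/gmpc.profile
new file mode 100644
index 000000000..b1546db30
--- /dev/null
+++ b/etc/gmpc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gmpc
+# Description: MPD client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gmpc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gmpc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
+whitelist ${MUSIC}
+whitelist /usr/share/gmpc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin gmpc
+private-cache
+private-etc alternatives,fonts
+private-tmp
+writable-run-user
+
+# memory-deny-write-execute - breaks on Arch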
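Review bot: `writable-run-user` on line 51 is added without a stated reason. It lifts the default blacklist on /run/user/$UID/systemd and /run/user/$UID/gnupg, so a network-facing MPD client gains access to the gpg-agent sockets. `#nodbus` (line 33) and `#private-bin gmpc` (line 47) are disabled just as silently, while line 53 does say why. Either drop `writable-run-user` if gmpc runs without it, or add a why-comment in the style thunderbird.profile already uses, e.g. `# writable-run-user is needed by <feature>`, and the same for the two commented-out options.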
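diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 36e50370e..c11773147 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,6 +1,7 @@
 # Firejail profile for gpg-agent
 # Description: GNU privacy guard - cryptographic agent
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gpg-agent.local
 # Persistent global definitions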
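diff --git a/etc/gpg.profile b/etc/gpg.profile
index 1ed5e484a..5eb18a0bc 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,6 +1,7 @@
 # Firejail profile for gpg
 # Description: GNU Privacy Guard -- minimalist public key operations
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gpg.local
 # Persistent global definitions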
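diff --git a/etc/gpg2.profile b/etc/gpg2.profile
new file mode 100644
index 000000000..b831b0f62
--- /dev/null
+++ b/etc/gpg2.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gpg2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-bin gpg2
+
+# Redirect
+include gpg.profile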
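diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile
new file mode 100644
index 000000000..fd35a563b
--- /dev/null
+++ b/etc/gtk-update-icon-cache.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gtk-update-icon-cache
+# Description: Icon theme caching utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gtk-update-icon-cache.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gtk-update-icon-cache
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+memory-deny-write-execute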
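Review bot: Nothing in the profile says where the icon cache may be written, although writing a cache file into a theme directory is the tool's whole job. With `include whitelist-common.inc` (line 18), `disable-mnt` and `private-tmp`, the writable locations depend on include files that are not shown here, so a run against a theme directory outside them would presumably write into a temporary filesystem and be discarded, and `quiet` hides firejail's own messages about it. A comment above line 18 such as `# only theme directories whitelisted by the includes below can be updated` would make that limit explicit. It is also worth confirming the profile against the package-hook case where the tool runs as root.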
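diff --git a/etc/gzexe.profile b/etc/gzexe.profile
new file mode 100644
index 000000000..bb570d553
--- /dev/null
+++ b/etc/gzexe.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gzexe
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzexe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile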
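diff --git a/etc/ooffice.profile b/etc/ooffice.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/ooffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile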
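Review bot: This alias has no `.local` include, so a user has no persistent place to tighten or adjust the sandbox for `ooffice` alone; the file itself is overwritten on every update, as line 2 says. The same commit adds exactly that hook to thunderbird-wayland.profile, and the other redirect profiles added here (gist-paste, gpg2, gzexe, the z* wrappers) all carry it. For consistency, add `# Persistent local customizations` and `include ooffice.local` after line 2. ooviewdoc.profile and openoffice.org.profile are byte-identical to this file and need the same two lines with their own names.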
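diff --git a/etc/ooviewdoc.profile b/etc/ooviewdoc.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/ooviewdoc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile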
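diff --git a/etc/openoffice.org.profile b/etc/openoffice.org.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/openoffice.org.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile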
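diff --git a/etc/p7zip.profile b/etc/p7zip.profile
index 7e0069afc..652fac7bd 100644
--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,5 +1,5 @@
 # Firejail profile for p7zip
-# Description: 7zr file archiver with high compression ratio
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations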
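diff --git a/etc/profanity.profile b/etc/profanity.profile
new file mode 100644
index 000000000..6ca9314e9
--- /dev/null
+++ b/etc/profanity.profile
@@ -0,0 +1,50 @@
+# Firejail profile for profanity
+# Description: profanity is an XMPP chat client for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include profanity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/profanity
+noblacklist ${HOME}/.local/share/profanity
+
+# Allow Python
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin profanity
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute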
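Review bot: The profile never whitelists anything under ${HOME}: lines 10-11 only `noblacklist` the two profanity directories, and `whitelist-common.inc` is not included. A network-facing chat client that also loads Python plugins can therefore read every path in ${HOME} that the disable-*.inc blacklists do not happen to cover. gist.profile and gmpc.profile in this commit use the `mkdir` plus `whitelist` pattern, and the same pattern would confine profanity to its own configuration and data, as sketched below. If sending files from elsewhere in ${HOME} must keep working, a `whitelist ${DOWNLOADS}` line can be added as gist.profile does.

```conf
# … unchanged: noblacklist, allow-python and disable-*.inc lines …
mkdir ${HOME}/.config/profanity
mkdir ${HOME}/.local/share/profanity
whitelist ${HOME}/.config/profanity
whitelist ${HOME}/.local/share/profanity
include whitelist-common.inc
include whitelist-usr-share-common.inc
# … unchanged: whitelist-var-common.inc and the option block …
```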
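diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 4bf23c512..96ff74edf 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,9 +7,9 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
+# private-etc workaround for: #2877
+private-etc firejail,login.defs,passwd
 private-tmp
 
-memory-deny-write-execute
-
 # Redirect
 include seahorse.profile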
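Review bot: `memory-deny-write-execute` is removed here with no explanation, while the two added lines are carefully tied to #2877. Dropping it loosens the sandbox for a tool that handles key material, and the next maintainer cannot tell whether it broke something or was removed by accident. Leave a marker in its place in the form gmpc.profile uses, e.g. `# memory-deny-write-execute - breaks <what failed>`. Lines 1-6 of the file and the included seahorse.profile options are outside this hunk, so whether the option is still applied through the redirect cannot be judged from here.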
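diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 6acf8aa5d..5a742d05f 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -20,17 +20,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.gnupg
-mkdir ${HOME}/.ssh
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.ssh
+# whitelisting in ${HOME} breaks file encryption feature of nautilus.
+# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+#mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.ssh
+#whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.ssh
 whitelist /tmp/ssh-*
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor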
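Review bot: Commenting out the ${HOME} whitelist and `whitelist-common.inc` takes seahorse from seeing only ~/.gnupg and ~/.ssh to seeing every path in ${HOME} that the disable-*.inc blacklists do not cover. That applies to the seahorse GUI itself, not just to the nautilus file-encryption path the new comment mentions. The comment explains the breakage but not this consequence, so I would add a line such as `# until then ${HOME} is restricted only by the disable-*.inc blacklists`. The profile continues above line 20 and below line 38, outside the hunk, so anything else that narrows ${HOME} is not visible here.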
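diff --git a/etc/thunderbird-wayland.profile b/etc/thunderbird-wayland.profile
index 031d331e7..9fbb80d29 100644
--- a/etc/thunderbird-wayland.profile
+++ b/etc/thunderbird-wayland.profile
@@ -1,5 +1,10 @@
 # Firejail profile alias for thunderbird-wayland
 # This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 # Redirect
 include thunderbird.profile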
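diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index ea6e3855d..e30b57498 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 
-# Uncomment the next 4 lines or put they in your thunderbird.local to
+# Uncomment the next 4 lines or put them in your thunderbird.local to
 # allow Firefox to load your profile when clicking a link in an email
 #noblacklist ${HOME}/.cache/mozilla
 #noblacklist ${HOME}/.mozilla
@@ -39,7 +39,7 @@ whitelist ${HOME}/.thunderbird
 
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks audio in browsers; enable it when sound is not required
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 # machine-id
 read-only ${HOME}/.config/mimeapps.list
 # writable-run-user and dbus are needed by enigmail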
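diff --git a/etc/uncompress.profile b/etc/uncompress.profile
new file mode 100644
index 000000000..f659d8e87
--- /dev/null
+++ b/etc/uncompress.profile
@@ -0,0 +1,11 @@
+# Firejail profile for uncompress
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uncompress.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile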
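diff --git a/etc/unf.profile b/etc/unf.profile
new file mode 100644
index 000000000..1f0b2aa32
--- /dev/null
+++ b/etc/unf.profile
@@ -0,0 +1,54 @@
+# Firejail profile for unf
+# Description: UNixize Filename -- replace annoying anti-unix characters in filenames
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unf.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname unf
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin unf
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives
+private-lib libgcc_s.so.*
+private-tmp
+
+memory-deny-write-execute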
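diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index f1b7bd960..322bdefe9 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -15,6 +15,7 @@ whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
@@ -40,6 +41,7 @@ whitelist /usr/share/p11-kit
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
+whitelist /usr/share/publicsuffix
 whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5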
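diff --git a/etc/wine.profile b/etc/wine.profile
index 29e79c3f5..67e3952e1 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -18,8 +18,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-# uncomment next line if seccomp breaks a program
-# allow-debuggers
+# some applications don't need allow-debuggers, comment the next line
+# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local)
+allow-debuggers
 caps.drop all
 # net none
 netfilter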
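Review bot: `allow-debuggers` at new line 23 goes from an opt-in troubleshooting switch to default-on for every program started under Wine. The option relaxes the seccomp filter to permit ptrace and process_vm_readv, which is a notable loosening for a profile whose usual workload is third-party Windows binaries. I would keep it opt-in, or at least have the comment say what is being relaxed, e.g. `# allow-debuggers permits ptrace/process_vm_readv under seccomp; put 'ignore allow-debuggers' in wine.local to restore the stricter filter`. The rest of the option block lies outside the hunk.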
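diff --git a/etc/zcat.profile b/etc/zcat.profile
new file mode 100644
index 000000000..12932ea92
--- /dev/null
+++ b/etc/zcat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile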
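diff --git a/etc/zcmp.profile b/etc/zcmp.profile
new file mode 100644
index 000000000..795cdae2a
--- /dev/null
+++ b/etc/zcmp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile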
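diff --git a/etc/zdiff.profile b/etc/zdiff.profile
new file mode 100644
index 000000000..1e75e38fe
--- /dev/null
+++ b/etc/zdiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile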
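diff --git a/etc/zegrep.profile b/etc/zegrep.profile
new file mode 100644
index 000000000..54dc6b2a0
--- /dev/null
+++ b/etc/zegrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile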
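diff --git a/etc/zfgrep.profile b/etc/zfgrep.profile
new file mode 100644
index 000000000..73b22f2e8
--- /dev/null
+++ b/etc/zfgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile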
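diff --git a/etc/zforce.profile b/etc/zforce.profile
new file mode 100644
index 000000000..d62e57065
--- /dev/null
+++ b/etc/zforce.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile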
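diff --git a/etc/zgrep.profile b/etc/zgrep.profile
new file mode 100644
index 000000000..b39a58420
--- /dev/null
+++ b/etc/zgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile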
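diff --git a/etc/zless.profile b/etc/zless.profile
new file mode 100644
index 000000000..0a26cda1f
--- /dev/null
+++ b/etc/zless.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile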
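diff --git a/etc/zmore.profile b/etc/zmore.profile
new file mode 100644
index 000000000..3a8f63562
--- /dev/null
+++ b/etc/zmore.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile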
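diff --git a/etc/znew.profile b/etc/znew.profile
new file mode 100644
index 000000000..a8593e58e
--- /dev/null
+++ b/etc/znew.profile
@@ -0,0 +1,11 @@
+# Firejail profile for znew
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include znew.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile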