Diffstat (limited to 'etc')
129 files changed, 1883 insertions, 538 deletions
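diff --git a/etc/0ad.profile b/etc/0ad.profile
new file mode 100644
index 000000000..11fb45463
--- /dev/null
+++ b/etc/0ad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelists
+mkdir ~/.cache
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+
+mkdir ~/.config
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+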
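Review bot: The home whitelists at lines 13, 17 and 22 are not followed by `include /etc/firejail/whitelist-common.inc`, which the other whitelist-based profiles in this commit add after their whitelist block (abrowser, dillo, Mathematica, cherrytree). Once any home whitelist is in effect the rest of $HOME is presumably hidden, so whatever whitelist-common.inc re-exposes would be missing here; if the omission is deliberate, a one-line comment saying so would stop it being "fixed" later. aweather.profile and brave.profile in this commit have the same shape. The trailing empty line 35 can also go.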
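diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile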
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 73fb0c9e0..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -1,15 +1,20 @@ | |||
1 | # Mathematica profile | 1 | # Mathematica profile |
2 | noblacklist ${HOME}/.Mathematica | ||
3 | noblacklist ${HOME}/.Wolfram Research | ||
4 | |||
2 | mkdir ~/.Mathematica | 5 | mkdir ~/.Mathematica |
3 | whitelist ~/.Mathematica | 6 | whitelist ~/.Mathematica |
4 | mkdir ~/.Wolfram Research | 7 | mkdir ~/.Wolfram Research |
5 | whitelist ~/.Wolfram Research | 8 | whitelist ~/.Wolfram Research |
6 | whitelist ~/Documents/Wolfram Mathematica | 9 | whitelist ~/Documents/Wolfram Mathematica |
7 | include /etc/firejail/whitelist-common.inc | 10 | include /etc/firejail/whitelist-common.inc |
8 | include /etc/firejail/disable-mgmt.inc | 11 | |
9 | include /etc/firejail/disable-secret.inc | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-terminals.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | |||
13 | caps.drop all | 17 | caps.drop all |
14 | seccomp | 18 | nonewprivs |
15 | noroot | 19 | noroot |
20 | seccomp | ||
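Review bot: The two new noblacklist lines (2–3) use `${HOME}` while the mkdir/whitelist lines directly below keep `~` for the very same directories; pick one form for the file, e.g. `noblacklist ~/.Mathematica` and `noblacklist ~/.Wolfram Research`, so each pair reads as matching. Unlike most profiles touched by this commit, the file still has no `protocol` line next to `caps.drop all`/`seccomp`; if that is intended, a short comment would make it clear rather than looking like an oversight.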
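diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile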
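Review bot: The header comment `# Telegram IRC profile` at line 1 mislabels the program — Telegram is an instant messenger, not an IRC client, and the file only redirects to the lower-case telegram.profile. Suggest `# Telegram profile (wrapper for /etc/firejail/telegram.profile)` so the capitalised alias is recognisable as such, matching how Cyberfox.profile in this commit describes itself.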
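diff --git a/etc/abrowser.profile b/etc/abrowser.profile
new file mode 100644
index 000000000..65247e7d3
--- /dev/null
+++ b/etc/abrowser.profile
@@ -0,0 +1,52 @@
+# Firejail profile for Abrowser
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse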
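Review bot: `whitelist ~/keepassx.kdbx` at line 38 has no matching `noblacklist` ahead of the `include /etc/firejail/disable-common.inc` at line 5, and disable-common.inc in this same commit adds `blacklist ${HOME}/*.kdbx`; the profiles here pair a noblacklist with a later whitelist for exactly this case (e.g. `~/.mozilla` at lines 3 and 19), so this whitelist presumably has no effect and the database stays hidden. If browser access to the KeePass database is intended, add `noblacklist ~/keepassx.kdbx` before the includes; if not, drop the whitelist rather than leave a misleading one. cyberfox.profile line 37 has the same pattern. The commented-out private-etc line at 52 is dead configuration; either enable it or say why it is parked.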
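diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..3c753e86c
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,19 @@
+# Firjail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound
+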
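Review bot: The header comment at line 1 misspells the project name: `# Firjail profile for Atom Beta.` should read `# Firejail profile for Atom Beta.`; atom.profile line 1 has the same typo. Apart from that title and the trailing empty line 19, this file is identical to atom.profile, so it could simply be `include /etc/firejail/atom.profile` the way Cyberfox.profile wraps cyberfox.profile in this commit, leaving one place to maintain.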
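diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..8304cd379
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,18 @@
+# Firjail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound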
diff --git a/etc/atril.profile b/etc/atril.profile index d87781c7d..bfe731bec 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -1,7 +1,20 @@ | |||
1 | # Atril profile | 1 | # Atril profile |
2 | noblacklist ~/.config/atril | ||
3 | noblacklist ~/.local/share | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
2 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
3 | include /etc/firejail/generic.profile | 7 | include /etc/firejail/disable-passwdmgr.inc |
4 | blacklist ${HOME}/.wine | ||
5 | 8 | ||
9 | caps.drop all | ||
10 | nonewprivs | ||
11 | nogroups | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
6 | tracelog | 17 | tracelog |
7 | 18 | ||
19 | private-bin atril, atril-previewer, atril-thumbnailer | ||
20 | private-dev | ||
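Review bot: `noblacklist ~/.local/share` at line 3 reopens the whole directory rather than the one Atril uses; if noblacklist is matched by path prefix (not verifiable from this page), it would also undo the `${HOME}/.local/share/systemd` and `${HOME}/.local/share/kwalletd` blacklists that disable-common.inc adds in this commit. Narrow it to the specific subdirectory Atril needs and add a comment naming it. Separately, `private-bin atril, atril-previewer, atril-thumbnailer` at line 19 puts spaces after the commas while every other private-bin line in this commit (`private-bin deluge,sh,python,uname`) does not; unless the parser trims them, the second and third names may not resolve.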
diff --git a/etc/audacious.profile b/etc/audacious.profile index b9ce11c0e..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -1,16 +1,11 @@ | |||
1 | # Audacious media player profile | 1 | # Audacious media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 9 | noroot |
16 | 10 | protocol unix,inet,inet6 | |
11 | seccomp | ||
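diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..162201cb8
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,19 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev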
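diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d617fb701
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev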
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index ca9e87818..87d2e843a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -1,11 +1,14 @@ | |||
1 | # BitlBee instant messaging profile | 1 | # BitlBee instant messaging profile |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
7 | protocol unix,inet,inet6 | 6 | |
7 | netfilter | ||
8 | nonewprivs | ||
8 | private | 9 | private |
9 | private-dev | 10 | private-dev |
11 | protocol unix,inet,inet6 | ||
10 | seccomp | 12 | seccomp |
11 | netfilter | 13 | nosound |
14 | read-write /var/lib/bitlbee | ||
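Review bot: This is the only profile in the commit that keeps full capabilities — the new side (lines 6–14) adds netfilter, nonewprivs and nosound but there is still no `caps.drop all` and no `noroot`. If bitlbee needs one capability to bind its listening socket when started as root, `caps.keep` with just that capability would be tighter than leaving all of them; if it is always started unprivileged, `caps.drop all` brings it in line with the rest of the set. Whichever is chosen, a one-line comment would stop the omission looking accidental, and `read-write /var/lib/bitlbee` on line 14 deserves a note that it is the daemon's state directory.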
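diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..4c42e9faa
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,19 @@
+# Profile for Brave browser
+
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config
+mkdir ~/.config/brave
+whitelist ~/.config/brave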
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index d1e1c71d9..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -1,8 +1,10 @@ | |||
1 | # cherrytree note taking application | 1 | # cherrytree note taking application |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist /usr/bin/python2* |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist /usr/lib/python3* |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | 8 | ||
7 | whitelist ${HOME}/cherrytree | 9 | whitelist ${HOME}/cherrytree |
8 | mkdir ~/.config | 10 | mkdir ~/.config |
@@ -11,11 +13,23 @@ whitelist ${HOME}/.config/cherrytree/ | |||
11 | mkdir ~/.local | 13 | mkdir ~/.local |
12 | mkdir ~/.local/share | 14 | mkdir ~/.local/share |
13 | whitelist ${HOME}/.local/share/ | 15 | whitelist ${HOME}/.local/share/ |
16 | |||
14 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
15 | seccomp | 22 | seccomp |
16 | protocol unix,inet,inet6,netlink | 23 | protocol unix,inet,inet6,netlink |
17 | netfilter | ||
18 | tracelog | 24 | tracelog |
19 | noroot | 25 | |
20 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
21 | nosound | 27 | |
28 | # no private-bin support for various reasons: | ||
29 | #10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree | ||
30 | #10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" | ||
31 | #10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree | ||
32 | #10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null | ||
33 | #10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc | ||
34 | # it requires acces to browser to show the online help | ||
35 | # it doesn't play nicely with expect | ||
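Review bot: The two noblacklist lines at 2–3 cover different things for different Python versions — `/usr/bin/python2*` reopens the python2 interpreter but `/usr/lib/python3*` only the python3 library tree — while the trace pasted at line 31 shows cherrytree being started via `/usr/bin/python`; confirm which interpreter and library paths are actually needed and make the pair consistent (binary plus library for the same version). The exec log at lines 29–33, with timestamps and PIDs, is noise in a config file; keep only the conclusion, e.g. `# no private-bin: cherrytree execs python, sh, ldconfig and a C compiler at startup`. Line 34 has a typo: `acces` → `access`.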
diff --git a/etc/chromium.profile b/etc/chromium.profile index b58931b8d..7cf2853ca 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Chromium browser profile | 1 | # Chromium browser profile |
2 | noblacklist ~/.config/chromium | 2 | noblacklist ~/.config/chromium |
3 | noblacklist ~/.cache/chromium | 3 | noblacklist ~/.cache/chromium |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/clementine.profile b/etc/clementine.profile index 21b5a58ab..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -1,16 +1,11 @@ | |||
1 | # Clementine media player profile | 1 | # Clementine media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-terminals.inc | 3 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 6 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 7 | caps.drop all |
14 | seccomp | 8 | nonewprivs |
15 | protocol unix,inet,inet6 | ||
16 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
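diff --git a/etc/cmus.profile b/etc/cmus.profile
new file mode 100644
index 000000000..2e2a6940c
--- /dev/null
+++ b/etc/cmus.profile
@@ -0,0 +1,18 @@
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-bin cmus
+private-etc group
+shell none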
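Review bot: `private-etc group` at line 17 leaves only /etc/group visible, yet lines 10 and 13 allow `netfilter` and `protocol unix,inet,inet6`, so any network use (streams, scrobbling) would run without resolv.conf, nsswitch.conf or hosts and name lookup would presumably fail. Either widen the list to what cmus needs for networking, or if cmus is meant to be offline here replace the network lines with `net none` so the two settings agree. Moving `shell none` up next to the other hardening options (lines 9–14) would match the layout of the other profiles in this commit.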
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 2d6323d3b..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -1,14 +1,15 @@ | |||
1 | # Firejail profile for Conkeror web browser profile | 1 | # Firejail profile for Conkeror web browser profile |
2 | noblacklist ${HOME}/.conkeror.mozdev.org | 2 | noblacklist ${HOME}/.conkeror.mozdev.org |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | 4 | include /etc/firejail/disable-programs.inc |
5 | |||
7 | caps.drop all | 6 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
11 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
12 | whitelist ~/.conkeror.mozdev.org | 13 | whitelist ~/.conkeror.mozdev.org |
13 | whitelist ~/Downloads | 14 | whitelist ~/Downloads |
14 | whitelist ~/dwhelper | 15 | whitelist ~/dwhelper |
@@ -20,6 +21,4 @@ whitelist ~/.vimperator | |||
20 | whitelist ~/.pentadactylrc | 21 | whitelist ~/.pentadactylrc |
21 | whitelist ~/.pentadactyl | 22 | whitelist ~/.pentadactyl |
22 | whitelist ~/.conkerorrc | 23 | whitelist ~/.conkerorrc |
23 | |||
24 | # common | ||
25 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
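Review bot: `whitelist ~/Downloads` at new line 14 hard-codes the directory name while the other browser profiles in this commit use the `${DOWNLOADS}` macro (abrowser, brave, cyberfox, dillo), which follows the user's configured download location; `whitelist ${DOWNLOADS}` would make this file consistent. The whitelist block also has no `mkdir ~/.conkeror.mozdev.org` before the whitelist at new line 13, unlike the mkdir-then-whitelist pairs in the other profiles, so on a fresh account the directory may not exist when it is whitelisted. The second hunk's enclosing whitelist list continues outside the visible lines.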
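diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..077ae30d0
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp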
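Review bot: The hardening block at lines 8–12 omits `nonewprivs`, which every other new profile in this commit sets next to `caps.drop all` (0ad, atom, audacity, aweather, brave, cmus, dillo, default); without it a setuid or file-capability binary executed inside the sandbox can still gain privileges that `caps.drop all` on its own does not prevent. Add `nonewprivs` after `netfilter`, and consider `shell none`/`private-dev` if corebird works with them as several other profiles here do.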
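diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..b4d232496
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,22 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+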
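Review bot: `net none` appears twice (lines 15 and 18) and the file ends with three empty lines (20–22); drop the duplicate and the trailing blanks. Unlike the other new profiles, this one sets no `nonewprivs`; `noroot` may be deliberately left out because cpio is used to unpack system archives as root (the header comment about /sbin and /usr/sbin hints at that), but `nonewprivs` does not interfere with running as root and pairs naturally with `caps.drop all`. A comment stating why noroot is omitted would make that intent clear.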
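diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..afa77d1d4
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse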
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index ec9fcd0f0..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -1,16 +1,13 @@ | |||
1 | # DeaDBeeF media player profile | 1 | # DeaDBeeF media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/deadbeef |
3 | include /etc/firejail/disable-secret.inc | 3 | |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 8 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 9 | caps.drop all |
13 | seccomp | 10 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 11 | noroot |
16 | 12 | protocol unix,inet,inet6 | |
13 | seccomp | ||
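diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..a2de72695
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp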
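Review bot: `#blacklist ${HOME}/.wine` at line 8 is a commented-out directive with no explanation, and this same commit removes the `.wine` blacklist from disable-common.inc, so a reader cannot tell whether it was parked here on purpose or is waiting to be re-enabled. Either delete the line or replace it with a comment naming the include that now carries the .wine blacklist. Since this is the generic fallback profile, the header could also state that it deliberately sets no `private-*` options so unknown programs keep working.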
diff --git a/etc/deluge.profile b/etc/deluge.profile index bcd754952..8fde9acf9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -1,19 +1,21 @@ | |||
1 | # deluge bittorernt client profile | 1 | # deluge bittorrernt client profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-devel.inc | 3 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-terminals.inc | 4 | # deluge is using python on Debian |
7 | blacklist ${HOME}/.pki/nssdb | 5 | #include /etc/firejail/disable-devel.inc |
8 | blacklist ${HOME}/.lastpass | 6 | include /etc/firejail/disable-passwdmgr.inc |
9 | blacklist ${HOME}/.keepassx | 7 | |
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 8 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
16 | noroot | 11 | noroot |
17 | nosound | 12 | nosound |
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
18 | 15 | ||
16 | shell none | ||
17 | private-bin deluge,sh,python,uname | ||
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | ||
20 | nosound | ||
19 | 21 | ||
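Review bot: `nosound` is set twice on the new side (lines 12 and 20), and the header comment moves from one misspelling to another — `bittorernt` became `bittorrernt`; line 1 should read `# deluge bittorrent client profile`. Drop the second `nosound` and the trailing empty line 21. The `# deluge is using python on Debian` note above the disabled disable-devel include is the right way to document a parked directive; the later lines could follow the same style.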
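diff --git a/etc/dillo.profile b/etc/dillo.profile
new file mode 100644
index 000000000..2ddd363cb
--- /dev/null
+++ b/etc/dillo.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Dillo web browser
+
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+
+include /etc/firejail/whitelist-common.inc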
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 88ce42976..d18ee0287 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,53 +1,10 @@ | |||
1 | # various programs | ||
2 | blacklist ${HOME}/.config/vlc | ||
3 | |||
4 | # History files in $HOME | 1 | # History files in $HOME |
5 | blacklist-nolog ${HOME}/.history | 2 | blacklist-nolog ${HOME}/.history |
6 | blacklist-nolog ${HOME}/.*_history | 3 | blacklist-nolog ${HOME}/.*_history |
7 | 4 | blacklist ${HOME}/.local/share/systemd | |
8 | # HTTP / FTP / Mail | ||
9 | blacklist-nolog ${HOME}/.adobe | 5 | blacklist-nolog ${HOME}/.adobe |
10 | blacklist-nolog ${HOME}/.macromedia | 6 | blacklist-nolog ${HOME}/.macromedia |
11 | blacklist ${HOME}/.icedove | 7 | read-only ${HOME}/.local/share/applications |
12 | blacklist ${HOME}/.thunderbird | ||
13 | blacklist ${HOME}/.sylpheed-2.0 | ||
14 | blacklist ${HOME}/.config/midori | ||
15 | |||
16 | blacklist ${HOME}/.mozilla | ||
17 | blacklist ${HOME}/.config/chromium | ||
18 | blacklist ${HOME}/.config/google-chrome | ||
19 | blacklist ${HOME}/.config/google-chrome-beta | ||
20 | blacklist ${HOME}/.config/google-chrome-unstable | ||
21 | blacklist ${HOME}/.config/opera | ||
22 | blacklist ${HOME}/.config/opera-beta | ||
23 | blacklist ~/.config/vivaldi | ||
24 | |||
25 | blacklist ${HOME}/.filezilla | ||
26 | blacklist ${HOME}/.config/filezilla | ||
27 | blacklist ${HOME}/.local/share/systemd | ||
28 | |||
29 | # Instant Messaging | ||
30 | blacklist ${HOME}/.config/hexchat | ||
31 | blacklist ${HOME}/.mcabber | ||
32 | blacklist ${HOME}/.purple | ||
33 | blacklist ${HOME}/.config/psi+ | ||
34 | blacklist ${HOME}/.retroshare | ||
35 | blacklist ${HOME}/.weechat | ||
36 | blacklist ${HOME}/.config/xchat | ||
37 | blacklist ${HOME}/.Skype | ||
38 | |||
39 | # Cryptocoins | ||
40 | blacklist ${HOME}/.*coin | ||
41 | blacklist ${HOME}/.electrum* | ||
42 | blacklist ${HOME}/wallet.dat | ||
43 | |||
44 | # VNC | ||
45 | blacklist ${HOME}/.remmina | ||
46 | |||
47 | # Other | ||
48 | blacklist ${HOME}/.tconn | ||
49 | blacklist ${HOME}/.FBReader | ||
50 | blacklist ${HOME}/.wine | ||
51 | 8 | ||
52 | # X11 session autostart | 9 | # X11 session autostart |
53 | blacklist ${HOME}/.xinitrc | 10 | blacklist ${HOME}/.xinitrc |
@@ -63,16 +20,21 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart | |||
63 | blacklist ${HOME}/.fluxbox/startup | 20 | blacklist ${HOME}/.fluxbox/startup |
64 | blacklist ${HOME}/.config/openbox/autostart | 21 | blacklist ${HOME}/.config/openbox/autostart |
65 | blacklist ${HOME}/.config/openbox/environment | 22 | blacklist ${HOME}/.config/openbox/environment |
23 | blacklist ${HOME}/.gnomerc | ||
24 | blacklist /etc/X11/Xsession.d/ | ||
66 | 25 | ||
67 | # VirtualBox | 26 | # VirtualBox |
68 | blacklist ${HOME}/.VirtualBox | 27 | blacklist ${HOME}/.VirtualBox |
69 | blacklist ${HOME}/VirtualBox VMs | 28 | blacklist ${HOME}/VirtualBox VMs |
70 | blacklist ${HOME}/.config/VirtualBox | 29 | blacklist ${HOME}/.config/VirtualBox |
71 | 30 | ||
72 | # git, subversion | 31 | # VeraCrypt |
73 | blacklist ${HOME}/.subversion | 32 | blacklist ${PATH}/veracrypt |
74 | blacklist ${HOME}/.gitconfig | 33 | blacklist ${PATH}/veracrypt-uninstall.sh |
75 | blacklist ${HOME}/.git-credential-cache | 34 | blacklist /usr/share/veracrypt |
35 | blacklist /usr/share/applications/veracrypt.* | ||
36 | blacklist /usr/share/pixmaps/veracrypt.* | ||
37 | blacklist ${HOME}/.VeraCrypt | ||
76 | 38 | ||
77 | # var | 39 | # var |
78 | blacklist /var/spool/cron | 40 | blacklist /var/spool/cron |
@@ -98,11 +60,15 @@ read-only ${HOME}/.xserverrc | |||
98 | read-only ${HOME}/.profile | 60 | read-only ${HOME}/.profile |
99 | 61 | ||
100 | # Shell startup files | 62 | # Shell startup files |
63 | read-only ${HOME}/.antigen | ||
101 | read-only ${HOME}/.bash_login | 64 | read-only ${HOME}/.bash_login |
102 | read-only ${HOME}/.bashrc | 65 | read-only ${HOME}/.bashrc |
103 | read-only ${HOME}/.bash_profile | 66 | read-only ${HOME}/.bash_profile |
104 | read-only ${HOME}/.bash_logout | 67 | read-only ${HOME}/.bash_logout |
68 | read-only ${HOME}/.zsh.d | ||
69 | read-only ${HOME}/.zshenv | ||
105 | read-only ${HOME}/.zshrc | 70 | read-only ${HOME}/.zshrc |
71 | read-only ${HOME}/.zshrc.local | ||
106 | read-only ${HOME}/.zlogin | 72 | read-only ${HOME}/.zlogin |
107 | read-only ${HOME}/.zprofile | 73 | read-only ${HOME}/.zprofile |
108 | read-only ${HOME}/.zlogout | 74 | read-only ${HOME}/.zlogout |
@@ -110,8 +76,12 @@ read-only ${HOME}/.zsh_files | |||
110 | read-only ${HOME}/.tcshrc | 76 | read-only ${HOME}/.tcshrc |
111 | read-only ${HOME}/.cshrc | 77 | read-only ${HOME}/.cshrc |
112 | read-only ${HOME}/.csh_files | 78 | read-only ${HOME}/.csh_files |
79 | read-only ${HOME}/.profile | ||
113 | 80 | ||
114 | # Initialization files that allow arbitrary command execution | 81 | # Initialization files that allow arbitrary command execution |
82 | read-only ${HOME}/.caffrc | ||
83 | read-only ${HOME}/.dotfiles | ||
84 | read-only ${HOME}/dotfiles | ||
115 | read-only ${HOME}/.mailcap | 85 | read-only ${HOME}/.mailcap |
116 | read-only ${HOME}/.exrc | 86 | read-only ${HOME}/.exrc |
117 | read-only ${HOME}/_exrc | 87 | read-only ${HOME}/_exrc |
@@ -121,22 +91,80 @@ read-only ${HOME}/.gvimrc | |||
121 | read-only ${HOME}/_gvimrc | 91 | read-only ${HOME}/_gvimrc |
122 | read-only ${HOME}/.vim | 92 | read-only ${HOME}/.vim |
123 | read-only ${HOME}/.emacs | 93 | read-only ${HOME}/.emacs |
94 | read-only ${HOME}/.emacs.d | ||
95 | read-only ${HOME}/.nano | ||
124 | read-only ${HOME}/.tmux.conf | 96 | read-only ${HOME}/.tmux.conf |
125 | read-only ${HOME}/.iscreenrc | 97 | read-only ${HOME}/.iscreenrc |
126 | read-only ${HOME}/.muttrc | 98 | read-only ${HOME}/.muttrc |
127 | read-only ${HOME}/.mutt/muttrc | 99 | read-only ${HOME}/.mutt/muttrc |
100 | read-only ${HOME}/.msmtprc | ||
101 | read-only ${HOME}/.reportbugrc | ||
128 | read-only ${HOME}/.xmonad | 102 | read-only ${HOME}/.xmonad |
129 | read-only ${HOME}/.xscreensaver | 103 | read-only ${HOME}/.xscreensaver |
130 | 104 | ||
131 | # The user ~/bin directory can override commands such as ls | 105 | # The user ~/bin directory can override commands such as ls |
132 | read-only ${HOME}/bin | 106 | read-only ${HOME}/bin |
133 | 107 | ||
134 | # cache | 108 | # top secret |
135 | blacklist ~/.cache/mozilla | 109 | blacklist ${HOME}/.ssh |
136 | blacklist ~/.cache/chromium | 110 | blacklist ${HOME}/.cert |
137 | blacklist ~/.cache/google-chrome | 111 | blacklist ${HOME}/.gnome2/keyrings |
138 | blacklist ~/.cache/google-chrome-beta | 112 | blacklist ${HOME}/.kde4/share/apps/kwallet |
139 | blacklist ~/.cache/google-chrome-unstable | 113 | blacklist ${HOME}/.kde/share/apps/kwallet |
140 | blacklist ~/.cache/opera | 114 | blacklist ${HOME}/.local/share/kwalletd |
141 | blacklist ~/.cache/opera-beta | 115 | blacklist ${HOME}/.config/keybase |
142 | blacklist ~/.cache/vivaldi | 116 | blacklist ${HOME}/.netrc |
117 | blacklist ${HOME}/.gnupg | ||
118 | blacklist ${HOME}/.caff | ||
119 | blacklist ${HOME}/.smbcredentials | ||
120 | blacklist ${HOME}/*.kdbx | ||
121 | blacklist ${HOME}/*.kdb | ||
122 | blacklist ${HOME}/*.key | ||
123 | blacklist /etc/shadow | ||
124 | blacklist /etc/gshadow | ||
125 | blacklist /etc/passwd- | ||
126 | blacklist /etc/group- | ||
127 | blacklist /etc/shadow- | ||
128 | blacklist /etc/gshadow- | ||
129 | blacklist /etc/passwd+ | ||
130 | blacklist /etc/group+ | ||
131 | blacklist /etc/shadow+ | ||
132 | blacklist /etc/gshadow+ | ||
133 | blacklist /etc/ssh | ||
134 | blacklist /var/backup | ||
135 | |||
136 | # system management | ||
137 | blacklist ${PATH}/umount | ||
138 | blacklist ${PATH}/mount | ||
139 | blacklist ${PATH}/fusermount | ||
140 | blacklist ${PATH}/su | ||
141 | blacklist ${PATH}/sudo | ||
142 | blacklist ${PATH}/xinput | ||
143 | blacklist ${PATH}/evtest | ||
144 | blacklist ${PATH}/xev | ||
145 | blacklist ${PATH}/strace | ||
146 | blacklist ${PATH}/nc | ||
147 | blacklist ${PATH}/ncat | ||
148 | |||
149 | # system directories | ||
150 | blacklist /sbin | ||
151 | blacklist /usr/sbin | ||
152 | blacklist /usr/local/sbin | ||
153 | |||
154 | # prevent lxterminal connecting to an existing lxterminal session | ||
155 | blacklist /tmp/.lxterminal-socket* | ||
156 | |||
157 | # disable terminals running as server | ||
158 | blacklist ${PATH}/gnome-terminal | ||
159 | blacklist ${PATH}/gnome-terminal.wrapper | ||
160 | blacklist ${PATH}/xfce4-terminal | ||
161 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
162 | blacklist ${PATH}/mate-terminal | ||
163 | blacklist ${PATH}/mate-terminal.wrapper | ||
164 | blacklist ${PATH}/lilyterm | ||
165 | blacklist ${PATH}/pantheon-terminal | ||
166 | blacklist ${PATH}/roxterm | ||
167 | blacklist ${PATH}/roxterm-config | ||
168 | blacklist ${PATH}/terminix | ||
169 | blacklist ${PATH}/urxvtc | ||
170 | blacklist ${PATH}/urxvtcd | ||
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 65b31ba9b..963cf6da0 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -2,13 +2,20 @@ | |||
2 | 2 | ||
3 | # GCC | 3 | # GCC |
4 | blacklist /usr/include | 4 | blacklist /usr/include |
5 | blacklist /usr/lib/gcc | ||
5 | blacklist /usr/bin/gcc* | 6 | blacklist /usr/bin/gcc* |
6 | blacklist /usr/bin/cpp* | 7 | blacklist /usr/bin/cpp* |
7 | blacklist /usr/bin/c9* | 8 | blacklist /usr/bin/c9* |
8 | blacklist /usr/bin/c8* | 9 | blacklist /usr/bin/c8* |
9 | blacklist /usr/bin/c++* | 10 | blacklist /usr/bin/c++* |
11 | blacklist /usr/bin/as | ||
10 | blacklist /usr/bin/ld | 12 | blacklist /usr/bin/ld |
11 | blacklist /usr/bin/gdb | 13 | blacklist /usr/bin/gdb |
14 | blacklist /usr/bin/g++* | ||
15 | blacklist /usr/bin/x86_64-linux-gnu-g++* | ||
16 | blacklist /usr/bin/x86_64-linux-gnu-gcc* | ||
17 | blacklist /usr/bin/x86_64-unknown-linux-gnu-g++* | ||
18 | blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* | ||
12 | 19 | ||
13 | # clang/llvm | 20 | # clang/llvm |
14 | blacklist /usr/bin/clang* | 21 | blacklist /usr/bin/clang* |
@@ -16,6 +23,11 @@ blacklist /usr/bin/llvm* | |||
16 | blacklist /usb/bin/lldb* | 23 | blacklist /usb/bin/lldb* |
17 | blacklist /usr/lib/llvm* | 24 | blacklist /usr/lib/llvm* |
18 | 25 | ||
26 | # tcc - Tiny C Compiler | ||
27 | blacklist /usr/bin/tcc | ||
28 | blacklist /usr/bin/x86_64-tcc | ||
29 | blacklist /usr/lib/tcc | ||
30 | |||
19 | # Valgrind | 31 | # Valgrind |
20 | blacklist /usr/bin/valgrind* | 32 | blacklist /usr/bin/valgrind* |
21 | blacklist /usr/lib/valgrind | 33 | blacklist /usr/lib/valgrind |
@@ -34,3 +46,18 @@ blacklist /usr/lib/php* | |||
34 | # Ruby | 46 | # Ruby |
35 | blacklist /usr/bin/ruby | 47 | blacklist /usr/bin/ruby |
36 | blacklist /usr/lib/ruby | 48 | blacklist /usr/lib/ruby |
49 | |||
50 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice | ||
51 | # Python 2 | ||
52 | #blacklist /usr/bin/python2* | ||
53 | #blacklist /usr/lib/python2* | ||
54 | #blacklist /usr/local/lib/python2* | ||
55 | #blacklist /usr/include/python2* | ||
56 | #blacklist /usr/share/python2* | ||
57 | # | ||
58 | # Python 3 | ||
59 | #blacklist /usr/bin/python3* | ||
60 | #blacklist /usr/lib/python3* | ||
61 | #blacklist /usr/local/lib/python3* | ||
62 | #blacklist /usr/share/python3* | ||
63 | #blacklist /usr/include/python3* | ||
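Review bot: The clang/llvm block kept at new line 23 still reads `/usb/bin/lldb*`, so the lldb debugger is never actually blacklisted while gdb (new line 13) is; the line should be `blacklist /usr/bin/lldb*`. The added cross-toolchain entries at new lines 15–18 are pinned to x86_64 triplets, so an i386 or aarch64 installation keeps its `*-linux-gnu-gcc` wrappers reachable; if firejail's blacklist globbing accepts a wildcard at the start of the basename, `blacklist /usr/bin/*-linux-gnu-gcc*` and `blacklist /usr/bin/*-linux-gnu-g++*` would cover every triplet — confirm before relying on it.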
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc deleted file mode 100644 index 0a11d6728..000000000 --- a/etc/disable-mgmt.inc +++ /dev/null | |||
@@ -1,17 +0,0 @@ | |||
1 | # system directories | ||
2 | blacklist /sbin | ||
3 | blacklist /usr/sbin | ||
4 | blacklist /usr/local/sbin | ||
5 | |||
6 | # system management | ||
7 | blacklist ${PATH}/umount | ||
8 | blacklist ${PATH}/mount | ||
9 | blacklist ${PATH}/fusermount | ||
10 | blacklist ${PATH}/su | ||
11 | blacklist ${PATH}/sudo | ||
12 | blacklist ${PATH}/xinput | ||
13 | blacklist ${PATH}/evtest | ||
14 | blacklist ${PATH}/xev | ||
15 | blacklist ${PATH}/strace | ||
16 | blacklist ${PATH}/nc | ||
17 | blacklist ${PATH}/ncat | ||
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc new file mode 100644 index 000000000..6db9073ab --- /dev/null +++ b/etc/disable-passwdmgr.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | blacklist ${HOME}/.pki/nssdb | ||
2 | blacklist ${HOME}/.lastpass | ||
3 | blacklist ${HOME}/.keepassx | ||
4 | blacklist ${HOME}/.password-store | ||
5 | blacklist ${HOME}/keepassx.kdbx | ||
6 | blacklist ${HOME}/.config/keepassx | ||
7 | |||
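Review bot: The new file has no header comment, unlike the other `disable-*.inc` files in this commit, and its coverage is narrower than what the profiles themselves treat as password-manager data: flashpeak-slimjet.profile whitelists `~/.config/lastpass` (new line 39) and firefox.profile's second hunk is anchored on `whitelist ~/.config/lastpass`, yet only `${HOME}/.lastpass` is blacklisted here. Adding `blacklist ${HOME}/.config/lastpass` keeps this include consistent with the browser profiles. A first line such as `# Password manager and NSS credential stores` would document the file's purpose, and the trailing empty line 7 can go.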
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc new file mode 100644 index 000000000..0f155351d --- /dev/null +++ b/etc/disable-programs.inc | |||
@@ -0,0 +1,129 @@ | |||
1 | # various programs | ||
2 | blacklist ${HOME}/.Atom | ||
3 | blacklist ${HOME}/.remmina | ||
4 | blacklist ${HOME}/.tconn | ||
5 | blacklist ${HOME}/.FBReader | ||
6 | blacklist ${HOME}/.wine | ||
7 | blacklist ${HOME}/.Mathematica | ||
8 | blacklist ${HOME}/.Wolfram Research | ||
9 | blacklist ${HOME}/.stellarium | ||
10 | blacklist ${HOME}/.config/Atom | ||
11 | blacklist ${HOME}/.config/gthumb | ||
12 | blacklist ${HOME}/.config/mupen64plus | ||
13 | blacklist ${HOME}/.config/transmission | ||
14 | blacklist ${HOME}/.config/uGet | ||
15 | blacklist ${HOME}/.config/Gpredict | ||
16 | blacklist ${HOME}/.config/aweather | ||
17 | blacklist ${HOME}/.config/stellarium | ||
18 | blacklist ${HOME}/.config/atril | ||
19 | blacklist ${HOME}/.config/xreader | ||
20 | blacklist ${HOME}/.config/xviewer | ||
21 | blacklist ${HOME}/.config/libreoffice | ||
22 | blacklist ${HOME}/.config/pix | ||
23 | blacklist ${HOME}/.config/mate/eom | ||
24 | blacklist ${HOME}/.kde/share/apps/okular | ||
25 | blacklist ${HOME}/.kde/share/config/okularrc | ||
26 | blacklist ${HOME}/.kde/share/config/okularpartrc | ||
27 | blacklist ${HOME}/.kde/share/apps/gwenview | ||
28 | blacklist ${HOME}/.kde/share/config/gwenviewrc | ||
29 | |||
30 | # Media players | ||
31 | blacklist ${HOME}/.config/cmus | ||
32 | blacklist ${HOME}/.config/deadbeef | ||
33 | blacklist ${HOME}/.config/spotify | ||
34 | blacklist ${HOME}/.config/vlc | ||
35 | blacklist ${HOME}/.config/mpv | ||
36 | blacklist ${HOME}/.config/totem | ||
37 | blacklist ${HOME}/.config/xplayer | ||
38 | blacklist ${HOME}/.audacity-data | ||
39 | |||
40 | # HTTP / FTP / Mail | ||
41 | blacklist ${HOME}/.icedove | ||
42 | blacklist ${HOME}/.thunderbird | ||
43 | blacklist ${HOME}/.sylpheed-2.0 | ||
44 | blacklist ${HOME}/.config/midori | ||
45 | blacklist ${HOME}/.mozilla | ||
46 | blacklist ${HOME}/.config/chromium | ||
47 | blacklist ${HOME}/.config/google-chrome | ||
48 | blacklist ${HOME}/.config/google-chrome-beta | ||
49 | blacklist ${HOME}/.config/google-chrome-unstable | ||
50 | blacklist ${HOME}/.config/opera | ||
51 | blacklist ${HOME}/.config/opera-beta | ||
52 | blacklist ${HOME}/.opera | ||
53 | blacklist ${HOME}/.config/vivaldi | ||
54 | blacklist ${HOME}/.filezilla | ||
55 | blacklist ${HOME}/.config/filezilla | ||
56 | blacklist ${HOME}/.dillo | ||
57 | blacklist ${HOME}/.conkeror.mozdev.org | ||
58 | blacklist ${HOME}/.config/epiphany | ||
59 | blacklist ${HOME}/.config/slimjet | ||
60 | blacklist ${HOME}/.config/qutebrowser | ||
61 | blacklist ${HOME}/.8pecxstudios | ||
62 | blacklist ${HOME}/.config/brave | ||
63 | |||
64 | # Instant Messaging | ||
65 | blacklist ${HOME}/.config/hexchat | ||
66 | blacklist ${HOME}/.mcabber | ||
67 | blacklist ${HOME}/.mcabberrc | ||
68 | blacklist ${HOME}/.purple | ||
69 | blacklist ${HOME}/.config/psi+ | ||
70 | blacklist ${HOME}/.retroshare | ||
71 | blacklist ${HOME}/.weechat | ||
72 | blacklist ${HOME}/.config/xchat | ||
73 | blacklist ${HOME}/.Skype | ||
74 | blacklist ${HOME}/.config/tox | ||
75 | blacklist ${HOME}/.TelegramDesktop | ||
76 | blacklist ${HOME}/.config/Gitter | ||
77 | blacklist ${HOME}/.config/Franz | ||
78 | blacklist ${HOME}/.jitsi | ||
79 | |||
80 | # Games | ||
81 | blacklist ${HOME}/.hedgewars | ||
82 | blacklist ${HOME}/.steam | ||
83 | blacklist ${HOME}/.config/wesnoth | ||
84 | blacklist ${HOME}/.config/0ad | ||
85 | blacklist ${HOME}/.warzone2100-3.1 | ||
86 | |||
87 | # Cryptocoins | ||
88 | blacklist ${HOME}/.*coin | ||
89 | blacklist ${HOME}/.electrum* | ||
90 | blacklist ${HOME}/wallet.dat | ||
91 | |||
92 | # git, subversion | ||
93 | blacklist ${HOME}/.subversion | ||
94 | blacklist ${HOME}/.gitconfig | ||
95 | blacklist ${HOME}/.git-credential-cache | ||
96 | |||
97 | # cache | ||
98 | blacklist ${HOME}/.cache/mozilla | ||
99 | blacklist ${HOME}/.cache/chromium | ||
100 | blacklist ${HOME}/.cache/google-chrome | ||
101 | blacklist ${HOME}/.cache/google-chrome-beta | ||
102 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
103 | blacklist ${HOME}/.cache/opera | ||
104 | blacklist ${HOME}/.cache/opera-beta | ||
105 | blacklist ${HOME}/.cache/vivaldi | ||
106 | blacklist ${HOME}/.cache/epiphany | ||
107 | blacklist ${HOME}/.cache/slimjet | ||
108 | blacklist ${HOME}/.cache/qutebrowser | ||
109 | blacklist ${HOME}/.cache/spotify | ||
110 | blacklist ${HOME}/.cache/thunderbird | ||
111 | blacklist ${HOME}/.cache/icedove | ||
112 | blacklist ${HOME}/.cache/transmission | ||
113 | blacklist ${HOME}/.cache/wesnoth | ||
114 | blacklist ${HOME}/.cache/0ad | ||
115 | blacklist ${HOME}/.cache/8pecxstudios | ||
116 | blacklist ${HOME}/.cache/xreader | ||
117 | blacklist ${HOME}/.cache/Franz | ||
118 | |||
119 | # share | ||
120 | blacklist ${HOME}/.local/share/epiphany | ||
121 | blacklist ${HOME}/.local/share/mupen64plus | ||
122 | blacklist ${HOME}/.local/share/spotify | ||
123 | blacklist ${HOME}/.local/share/steam | ||
124 | blacklist ${HOME}/.local/share/wesnoth | ||
125 | blacklist ${HOME}/.local/share/0ad | ||
126 | blacklist ${HOME}/.local/share/xplayer | ||
127 | blacklist ${HOME}/.local/share/totem | ||
128 | blacklist ${HOME}/.local/share/psi+ | ||
129 | blacklist ${HOME}/.local/share/pix | ||
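Review bot: The Steam entry at new line 123, `blacklist ${HOME}/.local/share/steam`, is lowercase, while the Steam client normally keeps its data in `~/.local/share/Steam` (capital S, with `~/.steam` pointing at it); on a case-sensitive filesystem this line matches nothing and the game library stays readable from every sandbox that includes this file. Changing it to `blacklist ${HOME}/.local/share/Steam` closes that gap; `~/.steam` at new line 82 is already covered. The file also opens with `# various programs` rather than stating its purpose; a header like `# State directories of other programs, hidden so one sandboxed program cannot read another's data` would help maintainers decide what belongs here.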
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc deleted file mode 100644 index 7d29cda31..000000000 --- a/etc/disable-secret.inc +++ /dev/null | |||
@@ -1,23 +0,0 @@ | |||
1 | # HOME directory | ||
2 | blacklist ${HOME}/.ssh | ||
3 | blacklist ${HOME}/.gnome2/keyrings | ||
4 | blacklist ${HOME}/kde4/share/apps/kwallet | ||
5 | blacklist ${HOME}/kde/share/apps/kwallet | ||
6 | blacklist ${HOME}/.local/share/kwalletd | ||
7 | blacklist ${HOME}/.netrc | ||
8 | blacklist ${HOME}/.gnupg | ||
9 | blacklist ${HOME}/*.kdbx | ||
10 | blacklist ${HOME}/*.kdb | ||
11 | blacklist ${HOME}/*.key | ||
12 | blacklist /etc/shadow | ||
13 | blacklist /etc/gshadow | ||
14 | blacklist /etc/passwd- | ||
15 | blacklist /etc/group- | ||
16 | blacklist /etc/shadow- | ||
17 | blacklist /etc/gshadow- | ||
18 | blacklist /etc/passwd+ | ||
19 | blacklist /etc/group+ | ||
20 | blacklist /etc/shadow+ | ||
21 | blacklist /etc/gshadow+ | ||
22 | blacklist /etc/ssh | ||
23 | blacklist /var/backup | ||
diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc deleted file mode 100644 index 9631e7f62..000000000 --- a/etc/disable-terminals.inc +++ /dev/null | |||
@@ -1,6 +0,0 @@ | |||
1 | # disable terminals running as server | ||
2 | blacklist ${PATH}/lxterminal | ||
3 | blacklist ${PATH}/gnome-terminal | ||
4 | blacklist ${PATH}/gnome-terminal.wrapper | ||
5 | blacklist ${PATH}/xfce4-terminal | ||
6 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0bc7ac78e..90c244e03 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # security profile for dnscrypt-proxy | 1 | # security profile for dnscrypt-proxy |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 12 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 13 | ||
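Review bot: The `seccomp.drop` list retained at new line 12 names `perf_event_open` twice (after `lookup_dcookie` and again as the last entry); the duplicate is harmless but the trailing one should be removed so the list stays reviewable. Compared with dnsmasq.profile added in this commit, this profile sets neither a `caps` filter nor `nonewprivs`, so apart from the custom seccomp list the daemon's privileges appear unrestricted; if dnscrypt-proxy only needs to bind its listening socket, adding `caps` and `nonewprivs` as dnsmasq does looks applicable — confirm against how the service is started.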
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile new file mode 100644 index 000000000..1c01d44e4 --- /dev/null +++ b/etc/dnsmasq.profile | |||
@@ -0,0 +1,16 @@ | |||
1 | # dnsmasq profile | ||
2 | noblacklist /sbin | ||
3 | noblacklist /usr/sbin | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | include /etc/firejail/disable-devel.inc | ||
8 | |||
9 | caps | ||
10 | netfilter | ||
11 | nonewprivs | ||
12 | private | ||
13 | private-dev | ||
14 | nosound | ||
15 | protocol unix,inet,inet6,netlink | ||
16 | seccomp | ||
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 9d2c612de..71e019f8c 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -1,15 +1,22 @@ | |||
1 | # dropbox profile | 1 | # dropbox profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ~/.config/autostart |
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-terminals.inc | 4 | include /etc/firejail/disable-programs.inc |
6 | blacklist ${HOME}/.pki/nssdb | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.lastpass | 6 | |
8 | blacklist ${HOME}/.keepassx | ||
9 | blacklist ${HOME}/.password-store | ||
10 | blacklist ${HOME}/.wine | ||
11 | caps | 7 | caps |
12 | seccomp | 8 | nonewprivs |
13 | protocol unix,inet,inet6 | ||
14 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
13 | mkdir ~/Dropbox | ||
14 | whitelist ~/Dropbox | ||
15 | mkdir ~/.dropbox | ||
16 | whitelist ~/.dropbox | ||
17 | mkdir ~/.dropbox-dist | ||
18 | whitelist ~/.dropbox-dist | ||
15 | 19 | ||
20 | mkdir ~/.config/autostart | ||
21 | mkfile ~/.config/autostart/dropbox.desktop | ||
22 | whitelist ~/.config/autostart/dropbox.desktop | ||
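Review bot: The `mkfile`/`whitelist` pair at new lines 21–22 makes `~/.config/autostart/dropbox.desktop` writable from inside the sandbox, and autostart entries are launched by the desktop session outside firejail at the next login, so anything the sandboxed client writes there runs unsandboxed. If the client only needs to read the entry, `read-only ~/.config/autostart/dropbox.desktop` after the whitelist would close this; if it must write it (the start-on-login setting), record the trade-off with a comment such as `# writable so the client can manage its own autostart entry; the session runs this file outside the sandbox at login`. The `noblacklist ~/.config/autostart` at new line 2 exists for the same reason and could carry the same comment.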
diff --git a/etc/empathy.profile b/etc/empathy.profile index adaf03e23..371100814 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
@@ -1,12 +1,10 @@ | |||
1 | # Empathy instant messaging profile | 1 | # Empathy instant messaging profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | blacklist ${HOME}/.wine | ||
8 | caps.drop all | 6 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 7 | netfilter |
12 | 8 | nonewprivs | |
9 | protocol unix,inet,inet6 | ||
10 | seccomp | ||
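Review bot: The reworked include block at new lines 2–4 does not pull in `disable-passwdmgr.inc`, which evince, fbreader, dropbox and eom in this same commit do, so the KeePassX/LastPass/pass stores remain visible to the messaging client. Adding `include /etc/firejail/disable-passwdmgr.inc` would bring it in line with the other desktop profiles. The profile also gains `nonewprivs` but not `noroot`, which dropbox, evince, fbreader and firefox set here; presumably empathy does not need root, so `noroot` looks applicable — confirm it does not break the keyring/telepathy integration.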
diff --git a/etc/eom.profile b/etc/eom.profile new file mode 100644 index 000000000..81d993e96 --- /dev/null +++ b/etc/eom.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for Eye of Mate (eom) | ||
2 | noblacklist ~/.config/mate/eom | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin eom | ||
20 | private-dev | ||
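Review bot: `protocol unix` at new line 14 already limits sockets to the unix family, so this image viewer is not expected to need any network access, yet the network namespace is still shared and the host's interfaces remain visible. If the viewer runs fine with it, `net none` is the stronger and more explicit choice for a local-only program — confirm on a system where network namespaces are enabled. Otherwise the profile matches the evince rework in this commit.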
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index c7031da71..57191429a 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
@@ -1,9 +1,12 @@ | |||
1 | # Epiphany browser profile | 1 | # Epiphany browser profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/epiphany |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/epiphany |
4 | noblacklist ${HOME}/.local/share/epiphany | ||
5 | |||
4 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 9 | |
7 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
8 | mkdir ${HOME}/.local | 11 | mkdir ${HOME}/.local |
9 | mkdir ${HOME}/.local/share | 12 | mkdir ${HOME}/.local/share |
@@ -16,8 +19,9 @@ mkdir ${HOME}/.cache | |||
16 | mkdir ${HOME}/.cache/epiphany | 19 | mkdir ${HOME}/.cache/epiphany |
17 | whitelist ${HOME}/.cache/epiphany | 20 | whitelist ${HOME}/.cache/epiphany |
18 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
22 | |||
19 | caps.drop all | 23 | caps.drop all |
20 | seccomp | ||
21 | protocol unix,inet,inet6 | ||
22 | netfilter | 24 | netfilter |
23 | 25 | nonewprivs | |
26 | protocol unix,inet,inet6 | ||
27 | seccomp | ||
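Review bot: The second hunk adds `nonewprivs` at new line 25 but not `noroot`, which firefox.profile in this commit sets alongside the same `netfilter`/`nonewprivs`/`protocol`/`seccomp` group. Adding `noroot` after `nonewprivs` would put the two browser profiles on the same footing, assuming WebKit's helper processes do not need it — confirm before committing. The `noblacklist` lines added at new lines 2–4 correctly mirror the new `disable-programs.inc` entries for epiphany.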
diff --git a/etc/evince.profile b/etc/evince.profile index 81878462b..530ce959a 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # evince pdf reader profile | 1 | # evince pdf reader profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | 9 | nogroups |
15 | noroot | 10 | noroot |
16 | nosound | 11 | nosound |
12 | protocol unix | ||
13 | seccomp | ||
17 | 14 | ||
15 | shell none | ||
16 | private-bin evince,evince-previewer,evince-thumbnailer | ||
17 | whitelist /tmp/.X11-unix | ||
18 | private-dev | ||
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 4ed942138..de31ce8de 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -1,19 +1,21 @@ | |||
1 | # fbreader ebook reader profile | 1 | # fbreader ebook reader profile |
2 | noblacklist ${HOME}/.FBReader | 2 | noblacklist ${HOME}/.FBReader |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
17 | noroot | 12 | noroot |
18 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
19 | 16 | ||
17 | shell none | ||
18 | private-bin fbreader,FBReader | ||
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | ||
21 | nosound | ||
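Review bot: `nosound` appears twice on the new side, at new line 13 and again at new line 21 after `private-dev`; the second is redundant and should be dropped. filezilla.profile in this commit has the same duplicate (new lines 13 and 21). Keeping the `shell none`/`private-bin`/`whitelist /tmp/.X11-unix`/`private-dev` group together, as evince.profile does, and leaving `nosound` only in the main option block keeps the profiles parallel.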
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 0eabf9a88..551c17a78 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -1,18 +1,22 @@ | |||
1 | # FileZilla ftp profile | 1 | # FileZilla ftp profile |
2 | noblacklist ${HOME}/.filezilla | 2 | noblacklist ${HOME}/.filezilla |
3 | noblacklist ${HOME}/.config/filezilla | 3 | noblacklist ${HOME}/.config/filezilla |
4 | include /etc/firejail/disable-mgmt.inc | 4 | |
5 | include /etc/firejail/disable-secret.inc | ||
6 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | blacklist ${HOME}/.wine | ||
10 | caps.drop all | 9 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | noroot | ||
14 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | noroot | ||
15 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | 16 | ||
17 | 17 | shell none | |
18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp | ||
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | ||
21 | nosound | ||
18 | 22 | ||
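Review bot: `private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp` at new line 18 places a shell and a Python interpreter inside the sandbox without saying why, which weakens the `shell none` on the line above; a reader cannot tell whether `sh` and `python` are required by FileZilla's own helper scripts (disable-devel.inc in this commit notes that filezilla uses python) or are leftovers. Add a comment such as `# sh and python are required by filezilla's helper scripts` above the line, or drop whichever binary is not needed. The empty new lines 16 and 22 around the block can be reduced to one.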
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile new file mode 100644 index 000000000..d2fde9a3f --- /dev/null +++ b/etc/firefox-esr.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | # Firejail profile for Mozilla Firefox ESR | ||
2 | include /etc/firejail/firefox.profile | ||
diff --git a/etc/firefox.profile b/etc/firefox.profile index b06dfa6da..2cc4d3cd8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -2,19 +2,17 @@ | |||
2 | 2 | ||
3 | noblacklist ~/.mozilla | 3 | noblacklist ~/.mozilla |
4 | noblacklist ~/.cache/mozilla | 4 | noblacklist ~/.cache/mozilla |
5 | noblacklist ~/keepassx.kdbx | ||
6 | include /etc/firejail/disable-mgmt.inc | ||
7 | include /etc/firejail/disable-secret.inc | ||
8 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
10 | include /etc/firejail/disable-terminals.inc | ||
11 | 8 | ||
12 | caps.drop all | 9 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6,netlink | ||
15 | netfilter | 10 | netfilter |
16 | tracelog | 11 | nonewprivs |
17 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
15 | tracelog | ||
18 | 16 | ||
19 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
20 | mkdir ~/.mozilla | 18 | mkdir ~/.mozilla |
@@ -43,14 +41,12 @@ whitelist ~/.config/lastpass | |||
43 | 41 | ||
44 | 42 | ||
45 | #silverlight | 43 | #silverlight |
46 | whitelist ~/.wine-pipelight | 44 | whitelist ~/.wine-pipelight |
47 | whitelist ~/.wine-pipelight64 | 45 | whitelist ~/.wine-pipelight64 |
48 | whitelist ~/.config/pipelight-widevine | 46 | whitelist ~/.config/pipelight-widevine |
49 | whitelist ~/.config/pipelight-silverlight5.1 | 47 | whitelist ~/.config/pipelight-silverlight5.1 |
50 | 48 | ||
51 | include /etc/firejail/whitelist-common.inc | 49 | include /etc/firejail/whitelist-common.inc |
52 | 50 | ||
53 | # experimental features | 51 | # experimental features |
54 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 52 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
55 | |||
56 | |||
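Review bot: Dropping `noblacklist ~/keepassx.kdbx` (old line 5) while disable-common.inc in this commit starts blacklisting `${HOME}/*.kdbx` means the KeePassX database is masked before any later `whitelist` can expose it; the second hunk's header (`whitelist ~/.config/lastpass` at new line 41) suggests the profile still has a keepassx/lastpass whitelist block outside this hunk. If that block is meant to keep working, the `noblacklist` line must stay — it is not made redundant by `disable-passwdmgr.inc`, which this profile does not include. flashpeak-slimjet.profile in the same commit has the same gap: it whitelists `~/keepassx.kdbx` at new line 37 with no `noblacklist` ahead of its `disable-common.inc` include at new line 10. This assumes blacklist mounts win over whitelists, which is how the existing profiles pair `noblacklist` with `whitelist` — confirm.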
diff --git a/etc/firejail.config b/etc/firejail.config index 19525c942..20c4d7a5f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -3,28 +3,59 @@ | |||
3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration | 3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration |
4 | # values. | 4 | # values. |
5 | 5 | ||
6 | # Enable or disable seccomp support, default enabled. | 6 | # Enable or disable bind support, default enabled. |
7 | # seccomp yes | 7 | # bind yes |
8 | 8 | ||
9 | # Enable or disable chroot support, default enabled. | 9 | # Enable or disable chroot support, default enabled. |
10 | # chroot yes | 10 | # chroot yes |
11 | 11 | ||
12 | # Enable or disable bind support, default enabled. | 12 | # Enable or disable file transfer support, default enabled. |
13 | # bind yes | 13 | # file-transfer yes |
14 | |||
15 | # Force use of nonewprivs. This mitigates the possibility of | ||
16 | # a user abusing firejail's features to trick a privileged (suid | ||
17 | # or file capabilities) process into loading code or configuration | ||
18 | # that is partially under their control. Default disabled | ||
19 | # force-nonewprivs no | ||
14 | 20 | ||
15 | # Enable or disable networking features, default enabled. | 21 | # Enable or disable networking features, default enabled. |
16 | # network yes | 22 | # network yes |
17 | 23 | ||
18 | # Enable or disable restricted network support, default disabled. If enabled, | 24 | # Enable or disable restricted network support, default disabled. If enabled, |
19 | # networking features (network yes) above should also be enabled. | 25 | # networking features should also be enabled (network yes). |
26 | # Restricted networking grants access to --interface, --net=ethXXX and | ||
27 | # --netfilter only to root user. Regular users are only allowed --net=none. | ||
20 | # restricted-network no | 28 | # restricted-network no |
21 | 29 | ||
30 | # Change default netfilter configuration. When using --netfilter option without | ||
31 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | ||
32 | # configuration entry allows the user to change the default by specifying | ||
33 | # a file containing the filter configuration. The filter file format is the | ||
34 | # format of iptables-save and iptable-restore commands. Example: | ||
35 | # netfilter-default /etc/iptables.iptables.rules | ||
36 | |||
37 | # Enable or disable seccomp support, default enabled. | ||
38 | # seccomp yes | ||
39 | |||
22 | # Enable or disable user namespace support, default enabled. | 40 | # Enable or disable user namespace support, default enabled. |
23 | # userns yes | 41 | # userns yes |
24 | 42 | ||
43 | # Enable or disable whitelisting support, default enabled. | ||
44 | # whitelist yes | ||
45 | |||
25 | # Enable or disable X11 sandboxing support, default enabled. | 46 | # Enable or disable X11 sandboxing support, default enabled. |
26 | # x11 yes | 47 | # x11 yes |
27 | 48 | ||
28 | # Enable or disable file transfer support, default enabled. | 49 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for |
29 | # file-transfer yes | 50 | # a full list of resolutions available on your specific setup. |
51 | # xephyr-screen 640x480 | ||
52 | # xephyr-screen 800x600 | ||
53 | # xephyr-screen 1024x768 | ||
54 | # xephyr-screen 1280x1024 | ||
55 | |||
56 | # Firejail window title in Xephyr, default enabled. | ||
57 | # xephyr-window-title yes | ||
30 | 58 | ||
59 | # Xephyr command extra parameters. None by default, and the declaration is commented out. | ||
60 | # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev | ||
61 | # xephyr-extra-params -grayscale | ||
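Review bot: The `netfilter-default` description at new line 34 reads `iptable-restore`; the command is `iptables-restore`, so the line should be `# format of iptables-save and iptables-restore commands. Example:`. The `force-nonewprivs` block at new lines 15–19 is the most security-relevant addition and is clearly worded; it would help administrators to add that, presumably, it makes `nonewprivs` apply even to profiles that omit it, since that is the effect being toggled.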
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile new file mode 100644 index 000000000..f248c385a --- /dev/null +++ b/etc/flashpeak-slimjet.profile | |||
@@ -0,0 +1,41 @@ | |||
1 | # SlimJet browser profile | ||
2 | # This is a whitelisted profile, the internal browser sandbox | ||
3 | # is disabled because it requires sudo password. The command | ||
4 | # to run it is as follows: | ||
5 | # | ||
6 | # firejail flashpeak-slimjet --no-sandbox | ||
7 | # | ||
8 | noblacklist ~/.config/slimjet | ||
9 | noblacklist ~/.cache/slimjet | ||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-programs.inc | ||
12 | |||
13 | # chromium is distributed with a perl script on Arch | ||
14 | # include /etc/firejail/disable-devel.inc | ||
15 | # | ||
16 | |||
17 | caps.drop all | ||
18 | netfilter | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | protocol unix,inet,inet6,netlink | ||
22 | seccomp | ||
23 | |||
24 | whitelist ${DOWNLOADS} | ||
25 | mkdir ~/.config | ||
26 | mkdir ~/.config/slimjet | ||
27 | whitelist ~/.config/slimjet | ||
28 | mkdir ~/.cache | ||
29 | mkdir ~/.cache/slimjet | ||
30 | whitelist ~/.cache/slimjet | ||
31 | mkdir ~/.pki | ||
32 | whitelist ~/.pki | ||
33 | |||
34 | # lastpass, keepassx | ||
35 | whitelist ~/.keepassx | ||
36 | whitelist ~/.config/keepassx | ||
37 | whitelist ~/keepassx.kdbx | ||
38 | whitelist ~/.lastpass | ||
39 | whitelist ~/.config/lastpass | ||
40 | |||
41 | include /etc/firejail/whitelist-common.inc | ||
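Review bot: The header comment at new lines 2–6 explains that the browser must be run with `--no-sandbox` but not what that costs: with Chromium's internal sandbox off, renderer processes are no longer isolated from each other or from the browser process, so this firejail profile becomes the only boundary around untrusted web content. A sentence such as `# With --no-sandbox the renderers share the browser's privileges; this profile is the only isolation layer, so keep it whitelist-only` would make that explicit for anyone loosening it later. The commented-out `disable-devel.inc` include at new line 14 does state its reason, which is the right pattern.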
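diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..fc4a665de
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,26 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc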
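Review bot: `#tracelog` on line 12 is a commented-out directive with no reason given, so the next reader cannot tell whether it was disabled for a breakage or simply never tried; either enable it or write `# tracelog disabled: <reason>`. Compared with gitter.profile in the same commit, this profile is also missing `private-dev` and `shell none`; if Franz needs a shell or device nodes, a one-line comment saying so would keep the two chat-client profiles from drifting apart.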
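diff --git a/etc/generic.profile b/etc/generic.profile
deleted file mode 100644
index 5618a555e..000000000
--- a/etc/generic.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-################################
-# Generic GUI application profile
-################################
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-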
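diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..2882c59a6
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,18 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev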
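Review bot: The profile only `noblacklist`s `~/.config/Gitter` (line 2) and never whitelists it, so unlike franz.profile in this commit the sandbox still sees the whole home directory minus the blacklisted paths. If Gitter needs nothing beyond its own configuration directory, the idiom used elsewhere in this commit applies: a `mkdir ~/.config` step, then `mkdir ~/.config/Gitter`, `whitelist ~/.config/Gitter` and `include /etc/firejail/whitelist-common.inc`. If the full home view is intentional, a comment saying why would stop someone from tightening it blindly.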
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 8062c859a..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
@@ -1,15 +1,14 @@ | |||
1 | # GNOME MPlayer profile | 1 | # GNOME MPlayer profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
13 | shell none | ||
14 | private-bin gnome-mplayer | ||
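Review bot: Dropping `blacklist ${HOME}/.wine` (old line 11) is only neutral if `disable-programs.inc`, which takes its place on new line 3, covers `~/.wine`; the same blacklist disappears from kmail.profile in this commit, so it is worth confirming once and recording in the commit message. Separately, `private-bin gnome-mplayer` (new line 14) lists only the front end; if it spawns a separate `mplayer` binary for playback, that binary has to be in the same list or playback fails inside the sandbox, e.g. `private-bin gnome-mplayer,mplayer`.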
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3396585eb..11f9f9e33 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome beta browser profile | 1 | # Google Chrome beta browser profile |
2 | noblacklist ~/.config/google-chrome-beta | 2 | noblacklist ~/.config/google-chrome-beta |
3 | noblacklist ~/.cache/google-chrome-beta | 3 | noblacklist ~/.cache/google-chrome-beta |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
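Review bot: Removing `noblacklist ~/keepassx.kdbx` (old line 4) changes what any keepassx whitelist further down this file (outside the hunk; the Chromium-based flashpeak-slimjet profile in this commit carries such lines) can reach: if `disable-programs.inc` on new line 5 blacklists that file, the whitelist becomes a no-op and the browser loses access, otherwise nothing changes. Either outcome may be intended, but nothing states it; a comment beside the remaining whitelist such as `# keepassx.kdbx stays blacklisted via disable-programs.inc; whitelist is a no-op until noblacklisted`, or removing those whitelist lines, would make it explicit. The same removal appears in the google-chrome-unstable, google-chrome, opera-beta and opera sections of this commit.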
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index ed4332862..f253e5a90 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome unstable browser profile | 1 | # Google Chrome unstable browser profile |
2 | noblacklist ~/.config/google-chrome-unstable | 2 | noblacklist ~/.config/google-chrome-unstable |
3 | noblacklist ~/.cache/google-chrome-unstable | 3 | noblacklist ~/.cache/google-chrome-unstable |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 985af38eb..5e168aae5 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome browser profile | 1 | # Google Chrome browser profile |
2 | noblacklist ~/.config/google-chrome | 2 | noblacklist ~/.config/google-chrome |
3 | noblacklist ~/.cache/google-chrome | 3 | noblacklist ~/.cache/google-chrome |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
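diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player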
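Review bot: `whitelist ~/.config/Google Play Music Desktop Player` on line 18 has no preceding `mkdir`, unlike every other whitelist in this commit (gpredict lines 9–11, for instance); on a first run where the directory does not exist yet the whitelist presumably has nothing to bind, and the player's settings land in the sandbox's throwaway home. Add `mkdir ~/.config` and `mkdir ~/.config/Google Play Music Desktop Player` before line 18, and consider `include /etc/firejail/whitelist-common.inc` as the other whitelisting profiles do. The two commented `#whitelist ~/.pulse` lines should state why they are off.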
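diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..02bb4d24d
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev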
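Review bot: The `whitelist ~/.config/Gpredict` block (lines 9–11) switches the sandbox to a whitelisted home, but unlike hedgewars, hexchat and flashpeak-slimjet in this commit the profile never includes `whitelist-common.inc`, so whatever that include re-exposes under `~` (presumably the X authority, font and theme files a GTK program expects) is absent here. Add `include /etc/firejail/whitelist-common.inc` after line 11, or add a comment explaining why gpredict does not need it.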
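diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..3c02576aa
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+whitelist /tmp/.X11-unix
+private-dev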
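Review bot: `protocol unix` on line 14 already says gthumb is not expected to use the network, yet the profile stops short of `net none`, which removes the network namespace entirely rather than only the socket families; gzip.profile and less.profile in this commit use `net none` for the same situation. If some feature (web albums, for instance) does need connectivity, a comment on the protocol line would explain the choice. The same applies to gwenview.profile, and okular.profile, which lists `#net none` only as experimental.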
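diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..67f10c4e1
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,21 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+nogroups
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11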
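Review bot: The `#Experimental:` block on lines 18–21 (`#shell none`, `#private-bin gwenview`, `#private-etc X11`) is commented-out configuration with no record of what was tried or what broke, so nobody can tell whether enabling it is safe. Replace it with a comment that states the status, e.g. `# shell none / private-bin gwenview / private-etc X11 untested on <distribution>; enable after checking thumbnails and printing`, or drop the lines. okular.profile in this commit carries the same block with the same gap.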
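diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..cc19e7608
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,8 @@
+# gzip profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound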
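Review bot: `private-tmp` on line 7 gives gzip an empty private `/tmp`, so `firejail gzip /tmp/<file>` fails with a missing file even though the path exists outside the sandbox; that is a reasonable restriction for a compressor but it deserves a comment, e.g. `# private-tmp: files under /tmp are not visible inside the sandbox`. less.profile in this commit has the identical line and the identical caveat.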
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index ab0e067c7..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # whitelist profile for Hedgewars (game) | 1 | # whitelist profile for Hedgewars (game) |
2 | noblacklist ${HOME}/.hedgewars | ||
2 | 3 | ||
3 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-mgmt.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nonewprivs | ||
10 | noroot | 11 | noroot |
11 | private-dev | 12 | private-dev |
12 | whitelist /tmp/.X11-unix | ||
13 | seccomp | 13 | seccomp |
14 | tracelog | 14 | tracelog |
15 | netfilter | ||
16 | 15 | ||
17 | mkdir ~/.hedgewars | 16 | mkdir ~/.hedgewars |
18 | whitelist ~/.hedgewars | 17 | whitelist ~/.hedgewars |
18 | include /etc/firejail/whitelist-common.inc | ||
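Review bot: The new side drops `netfilter` (old line 15) and still has no `protocol` line, so the sandbox no longer constrains the game's network traffic at all, even though the whitelist and `nonewprivs` additions tighten everything else; the other networked profiles in this commit keep `netfilter` together with `protocol unix,inet,inet6`. If the removal was intentional (for example because online play needs something the filter blocked), a comment should say so; otherwise re-add `netfilter` and `protocol unix,inet,inet6` next to `seccomp`.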
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 8f9e71b44..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -1,11 +1,21 @@ | |||
1 | # HexChat instant messaging profile | 1 | # HexChat instant messaging profile |
2 | noblacklist ${HOME}/.config/hexchat | 2 | noblacklist ${HOME}/.config/hexchat |
3 | include /etc/firejail/disable-mgmt.inc | 3 | noblacklist /usr/lib/python2* |
4 | include /etc/firejail/disable-secret.inc | 4 | noblacklist /usr/lib/python3* |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 8 | |
8 | caps.drop all | 9 | caps.drop all |
9 | seccomp | 10 | nonewprivs |
10 | protocol unix,inet,inet6 | ||
11 | noroot | 11 | noroot |
12 | netfilter | ||
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | |||
16 | mkdir ~/.config | ||
17 | mkdir ~/.config/hexchat | ||
18 | whitelist ~/.config/hexchat | ||
19 | include /etc/firejail/whitelist-common.inc | ||
20 | |||
21 | # private-bin requires perl, python, etc. | ||
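Review bot: `noblacklist /usr/lib/python2*` and `noblacklist /usr/lib/python3*` (new lines 3–4) re-expose the interpreter libraries that `disable-devel.inc` on line 7 would otherwise hide, but nothing says why; the closing comment `# private-bin requires perl, python, etc.` hints at plugin interpreters without connecting the two. A comment above line 3 such as `# hexchat's scripting plugins need the python runtime even with disable-devel.inc` would keep the next reader from removing the exception.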
diff --git a/etc/icedove.profile b/etc/icedove.profile index 057e0c9ef..e9a63c8dd 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -1,3 +1,19 @@ | |||
1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian) | 1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) |
2 | include /etc/firejail/thunderbird.profile | 2 | # Users have icedove set to open a browser by clicking a link in an email |
3 | # We are not allowed to blacklist browser-specific directories | ||
4 | |||
5 | noblacklist ~/.gnupg | ||
6 | mkdir ~/.gnupg | ||
7 | whitelist ~/.gnupg | ||
8 | |||
9 | noblacklist ~/.icedove | ||
10 | mkdir ~/.icedove | ||
11 | whitelist ~/.icedove | ||
12 | |||
13 | noblacklist ~/.cache/icedove | ||
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/icedove | ||
16 | whitelist ~/.cache/icedove | ||
17 | |||
18 | include /etc/firejail/firefox.profile | ||
3 | 19 | ||
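Review bot: Switching the base from `thunderbird.profile` (old line 2) to `firefox.profile` (new line 18) means the mail client inherits every whitelist the browser profile carries, and this file adds the GnuPG keyring (`whitelist ~/.gnupg`, line 7) on top, so the private keys sit in the same view as whatever the browser profile opens up. The comment on lines 2–3 explains the browser-directory side but not this trade-off; extend it with something like `# Includes firefox.profile, so all of its whitelists apply here too; ~/.gnupg is exposed read-write for mail signing/encryption`. Whether anything from the old thunderbird.profile base is lost cannot be told from this hunk.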
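diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..8baf1ad94
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,16 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+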
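Review bot: `protocol unix,inet,inet6` on line 12 opens IPv4/IPv6 sockets but there is no `netfilter`, whereas gitter, gpredict and konversation in this commit pair the two. Add `netfilter` after `caps.drop all`, or document why jitsi should see the unfiltered network. The trailing blank line 16 can go.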
diff --git a/etc/kmail.profile b/etc/kmail.profile index ca29675a0..44a53e258 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -1,20 +1,15 @@ | |||
1 | # kmail profile | 1 | # kmail profile |
2 | noblacklist ${HOME}/.gnupg | 2 | noblacklist ${HOME}/.gnupg |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6,netlink | ||
16 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
17 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
18 | tracelog | 15 | tracelog |
19 | |||
20 | |||
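diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..190061618
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6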
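Review bot: `nonewprivs` is missing; every other new profile in this commit (gitter, jitsi, gpredict, mcabber) places it beside `noroot`, and without it a setuid helper reachable from the sandbox can still raise privileges. Add `nonewprivs` after `caps.drop all` on line 8. The profile also has no `noblacklist` for konversation's own configuration, so it presumably relies on the includes not touching it — worth a one-line comment.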
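diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..0c43111d7
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,8 @@
+# less profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound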
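diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..77a00ebef
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+whitelist /tmp/.X11-unix/
+nosound
+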
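Review bot: `whitelist /tmp/.X11-unix/` on line 17 carries a trailing slash while gthumb.profile in this commit writes `whitelist /tmp/.X11-unix`; pick one spelling so the two can be grepped together, and place the line with the other restrictions rather than between `private-dev` and `nosound`. Whitelisting only the X11 socket also leaves the rest of `/tmp` empty inside the sandbox, which affects documents handed over via `/tmp` by other programs; a comment on that line would save a support question. `nosound` may also surprise users playing audio from Impress presentations — worth a comment if deliberate.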
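diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+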
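Review bot: The header `# LibreOffice profile` (line 2) does not say that this file is only an alias for `libreoffice.profile`, so a reader opening localc.profile may add settings here instead of in the shared file. A one-line header such as `# localc: alias for /etc/firejail/libreoffice.profile - edit that file instead` would do; the same applies to the lodraw, loffice, lofromtemplate, loimpress, lomath, loweb and lowriter sections of this commit.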
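diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+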
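diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+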
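diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+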
diff --git a/etc/login.users b/etc/login.users index 5d5969091..bc6ac4b09 100644 --- a/etc/login.users +++ b/etc/login.users | |||
@@ -7,7 +7,7 @@ | |||
7 | # | 7 | # |
8 | # For example: | 8 | # For example: |
9 | # | 9 | # |
10 | # netblue:--debug --net=none | 10 | # netblue:--net=none --protocol=unix |
11 | # | 11 | # |
12 | # The extra arguments are inserted into program command line if firejail | 12 | # The extra arguments are inserted into program command line if firejail |
13 | # was started as a login shell. | 13 | # was started as a login shell. |
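diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+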
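diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+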
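diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+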
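diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+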
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index a614a8dbf..d1d0b8a0d 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
@@ -1,19 +1,11 @@ | |||
1 | # lxterminal (LXDE) profile | 1 | # lxterminal (LXDE) profile |
2 | 2 | ||
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
6 | blacklist ${HOME}/.pki/nssdb | 4 | include /etc/firejail/disable-programs.inc |
7 | blacklist ${HOME}/.lastpass | 5 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.keepassx | 6 | |
9 | blacklist ${HOME}/.password-store | ||
10 | caps.drop all | 7 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | netfilter | 8 | netfilter |
14 | 9 | protocol unix,inet,inet6 | |
10 | seccomp | ||
15 | #noroot - somehow this breaks on Debian Jessie! | 11 | #noroot - somehow this breaks on Debian Jessie! |
16 | |||
17 | # lxterminal is a single-instence program | ||
18 | # blacklist any existing lxterminal socket in order to force a second process instance | ||
19 | blacklist /tmp/.lxterminal-socket* | ||
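Review bot: Removing `blacklist /tmp/.lxterminal-socket*` (old line 19) also removes the protection the old comment on lines 17–18 described: lxterminal is single-instance, and if it can see an existing socket it hands the new window to the already-running, unsandboxed instance and exits, so the sandbox is silently bypassed. Unless `disable-common.inc` or `disable-programs.inc` now blacklists that socket, the three removed lines should come back. If they were dropped deliberately, the commit message or a comment should say why.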
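diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound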
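Review bot: `private-etc null` on line 18 leaves the sandbox with an essentially empty `/etc` (there is no file named `null` to keep), so name resolution and TLS verification have no `resolv.conf`, `hosts`, `nsswitch.conf` or certificate store to read, which will most likely break connecting to any XMPP server. Keep the minimum the client needs — a constructed starting point, to be trimmed against an actual run, is `private-etc passwd,group,hosts,nsswitch.conf,resolv.conf,localtime,ssl` — and add a comment stating which entries are required. The palemoon section's commented `private-etc` line shows the list style used elsewhere in this commit.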
diff --git a/etc/midori.profile b/etc/midori.profile index e46a6baa2..046c45d94 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # Midori browser profile | 1 | # Midori browser profile |
2 | noblacklist ${HOME}/.config/midori | 2 | noblacklist ${HOME}/.config/midori |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | |
8 | caps.drop all | 7 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | # noroot - noroot break midori on Ubuntu 14.04 | ||
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
12 | 13 | ||
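Review bot: Replacing `disable-secret.inc` (old line 4) with `disable-programs.inc` leaves no `disable-passwdmgr.inc` counterpart here, whereas lxterminal, kmail and gnome-mplayer in this commit add it when they drop the old secret blacklists; since midori has no whitelist at all, the browser keeps the full home directory view, so unless `disable-programs.inc` covers `~/.keepassx`, `~/.lastpass` and `~/.password-store`, those stores have just become visible to it. Add `include /etc/firejail/disable-passwdmgr.inc` after new line 5, or confirm the coverage and note it in a comment.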
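diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7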
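Review bot: `private-bin mpv,youtube-dl,python2.7` on line 18 puts the youtube-dl launcher and an interpreter into the private `/bin`, but `disable-devel.inc` on line 6 is still included and, going by the `noblacklist /usr/lib/python2*` exception hexchat.profile adds in this same commit, that include hides the Python library tree, so youtube-dl will likely fail to import anything. Either add `noblacklist /usr/lib/python2*` above the includes or drop youtube-dl from the private-bin list, and replace `# to test` with a comment saying what still needs testing.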
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 239ab3a80..d4b442df8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -1,10 +1,13 @@ | |||
1 | # mupen64plus profile | 1 | # mupen64plus profile |
2 | # manually whitelist ROM files | 2 | # manually whitelist ROM files |
3 | include /etc/firejail/disable-mgmt.inc | 3 | noblacklist ${HOME}/.config/mupen64plus |
4 | include /etc/firejail/disable-secret.inc | 4 | noblacklist ${HOME}/.local/share/mupen64plus |
5 | |||
5 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | |||
8 | mkdir ${HOME}/.local | 11 | mkdir ${HOME}/.local |
9 | mkdir ${HOME}/.local/share | 12 | mkdir ${HOME}/.local/share |
10 | mkdir ${HOME}/.local/share/mupen64plus | 13 | mkdir ${HOME}/.local/share/mupen64plus |
@@ -12,7 +15,9 @@ whitelist ${HOME}/.local/share/mupen64plus/ | |||
12 | mkdir ${HOME}/.config | 15 | mkdir ${HOME}/.config |
13 | mkdir ${HOME}/.config/mupen64plus | 16 | mkdir ${HOME}/.config/mupen64plus |
14 | whitelist ${HOME}/.config/mupen64plus/ | 17 | whitelist ${HOME}/.config/mupen64plus/ |
15 | noroot | 18 | |
16 | caps.drop all | 19 | caps.drop all |
17 | seccomp | ||
18 | net none | 20 | net none |
21 | nonewprivs | ||
22 | noroot | ||
23 | seccomp | ||
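Review bot: `# manually whitelist ROM files` (line 2) tells the user to do something without saying how; since the profile whitelists only its own config and data directories, ROMs stored anywhere else are invisible inside the sandbox. Make it actionable, e.g. `# ROM directories are not whitelisted here; pass --whitelist=<rom directory> on the firejail command line`. The trailing slash on `whitelist ${HOME}/.config/mupen64plus/` (line 17) versus none on the matching `mkdir` is the same inconsistency libreoffice.profile shows with `/tmp/.X11-unix/`.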
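diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..3de6be238
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc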
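Review bot: The header on line 1 reads `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, a leftover from the file it was copied from; it should be `# Firejail profile for NetSurf`. Lines 26–30 also carry the KeePassX/LastPass whitelists over from the Firefox-style profiles; unless NetSurf has a password-manager integration that reads those files, they only widen what the browser sandbox can reach and are better left commented out with a note, as the palemoon section does for its optional entries.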
diff --git a/etc/nolocal.net b/etc/nolocal.net index 9c0c6e125..9fa785450 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net | |||
@@ -4,7 +4,8 @@ | |||
4 | :OUTPUT ACCEPT [0:0] | 4 | :OUTPUT ACCEPT [0:0] |
5 | 5 | ||
6 | ################################################################### | 6 | ################################################################### |
7 | # Client filter rejecting local network traffic, with the exception of DNS traffic | 7 | # Client filter rejecting local network traffic, with the exception of |
8 | # DNS traffic | ||
8 | # | 9 | # |
9 | # Usage: | 10 | # Usage: |
10 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox | 11 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox |
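diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..c9c342b15
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,23 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11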
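diff --git a/etc/openbox.profile b/etc/openbox.profile
new file mode 100644
index 000000000..f812768a1
--- /dev/null
+++ b/etc/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp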
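Review bot: The header (lines 1–4) says every application started from OpenBox inherits this profile, which makes the omissions as important as the settings: there is no `nonewprivs`, presumably because a child that exec's a setuid helper — including `firejail` itself when launched from a menu entry — would otherwise fail, but nothing says so, and the next hardening pass will "fix" it. Add a comment next to `caps.drop all` such as `# nonewprivs deliberately omitted: child applications may need setuid helpers (including firejail)`, and note likewise that `seccomp` and `caps.drop all` are inherited by every launched program.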
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 91eb10787..3d6edb286 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -1,12 +1,9 @@ | |||
1 | # Opera-beta browser profile | 1 | # Opera-beta browser profile |
2 | noblacklist ~/.config/opera-beta | 2 | noblacklist ~/.config/opera-beta |
3 | noblacklist ~/.cache/opera-beta | 3 | noblacklist ~/.cache/opera-beta |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | netfilter | 8 | netfilter |
12 | 9 | ||
diff --git a/etc/opera.profile b/etc/opera.profile index 08bbd5a06..ff00eb349 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -1,12 +1,10 @@ | |||
1 | # Opera browser profile | 1 | # Opera browser profile |
2 | noblacklist ~/.config/opera | 2 | noblacklist ~/.config/opera |
3 | noblacklist ~/.cache/opera | 3 | noblacklist ~/.cache/opera |
4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/.opera |
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 8 | ||
11 | netfilter | 9 | netfilter |
12 | 10 | ||
@@ -17,6 +15,8 @@ whitelist ~/.config/opera | |||
17 | mkdir ~/.cache | 15 | mkdir ~/.cache |
18 | mkdir ~/.cache/opera | 16 | mkdir ~/.cache/opera |
19 | whitelist ~/.cache/opera | 17 | whitelist ~/.cache/opera |
18 | mkdir ~/.opera | ||
19 | whitelist ~/.opera | ||
20 | mkdir ~/.pki | 20 | mkdir ~/.pki |
21 | whitelist ~/.pki | 21 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
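--- /dev/null
+++ b/etc/palemoon.profile
@@ -0,0 +1,58 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache
+mkdir ~/.cache/moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)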
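Review bot: Lines 50-54 whitelist the KeePassX and LastPass stores (`~/.keepassx`, `~/keepassx.kdbx`, `~/.lastpass`, ...) into the browser jail unconditionally, while every other optional integration in this file (lines 31-46) is shipped commented out. A password database is the most valuable file a compromised browser process could reach, and only users of a browser-integration plugin need it visible. Ship these five lines commented out like the rest, with the heading changed to `# lastpass, keepassx - uncomment only if you use a browser integration plugin`. Line 7 also includes whitelist-common.inc before the profile's own whitelist entries, whereas the sibling profiles include it last; if firejail treats whitelist directives as an unordered set this is harmless, but matching the others avoids the question.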
diff --git a/etc/parole.profile b/etc/parole.profile index fd49bcf07..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -1,18 +1,16 @@ | |||
1 | # Profile for Parole, the default XFCE4 media player | 1 | # Profile for Parole, the default XFCE4 media player |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | |||
7 | private-etc passwd,group,fonts | 7 | private-etc passwd,group,fonts |
8 | private-bin parole,dbus-launch | 8 | private-bin parole,dbus-launch |
9 | blacklist ${HOME}/.pki/nssdb | 9 | |
10 | blacklist ${HOME}/.lastpass | ||
11 | blacklist ${HOME}/.keepassx | ||
12 | blacklist ${HOME}/.password-store | ||
13 | caps.drop all | 10 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
17 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
18 | shell none | 16 | shell none |
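Review bot: The explicit `blacklist ${HOME}/.pki/nssdb` (old line 9) is dropped together with the password-manager blacklists, but the replacement `include /etc/firejail/disable-passwdmgr.inc` (new line 5) is, by its name, about password managers; whether it or disable-common.inc also covers the NSS certificate/key database is not visible in this diff. If neither does, a media player now gains read access to `~/.pki/nssdb`. Keep the line until that is confirmed: `blacklist ${HOME}/.pki/nssdb`. The same removal is made in the qbittorrent, rhythmbox, totem, transmission-gtk and transmission-qt sections.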
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 54bedccc8..3df2cafa6 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -1,12 +1,20 @@ | |||
1 | # Pidgin profile | 1 | # Pidgin profile |
2 | noblacklist ${HOME}/.purple | 2 | noblacklist ${HOME}/.purple |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.wine | 7 | include /etc/firejail/disable-programs.inc |
8 | |||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | 10 | netfilter |
11 | protocol unix,inet,inet6 | 11 | nonewprivs |
12 | nogroups | ||
12 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin pidgin | ||
20 | private-dev | ||
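Review bot: New line 20 adds `private-dev` to a client that supports voice and video, and the palemoon section of this same commit explicitly leaves private-dev disabled because it interferes with webcam use. If the trade-off is intended here, record it so it is not later reported as a regression: `# private-dev: webcam/voice chat may not work, see the note in palemoon.profile`. Otherwise the line should follow palemoon and stay commented out.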
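--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,23 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+whitelist /tmp/.X11-unix
+private-dev
+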
diff --git a/etc/polari.profile b/etc/polari.profile index 26d5ff27b..366883c83 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -1,9 +1,8 @@ | |||
1 | # Polari IRC profile | 1 | # Polari IRC profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | mkdir ${HOME}/.local | 6 | mkdir ${HOME}/.local |
8 | mkdir ${HOME}/.local/share/ | 7 | mkdir ${HOME}/.local/share/ |
9 | mkdir ${HOME}/.local/share/Empathy | 8 | mkdir ${HOME}/.local/share/Empathy |
@@ -21,9 +20,10 @@ whitelist ${HOME}/.cache/telepathy | |||
21 | mkdir ${HOME}/.purple | 20 | mkdir ${HOME}/.purple |
22 | whitelist ${HOME}/.purple | 21 | whitelist ${HOME}/.purple |
23 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | caps.drop all | 24 | caps.drop all |
25 | seccomp | ||
26 | protocol unix,inet,inet6 | ||
27 | noroot | ||
28 | netfilter | 25 | netfilter |
29 | 26 | nonewprivs | |
27 | noroot | ||
28 | protocol unix,inet,inet6 | ||
29 | seccomp | ||
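Review bot: The removed `include /etc/firejail/disable-secret.inc` (old line 3) is not replaced by `disable-passwdmgr.inc` here, unlike parole, pidgin and most other profiles in this commit, so unless the entries of disable-secret.inc were folded into disable-common.inc (not visible in this diff) the IRC client loses its blacklist of secret material. Add `include /etc/firejail/disable-passwdmgr.inc` after new line 4, or note why it is omitted. The same gap is in the quassel, skype, telegram and uget-gtk sections.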
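--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp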
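Review bot: The hardening block at lines 23-27 lacks `nonewprivs`, which this commit adds to nearly every other profile and which is what keeps a setuid helper from regaining the capabilities dropped on line 23; `nogroups`, `shell none` and `tracelog`, present in the sibling qtox and stellarium profiles, are missing too. Add `nonewprivs` and `nogroups` after `netfilter` on line 24. `disable-devel.inc` is also not included, which may be deliberate for a chat client but deserves a comment.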
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index f067aaa99..138b6db55 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -1,19 +1,20 @@ | |||
1 | # qbittorrent bittorrent profile | 1 | # qbittorrent bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
16 | noroot | 10 | noroot |
17 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
18 | 14 | ||
19 | 15 | # there are some problems with "Open destination folder", see bug #536 | |
16 | #shell none | ||
17 | #private-bin qbittorrent | ||
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | ||
20 | nosound | ||
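Review bot: `nosound` appears twice on the new side (lines 11 and 20); the duplicate on line 20 should be dropped. The rtorrent section has the same duplicate (new lines 11 and 19). The `#shell none` / `#private-bin qbittorrent` lines with the bug reference are fine as a record of the known problem.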
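--- /dev/null
+++ b/etc/qtox.profile
@@ -0,0 +1,22 @@
+# qTox instant messaging profile
+noblacklist ${HOME}/.config/tox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox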
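Review bot: Line 8 creates `${HOME}/.config/tox` without first creating `${HOME}/.config`, whereas the psi-plus, quiterss and stellarium profiles in this commit chain `mkdir ~/.config` before the subdirectory; if firejail's `mkdir` directive does not create parents, the whitelist on line 9 has nothing to mount on a fresh home. Add `mkdir ${HOME}/.config` before line 8. The qutebrowser section (new line 18, `mkdir ~/.config/qutebrowser`) has the same gap. This profile also omits `include /etc/firejail/whitelist-common.inc`, which the other whitelist-based profiles here include; confirm that is intended.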
diff --git a/etc/quassel.profile b/etc/quassel.profile index bc8c76915..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
@@ -1,13 +1,11 @@ | |||
1 | # Quassel IRC profile | 1 | # Quassel IRC profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | blacklist ${HOME}/.wine | ||
8 | caps.drop all | 6 | caps.drop all |
9 | seccomp | 7 | nonewprivs |
10 | protocol unix,inet,inet6 | ||
11 | noroot | 8 | noroot |
12 | netfilter | 9 | netfilter |
13 | 10 | protocol unix,inet,inet6 | |
11 | seccomp | ||
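--- /dev/null
+++ b/etc/quiterss.profile
@@ -0,0 +1,32 @@
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${HOME}/quiterssfeeds.opml
+mkdir ~/.config
+mkdir ~/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRssrc
+mkdir ~/.local
+mkdir ~/.local/share
+whitelist ${HOME}/.local/share/
+mkdir ~/.cache
+mkdir ~/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+private-bin quiterss
+private-dev
+nosound
+#private-etc X11,ssl
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+include /etc/firejail/whitelist-common.inc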
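Review bot: Line 13 whitelists the whole of `${HOME}/.local/share/` rather than the application's own directory, so everything other programs keep under it becomes visible inside the jail; lines 9 and 16 scope `.config` and `.cache` to QuiteRss, and `.local/share` should be narrowed the same way once the exact directory name is confirmed, e.g. `mkdir ~/.local/share/QuiteRss` and `whitelist ${HOME}/.local/share/QuiteRss`. This is also the only new profile without a header comment; add `# Firejail profile for QuiteRss` as line 1.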
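--- /dev/null
+++ b/etc/qutebrowser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+
+noblacklist ~/.config/qutebrowser
+noblacklist ~/.cache/qutebrowser
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/qutebrowser
+whitelist ~/.config/qutebrowser
+mkdir ~/.cache
+mkdir ~/.cache/qutebrowser
+whitelist ~/.cache/qutebrowser
+include /etc/firejail/whitelist-common.inc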
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index a1a20a863..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # Rhythmbox media player profile | 1 | # Rhythmbox media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nogroups |
14 | protocol unix,inet,inet6 | ||
15 | noroot | ||
16 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | shell none | ||
15 | tracelog | ||
17 | 16 | ||
17 | private-bin rhythmbox | ||
18 | private-dev | ||
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 6041052af..15df2c374 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -1,12 +1,19 @@ | |||
1 | # rtorrent bittorrent profile | 1 | # rtorrent bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | |||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
11 | noroot | 10 | noroot |
12 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
15 | shell none | ||
16 | private-bin rtorrent | ||
17 | whitelist /tmp/.X11-unix | ||
18 | private-dev | ||
19 | nosound | ||
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b896af97a..9ce4164c1 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -1,19 +1,17 @@ | |||
1 | # Firejail profile for Seamoneky based off Mozilla Firefox | 1 | # Firejail profile for Seamoneky based off Mozilla Firefox |
2 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
3 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | caps.drop all | 8 | caps.drop all |
12 | seccomp | ||
13 | protocol unix,inet,inet6,netlink | ||
14 | netfilter | 9 | netfilter |
15 | tracelog | 10 | nonewprivs |
16 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | tracelog | ||
17 | 15 | ||
18 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
19 | mkdir ~/.mozilla | 17 | mkdir ~/.mozilla |
@@ -44,13 +42,10 @@ whitelist ~/.lastpass | |||
44 | whitelist ~/.config/lastpass | 42 | whitelist ~/.config/lastpass |
45 | 43 | ||
46 | #silverlight | 44 | #silverlight |
47 | whitelist ~/.wine-pipelight | 45 | whitelist ~/.wine-pipelight |
48 | whitelist ~/.wine-pipelight64 | 46 | whitelist ~/.wine-pipelight64 |
49 | whitelist ~/.config/pipelight-widevine | 47 | whitelist ~/.config/pipelight-widevine |
50 | whitelist ~/.config/pipelight-silverlight5.1 | 48 | whitelist ~/.config/pipelight-silverlight5.1 |
51 | 49 | ||
52 | |||
53 | |||
54 | # experimental features | 50 | # experimental features |
55 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 51 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
56 | |||
diff --git a/etc/server.profile b/etc/server.profile index 5471aed91..88331d951 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -2,9 +2,13 @@ | |||
2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
3 | noblacklist /sbin | 3 | noblacklist /sbin |
4 | noblacklist /usr/sbin | 4 | noblacklist /usr/sbin |
5 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
6 | private | 9 | private |
7 | private-dev | 10 | private-dev |
11 | nosound | ||
8 | private-tmp | 12 | private-tmp |
9 | seccomp | 13 | seccomp |
10 | 14 | ||
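Review bot: `nonewprivs`, `noroot` and `caps.drop all` are added to nearly every other profile in this commit but not to this one, and the new lines 5-8 and 11 leave that untouched; presumably servers need capabilities to bind privileged ports and drop privileges themselves, but nothing in the file says so. A comment after line 8 such as `# no caps.drop/noroot/nonewprivs: servers need capabilities to bind privileged ports` would keep a later cleanup from changing it blindly.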
diff --git a/etc/skype.profile b/etc/skype.profile index a33cc339d..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Skype profile | 1 | # Skype profile |
2 | noblacklist ${HOME}/.Skype | 2 | noblacklist ${HOME}/.Skype |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | |
8 | caps.drop all | 7 | caps.drop all |
9 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | noroot | 10 | noroot |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
12 | seccomp | ||
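--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,14 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.keep chown,sys_admin
+
+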
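Review bot: Line 12 `caps.keep chown,sys_admin` retains CAP_SYS_ADMIN, which the kernel's own capability documentation singles out as so broad (mount and namespace operations among many others) that it is effectively root-equivalent, and the profile sets none of `seccomp`, `noroot`, `nonewprivs` or `netfilter` that every other profile here uses. Whatever containment this file provides therefore comes almost entirely from the blacklist and whitelist includes on lines 4-10, and the header should say so before anyone mistakes it for a hardened profile. Add above line 12: `# sys_admin is kept for the snap runtime (confirm); it is near-root, so this profile is far weaker than the others`. If the snap runtime does not in fact require the capability, drop it.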
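--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+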
diff --git a/etc/spotify.profile b/etc/spotify.profile index 1986a513c..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -1,11 +1,14 @@ | |||
1 | # Spotify media player profile | 1 | # Spotify media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/spotify |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/spotify |
4 | noblacklist ${HOME}/.local/share/spotify | ||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | 9 | ||
7 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify - This is more restrictive |
8 | # than a blacklist though, but this is all spotify requires for | 11 | # than a blacklist though, but this is all spotify requires for |
9 | # streaming audio | 12 | # streaming audio |
10 | mkdir ${HOME}/.config | 13 | mkdir ${HOME}/.config |
11 | mkdir ${HOME}/.config/spotify | 14 | mkdir ${HOME}/.config/spotify |
@@ -20,8 +23,13 @@ whitelist ${HOME}/.cache/spotify | |||
20 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
21 | 24 | ||
22 | caps.drop all | 25 | caps.drop all |
23 | seccomp | ||
24 | protocol unix,inet,inet6,netlink | ||
25 | netfilter | 26 | netfilter |
27 | nogroups | ||
28 | nonewprivs | ||
26 | noroot | 29 | noroot |
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp | ||
32 | shell none | ||
27 | 33 | ||
34 | private-bin spotify | ||
35 | private-dev | ||
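--- /dev/null
+++ b/etc/ssh.profile
@@ -0,0 +1,13 @@
+# ssh client
+noblacklist ~/.ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp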
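Review bot: The profile has no `shell none`, `private-bin` or `disable-devel.inc`, unlike the other new client profiles in this commit, and nothing says why; ssh runs `ProxyCommand`/`LocalCommand` and askpass helpers from the user's config, which is presumably the reason, but it should be written down. Add after line 2: `# no shell none/private-bin: ssh runs ProxyCommand, LocalCommand and askpass helpers from ~/.ssh/config`. Since line 2 exposes all of `~/.ssh` including private keys, a comment that `~/.ssh/config` is trusted input for this jail would also help.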
diff --git a/etc/steam.profile b/etc/steam.profile index dc17c7a0f..b15a54be9 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -1,13 +1,14 @@ | |||
1 | # Steam profile (applies to games/apps launched from Steam as well) | 1 | # Steam profile (applies to games/apps launched from Steam as well) |
2 | noblacklist ${HOME}/.steam | 2 | noblacklist ${HOME}/.steam |
3 | noblacklist ${HOME}/.local/share/steam | 3 | noblacklist ${HOME}/.local/share/steam |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-secret.inc | ||
6 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | |||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
11 | noroot | 12 | noroot |
12 | seccomp | ||
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | seccomp | ||
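--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+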
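--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,8 @@
+# strings profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound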
diff --git a/etc/telegram.profile b/etc/telegram.profile index 94167675c..8e91e426b 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -1,17 +1,13 @@ | |||
1 | # Telegram IRC profile | 1 | # Telegram IRC profile |
2 | noblacklist ${HOME}/.TelegramDesktop | 2 | noblacklist ${HOME}/.TelegramDesktop |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 6 | ||
9 | caps.drop all | 7 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | ||
12 | noroot | ||
13 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | noroot | ||
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
14 | 13 | ||
15 | whitelist ~/Downloads/Telegram Desktop | ||
16 | mkdir ${HOME}/.TelegramDesktop | ||
17 | whitelist ~/.TelegramDesktop | ||
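Review bot: The hunk header (17 old lines, 13 new) and the gutter numbering indicate that old lines 15-17 — `whitelist ~/Downloads/Telegram Desktop`, `mkdir ${HOME}/.TelegramDesktop`, `whitelist ~/.TelegramDesktop` — are removed without replacement, so the profile drops out of whitelist mode and the entire home directory (minus the disable-*.inc blacklists) becomes readable by the client; the rendering makes the side of these lines hard to read, so this is inferred from the counts. If the move to blacklist mode is not intended, keep the three lines. If it is intended, the reason belongs in a comment, since every other messaging profile in this commit stays whitelist-based.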
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index f608f5467..7882367b9 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -1,26 +1,19 @@ | |||
1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian) | 1 | # Firejail profile for Mozilla Thunderbird |
2 | noblacklist ${HOME}/.gnupg | ||
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | |||
7 | # Users have thunderbird set to open a browser by clicking a link in an email | 2 | # Users have thunderbird set to open a browser by clicking a link in an email |
8 | # We are not allowed to blacklist browser-specific directories | 3 | # We are not allowed to blacklist browser-specific directories |
9 | #include /etc/firejail/disable-common.inc thunderbird icedove | ||
10 | blacklist ${HOME}/.adobe | ||
11 | blacklist ${HOME}/.macromedia | ||
12 | blacklist ${HOME}/.filezilla | ||
13 | blacklist ${HOME}/.config/filezilla | ||
14 | blacklist ${HOME}/.purple | ||
15 | blacklist ${HOME}/.config/psi+ | ||
16 | blacklist ${HOME}/.remmina | ||
17 | blacklist ${HOME}/.tconn | ||
18 | 4 | ||
5 | noblacklist ~/.gnupg | ||
6 | mkdir ~/.gnupg | ||
7 | whitelist ~/.gnupg | ||
8 | |||
9 | noblacklist ~/.thunderbird | ||
10 | mkdir ~/.thunderbird | ||
11 | whitelist ~/.thunderbird | ||
12 | |||
13 | noblacklist ~/.cache/thunderbird | ||
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/thunderbird | ||
16 | whitelist ~/.cache/thunderbird | ||
19 | 17 | ||
20 | caps.drop all | 18 | include /etc/firejail/firefox.profile |
21 | seccomp | ||
22 | protocol unix,inet,inet6 | ||
23 | netfilter | ||
24 | tracelog | ||
25 | noroot | ||
26 | 19 | ||
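Review bot: New line 18 `include /etc/firejail/firefox.profile` makes the mail client inherit every directive of the browser profile, which is not visible here; judging by the seamonkey section of this same commit (a profile "based off Mozilla Firefox" that keeps `whitelist ~/.lastpass`, `~/.config/lastpass` and the wine-pipelight directories), Thunderbird likely gains access to password-manager stores and plugin directories it never needed, on top of the `~/.gnupg` keyring whitelisted on line 7. The retained comment on lines 2-3 explains why browser directories cannot be blacklisted, but including the browser profile outright goes further than not blacklisting them. Consider listing the shared hardening directives directly instead of the include, or at least document the inheritance: `# firefox.profile also whitelists browser plugin and password-manager directories`.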
diff --git a/etc/totem.profile b/etc/totem.profile index f2485a2d0..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -1,16 +1,15 @@ | |||
1 | # Totem media player profile | 1 | # Totem media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ~/.config/totem |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ~/.local/share/totem |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | 11 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 12 | noroot |
16 | netfilter | 13 | netfilter |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 18356a91e..fa5c3b22b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -1,22 +1,23 @@ | |||
1 | # transmission-gtk profile | 1 | # transmission-gtk bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/transmission |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/transmission |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
16 | noroot | 13 | noroot |
17 | tracelog | ||
18 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | tracelog | ||
19 | 18 | ||
20 | 19 | shell none | |
21 | 20 | private-bin transmission-gtk | |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | ||
22 | 23 | ||
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index cd07f35c7..754211a63 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -1,20 +1,22 @@ | |||
1 | # transmission-qt profile | 1 | # transmission-qt bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/transmission |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/transmission |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
16 | noroot | 13 | noroot |
17 | tracelog | ||
18 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | tracelog | ||
19 | 18 | ||
20 | 19 | shell none | |
20 | private-bin transmission-qt | ||
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 3b27c00ba..269f8f0fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -1,16 +1,26 @@ | |||
1 | # uGet profile | 1 | # uGet profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/uGet |
3 | include /etc/firejail/disable-secret.inc | 3 | |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 7 | |
7 | caps.drop all | 8 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
12 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
13 | mkdir ~/.config | 16 | mkdir ~/.config |
14 | mkdir ~/.config/uGet | 17 | mkdir ~/.config/uGet |
15 | whitelist ~/.config/uGet | 18 | whitelist ~/.config/uGet |
16 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
20 | |||
21 | shell none | ||
22 | private-bin uget-gtk | ||
23 | whitelist /tmp/.X11-unix | ||
24 | private-dev | ||
25 | nosound | ||
26 | |||
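Review bot: `private-dev` and `nosound` (new lines 24-25) are appended after the whitelist block instead of sitting with the other restrictions at lines 8-13, and `nogroups` and `tracelog`, which the other profiles in this commit add alongside `nonewprivs`, are missing; move the two lines up and add `nogroups` and `tracelog` there unless a uGet plugin needs supplementary groups. This profile drops disable-secret.inc without adding disable-passwdmgr.inc, which is presumably fine because the home directory is whitelist-only (`${DOWNLOADS}`, `~/.config/uGet`, whitelist-common.inc); a comment such as `# home is whitelist-only, so no disable-passwdmgr.inc needed` would stop a later reader from re-adding it.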
diff --git a/etc/unbound.profile b/etc/unbound.profile index c4f009159..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # security profile for unbound (https://unbound.net) | 1 | # security profile for unbound (https://unbound.net) |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 12 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 13 | ||
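Review bot: The `seccomp.drop` list on new line 12 names `perf_event_open` twice (once after `lookup_dcookie` and again as the last entry); drop the trailing duplicate so the list stays readable and so nobody wonders whether the repetition is meaningful. The list looks like a hand-maintained copy of a default filter, and nothing in the profile says why plain `seccomp` is not used, presumably because unbound needs a call the default filter blocks; record the reason in a comment, e.g. `# custom seccomp list: unbound needs <syscall>, which the default filter drops`. The profile also has no `caps.drop`/`noroot`, which is consistent with unbound binding port 53 as root and dropping privileges itself, but that too deserves a one-line comment.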
diff --git a/etc/uudeview.profile b/etc/uudeview.profile new file mode 100644 index 000000000..8218ac959 --- /dev/null +++ b/etc/uudeview.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # uudeview profile | ||
2 | # the default profile will disable root user, enable seccomp filter etc. | ||
3 | include /etc/firejail/default.profile | ||
4 | |||
5 | tracelog | ||
6 | net none | ||
7 | shell none | ||
8 | private-bin uudeview | ||
9 | private-dev | ||
10 | private-tmp | ||
11 | private-etc nonexisting_fakefile_for_empty_etc | ||
12 | hostname uudeview | ||
13 | nosound | ||
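Review bot: `private-etc nonexisting_fakefile_for_empty_etc` (new line 11) relies on naming a file that does not exist to end up with an empty /etc, and nothing says so; add `# private-etc with a non-existent entry yields an empty /etc; uudeview needs nothing from it` above it so the trick is not "corrected" later. If uudeview does turn out to read something from /etc (locale or nsswitch data, for example), list those files explicitly instead of the placeholder. With `net none`, `private-bin uudeview`, `private-dev` and `private-tmp` the rest of the profile is appropriately tight for what is presumably a local-file decoder.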
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index daab0b81a..2049d2bd9 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -1,14 +1,12 @@ | |||
1 | # Vivaldi browser profile | 1 | # Vivaldi browser profile |
2 | noblacklist ~/.config/vivaldi | 2 | noblacklist ~/.config/vivaldi |
3 | noblacklist ~/.cache/vivaldi | 3 | noblacklist ~/.cache/vivaldi |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
12 | 10 | ||
13 | whitelist ${DOWNLOADS} | 11 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 12 | mkdir ~/.config |
diff --git a/etc/vlc.profile b/etc/vlc.profile index adcfbb119..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -1,17 +1,19 @@ | |||
1 | # VLC media player profile | 1 | # VLC media player profile |
2 | noblacklist ${HOME}/.config/vlc | 2 | noblacklist ${HOME}/.config/vlc |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | noroot | ||
17 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | noroot | ||
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | |||
16 | |||
17 | # to test | ||
18 | shell none | ||
19 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
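Review bot: The `# to test` comment at new line 17 marks `shell none` and `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` as unverified but ships them; if `cvlc`, `nvlc`, `rvlc`, `qvlc` and `svlc` are the usual shell wrappers around `vlc -I …`, they will fail inside `private-bin` because no `sh` is listed. Either confirm they are native binaries on the targeted distributions or change the line to `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc,sh`, and replace the vague comment with what is actually untested, e.g. `# private-bin: the *vlc wrappers need sh if they are shell scripts`. The double blank line at new 15-16 can be collapsed to one.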
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile new file mode 100644 index 000000000..ff37e2800 --- /dev/null +++ b/etc/warzone2100.profile | |||
@@ -0,0 +1,25 @@ | |||
1 | # Firejail profile for warzone2100 | ||
2 | # Currently supports warzone2100-3.1 | ||
3 | noblacklist ~/.warzone2100-3.1 | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | |||
9 | # Whitelist | ||
10 | mkdir ~/.warzone2100-3.1 | ||
11 | whitelist ~/.warzone2100-3.1 | ||
12 | |||
13 | # Call these options | ||
14 | caps.drop all | ||
15 | netfilter | ||
16 | nogroups | ||
17 | nonewprivs | ||
18 | noroot | ||
19 | protocol unix,inet,inet6,netlink | ||
20 | seccomp | ||
21 | shell none | ||
22 | tracelog | ||
23 | |||
24 | private-bin warzone2100 | ||
25 | private-dev | ||
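Review bot: `protocol unix,inet,inet6,netlink` (new line 19) is the only profile in this commit that opens netlink sockets, and the comment `# Call these options` above the block does not explain why; replace it with the reason, e.g. `# netlink: needed for <feature>` — if it is only for interface enumeration in the multiplayer lobby, say so, otherwise drop `netlink` to match the other game profile here. The `# Currently supports warzone2100-3.1` header plus the version-pinned `~/.warzone2100-3.1` whitelist means a newer release that writes elsewhere will find no writable home at all; a note to bump the path (or add a second `noblacklist`/`mkdir`/`whitelist` triple) on upgrade would help the next maintainer.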
diff --git a/etc/weechat.profile b/etc/weechat.profile index 3fbce62ca..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
@@ -1,12 +1,15 @@ | |||
1 | # Weechat IRC profile | 1 | # Weechat IRC profile |
2 | noblacklist ${HOME}/.weechat | 2 | noblacklist ${HOME}/.weechat |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | caps.drop all | 6 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
11 | noroot | 9 | noroot |
12 | netfilter | 10 | protocol unix,inet,inet6 |
11 | seccomp | ||
12 | |||
13 | # no private-bin support for various reasons: | ||
14 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, | ||
15 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file | ||
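Review bot: The profile is blacklist-based (only `noblacklist ${HOME}/.weechat`, no whitelist), and the hunk removes disable-secret.inc without adding disable-passwdmgr.inc as the other blacklist-style profiles in this commit do (vlc, transmission-qt, unbound); unless disable-common.inc or disable-programs.inc already cover the password-manager stores, add `include /etc/firejail/disable-passwdmgr.inc` after new line 4. The comment at new line 15 ends in `xferloading plugins`, which reads like a pasted plugin list with a stray fragment, and the file now has no trailing newline; change it to `# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xfer` and terminate the file. Since the scripting plugins run interpreters inside the sandbox, the comment explaining why there is no `private-bin` is worth keeping accurate.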
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a5b6127df..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
@@ -1,15 +1,18 @@ | |||
1 | # Whitelist-based profile for "Battle for Wesnoth" (game). | 1 | # Whitelist-based profile for "Battle for Wesnoth" (game). |
2 | noblacklist ${HOME}/.config/wesnoth | ||
3 | noblacklist ${HOME}/.cache/wesnoth | ||
4 | noblacklist ${HOME}/.local/share/wesnoth | ||
2 | 5 | ||
3 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-mgmt.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 10 | ||
9 | caps.drop all | 11 | caps.drop all |
10 | seccomp | 12 | nonewprivs |
11 | protocol unix,inet,inet6 | ||
12 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
13 | 16 | ||
14 | private-dev | 17 | private-dev |
15 | 18 | ||
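Review bot: Compared with the other game profile in this commit (warzone2100), the restriction block at new lines 11-15 lacks `nogroups`, `shell none` and `tracelog`; `shell none` and `nogroups` are cheap additions unless Wesnoth needs supplementary groups, and `tracelog` helps when tuning the profile. `netfilter` is also absent, which as I understand it only matters when the sandbox gets its own network namespace, so it can stay out, but a comment saying so would stop it from being "fixed" later. The header calls this a whitelist-based profile yet no `whitelist` line appears within the hunk; if the whitelist block follows line 18 that is fine, otherwise the `noblacklist` lines at 2-4 do not by themselves hide the rest of the home directory.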
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..b3a1a1d30 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -1,5 +1,6 @@ | |||
1 | # common whitelist for all profiles | 1 | # common whitelist for all profiles |
2 | 2 | ||
3 | whitelist ~/.XCompose | ||
3 | whitelist ~/.config/mimeapps.list | 4 | whitelist ~/.config/mimeapps.list |
4 | whitelist ~/.icons | 5 | whitelist ~/.icons |
5 | whitelist ~/.config/user-dirs.dirs | 6 | whitelist ~/.config/user-dirs.dirs |
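Review bot: `whitelist ~/.XCompose` (new line 3) gives every whitelist-based profile read-write access to the user's compose-key map, so a compromised sandboxed application could rewrite a file that the user's other X clients read on startup; if the installed firejail supports it, follow it with `read-only ~/.XCompose` so sandboxes can read the map but not alter it. The neighbouring entries (`mimeapps.list`, `user-dirs.dirs`, `.icons`) are the same class of per-user configuration and would benefit from the same treatment, though they are outside this change.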
diff --git a/etc/wine.profile b/etc/wine.profile index ae1f5d1b6..18e5346af 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -2,12 +2,13 @@ | |||
2 | noblacklist ${HOME}/.steam | 2 | noblacklist ${HOME}/.steam |
3 | noblacklist ${HOME}/.local/share/steam | 3 | noblacklist ${HOME}/.local/share/steam |
4 | noblacklist ${HOME}/.wine | 4 | noblacklist ${HOME}/.wine |
5 | include /etc/firejail/disable-mgmt.inc | 5 | |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | 9 | |
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
12 | noroot | 13 | noroot |
13 | seccomp | 14 | seccomp |
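Review bot: The hunk adds `nonewprivs` but the profile still has no `protocol` line, while every other profile touched here restricts sockets with `protocol unix,inet,inet6`; unless a Windows program under wine is known to need other socket families, add `protocol unix,inet,inet6` between `noroot` and `seccomp`. `nogroups` is missing for the same consistency reason. The profile starts before line 2 and may continue past line 13, so I cannot tell whether `private-dev` or `nosound` follows.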
diff --git a/etc/xchat.profile b/etc/xchat.profile index e2dcadc0e..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # XChat IRC profile | 1 | # XChat IRC profile |
2 | noblacklist ${HOME}/.config/xchat | 2 | noblacklist ${HOME}/.config/xchat |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | |
8 | blacklist ${HOME}/.wine | ||
9 | caps.drop all | 8 | caps.drop all |
10 | seccomp | 9 | nonewprivs |
11 | protocol unix,inet,inet6 | ||
12 | noroot | 10 | noroot |
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
13 | |||
14 | # private-bin requires perl, python, etc. | ||
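Review bot: This is a blacklist-only profile (`noblacklist ${HOME}/.config/xchat`, no whitelist), and the hunk removes disable-secret.inc and the explicit `blacklist ${HOME}/.wine` without adding disable-passwdmgr.inc, which vlc and transmission-qt in the same commit do; add `include /etc/firejail/disable-passwdmgr.inc` after disable-devel.inc unless disable-programs.inc is known to cover both the password stores and `~/.wine`. The closing comment is useful; making it state the consequence, e.g. `# no private-bin: xchat's plugins need perl, python, etc.`, tells the reader that the omission is deliberate.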
diff --git a/etc/xplayer.profile b/etc/xplayer.profile new file mode 100644 index 000000000..a46b2fa06 --- /dev/null +++ b/etc/xplayer.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Xplayer profile | ||
2 | noblacklist ~/.config/xplayer | ||
3 | noblacklist ~/.local/share/xplayer | ||
4 | |||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | |||
10 | caps.drop all | ||
11 | netfilter | ||
12 | nonewprivs | ||
13 | nogroups | ||
14 | noroot | ||
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | ||
21 | private-dev | ||
diff --git a/etc/xreader.profile b/etc/xreader.profile new file mode 100644 index 000000000..ac7d34022 --- /dev/null +++ b/etc/xreader.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Xreader profile | ||
2 | noblacklist ~/.config/xreader | ||
3 | noblacklist ~/.cache/xreader | ||
4 | noblacklist ~/.local/share | ||
5 | |||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | ||
9 | include /etc/firejail/disable-passwdmgr.inc | ||
10 | |||
11 | caps.drop all | ||
12 | nogroups | ||
13 | nonewprivs | ||
14 | noroot | ||
15 | nosound | ||
16 | protocol unix | ||
17 | seccomp | ||
18 | shell none | ||
19 | tracelog | ||
20 | |||
21 | private-bin xreader, xreader-previewer, xreader-thumbnailer | ||
22 | private-dev | ||
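Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` (new line 21) has spaces after the commas, which no other private-bin line in this commit has; if firejail splits the list on `,` alone, the last two entries become ` xreader-previewer` and ` xreader-thumbnailer` and will not be found, so write `private-bin xreader,xreader-previewer,xreader-thumbnailer`. Separately, `noblacklist ~/.local/share` (line 4) re-exposes the whole of ~/.local/share rather than the application's own directory; xplayer in the same commit uses `noblacklist ~/.local/share/xplayer`, and this profile should likewise name `~/.local/share/xreader` (or whichever subdirectory it actually needs) so disable-programs.inc keeps blacklisting everything else under it.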
diff --git a/etc/xviewer.profile b/etc/xviewer.profile new file mode 100644 index 000000000..7a4ae4858 --- /dev/null +++ b/etc/xviewer.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | noblacklist ~/.config/xviewer | ||
2 | |||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | |||
8 | caps.drop all | ||
9 | nonewprivs | ||
10 | nogroups | ||
11 | noroot | ||
12 | nosound | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | shell none | ||
16 | tracelog | ||
17 | |||
18 | private-dev | ||
19 | private-bin xviewer | ||
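Review bot: The file has no header comment, unlike every other profile in this commit (`# Xreader profile`, `# Xplayer profile`, …); add `# Xviewer profile` as line 1. `private-dev` before `private-bin xviewer` also reverses the order used in xreader and xplayer; swapping them is cosmetic but keeps the profiles uniform. `protocol unix` with no `netfilter` looks intentional for a local image viewer, and a one-line comment such as `# no network needed: protocol unix only` would confirm that for the next reader.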
diff --git a/etc/xz.profile b/etc/xz.profile new file mode 100644 index 000000000..709585acd --- /dev/null +++ b/etc/xz.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | # xz profile | ||
2 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzdec.profile b/etc/xzdec.profile new file mode 100644 index 000000000..ddf2061bf --- /dev/null +++ b/etc/xzdec.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # xzdec profile | ||
2 | include /etc/firejail/default.profile | ||
3 | tracelog | ||
4 | net none | ||
5 | shell none | ||
6 | private-dev | ||
7 | private-tmp | ||
8 | nosound | ||
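Review bot: xzdec inlines its restrictions (new lines 2-8) while the sibling xz.profile added in this commit is a one-line `include /etc/firejail/cpio.profile`; if cpio.profile provides the same set (default.profile plus `net none`, `private-dev`, `private-tmp`, `nosound`), make xzdec `include /etc/firejail/cpio.profile` too so the archive tools stay in sync, otherwise add a comment saying why xzdec differs. Unlike uudeview in the same commit there is also no `private-bin xzdec`; a decoder that only reads its input is a good candidate for it alongside the `shell none` already present.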