Diffstat (limited to 'etc')
43 files changed, 989 insertions, 8 deletions
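diff --git a/etc/amarok.profile b/etc/amarok.profile
new file mode 100644
index 000000000..962865790
--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amorak profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+#private-bin amorak
+private-dev
+private-tmp
+#private-etc none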
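Review bot: `#seccomp` on line 13 ships this network-enabled profile without a syscall filter, and the file gives no reason, so a later maintainer cannot tell whether amarok really failed under the default filter or the line was simply left off during testing. The same unexplained `#seccomp` appears in simple-scan.profile and skanlite.profile in this commit. I would put a one-line comment above each, e.g. `# seccomp disabled: <what breaks>`, so the gap is a recorded decision. Separately, the header and `#private-bin amorak` misspell the program name; the commented line should read `#private-bin amarok`, so that it names the right binary if someone uncomments it.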
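diff --git a/etc/ark.profile b/etc/ark.profile
new file mode 100644
index 000000000..61b4c6f60
--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+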
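diff --git a/etc/atool.profile b/etc/atool.profile
new file mode 100644
index 000000000..3fbfb9fc7
--- /dev/null
+++ b/etc/atool.profile
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+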
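Review bot: Line 4 turns off `disable-devel.inc` as a whole and does not say why, which removes every blacklist entry in that include for a tool that unpacks untrusted archives. If the reason is that atool needs an interpreter the include blocks (an inference, the profile does not say), exiftool.profile in this same commit solves that more narrowly with `noblacklist /usr/bin/perl` plus the two perl library globs while keeping the include. Either mirror that approach here or add a comment naming what requires the include to be off.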
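diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
new file mode 100644
index 000000000..0a71db9f0
--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+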
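Review bot: `disable-programs.inc` is commented out on line 3 and all four `private-*` options are off, so this profile leaves other applications' configuration and data under the home directory reachable, and nothing in the file explains that. It is probably deliberate for a cleaner that has to delete those files, but it should be stated, e.g. `# bleachbit cleans other programs' files, so disable-programs.inc cannot be used`, the way nautilus.profile in this commit documents the same omission.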
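diff --git a/etc/brasero.profile b/etc/brasero.profile
new file mode 100644
index 000000000..66de6fa50
--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts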
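diff --git a/etc/dolphin.profile b/etc/dolphin.profile
new file mode 100644
index 000000000..1a6abb71d
--- /dev/null
+++ b/etc/dolphin.profile
@@ -0,0 +1,23 @@
+# dolphin profile
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+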
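diff --git a/etc/dragon.profile b/etc/dragon.profile
new file mode 100644
index 000000000..09cb73802
--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+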
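diff --git a/etc/elinks.profile b/etc/elinks.profile
new file mode 100644
index 000000000..df817ea56
--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
+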
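diff --git a/etc/enchant.profile b/etc/enchant.profile
new file mode 100644
index 000000000..cf8288919
--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts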
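diff --git a/etc/exiftool.profile b/etc/exiftool.profile
new file mode 100644
index 000000000..384695473
--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
+
+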
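diff --git a/etc/file-roller.profile b/etc/file-roller.profile
new file mode 100644
index 000000000..6116389db
--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts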
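diff --git a/etc/gedit.profile b/etc/gedit.profile
new file mode 100644
index 000000000..a25286bfa
--- /dev/null
+++ b/etc/gedit.profile
@@ -0,0 +1,26 @@
+# gedit profile
+
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
+noblacklist ~/.config/gedit
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gedit
+private-tmp
+private-dev
+# private-etc fonts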
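diff --git a/etc/gjs.profile b/etc/gjs.profile
new file mode 100644
index 000000000..8d71728a2
--- /dev/null
+++ b/etc/gjs.profile
@@ -0,0 +1,28 @@
+# gjs (gnome javascript bindings) profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+noblacklist ~/.config/libreoffice
+noblacklist ~/.local/share/gnome-photos
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+private-tmp
+private-dev
+# private-etc fonts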
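diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
new file mode 100644
index 000000000..10b06e173
--- /dev/null
+++ b/etc/gnome-books.profile
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts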
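Review bot: The commented `# private-bin gjs gnome-books` on line 23 separates the two programs with a space, while gjs.profile and the other `private-bin` lines in this commit use a comma-separated list. The same space-separated form appears in gnome-maps.profile, gnome-photos.profile and gnome-weather.profile. Because these lines are meant to be uncommented once tested, I would write `# private-bin gjs,gnome-books` here, and likewise in the other three, so the restriction applies to both binaries when it is enabled.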
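diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..30adadda1
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,22 @@
+# gnome-clocks profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts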
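diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev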
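diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
@@ -0,0 +1,24 @@
+# gnome-maps profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts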
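diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
new file mode 100644
index 000000000..4a8adeb22
--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts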
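diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
new file mode 100644
index 000000000..8f9d60cb5
--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.local/share/gnome-photos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts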
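diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
new file mode 100644
index 000000000..9f93b8f15
--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts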
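diff --git a/etc/goobox.profile b/etc/goobox.profile
new file mode 100644
index 000000000..8990943fc
--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts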
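diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none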
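diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..31ed8812e
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,24 @@
+# gpg-agent profile
+
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none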
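diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none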
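diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin highlight
+private-tmp
+private-dev
+
+
+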
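diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+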
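diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..6e16d233c
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+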
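diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts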
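diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+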
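diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+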
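diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts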
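diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+
+read-only ${HOME}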
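diff --git a/etc/okular.profile b/etc/okular.profile
index b43a5fbea..22e223cea 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nogroups
+netfilter
 nonewprivs
+nogroups
 noroot
+nosound
 protocol unix
 seccomp
-nosound
+shell none
+tracelog
 
+# private-bin okular,kbuildsycoca4,kbuildsycoca5
+# private-etc X11
 private-dev
-
-#Experimental:
-#net none
-#shell none
-#private-bin okular,kbuildsycoca4,kbuildsycoca5
-#private-etc X11
+private-tmp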
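Review bot: The removed `#Experimental:` block carried `#net none`, and the new side neither enables it nor keeps it as a comment, so the hint that this document viewer can run without any network is lost while `shell none`, `private-bin` and `private-etc` from the same block are all carried over. If `net none` was dropped because it broke something, a one-line comment should record that; otherwise keep `# net none` next to the other commented options. The hunk starts at line 9, so the top of the profile is not visible here.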
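diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
new file mode 100644
index 000000000..632c9d15e
--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none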
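diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
new file mode 100644
index 000000000..03089482b
--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts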
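diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..6e8face75
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+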
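diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..485bd8f3b
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp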
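Review bot: This profile is noticeably looser than the gpg-agent.profile added in the same commit, although both processes hold private key material: it allows `protocol unix,inet,inet6` and leaves out `nogroups`, `shell none`, `tracelog`, `private-dev` and the `disable-devel.inc` include. An agent normally serves its clients over a Unix socket, so `protocol unix` is likely sufficient, though that should be confirmed by testing. If any of the omitted options were found to break the agent, a comment should say which one and why, so the weaker confinement is a documented choice rather than an oversight.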
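diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts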
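diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..88ded649c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none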
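Review bot: `net none` on line 12 together with `protocol unix` on line 16 leaves a BitTorrent client with no usable network, and `private-etc none` on line 24 would most likely take resolv.conf away as well. Apart from the header and the commented `private-bin` line, the profile is identical to transmission-show.profile, where these settings fit because that tool only inspects .torrent files. For the client I would drop `net none`, use `protocol unix,inet,inet6`, and write `# private-etc none` as the elinks and lynx profiles in this commit do. A sandbox profile that breaks the program tends to get the sandbox switched off, which is worse than a slightly wider one.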
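diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none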
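diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none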
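Review bot: `private-etc none` on line 23 is active here, while the elinks and lynx profiles in this commit keep the identical line commented out. With an /etc that holds none of the usual files, a browser that is allowed `inet,inet6` will most likely lose resolv.conf and the system CA certificate store, so name resolution and HTTPS certificate validation can fail. I would write `# private-etc none` to match the other two browser profiles, or replace `none` with the list of files w3m was actually tested to need.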
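diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts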
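diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+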