Diffstat (limited to 'etc')
36 files changed, 209 insertions, 39 deletions
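--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/0ad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-bin 0ad,pyrogenesis,sh,which
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp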
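Review bot: The include that replaces the two removed `noexec` lines is not part of this diff, so the equivalence cannot be checked here; confirm that `disable-exec.inc` still applies `noexec` to both `${HOME}` and `/tmp`, otherwise the swap is a silent loosening for a profile whose `private-bin` list deliberately ships `sh` and `which`. If the include is broader than the old pair (for example also covering `/dev/shm` or `${RUNUSER}`), a one-line comment such as `# disable-exec.inc replaces the former noexec ${HOME} / noexec /tmp lines` would make the migration auditable across the many profiles changed the same way in this commit.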
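--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/xiaoyong
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,6 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp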
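--- /dev/null
+++ b/etc/Builder.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-builder
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-builder.profile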
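Review bot: This redirect omits the per-profile override hook that the other redirect profiles in this commit carry (autokey-gtk.profile has `# Persistent local customizations` followed by `include autokey-gtk.local`), so a user who launches the application under this name has no persistent place for customisations even though the header says the file is overwritten on update. Replace the two blank lines with `# Persistent local customizations` and `include Builder.local`, and add `# Persistent global definitions` / `# added by included profile` / `#include globals.local` for parity with the autokey redirects. If the file is meant to disappear once issue 2624 is fixed, say so in the comment so the missing `.local` include is understood as intentional.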
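--- /dev/null
+++ b/etc/Documents.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile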
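Review bot: The redirect has no `include Documents.local` line, unlike the autokey redirect profiles in this commit, so there is no persistent override hook for this launcher name despite the "overwritten after every install/update" header. Swap the two blank lines for `# Persistent local customizations` and `include Documents.local`, matching the redirect layout used by autokey-gtk.profile.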
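--- /dev/null
+++ b/etc/Logs.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-logs.profile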
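Review bot: The gnome-logs profile this redirects to documents overrides via `gnome-logs.local` (see the comment added to it in this same commit), but this redirect itself offers no `include Logs.local`, so users who start the app under this name and want the `ignore nogroups` / `ignore noroot` workaround must know to edit the target's `.local` instead. Either add `# Persistent local customizations` / `include Logs.local` in place of the blank lines, as the autokey redirects do, or note in the comment that customisations belong in gnome-logs.local.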
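--- /dev/null
+++ b/etc/Maps.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-maps.profile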
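Review bot: Like the other GNOME redirects in this commit, this file lacks the `include Maps.local` override hook that the autokey redirect profiles provide, leaving two empty lines where the autokey files put `# Persistent local customizations` / `include <name>.local`. Filling those lines in keeps the redirect convention consistent and gives users a customisation point that survives updates.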
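--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,6 +7,7 @@ include assogiate.local
 include globals.local
 
 noblacklist ${PICTURES}
+whitelist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,9 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-
-whitelist ${PICTURES}
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -39,7 +39,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin assogiate,gtk-update-icon-cache
+private-bin assogiate,gtk-update-icon-cache,update-mime-database
 private-cache
 private-dev
 private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*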
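Review bot: `update-mime-database`, newly added to `private-bin`, typically rewrites the user's MIME database under `${HOME}/.local/share/mime`, but the only home path this profile whitelists is `${PICTURES}` (plus whatever whitelist-common.inc supplies, which is not shown here), so the helper will presumably fail to persist anything inside the sandbox. If assogiate is meant to edit user-level MIME associations, add `mkdir ${HOME}/.local/share/mime` and `whitelist ${HOME}/.local/share/mime` next to the new `whitelist ${PICTURES}` line; if it only needs the system database, the binary can be left out of `private-bin` to keep the list minimal. Either way, a comment on the `private-bin` line naming why the two helper binaries are needed would make the intent reviewable.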
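--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 noblacklist ${HOME}/.cargo/config
 noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc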
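Review bot: `noblacklist ${HOME}/.gitconfig` grants the editor read-write access to a file that git consults for command-like settings (`core.sshCommand`, `core.pager`, `diff.external`, `credential.helper`, `core.fsmonitor`), so a compromised editor or third-party package could plant a command that runs unsandboxed the next time the user invokes git outside the jail. If Atom only needs identity and alias information, follow the line with `read-only ${HOME}/.gitconfig`; if its git integration must write the file, record that trade-off in a comment so the exposure is deliberate rather than incidental.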
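--- /dev/null
+++ b/etc/autokey-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for autokey
+# Description: Desktop automation utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-common.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autokey
+noblacklist ${HOME}/.local/share/autokey
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python2*
+noblacklist /usr/share/python3*
+
+include disable-common.inc
+include disable-devel.inc
+# disable-exec.inc might break scripting functionality
+#include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# memory-deny-write-execute - Breaks on Arch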
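Review bot: Leaving `#include disable-exec.inc` commented out keeps `${HOME}` and `/tmp` executable for the entire sandbox, yet the autokey phrases and scripts under `${HOME}/.config/autokey` are Python sources loaded by the interpreter, which a `noexec` mount does not block; only scripts that launch binaries stored in the home directory would break. Consider enabling the include, or at minimum adding `noexec /tmp` beneath the commented line, and sharpen the comment to `# disable-exec.inc breaks scripts that execute binaries stored under ${HOME}` so the exact trade-off is recorded. It is also worth a one-line comment that a keystroke-injection tool necessarily keeps full X11 access, so this profile confines the filesystem and privileges but cannot isolate it from other X11 clients.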
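--- /dev/null
+++ b/etc/autokey-gtk.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-gtk
+# Description: Desktop automation utility (GTK version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-gtk.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile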
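--- /dev/null
+++ b/etc/autokey-qt.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-qt
+# Description: Desktop automation utility (Qt version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile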
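--- /dev/null
+++ b/etc/autokey-run.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-run
+# Description: Desktop automation utility (CLI version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-run.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile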
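--- /dev/null
+++ b/etc/autokey-shell.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-shell
+# Description: Desktop automation utility (CLI shell)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-shell.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile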
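--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -9,8 +9,10 @@ noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
 # Uncomment the the next two lines if you are developing rust.
+# or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc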
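Review bot: `noblacklist ${HOME}/.gitconfig` is added writable, and that file carries settings git executes (`core.sshCommand`, `diff.external`, `credential.helper`), so write access from inside the editor's sandbox is a route to running a command unsandboxed on the user's next git call; unless Brackets needs to modify it, follow the line with `read-only ${HOME}/.gitconfig`. Separately, the new comment refers to the two lines below it, so `# or put them in your brackets.local` reads correctly.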
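--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -36,6 +37,3 @@ tracelog
 
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp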
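--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp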
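--- /dev/null
+++ b/etc/clocks.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-clocks.profile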
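Review bot: The file name is lowercase `clocks.profile` while the sibling redirects added for the same issue use capitalised names (`Builder`, `Documents`, `Logs`, `Maps`); if the gnome-clocks launcher resolves to a capitalised basename as the others do, this profile will never be selected and the default profile applies instead. Confirm the exact name the launcher produces and rename the file to match, and, as with the other redirects, add `# Persistent local customizations` / `include clocks.local` in place of the two blank lines.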
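--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp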
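--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,7 +24,8 @@ machine-id
 # net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-nodbus # might break two-page-view on some systems
+# nodbus might break two-page-view on some systems
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,5 +47,3 @@ private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,li
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
-noexec ${HOME}
-noexec /tmp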
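--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -8,6 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.frozen-bubble
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc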
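Review bot: `noblacklist ${PATH}/cpan*` re-exposes the CPAN module installer, which a game has no runtime need for; the interpreter and libraries it presumably needs are already covered by `${PATH}/perl`, `${PATH}/core_perl` and the two `/usr/lib` and `/usr/share` lines, so the `cpan*` entry can be dropped to keep the installer out of the sandbox. If this block was pasted from a shared perl snippet, a comment stating what frozen-bubble actually loads would justify each remaining entry.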
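--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/geany
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc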
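Review bot: `noblacklist ${HOME}/.gitconfig` is added without a read-only restriction, and git treats several keys in that file as commands to run (`core.sshCommand`, `core.pager`, `credential.helper`), so write access from a sandboxed editor becomes an escape path on the user's next unsandboxed git invocation. Geany is a text editor rather than a git client and presumably only needs to read identity settings, so follow the line with `read-only ${HOME}/.gitconfig` and add a comment naming the plugin or feature that requires the file.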
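--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cargo/config
 noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc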
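Review bot: The new writable `noblacklist ${HOME}/.gitconfig` exposes a file whose keys (`core.sshCommand`, `diff.external`, `credential.helper`, `core.fsmonitor`) are executed by git, so anything that compromises the IDE or a build it runs can stage a command that fires outside the sandbox on the user's next git call. gnome-builder has integrated git support and may genuinely need to write the file; if so, a comment recording why `read-only ${HOME}/.gitconfig` is not sufficient would document the trade-off, otherwise add that `read-only` line directly after the `noblacklist`.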
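--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-chess
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,6 +38,3 @@ private-bin fairymax,gnome-chess,hoichess,gnuchess
 private-dev
 private-etc alternatives,fonts,gnome-chess
 private-tmp
-
-noexec ${HOME}
-noexec /tmp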
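--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp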
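--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -26,6 +26,7 @@ nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
+# or put 'ignore nogroups' and 'ignore noroot' to your gnome-logs.local.
 nogroups
 nonewprivs
 noroot
@@ -46,7 +47,5 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
-memory-deny-write-execute
-
 # comment this if you export logs to a file in your ${HOME}
 read-only ${HOME}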
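Review bot: `memory-deny-write-execute` is deleted outright in the second hunk with no recorded reason, whereas the other profiles touched by this commit keep a commented-out line explaining the omission (`#memory-deny-write-execute - breaks on Arch` in eom.profile, `# memory-deny-write-execute - breaks python` in hexchat.profile). Replace the deletion with a line such as `# memory-deny-write-execute - breaks <application or distro>` so the hardening is not blindly re-added later and the regression it caused stays discoverable.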
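--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +54,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - breaks python
-noexec ${HOME}
-noexec /tmp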
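--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/leafpad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-dev
 private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp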
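--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Mousepad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc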
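--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp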
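--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-dev
 private-cache
 private-tmp
 
-noexec ${HOME}
-noexec /tmp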
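--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -7,6 +7,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp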
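--- /dev/null
+++ b/etc/utox.profile
@@ -0,0 +1,47 @@
+# Firejail profile for utox
+# Description: Lightweight Tox client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include utox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin utox
+private-cache
+private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal
+private-tmp
+
+memory-deny-write-execute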
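Review bot: The `private-etc` list hands the real `/etc/machine-id`, a stable per-host identifier, to a peer-to-peer chat client; evince.profile in this same commit instead uses the `machine-id` directive (visible in its hunk context), which presents a substitute id, and utox presumably only needs the file to exist for PulseAudio rather than its real value. Drop `machine-id` from the `private-etc` line and add a standalone `machine-id` directive alongside the other hardening options. Also, `memory-deny-write-execute` is enabled unconditionally here while several profiles in this commit record that it breaks on Arch (`#memory-deny-write-execute - breaks on Arch` in eom.profile); if utox was tested with it on those distributions, a short comment saying so would prevent a later reflexive revert.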
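--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -14,6 +14,7 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 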
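--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc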
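--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -38,5 +39,3 @@ private-dev
 # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 
-noexec ${HOME}
-noexec /tmp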
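--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -7,6 +7,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp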