Diffstat (limited to 'etc')
43 files changed, 244 insertions, 54 deletions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile index b750a135e..ae863b73d 100644 --- a/etc/QMediathekView.profile +++ b/etc/QMediathekView.profile | |||
@@ -52,4 +52,4 @@ private-dev | |||
52 | # private-lib | 52 | # private-lib |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | # memory-deny-write-execute - breaks on Arch | 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 583250983..b952ac8a6 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -35,7 +35,8 @@ shell none | |||
35 | 35 | ||
36 | # disable-mnt | 36 | # disable-mnt |
37 | private-bin aria2c,gzip | 37 | private-bin aria2c,gzip |
38 | private-cache | 38 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) |
39 | #private-cache | ||
39 | private-dev | 40 | private-dev |
40 | private-etc alternatives,ca-certificates,resolv.conf,ssl | 41 | private-etc alternatives,ca-certificates,resolv.conf,ssl |
41 | private-lib libreadline.so.* | 42 | private-lib libreadline.so.* |
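Review bot: Commenting out `private-cache` in aria2c.profile switches the cache isolation off for every user in order to accommodate the Lutris/winetricks case named in the new comment. Consider keeping the directive active and documenting the opt-out instead, e.g. `# Lutris/winetricks users: add 'ignore private-cache' to aria2c.local (see issue #2772)` above an unchanged `private-cache`. That preserves the stricter default while still giving affected users a persistent override.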
diff --git a/etc/artha.profile b/etc/artha.profile index 2660c4e10..f886921cb 100644 --- a/etc/artha.profile +++ b/etc/artha.profile | |||
@@ -16,6 +16,13 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.config/artha.conf | ||
20 | mkdir ${HOME}/.config/enchant | ||
21 | whitelist ${HOME}/.config/artha.conf | ||
22 | whitelist ${HOME}/.config/enchant | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
19 | apparmor | 26 | apparmor |
20 | caps.drop all | 27 | caps.drop all |
21 | ipc-namespace | 28 | ipc-namespace |
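Review bot: `mkdir ${HOME}/.config/artha.conf` creates a directory, but the `.conf` name suggests artha keeps its settings in a regular file at that path. If so, a first run inside the sandbox would find a directory where it expects a file. `mkfile ${HOME}/.config/artha.conf` looks like the intended directive. The same pattern appears in pavucontrol.profile (`mkdir ${HOME}/.config/pavucontrol.ini`). Both are worth confirming against what each program actually writes.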
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index 39546112e..4887299ec 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -43,4 +43,4 @@ private-dev | |||
43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | # memory-deny-write-execute - breaks on Arch | 46 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile index 47396fe43..bd50a2dfb 100644 --- a/etc/autokey-common.profile +++ b/etc/autokey-common.profile | |||
@@ -38,4 +38,4 @@ private-cache | |||
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
41 | # memory-deny-write-execute - Breaks on Arch | 41 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/baobab.profile b/etc/baobab.profile index 893865edd..d2980f75c 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -33,4 +33,4 @@ private-bin baobab | |||
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
36 | #memory-deny-write-execute - breaks on Arch | 36 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile index 550830157..a5538bacc 100644 --- a/etc/bitwarden.profile +++ b/etc/bitwarden.profile | |||
@@ -51,4 +51,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.co | |||
51 | private-opt Bitwarden | 51 | private-opt Bitwarden |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | #memory-deny-write-execute - breaks on Arch | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/clawsker.profile b/etc/clawsker.profile index 95f15398a..f8c05a55b 100644 --- a/etc/clawsker.profile +++ b/etc/clawsker.profile | |||
@@ -47,4 +47,4 @@ private-etc alternatives,fonts | |||
47 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* | 47 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | # memory-deny-write-execute - breaks on Arch | 50 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/clipit.profile b/etc/clipit.profile index 6e4d3fbaf..44cda0665 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -17,6 +17,13 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | mkdir ${HOME}/.config/clipit | ||
21 | mkdir ${HOME}/.local/share/clipit | ||
22 | whitelist ${HOME}/.config/clipit | ||
23 | whitelist ${HOME}/.local/share/clipit | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
20 | apparmor | 27 | apparmor |
21 | caps.drop all | 28 | caps.drop all |
22 | ipc-namespace | 29 | ipc-namespace |
diff --git a/etc/d-feet.profile b/etc/d-feet.profile index 30749ab40..e06769601 100644 --- a/etc/d-feet.profile +++ b/etc/d-feet.profile | |||
@@ -49,4 +49,4 @@ private-dev | |||
49 | private-etc alternatives,dbus-1,fonts,machine-id | 49 | private-etc alternatives,dbus-1,fonts,machine-id |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | # memory-deny-write-execute - Breaks on Arch | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 4e618b7ea..60bebb0c9 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile | |||
@@ -41,6 +41,6 @@ private-dev | |||
41 | private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl | 41 | private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | # memory-deny-write-execute - Breaks on Arch | 44 | #memory-deny-write-execute - breaks on Arch (see issue 1803) |
45 | 45 | ||
46 | read-only ${HOME} | 46 | read-only ${HOME} |
diff --git a/etc/devilspie.profile b/etc/devilspie.profile index 2d100c4b0..ca617983d 100644 --- a/etc/devilspie.profile +++ b/etc/devilspie.profile | |||
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.devilspie | ||
20 | whitelist ${HOME}/.devilspie | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
19 | apparmor | 24 | apparmor |
20 | caps.drop all | 25 | caps.drop all |
21 | ipc-namespace | 26 | ipc-namespace |
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile index 9d67ee76e..74b0dc939 100644 --- a/etc/devilspie2.profile +++ b/etc/devilspie2.profile | |||
@@ -19,6 +19,11 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | mkdir ${HOME}/.config/devilspie2 | ||
23 | whitelist ${HOME}/.config/devilspie2 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
22 | apparmor | 27 | apparmor |
23 | caps.drop all | 28 | caps.drop all |
24 | ipc-namespace | 29 | ipc-namespace |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 356c8209c..fb7e02d0b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -239,6 +239,7 @@ blacklist ${HOME}/.config/nano | |||
239 | blacklist ${HOME}/.config/nautilus | 239 | blacklist ${HOME}/.config/nautilus |
240 | blacklist ${HOME}/.config/nemo | 240 | blacklist ${HOME}/.config/nemo |
241 | blacklist ${HOME}/.config/netsurf | 241 | blacklist ${HOME}/.config/netsurf |
242 | blacklist ${HOME}/.config/newsbeuter | ||
242 | blacklist ${HOME}/.config/nheko | 243 | blacklist ${HOME}/.config/nheko |
243 | blacklist ${HOME}/.config/NitroShare | 244 | blacklist ${HOME}/.config/NitroShare |
244 | blacklist ${HOME}/.config/nomacs | 245 | blacklist ${HOME}/.config/nomacs |
@@ -574,6 +575,7 @@ blacklist ${HOME}/.multimc5 | |||
574 | blacklist ${HOME}/.nanorc | 575 | blacklist ${HOME}/.nanorc |
575 | blacklist ${HOME}/.netactview | 576 | blacklist ${HOME}/.netactview |
576 | blacklist ${HOME}/.neverball | 577 | blacklist ${HOME}/.neverball |
578 | blacklist ${HOME}/.newsbeuter | ||
577 | blacklist ${HOME}/.newsboat | 579 | blacklist ${HOME}/.newsboat |
578 | blacklist ${HOME}/.nv | 580 | blacklist ${HOME}/.nv |
579 | blacklist ${HOME}/.nylas-mail | 581 | blacklist ${HOME}/.nylas-mail |
diff --git a/etc/enpass.profile b/etc/enpass.profile index 99d3eac85..68113e294 100644 --- a/etc/enpass.profile +++ b/etc/enpass.profile | |||
@@ -59,4 +59,4 @@ private-dev | |||
59 | private-opt Enpass | 59 | private-opt Enpass |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | #memory-deny-write-execute - breaks on Arch | 62 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/eo-common.profile b/etc/eo-common.profile index ad18e10c4..2a65de5e1 100644 --- a/etc/eo-common.profile +++ b/etc/eo-common.profile | |||
@@ -44,4 +44,4 @@ private-etc alternatives,dconf,fonts,gtk-3.0 | |||
44 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 44 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | #memory-deny-write-execute - breaks on Arch | 47 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/exfalso.profile b/etc/exfalso.profile index 978629452..b5eda059f 100644 --- a/etc/exfalso.profile +++ b/etc/exfalso.profile | |||
@@ -13,6 +13,9 @@ noblacklist ${MUSIC} | |||
13 | include allow-python2.inc | 13 | include allow-python2.inc |
14 | include allow-python3.inc | 14 | include allow-python3.inc |
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ${MUSIC} | ||
18 | |||
16 | include disable-common.inc | 19 | include disable-common.inc |
17 | include disable-devel.inc | 20 | include disable-devel.inc |
18 | include disable-exec.inc | 21 | include disable-exec.inc |
@@ -21,6 +24,11 @@ include disable-passwdmgr.inc | |||
21 | include disable-programs.inc | 24 | include disable-programs.inc |
22 | include disable-xdg.inc | 25 | include disable-xdg.inc |
23 | 26 | ||
27 | mkdir ${HOME}/.quodlibet | ||
28 | whitelist ${HOME}/.quodlibet | ||
29 | include whitelist-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
24 | caps.drop all | 32 | caps.drop all |
25 | machine-id | 33 | machine-id |
26 | netfilter | 34 | netfilter |
@@ -45,4 +53,4 @@ private-etc alternatives,fonts,group,passwd | |||
45 | private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* | 53 | private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* |
46 | private-tmp | 54 | private-tmp |
47 | 55 | ||
48 | # memory-deny-write-execute - Breaks on Arch | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
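Review bot: In the first hunk of exfalso.profile, `whitelist ${DOWNLOADS}` and `whitelist ${MUSIC}` are placed before the `disable-*.inc` includes, while the second hunk of the same file and the mpDris2 and soundconverter changes in this commit put whitelist lines after them. Moving the two lines next to `whitelist ${HOME}/.quodlibet` would keep all whitelisting in one block and make the resulting home-directory view easier to audit. Only `noblacklist ${MUSIC}` is visible in the hunk context, so whether `${DOWNLOADS}` needs a matching `noblacklist` cannot be judged from here.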
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc index 7d9e512b2..0b95c555b 100644 --- a/etc/firefox-common-addons.inc +++ b/etc/firefox-common-addons.inc | |||
@@ -43,8 +43,10 @@ whitelist ${HOME}/.lastpass | |||
43 | whitelist ${HOME}/.local/share/kget | 43 | whitelist ${HOME}/.local/share/kget |
44 | whitelist ${HOME}/.local/share/okular | 44 | whitelist ${HOME}/.local/share/okular |
45 | whitelist ${HOME}/.local/share/qpdfview | 45 | whitelist ${HOME}/.local/share/qpdfview |
46 | whitelist ${HOME}/.local/share/tridactyl | ||
46 | whitelist ${HOME}/.pentadactyl | 47 | whitelist ${HOME}/.pentadactyl |
47 | whitelist ${HOME}/.pentadactylrc | 48 | whitelist ${HOME}/.pentadactylrc |
49 | whitelist ${HOME}/.tridactylrc | ||
48 | whitelist ${HOME}/.vimperator | 50 | whitelist ${HOME}/.vimperator |
49 | whitelist ${HOME}/.vimperatorrc | 51 | whitelist ${HOME}/.vimperatorrc |
50 | whitelist ${HOME}/.wine-pipelight | 52 | whitelist ${HOME}/.wine-pipelight |
diff --git a/etc/font-manager.profile b/etc/font-manager.profile index a1280124a..1699e5cfc 100644 --- a/etc/font-manager.profile +++ b/etc/font-manager.profile | |||
@@ -50,4 +50,4 @@ private-bin font-manager,python*,yelp | |||
50 | private-dev | 50 | private-dev |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | #memory-deny-write-execute - Breaks on Arch | 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/geekbench.profile b/etc/geekbench.profile index a4c33b46f..8d7dbd48e 100644 --- a/etc/geekbench.profile +++ b/etc/geekbench.profile | |||
@@ -46,6 +46,6 @@ private-lib libstdc++.so.* | |||
46 | private-opt none | 46 | private-opt none |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | # memory-deny-write-execute - Breaks on Arch | 49 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
50 | 50 | ||
51 | read-only ${HOME} | 51 | read-only ${HOME} |
diff --git a/etc/godot.profile b/etc/godot.profile index f2b365455..2baf09b1d 100644 --- a/etc/godot.profile +++ b/etc/godot.profile | |||
@@ -35,8 +35,8 @@ seccomp | |||
35 | shell none | 35 | shell none |
36 | tracelog | 36 | tracelog |
37 | 37 | ||
38 | disable-mnt | 38 | |
39 | private-bin godot | 39 | # private-bin godot |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl | 42 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl |
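Review bot: The new side of godot.profile drops `disable-mnt` and comments out `private-bin godot` without saying why, so a later maintainer cannot tell whether these were breakages or oversights. Both changes widen what the sandboxed process can reach, so each deserves a short reason on the line, e.g. `# private-bin godot - breaks <reason or issue reference>`, and either a commented `#disable-mnt - <reason>` or the directive restored. The hunk starts at line 35, so any explanation earlier in the profile is not visible here.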
diff --git a/etc/keepassxc-cli.profile b/etc/keepassxc-cli.profile new file mode 100644 index 000000000..6f657e7de --- /dev/null +++ b/etc/keepassxc-cli.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for keepassxc-cli | ||
2 | # Description: command line interface for KeePassXC | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include keepassxc-cli.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | |||
11 | # Redirect | ||
12 | include keepassxc.profile | ||
diff --git a/etc/keepassxc-proxy.profile b/etc/keepassxc-proxy.profile new file mode 100644 index 000000000..79666aee2 --- /dev/null +++ b/etc/keepassxc-proxy.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for keepassxc-cli | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include keepassxc-proxy.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | |||
10 | # Redirect | ||
11 | include keepassxc.profile | ||
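Review bot: The header of the new keepassxc-proxy.profile reads `# Firejail profile for keepassxc-cli`, apparently carried over from the sibling file; it should read `# Firejail profile for keepassxc-proxy`. The `# Description:` line that keepassxc-cli.profile carries is also missing here.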
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index c1adfd516..6ef02ad47 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -37,11 +37,11 @@ nosound | |||
37 | notv | 37 | notv |
38 | nou2f | 38 | nou2f |
39 | novideo | 39 | novideo |
40 | protocol netlink,unix | 40 | protocol unix,netlink |
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | 43 | ||
44 | private-bin keepassxc,keepassxc-proxy | 44 | private-bin keepassxc,keepassxc-cli,keepassxc-proxy |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.cache,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,machine-id |
47 | private-tmp | 47 | private-tmp |
diff --git a/etc/meld.profile b/etc/meld.profile index 321b92cd5..4a9f64421 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -6,11 +6,11 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # If you want to use meld as git-mergetool (and may some other VCS integrations) you need | 9 | # If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need |
10 | # to bypass firejail, you can do this by removing the symlink or call it by its absolut path | 10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path |
11 | # Removing the symlink: | 11 | # Removing the symlink: |
12 | # sudo rm /usr/local/bin/meld | 12 | # sudo rm /usr/local/bin/meld |
13 | # Calling by its absolut path (example for git-mergetoll): | 13 | # Calling by its absolute path (example for git-mergetool): |
14 | # git config --global mergetool.meld.cmd /usr/bin/meld | 14 | # git config --global mergetool.meld.cmd /usr/bin/meld |
15 | 15 | ||
16 | noblacklist ${HOME}/.config/git | 16 | noblacklist ${HOME}/.config/git |
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile index db2bb6a93..eb49b52ab 100644 --- a/etc/mpDris2.profile +++ b/etc/mpDris2.profile | |||
@@ -12,6 +12,8 @@ noblacklist ${HOME}/.config/mpDris2 | |||
12 | include allow-python2.inc | 12 | include allow-python2.inc |
13 | include allow-python3.inc | 13 | include allow-python3.inc |
14 | 14 | ||
15 | noblacklist ${MUSIC} | ||
16 | |||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
17 | include disable-exec.inc | 19 | include disable-exec.inc |
@@ -20,6 +22,12 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 22 | include disable-programs.inc |
21 | include disable-xdg.inc | 23 | include disable-xdg.inc |
22 | 24 | ||
25 | whitelist ${MUSIC} | ||
26 | |||
27 | mkdir ${HOME}/.config/mpDris2 | ||
28 | whitelist ${HOME}/.config/mpDris2 | ||
29 | include whitelist-var-common.inc | ||
30 | |||
23 | caps.drop all | 31 | caps.drop all |
24 | machine-id | 32 | machine-id |
25 | netfilter | 33 | netfilter |
@@ -43,6 +51,6 @@ private-etc alternatives,hosts,nsswitch.conf | |||
43 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* | 51 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* |
44 | private-tmp | 52 | private-tmp |
45 | 53 | ||
46 | # memory-deny-write-execute - Breaks on Arch | 54 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
47 | 55 | ||
48 | read-only ${HOME} | 56 | read-only ${HOME} |
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index d87241070..f0309da9a 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -6,18 +6,19 @@ include mpsyt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/mps-youtube | ||
9 | noblacklist ${HOME}/.config/mpv | 10 | noblacklist ${HOME}/.config/mpv |
10 | noblacklist ${HOME}/.mplayer | 11 | noblacklist ${HOME}/.mplayer |
11 | noblacklist ${HOME}/.config/mps-youtube | ||
12 | noblacklist ${HOME}/.netrc | 12 | noblacklist ${HOME}/.netrc |
13 | noblacklist ${HOME}/mps | 13 | noblacklist ${HOME}/mps |
14 | noblacklist ${MUSIC} | ||
15 | noblacklist ${VIDEOS} | ||
16 | 14 | ||
17 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
18 | include allow-python2.inc | 16 | include allow-python2.inc |
19 | include allow-python3.inc | 17 | include allow-python3.inc |
20 | 18 | ||
19 | noblacklist ${MUSIC} | ||
20 | noblacklist ${VIDEOS} | ||
21 | |||
21 | include disable-common.inc | 22 | include disable-common.inc |
22 | include disable-devel.inc | 23 | include disable-devel.inc |
23 | include disable-exec.inc | 24 | include disable-exec.inc |
@@ -27,14 +28,17 @@ include disable-programs.inc | |||
27 | include disable-xdg.inc | 28 | include disable-xdg.inc |
28 | 29 | ||
29 | mkdir ${HOME}/.config/mps-youtube | 30 | mkdir ${HOME}/.config/mps-youtube |
31 | mkdir ${HOME}/.config/mpv | ||
32 | mkdir ${HOME}/.mplayer | ||
33 | mkdir ${HOME}/mps | ||
34 | whitelist ${HOME}/.config/mps-youtube | ||
30 | whitelist ${HOME}/.config/mpv | 35 | whitelist ${HOME}/.config/mpv |
31 | whitelist ${HOME}/.mplayer | 36 | whitelist ${HOME}/.mplayer |
32 | whitelist ${HOME}/.config/mps-youtube | ||
33 | whitelist ${HOME}/.netrc | 37 | whitelist ${HOME}/.netrc |
34 | whitelist ${HOME}/mps | 38 | whitelist ${HOME}/mps |
39 | whitelist ${DOWNLOADS} | ||
35 | whitelist ${MUSIC} | 40 | whitelist ${MUSIC} |
36 | whitelist ${VIDEOS} | 41 | whitelist ${VIDEOS} |
37 | whitelist ${DOWNLOADS} | ||
38 | include whitelist-common.inc | 42 | include whitelist-common.inc |
39 | include whitelist-var-common.inc | 43 | include whitelist-var-common.inc |
40 | 44 | ||
diff --git a/etc/mpv.profile b/etc/mpv.profile index 5aa9e7e74..07a6ba42b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -9,13 +9,14 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.config/mpv | 10 | noblacklist ${HOME}/.config/mpv |
11 | noblacklist ${HOME}/.netrc | 11 | noblacklist ${HOME}/.netrc |
12 | noblacklist ${MUSIC} | ||
13 | noblacklist ${VIDEOS} | ||
14 | 12 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | include allow-python2.inc | 14 | include allow-python2.inc |
17 | include allow-python3.inc | 15 | include allow-python3.inc |
18 | 16 | ||
17 | noblacklist ${MUSIC} | ||
18 | noblacklist ${VIDEOS} | ||
19 | |||
19 | include disable-common.inc | 20 | include disable-common.inc |
20 | include disable-devel.inc | 21 | include disable-devel.inc |
21 | include disable-exec.inc | 22 | include disable-exec.inc |
diff --git a/etc/newsbeuter.profile b/etc/newsbeuter.profile new file mode 100644 index 000000000..059c2156d --- /dev/null +++ b/etc/newsbeuter.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Firejail profile for Newsboat | ||
2 | # Description: Text based Atom/RSS feed reader | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include newsbeuter.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/newsbeuter | ||
11 | noblacklist ${HOME}/.newsbeuter | ||
12 | |||
13 | mkdir ${HOME}/.config/newsbeuter | ||
14 | mkdir ${HOME}/.newsbeuter | ||
15 | whitelist ${HOME}/.config/newsbeuter | ||
16 | whitelist ${HOME}/.newsbeuter | ||
17 | |||
18 | private-bin newsbeuter | ||
19 | |||
20 | # Redirect | ||
21 | include newsboat.profile | ||
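Review bot: The first line of newsbeuter.profile says `# Firejail profile for Newsboat`, which mislabels the file; `# Firejail profile for newsbeuter` would match the filename and the `newsbeuter.local` include. Separately, `private-bin newsbeuter` is set before `include newsboat.profile`; if the redirected profile also sets `private-bin`, confirm how the two lines combine, since newsboat.profile is not part of this view.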
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile index b2249f63b..ea89a259f 100644 --- a/etc/ocenaudio.profile +++ b/etc/ocenaudio.profile | |||
@@ -45,4 +45,4 @@ private-dev | |||
45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # memory-deny-write-execute - breaks on Arch | 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile index 18b9b7fc6..3fd4f3668 100644 --- a/etc/pavucontrol.profile +++ b/etc/pavucontrol.profile | |||
@@ -16,6 +16,9 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | mkdir ${HOME}/.config/pavucontrol.ini | ||
20 | whitelist ${HOME}/.config/pavucontrol.ini | ||
21 | include whitelist-common.inc | ||
19 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
20 | 23 | ||
21 | apparmor | 24 | apparmor |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 85e28372e..87d7a87f1 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | whitelist ${DOCUMENTS} | ||
20 | whitelist ${DOWNLOADS} | ||
19 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
20 | 22 | ||
21 | caps.drop all | 23 | caps.drop all |
diff --git a/etc/qtox.profile b/etc/qtox.profile index 4a731b45a..c3e8fb95c 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -45,4 +45,4 @@ private-dev | |||
45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
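Review bot: In qtox.profile `memory-deny-write-execute` was an active directive and this change turns it off, whereas the other profiles in this commit only reword a comment that was already there. Disabling it on every distribution because of an Arch-specific breakage removes the write-xor-execute restriction from a program whose `private-etc` list (`resolv.conf`, `ca-certificates`) shows it talks to the network. Consider leaving it enabled and pointing Arch users at a local override, e.g. `# Arch users: add 'ignore memory-deny-write-execute' to qtox.local (see issue #1803)`. Either way, the behavioural change should be called out rather than folded into a comment clean-up.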
diff --git a/etc/redshift.profile b/etc/redshift.profile index e60877172..0f6d34ed0 100644 --- a/etc/redshift.profile +++ b/etc/redshift.profile | |||
@@ -18,6 +18,9 @@ include disable-interpreters.inc | |||
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.config/redshift | ||
22 | whitelist ${HOME}/.config/redshift | ||
23 | whitelist ${HOME}/.config/redshift.conf | ||
21 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
22 | 25 | ||
23 | apparmor | 26 | apparmor |
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 7baae2603..be63f9382 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -6,24 +6,10 @@ include seahorse.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # dconf | ||
10 | noblacklist ${HOME}/.config/dconf | 9 | noblacklist ${HOME}/.config/dconf |
11 | whitelist ${HOME}/.config/dconf | ||
12 | |||
13 | # gpg | ||
14 | mkdir ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
16 | whitelist ${HOME}/.gnupg | ||
17 | |||
18 | # ssh | ||
19 | whitelist /etc/ld.so.preload | ||
20 | noblacklist /etc/ssh | ||
21 | whitelist /etc/ssh | ||
22 | noblacklist /tmp/ssh-* | ||
23 | whitelist /tmp/ssh-* | ||
24 | mkdir ${HOME}/.ssh | ||
25 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
26 | whitelist ${HOME}/.ssh | 12 | noblacklist /tmp/ssh-* |
27 | 13 | ||
28 | include disable-common.inc | 14 | include disable-common.inc |
29 | include disable-devel.inc | 15 | include disable-devel.inc |
@@ -33,6 +19,13 @@ include disable-passwdmgr.inc | |||
33 | include disable-programs.inc | 19 | include disable-programs.inc |
34 | include disable-xdg.inc | 20 | include disable-xdg.inc |
35 | 21 | ||
22 | mkdir ${HOME}/.config/dconf | ||
23 | mkdir ${HOME}/.gnupg | ||
24 | mkdir ${HOME}/.ssh | ||
25 | whitelist ${HOME}/.config/dconf | ||
26 | whitelist ${HOME}/.gnupg | ||
27 | whitelist ${HOME}/.ssh | ||
28 | whitelist /tmp/ssh-* | ||
36 | include whitelist-common.inc | 29 | include whitelist-common.inc |
37 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
38 | 31 | ||
@@ -57,5 +50,6 @@ tracelog | |||
57 | disable-mnt | 50 | disable-mnt |
58 | private-cache | 51 | private-cache |
59 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,hostname,host.conf,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | ||
60 | 54 | ||
61 | writable-run-user | 55 | writable-run-user |
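Review bot: The new `private-etc` line in seahorse.profile omits `alternatives`, which every other `private-etc` list visible in this commit includes. On distributions that resolve helpers through /etc/alternatives this may break lookups inside the sandbox. If the omission is deliberate a short comment would help; otherwise start the list with `private-etc alternatives,ca-certificates,...` for consistency.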
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 9b824604a..f83caee8a 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -8,13 +8,14 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/smplayer | 9 | noblacklist ${HOME}/.config/smplayer |
10 | noblacklist ${HOME}/.mplayer | 10 | noblacklist ${HOME}/.mplayer |
11 | noblacklist ${MUSIC} | ||
12 | noblacklist ${VIDEOS} | ||
13 | 11 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | include allow-python2.inc | 13 | include allow-python2.inc |
16 | include allow-python3.inc | 14 | include allow-python3.inc |
17 | 15 | ||
16 | noblacklist ${MUSIC} | ||
17 | noblacklist ${VIDEOS} | ||
18 | |||
18 | include disable-common.inc | 19 | include disable-common.inc |
19 | include disable-devel.inc | 20 | include disable-devel.inc |
20 | include disable-exec.inc | 21 | include disable-exec.inc |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index d875146de..efd600eb2 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -6,12 +6,12 @@ include soundconverter.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${MUSIC} | ||
10 | |||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | include allow-python2.inc | 10 | include allow-python2.inc |
13 | include allow-python3.inc | 11 | include allow-python3.inc |
14 | 12 | ||
13 | noblacklist ${MUSIC} | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
@@ -20,6 +20,9 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | whitelist ${DOWNLOADS} | ||
24 | whitelist ${MUSIC} | ||
25 | include whitelist-common.inc | ||
23 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
24 | 27 | ||
25 | apparmor | 28 | apparmor |
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile index b55300c88..d0176a657 100644 --- a/etc/subdownloader.profile +++ b/etc/subdownloader.profile | |||
@@ -40,4 +40,4 @@ private-dev | |||
40 | private-etc alternatives,fonts | 40 | private-etc alternatives,fonts |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
43 | # memory-deny-write-execute - Breaks on Arch | 43 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile new file mode 100644 index 000000000..7713ac6c0 --- /dev/null +++ b/etc/tcpdump.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for tcpdump | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include tcpdump.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist /sbin | ||
10 | noblacklist /usr/sbin | ||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | include whitelist-common.inc | ||
19 | |||
20 | caps.keep net_raw | ||
21 | ipc-namespace | ||
22 | #net tun0 | ||
23 | netfilter | ||
24 | no3d | ||
25 | nodvd | ||
26 | #nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | |||
34 | protocol unix,inet,inet6,netlink,packet | ||
35 | seccomp | ||
36 | |||
37 | disable-mnt | ||
38 | #private | ||
39 | #private-bin tcpdump | ||
40 | private-dev | ||
41 | #private-etc | ||
42 | private-tmp | ||
43 | |||
44 | memory-deny-write-execute | ||
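Review bot: Several hardening directives in the new tcpdump.profile are commented out with no reason given (`#nogroups`, `#noroot`, `#private`, `#private-bin tcpdump`, `#private-etc`, `#net tun0`), so a reader cannot tell known breakages from template leftovers. tshark.profile in the same commit shows the better form, e.g. `# nogroups - breaks network traffic capture for unprivileged users`; the same style should be applied here. A `# Description:` header line is also missing.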
diff --git a/etc/totem.profile b/etc/totem.profile index f541d3cc2..9e6684824 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -6,6 +6,9 @@ include totem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow lua (required for youtube video) | ||
10 | include allow-lua.inc | ||
11 | |||
9 | noblacklist ${HOME}/.config/totem | 12 | noblacklist ${HOME}/.config/totem |
10 | noblacklist ${HOME}/.local/share/totem | 13 | noblacklist ${HOME}/.local/share/totem |
11 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
diff --git a/etc/tshark.profile b/etc/tshark.profile new file mode 100644 index 000000000..52ee228a3 --- /dev/null +++ b/etc/tshark.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for tshark | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include tshark.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | include whitelist-common.inc | ||
17 | |||
18 | #caps.keep net_raw | ||
19 | caps.keep dac_override,net_admin,net_raw | ||
20 | ipc-namespace | ||
21 | #net tun0 | ||
22 | netfilter | ||
23 | no3d | ||
24 | nodvd | ||
25 | # nogroups - breaks network traffic capture for unprivileged users | ||
26 | # nonewprivs - breaks network traffic capture for unprivileged users | ||
27 | # noroot | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | |||
33 | #protocol unix,inet,inet6,netlink,packet | ||
34 | #seccomp | ||
35 | |||
36 | disable-mnt | ||
37 | #private | ||
38 | private-cache | ||
39 | #private-bin tshark | ||
40 | private-dev | ||
41 | #private-etc | ||
42 | private-tmp | ||
43 | |||
44 | # memory-deny-write-execute | ||
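Review bot: `caps.keep dac_override,net_admin,net_raw` in tshark.profile retains two capabilities beyond the commented alternative `#caps.keep net_raw` (the setting tcpdump.profile uses), while `seccomp`, `protocol`, `nonewprivs` and `noroot` are all switched off. That leaves little confinement around a program that parses untrusted packets. Only `nogroups` and `nonewprivs` carry a reason. The other disabled lines (`# noroot`, `#protocol ...`, `#seccomp`, `# memory-deny-write-execute`) and the extra capabilities should each get a why-comment. The stale `#caps.keep net_raw` should be removed or labelled as the preferred setting once capture works without the others.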
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 943719e75..e238db8ce 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -43,5 +43,4 @@ private-dev | |||
43 | private-etc alternatives,fonts,machine-id | 43 | private-etc alternatives,fonts,machine-id |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | # memory-deny-write-executes breaks on Arch - see issue #1808 | 46 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) |
47 | #memory-deny-write-execute | ||
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 190c972c0..28b5f2376 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -55,4 +55,4 @@ private-dev | |||
55 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | # memory-deny-write-execute - breaks on Arch | 58 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |