Diffstat (limited to 'etc')
-rw-r--r-- | etc/apparmor/firejail-default | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/profile-a-l/audacity.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/gdu.profile | 46 | ||||
-rw-r--r-- | etc/profile-m-z/makedeb.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/makepkg.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/man.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/microsoft-edge-beta.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/microsoft-edge-dev.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/microsoft-edge.profile | 17 | ||||
-rw-r--r-- | etc/profile-m-z/neomutt.profile | 20 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/tuir.profile | 23 | ||||
-rw-r--r-- | etc/profile-m-z/vmware.profile | 2 |
14 files changed, 111 insertions, 29 deletions
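--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
 ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
+signal (send) peer=@{profile_name}//&unconfined,
 signal (send) peer=@{profile_name},
 signal (receive),
 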
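Review bot: Neither added rule says why the `//&unconfined` stacked peer label has to be matched, so a later reader cannot tell whether it is a workaround for one AppArmor/kernel combination or a permanent requirement. A one-line comment above the first added ptrace rule, such as `# also match processes whose label is stacked with unconfined (see #<issue>)` with the real issue number filled in, would carry that rationale; the second hunk's signal rule would reference the same comment. Widening `signal (send)` to that peer set loosens the confinement boundary and so deserves the justification more than the ptrace rule, which stays limited to read/readby.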
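--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/marker
 blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge
 blacklist ${HOME}/.cache/microsoft-edge-beta
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
@@ -522,6 +523,7 @@ blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/microsoft-edge
 blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
 blacklist ${HOME}/.config/tuta_integration
 blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
 blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd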
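--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d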
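Review bot: Commenting out `apparmor` drops the AppArmor layer for every distribution, while the comment itself says only some Fedora/Arch installs are affected; the repository's pattern for this case is visible in steam.profile in this same commit (`# Add 'ignore seccomp' to your steam.local if you experience this.`), which keeps the hardening on and lets affected users opt out locally. Consider keeping `apparmor` active and replacing the added comment with `# Add 'ignore apparmor' to your audacity.local if AppArmor breaks Audacity (reported on Fedora/Arch).` The added comment also starts with a doubled `##` and spells the project as `App Armor`, whereas the rest of the file uses a single `#` and the name is `AppArmor`. If the breakage is tracked in an issue, cite its number in the comment.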
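--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}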
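Review bot: The comment above `seccomp socket` reads `to simulate an be empty protocol line`, which is garbled; `# block the socket syscall to simulate an empty protocol line, see #639` is presumably what was meant. The profile includes neither disable-common.inc nor disable-programs.inc, which is unusual for this repository; if that is deliberate because a disk-usage analyzer has to see the whole tree, a one-line comment saying so next to `include disable-exec.inc` would stop a later cleanup from "fixing" it. Since delete and shell-spawning stay enabled by default, the hardening hints at the bottom are where that trade-off should be spelled out.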
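--- /dev/null
+++ b/etc/profile-m-z/makedeb.profile
@@ -0,0 +1,13 @@
+# Firejail profile for makedeb
+# Description: A utility to automate the building of Debian packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makedeb.local
+# Persistent global definitions
+#include globals.local
+
+ignore noblacklist /var/lib/pacman
+
+# Redirect
+include makepkg.profile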
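Review bot: `#include globals.local` is commented out without the `# added by included profile` note that the repository uses for redirect profiles (the pre-change microsoft-edge.profile in this same commit carries exactly that line above its commented include); tuir.profile in this commit has the same omission. Adding that note above the commented include in both new files tells a reader that the global definitions are still applied through the redirect target rather than skipped.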
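--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations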
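--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none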
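Review bot: The widened `private-etc` now exposes `group`, `login.defs` and `passwd` inside the sandbox with no comment on which man-db operation needs them; presumably a user/group name lookup, but that is inferred rather than stated. Because these are the canonical local account files, a comment above the line such as `# group,login.defs,passwd: needed for <reason> (see #<issue>)` with the real reason and issue filled in would let the next reviewer judge whether the exposure is still required.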
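--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 
-private-opt microsoft
+whitelist /opt/microsoft/msedge-beta
 
 # Redirect
 include chromium-common.profile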
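--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-dev
 whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 
-private-opt microsoft
+whitelist /opt/microsoft/msedge-dev
 
 # Redirect
 include chromium-common.profile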
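--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,11 +1,20 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft
+# Description: Web browser from Microsoft,stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge
+noblacklist ${HOME}/.config/microsoft-edge
+
+mkdir ${HOME}/.cache/microsoft-edge
+mkdir ${HOME}/.config/microsoft-edge
+whitelist ${HOME}/.cache/microsoft-edge
+whitelist ${HOME}/.config/microsoft-edge
+
+whitelist /opt/microsoft/msedge
 
 # Redirect
-include microsoft-edge-dev.profile
+include chromium-common.profile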
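--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail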
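Review bot: The twenty removed `mkdir`/`mkfile` lines have matching `whitelist` lines that begin at the end of this hunk and continue outside it; as far as I know a whitelisted path that does not exist on the host is skipped, so the program cannot create it later from inside the sandbox, which is the reason these `mkdir` lines exist in this repository. If the intent is that paths belonging to other programs (bogofilter, editors, gnupg) should only be whitelisted when the user already has them, a comment above the remaining `mkdir` block stating that would stop the next maintainer from re-adding them; if not, the entries for paths neomutt itself creates on first run (`mkdir ${HOME}/.config/neomutt`, `mkdir ${HOME}/.neomutt`, `mkfile ${HOME}/.neomuttrc`) should probably stay.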
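--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
 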
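Review bot: `seccomp.32 !process_vm_readv` lifts the filter only for the 32-bit ABI, while the 64-bit `seccomp` line directly above is unchanged and presumably still blocks process_vm_readv through the default list; if the 64-bit side of GE-Proton needs it too the exception belongs in both lines, and if it is deliberately 32-bit-only the comment should say so, e.g. `# process_vm_readv is used by the 32-bit side of GE-Proton7-18 (see #5185).` process_vm_readv lets one sandboxed process read another's memory, so keeping the exception as narrow as it can be is worth the extra words.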
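--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+
+private-bin tuir
+
+# Redirect
+include rtv.profile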
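--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none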