Diffstat (limited to 'etc')
200 files changed, 1134 insertions, 772 deletions
diff --git a/etc/7z.profile b/etc/7z.profile index 44ab377b3..ee2b493f8 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -4,23 +4,34 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include 7z.local | 5 | include 7z.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | include disable-common.inc |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | caps.drop all | ||
19 | ipc-namespace | ||
20 | machine-id | ||
13 | net none | 21 | net none |
14 | no3d | 22 | no3d |
15 | nodbus | 23 | nodbus |
16 | nodvd | 24 | nodvd |
25 | #nogroups | ||
26 | nonewprivs | ||
27 | #noroot | ||
17 | nosound | 28 | nosound |
18 | notv | 29 | notv |
19 | nou2f | 30 | nou2f |
20 | novideo | 31 | novideo |
32 | protocol unix | ||
33 | seccomp | ||
21 | shell none | 34 | shell none |
22 | tracelog | 35 | tracelog |
23 | 36 | ||
24 | private-dev | 37 | private-dev |
25 | |||
26 | include default.profile | ||
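Review bot: The new `#noroot` and `#nogroups` lines carry no explanation, even though the removed `ignore noroot` shows noroot was being kept off on purpose; a reader cannot tell whether they are safe to enable. A comment such as `# noroot/nogroups left disabled (formerly "ignore noroot") — TODO confirm 7z still needs this` above them would settle that. Dropping `include default.profile` also means hardening later added to default.profile no longer reaches this profile, so the explicit list (caps.drop all, nonewprivs, seccomp, protocol unix) now has to be kept in sync by hand.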
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile index d1bd5c9b2..1435f3422 100644 --- a/etc/JDownloader.profile +++ b/etc/JDownloader.profile | |||
@@ -5,14 +5,10 @@ include JDownloader.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.jd | 8 | noblacklist ${HOME}/.jd |
10 | 9 | ||
11 | # Allow access to java | 10 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 11 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 6aba2678b..c2734b1c1 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -16,6 +16,7 @@ include disable-programs.inc | |||
16 | 16 | ||
17 | mkdir ${HOME}/.Mathematica | 17 | mkdir ${HOME}/.Mathematica |
18 | mkdir ${HOME}/.Wolfram Research | 18 | mkdir ${HOME}/.Wolfram Research |
19 | mkdir ${HOME}/Documents/Wolfram Mathematica | ||
19 | whitelist ${HOME}/.Mathematica | 20 | whitelist ${HOME}/.Mathematica |
20 | whitelist ${HOME}/.Wolfram Research | 21 | whitelist ${HOME}/.Wolfram Research |
21 | whitelist ${HOME}/Documents/Wolfram Mathematica | 22 | whitelist ${HOME}/Documents/Wolfram Mathematica |
diff --git a/etc/Viber.profile b/etc/Viber.profile index 3f3ee8590..40358aa87 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -5,7 +5,6 @@ include Viber.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.ViberPC | 8 | noblacklist ${HOME}/.ViberPC |
10 | 9 | ||
11 | include disable-common.inc | 10 | include disable-common.inc |
@@ -15,6 +14,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 15 | include disable-programs.inc |
17 | 16 | ||
17 | mkdir ${HOME}/.ViberPC | ||
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | whitelist ${HOME}/.ViberPC | 19 | whitelist ${HOME}/.ViberPC |
20 | include whitelist-common.inc | 20 | include whitelist-common.inc |
@@ -36,5 +36,4 @@ private-bin sh,bash,dig,awk,Viber | |||
36 | private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf | 36 | private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
39 | |||
40 | env QTWEBENGINE_DISABLE_SANDBOX=1 | 39 | env QTWEBENGINE_DISABLE_SANDBOX=1 |
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index d9b7f8c26..230a88472 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -7,16 +7,13 @@ include globals.local | |||
7 | 7 | ||
8 | # | 8 | # |
9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: | 10 | # To enable it, create a firejail-Xephyr symlink in /usr/local/bin: |
11 | # | 11 | # |
12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr | 12 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr |
13 | # | 13 | # |
14 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
15 | # | 15 | # |
16 | 16 | ||
17 | |||
18 | blacklist /media | ||
19 | |||
20 | whitelist /var/lib/xkb | 17 | whitelist /var/lib/xkb |
21 | include whitelist-common.inc | 18 | include whitelist-common.inc |
22 | 19 | ||
@@ -34,10 +31,11 @@ protocol unix | |||
34 | seccomp | 31 | seccomp |
35 | shell none | 32 | shell none |
36 | 33 | ||
34 | disable-mnt | ||
37 | # using a private home directory | 35 | # using a private home directory |
38 | private | 36 | private |
39 | # private-bin Xephyr,sh,xkbcomp | 37 | # private-bin Xephyr,sh,xkbcomp |
40 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | 38 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls |
41 | private-dev | 39 | private-dev |
42 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname |
43 | private-tmp | 41 | #private-tmp |
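Review bot: `#private-tmp` on the last line of the hunk weakens the sandbox — the X server now sees the host's whole /tmp — and nothing says why. If the reason is that Xephyr has to publish its listening socket under the shared /tmp/.X11-unix, which a private /tmp would hide (TODO confirm), that belongs in a comment, e.g. `# private-tmp disabled: Xephyr must create its socket under the shared /tmp/.X11-unix`. Xvfb.profile in the same commit keeps private-tmp as far as its hunks show, so the asymmetry also deserves a word.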
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index ed07485d6..3580f8336 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | # | 9 | # |
10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 10 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
11 | # The target program is sandboxed with its own profile. By default the this functionality | 11 | # The target program is sandboxed with its own profile. By default the this functionality |
12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: | 12 | # is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin: |
13 | # | 13 | # |
14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb | 14 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb |
15 | # | 15 | # |
@@ -17,8 +17,6 @@ include globals.local | |||
17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 17 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
18 | # | 18 | # |
19 | 19 | ||
20 | blacklist /media | ||
21 | |||
22 | whitelist /var/lib/xkb | 20 | whitelist /var/lib/xkb |
23 | include whitelist-common.inc | 21 | include whitelist-common.inc |
24 | 22 | ||
@@ -36,6 +34,7 @@ protocol unix | |||
36 | seccomp | 34 | seccomp |
37 | shell none | 35 | shell none |
38 | 36 | ||
37 | disable-mnt | ||
39 | # using a private home directory | 38 | # using a private home directory |
40 | private | 39 | private |
41 | # private-bin Xvfb,sh,xkbcomp | 40 | # private-bin Xvfb,sh,xkbcomp |
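Review bot: The context comment `# The target program is sandboxed with its own profile. By default the this functionality` has a doubled article; since the commit already touches this comment block, `By default this functionality` would fix it at no cost. The added `disable-mnt` is a superset of the removed `blacklist /media` (it also covers /mnt and the /run mount points), so no access is regained by the swap.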
diff --git a/etc/allow-java.inc b/etc/allow-java.inc new file mode 100644 index 000000000..c6ab3b2eb --- /dev/null +++ b/etc/allow-java.inc | |||
@@ -0,0 +1,4 @@ | |||
1 | noblacklist ${PATH}/java | ||
2 | noblacklist /usr/lib/java | ||
3 | noblacklist /etc/java | ||
4 | noblacklist /usr/share/java | ||
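Review bot: The new include files allow-java.inc, allow-lua.inc, allow-perl.inc, allow-python2.inc and allow-python3.inc have no header, unlike every .profile in this diff (`# This file is overwritten after every install/update`), and nothing in them says which disable-*.inc blacklist they undo. A two-line header on each, e.g. `# Allow java (blacklisted by disable-devel.inc)` followed by `# This file is overwritten after every install/update`, would keep the convention and tell a reader that the include must sit before the disable-*.inc lines, as the consumers in this commit place it.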
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc new file mode 100644 index 000000000..51d76f9b1 --- /dev/null +++ b/etc/allow-lua.inc | |||
@@ -0,0 +1,4 @@ | |||
1 | noblacklist ${PATH}/lua* | ||
2 | noblacklist /usr/include/lua* | ||
3 | noblacklist /usr/lib/lua | ||
4 | noblacklist /usr/share/lua | ||
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc new file mode 100644 index 000000000..d37328936 --- /dev/null +++ b/etc/allow-perl.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | noblacklist ${PATH}/cpan* | ||
2 | noblacklist ${PATH}/core_perl | ||
3 | noblacklist ${PATH}/perl | ||
4 | noblacklist ${PATH}/site_perl | ||
5 | noblacklist ${PATH}/vendor_perl | ||
6 | noblacklist /usr/lib/perl* | ||
7 | noblacklist /usr/share/perl* | ||
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc new file mode 100644 index 000000000..8ea61648b --- /dev/null +++ b/etc/allow-python2.inc | |||
@@ -0,0 +1,5 @@ | |||
1 | noblacklist ${PATH}/python2* | ||
2 | noblacklist /usr/include/python2* | ||
3 | noblacklist /usr/lib/python2* | ||
4 | noblacklist /usr/local/lib/python2* | ||
5 | noblacklist /usr/share/python2* | ||
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc new file mode 100644 index 000000000..91c7ffca4 --- /dev/null +++ b/etc/allow-python3.inc | |||
@@ -0,0 +1,5 @@ | |||
1 | noblacklist ${PATH}/python3* | ||
2 | noblacklist /usr/include/python3* | ||
3 | noblacklist /usr/lib/python3* | ||
4 | noblacklist /usr/local/lib/python3* | ||
5 | noblacklist /usr/share/python3* | ||
diff --git a/etc/amule.profile b/etc/amule.profile index 7cb2130bb..feb4a5e7e 100644 --- a/etc/amule.profile +++ b/etc/amule.profile | |||
@@ -6,7 +6,6 @@ include amule.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.aMule | 9 | noblacklist ${HOME}/.aMule |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
@@ -16,6 +15,7 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | 17 | ||
18 | mkdir ${HOME}/.aMule | ||
19 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
20 | whitelist ${HOME}/.aMule | 20 | whitelist ${HOME}/.aMule |
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
diff --git a/etc/anki.profile b/etc/anki.profile index 6ab95dd52..d50c720f7 100644 --- a/etc/anki.profile +++ b/etc/anki.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS} | |||
10 | noblacklist ${HOME}/.local/share/Anki2 | 10 | noblacklist ${HOME}/.local/share/Anki2 |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 21 | include disable-programs.inc |
26 | include disable-xdg.inc | 22 | include disable-xdg.inc |
27 | 23 | ||
24 | mkdir ${HOME}/.local/share/Anki2 | ||
28 | whitelist ${DOCUMENTS} | 25 | whitelist ${DOCUMENTS} |
29 | whitelist ${HOME}/.local/share/Anki2 | 26 | whitelist ${HOME}/.local/share/Anki2 |
30 | include whitelist-common.inc | 27 | include whitelist-common.inc |
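Review bot: `include allow-python2.inc` / `include allow-python3.inc` unblock more than the six lines they replace: the new files also noblacklist /usr/include/python2*, /usr/include/python3*, /usr/share/python2* and /usr/share/python3*. For anki, and for the same substitution in arm, bleachbit, blender, caja, catfish, celluloid and cherrytree, this is a small widening of the sandbox rather than a pure refactor; if that is intended, the commit message or the .inc header should say so.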
diff --git a/etc/arduino.profile b/etc/arduino.profile index 2ea8445fe..26bd3d0a7 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.java | |||
11 | noblacklist ${HOME}/Arduino | 11 | noblacklist ${HOME}/Arduino |
12 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
13 | 13 | ||
14 | # Allow access to java | 14 | # Allow java (blacklisted by disable-devel.inc) |
15 | noblacklist ${PATH}/java | 15 | include allow-java.inc |
16 | noblacklist /usr/lib/java | ||
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 16 | ||
20 | include disable-common.inc | 17 | include disable-common.inc |
21 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/arm.profile b/etc/arm.profile index ae93e9665..dd3fa190a 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.arm | 9 | noblacklist ${HOME}/.arm |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 6a9848e83..02a4798f4 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -7,7 +7,6 @@ include assogiate.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PICTURES} | 9 | noblacklist ${PICTURES} |
10 | whitelist ${PICTURES} | ||
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
13 | include disable-devel.inc | 12 | include disable-devel.inc |
@@ -16,6 +15,8 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | |||
19 | whitelist ${PICTURES} | ||
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
diff --git a/etc/atool.profile b/etc/atool.profile index b17498e9d..3df32baac 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -7,14 +7,10 @@ include atool.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 10 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/cpan* | 11 | include allow-perl.inc |
14 | noblacklist ${PATH}/core_perl | 12 | |
15 | noblacklist ${PATH}/perl | 13 | blacklist /tmp/.X11-unix |
16 | noblacklist /usr/lib/perl* | ||
17 | noblacklist /usr/share/perl* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | # include disable-devel.inc | 16 | # include disable-devel.inc |
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index e08dc12eb..39546112e 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator | |||
10 | noblacklist ${HOME}/.config/Authenticator | 10 | noblacklist ${HOME}/.config/Authenticator |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | #noblacklist ${PATH}/python2* | 13 | #include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | #noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | #noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile index 44c0a3c15..47396fe43 100644 --- a/etc/autokey-common.profile +++ b/etc/autokey-common.profile | |||
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey | |||
10 | noblacklist ${HOME}/.local/share/autokey | 10 | noblacklist ${HOME}/.local/share/autokey |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | noblacklist /usr/share/python2* | ||
20 | noblacklist /usr/share/python3* | ||
21 | 15 | ||
22 | include disable-common.inc | 16 | include disable-common.inc |
23 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/baobab.profile b/etc/baobab.profile index fc4e7f268..893865edd 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -33,4 +33,4 @@ private-bin baobab | |||
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
36 | #memory-deny-write-execute - breaks on Arch | 36 | #memory-deny-write-execute - breaks on Arch |
diff --git a/etc/basilisk.profile b/etc/basilisk.profile index 5f9fc8ef7..5bc91dc74 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile | |||
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk | |||
10 | 10 | ||
11 | mkdir ${HOME}/.cache/moonchild productions/basilisk | 11 | mkdir ${HOME}/.cache/moonchild productions/basilisk |
12 | mkdir ${HOME}/.moonchild productions | 12 | mkdir ${HOME}/.moonchild productions |
13 | whitelist ${DOWNLOADS} | ||
14 | whitelist ${HOME}/.cache/moonchild productions/basilisk | 13 | whitelist ${HOME}/.cache/moonchild productions/basilisk |
15 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
16 | 15 | ||
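Review bot: `whitelist ${DOWNLOADS}` is removed with no replacement in view; if the common profile this file presumably includes (not visible here) does not whitelist it, downloads stop working, and if it does, a one-line comment such as `# ${DOWNLOADS} is whitelisted by the common profile` would stop someone re-adding it later.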
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index c41aafd47..4f1b05c88 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -6,12 +6,12 @@ include bibletime.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.bibletime | 9 | noblacklist ${HOME}/.bibletime |
12 | noblacklist ${HOME}/.sword | 10 | noblacklist ${HOME}/.sword |
13 | noblacklist ${HOME}/.local/share/bibletime | 11 | noblacklist ${HOME}/.local/share/bibletime |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 2c2f88ed5..287e5f52e 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -33,6 +33,6 @@ private | |||
33 | private-cache | 33 | private-cache |
34 | private-dev | 34 | private-dev |
35 | private-tmp | 35 | private-tmp |
36 | read-write /var/lib/bitlbee | ||
37 | 36 | ||
38 | noexec /tmp | 37 | noexec /tmp |
38 | read-write /var/lib/bitlbee | ||
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile index 2a6fe9d42..609543e14 100644 --- a/etc/bitwarden.profile +++ b/etc/bitwarden.profile | |||
@@ -6,9 +6,10 @@ include bitwarden.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/Bitwarden | ||
10 | ignore noexec /tmp | 9 | ignore noexec /tmp |
11 | 10 | ||
11 | noblacklist ${HOME}/.config/Bitwarden | ||
12 | |||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
14 | include disable-exec.inc | 15 | include disable-exec.inc |
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 18 | include disable-programs.inc |
18 | include disable-xdg.inc | 19 | include disable-xdg.inc |
19 | 20 | ||
20 | include whitelist-common.inc | 21 | mkdir ${HOME}/.config/Bitwarden |
21 | include whitelist-var-common.inc | ||
22 | |||
23 | whitelist ${HOME}/.config/Bitwarden | 22 | whitelist ${HOME}/.config/Bitwarden |
24 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
25 | 26 | ||
26 | apparmor | 27 | apparmor |
27 | caps.drop all | 28 | caps.drop all |
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index cbc8c25d6..47c0cfa48 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -7,12 +7,8 @@ include bleachbit.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | 9 | # Allow python (blacklisted by disable-interpreters.inc) |
10 | noblacklist ${PATH}/python2* | 10 | include allow-python2.inc |
11 | noblacklist ${PATH}/python3* | 11 | include allow-python3.inc |
12 | noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | ||
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 12 | ||
17 | include disable-common.inc | 13 | include disable-common.inc |
18 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/blender.profile b/etc/blender.profile index bfe906408..6a72fb602 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/blender | 9 | noblacklist ${HOME}/.config/blender |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/brackets.profile b/etc/brackets.profile index fa0d7e592..3e157d841 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -8,7 +8,7 @@ include globals.local | |||
8 | noblacklist ${HOME}/.config/Brackets | 8 | noblacklist ${HOME}/.config/Brackets |
9 | #noblacklist /opt/brackets/ | 9 | #noblacklist /opt/brackets/ |
10 | #noblacklist /opt/google/ | 10 | #noblacklist /opt/google/ |
11 | # Uncomment the the next two lines if you are developing rust. | 11 | # Uncomment the next two lines if you are developing rust. |
12 | # or put it in your brackets.local | 12 | # or put it in your brackets.local |
13 | #noblacklist ${HOME}/.cargo/config | 13 | #noblacklist ${HOME}/.cargo/config |
14 | #noblacklist ${HOME}/.cargo/registry | 14 | #noblacklist ${HOME}/.cargo/registry |
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile index 6d9d162fd..e223ecf87 100644 --- a/etc/brave-browser.profile +++ b/etc/brave-browser.profile | |||
@@ -1,6 +1,5 @@ | |||
1 | # Firejail profile alias for brave | 1 | # Firejail profile alias for brave |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | |||
5 | # Redirect | 4 | # Redirect |
6 | include brave.profile | 5 | include brave.profile |
diff --git a/etc/brave.profile b/etc/brave.profile index cc003d49a..984fab5a8 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -6,6 +6,9 @@ include brave.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # noexec /tmp is included in chromium-common.profile and breaks Brave | ||
10 | ignore noexec /tmp | ||
11 | |||
9 | noblacklist ${HOME}/.config/brave | 12 | noblacklist ${HOME}/.config/brave |
10 | noblacklist ${HOME}/.config/BraveSoftware | 13 | noblacklist ${HOME}/.config/BraveSoftware |
11 | # brave uses gpg for built-in password manager | 14 | # brave uses gpg for built-in password manager |
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave | |||
17 | whitelist ${HOME}/.config/BraveSoftware | 20 | whitelist ${HOME}/.config/BraveSoftware |
18 | whitelist ${HOME}/.gnupg | 21 | whitelist ${HOME}/.gnupg |
19 | 22 | ||
20 | # noexec /tmp is included in chromium-common.profile and breaks Brave | ||
21 | ignore noexec /tmp | ||
22 | |||
23 | # Redirect | 23 | # Redirect |
24 | include chromium-common.profile | 24 | include chromium-common.profile |
diff --git a/etc/caja.profile b/etc/caja.profile index f38110dc9..2a95649af 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash | |||
14 | # noblacklist ${HOME}/.local/share/caja-python | 14 | # noblacklist ${HOME}/.local/share/caja-python |
15 | 15 | ||
16 | # Allow python (blacklisted by disable-interpreters.inc) | 16 | # Allow python (blacklisted by disable-interpreters.inc) |
17 | noblacklist ${PATH}/python2* | 17 | include allow-python2.inc |
18 | noblacklist ${PATH}/python3* | 18 | include allow-python3.inc |
19 | noblacklist /usr/lib/python2* | ||
20 | noblacklist /usr/lib/python3* | ||
21 | noblacklist /usr/local/lib/python2* | ||
22 | noblacklist /usr/local/lib/python3* | ||
23 | 19 | ||
24 | include disable-common.inc | 20 | include disable-common.inc |
25 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/cantata.profile b/etc/cantata.profile index e4a4de9c1..19abbfea2 100644 --- a/etc/cantata.profile +++ b/etc/cantata.profile | |||
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata | |||
11 | noblacklist ${HOME}/.local/share/cantata | 11 | noblacklist ${HOME}/.local/share/cantata |
12 | noblacklist ${MUSIC} | 12 | noblacklist ${MUSIC} |
13 | 13 | ||
14 | noblacklist ${PATH}/perl | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
15 | noblacklist /usr/lib/perl* | 15 | include allow-perl.inc |
16 | noblacklist /usr/share/perl* | ||
17 | 16 | ||
18 | include disable-common.inc | 17 | include disable-common.inc |
19 | include disable-devel.inc | 18 | include disable-devel.inc |
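Review bot: `include allow-perl.inc` is wider than the three lines it replaces: the new file also noblacklists `${PATH}/cpan*`, `${PATH}/core_perl`, `${PATH}/site_perl` and `${PATH}/vendor_perl`, so cantata now exposes the CPAN client as well as the interpreter. If cantata only needs perl to run, keeping the narrower noblacklist lines, or at least a comment noting the widening, would preserve the least-privilege intent of the earlier profile.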
diff --git a/etc/catfish.profile b/etc/catfish.profile index 341348ff9..f615b5323 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -12,12 +12,8 @@ include globals.local | |||
12 | noblacklist ${HOME}/.config/catfish | 12 | noblacklist ${HOME}/.config/catfish |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | # include disable-devel.inc | 19 | # include disable-devel.inc |
diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 5604a16b9..190a49588 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${MUSIC} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile index 5afbf2d56..1bb9b1860 100644 --- a/etc/checkbashisms.profile +++ b/etc/checkbashisms.profile | |||
@@ -10,11 +10,7 @@ include globals.local | |||
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 12 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/cpan* | 13 | include allow-perl.inc |
14 | noblacklist ${PATH}/core_perl | ||
15 | noblacklist ${PATH}/perl | ||
16 | noblacklist /usr/lib/perl* | ||
17 | noblacklist /usr/share/perl* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 44ef12aa2..70dea5bd9 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree | |||
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/chromium.profile b/etc/chromium.profile index dab9ce449..1c977a8ba 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/chromium-flags.conf | |||
12 | 12 | ||
13 | mkdir ${HOME}/.cache/chromium | 13 | mkdir ${HOME}/.cache/chromium |
14 | mkdir ${HOME}/.config/chromium | 14 | mkdir ${HOME}/.config/chromium |
15 | mkfile ${HOME}/.config/chromium-flags.conf | ||
15 | whitelist ${HOME}/.cache/chromium | 16 | whitelist ${HOME}/.cache/chromium |
16 | whitelist ${HOME}/.config/chromium | 17 | whitelist ${HOME}/.config/chromium |
17 | whitelist ${HOME}/.config/chromium-flags.conf | 18 | whitelist ${HOME}/.config/chromium-flags.conf |
diff --git a/etc/clawsker.profile b/etc/clawsker.profile index c519ecedb..95f15398a 100644 --- a/etc/clawsker.profile +++ b/etc/clawsker.profile | |||
@@ -9,11 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.claws-mail | 9 | noblacklist ${HOME}/.claws-mail |
10 | 10 | ||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | 11 | # Allow perl (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/cpan* | 12 | include allow-perl.inc |
13 | noblacklist ${PATH}/core_perl | ||
14 | noblacklist ${PATH}/perl | ||
15 | noblacklist /usr/lib/perl* | ||
16 | noblacklist /usr/share/perl* | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 21bef48a4..38edf0d21 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org | |||
10 | include disable-common.inc | 10 | include disable-common.inc |
11 | include disable-programs.inc | 11 | include disable-programs.inc |
12 | 12 | ||
13 | mkdir ${HOME}/.conkeror.mozdev.org | ||
14 | mkfile ${HOME}/.conkerorrc | ||
13 | whitelist ${HOME}/.conkeror.mozdev.org | 15 | whitelist ${HOME}/.conkeror.mozdev.org |
14 | whitelist ${HOME}/.conkerorrc | 16 | whitelist ${HOME}/.conkerorrc |
15 | whitelist ${HOME}/.gtkrc-2.0 | ||
16 | whitelist ${HOME}/.lastpass | 17 | whitelist ${HOME}/.lastpass |
17 | whitelist ${HOME}/.pentadactyl | 18 | whitelist ${HOME}/.pentadactyl |
18 | whitelist ${HOME}/.pentadactylrc | 19 | whitelist ${HOME}/.pentadactylrc |
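Review bot: The `whitelist ${HOME}/.gtkrc-2.0` line is dropped in this hunk and nothing added here replaces it; presumably the path is now covered by whitelist-common.inc, which is not in this view, so confirm that include is present in conkeror.profile before relying on it. The new `mkdir`/`mkfile` lines placed ahead of the whitelists follow the convention used elsewhere in this commit of making sure the paths exist so the whitelist is not silently skipped. The profile continues past the hunk.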
diff --git a/etc/cower.profile b/etc/cower.profile index bc1eeedc0..69575cea4 100644 --- a/etc/cower.profile +++ b/etc/cower.profile | |||
@@ -1,20 +1,13 @@ | |||
1 | # Firejail profile for cower | 1 | # Firejail profile for cower |
2 | # Description: a simple AUR agent with a pretentious name | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | |||
4 | # This profile could be significantly strengthened by adding the following to cower.local | ||
5 | # whitelist ${HOME}/<Your Build Folder> | ||
6 | # whitelist ${HOME}/.config/cower/ | ||
7 | |||
8 | quiet | 4 | quiet |
9 | |||
10 | # Persistent local customizations | 5 | # Persistent local customizations |
11 | include cower.local | 6 | include cower.local |
12 | # Persistent global definitions | 7 | # Persistent global definitions |
13 | include globals.local | 8 | include globals.local |
14 | 9 | ||
15 | noblacklist ${HOME}/.config/cower/config | 10 | noblacklist ${HOME}/.config/cower |
16 | read-only ${HOME}/.config/cower/config | ||
17 | |||
18 | noblacklist /var/lib/pacman | 11 | noblacklist /var/lib/pacman |
19 | 12 | ||
20 | include disable-common.inc | 13 | include disable-common.inc |
@@ -23,6 +16,11 @@ include disable-exec.inc | |||
23 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
25 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | ||
20 | |||
21 | # This profile could be significantly strengthened by adding the following to cower.local | ||
22 | # whitelist ${HOME}/<Your Build Folder> | ||
23 | # whitelist ${HOME}/.config/cower | ||
26 | 24 | ||
27 | caps.drop all | 25 | caps.drop all |
28 | ipc-namespace | 26 | ipc-namespace |
@@ -42,7 +40,9 @@ shell none | |||
42 | 40 | ||
43 | disable-mnt | 41 | disable-mnt |
44 | private-bin cower | 42 | private-bin cower |
43 | private-cache | ||
45 | private-dev | 44 | private-dev |
46 | private-tmp | 45 | private-tmp |
47 | 46 | ||
48 | memory-deny-write-execute | 47 | memory-deny-write-execute |
48 | read-only ${HOME}/.config/cower/config | ||
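Review bot: `noblacklist ${HOME}/.config/cower` now exposes the whole directory, while the read-only rule moved to the end of the profile still covers only `${HOME}/.config/cower/config`, so any other file under that directory becomes writable from inside the sandbox. If cower never writes to its config directory, widen the rule to `read-only ${HOME}/.config/cower` to keep the write surface where it was; I cannot tell from this view whether cower writes there. The broader noblacklist is needed because disable-programs.inc blacklists the directory in this same commit, so the two hunks should stay in sync.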
diff --git a/etc/cpio.profile b/etc/cpio.profile index b6f7e7f9f..0bb45f5cd 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -7,11 +7,11 @@ include cpio.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist /sbin | 10 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | # include disable-devel.inc | 16 | # include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/curl.profile b/etc/curl.profile index 2703c6fe8..b8b91d278 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -7,10 +7,10 @@ include curl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.curlrc | 10 | noblacklist ${HOME}/.curlrc |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-exec.inc | 15 | include disable-exec.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
diff --git a/etc/d-feet.profile b/etc/d-feet.profile index 9475bdd2a..30749ab40 100644 --- a/etc/d-feet.profile +++ b/etc/d-feet.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/d-feet | 9 | noblacklist ${HOME}/.config/d-feet |
10 | 10 | ||
11 | # Allow python (disabled by disable-interpreters.inc) | 11 | # Allow python (disabled by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
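Review bot: Replacing the six `noblacklist` lines with `include allow-python2.inc` / `include allow-python3.inc` is only equivalent if those include files cover every removed path, in particular `/usr/local/lib/python2*` and `/usr/local/lib/python3*`; the include files are not in this view. The same substitution appears in the deluge, display, electrum and exfalso sections of this commit, so one check of the two include files settles all of them.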
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile index 6b7f8f112..7cd39ca6a 100644 --- a/etc/dconf-editor.profile +++ b/etc/dconf-editor.profile | |||
@@ -6,8 +6,6 @@ include dconf-editor.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | whitelist ${HOME}/.local/share/glib-2.0 | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 14 | include disable-programs.inc |
17 | include disable-xdg.inc | 15 | include disable-xdg.inc |
18 | 16 | ||
17 | whitelist ${HOME}/.local/share/glib-2.0 | ||
19 | include whitelist-common.inc | 18 | include whitelist-common.inc |
20 | 19 | ||
21 | apparmor | 20 | apparmor |
@@ -39,7 +38,7 @@ disable-mnt | |||
39 | private-bin dconf-editor | 38 | private-bin dconf-editor |
40 | private-cache | 39 | private-cache |
41 | private-dev | 40 | private-dev |
42 | private-etc alternatives,fonts,machine-id | 41 | private-etc alternatives,dconf,fonts,gtk-3.0,machine-id |
43 | private-lib | 42 | private-lib |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/dconf.profile b/etc/dconf.profile index 6ffcddaf5..cf8b4ab43 100644 --- a/etc/dconf.profile +++ b/etc/dconf.profile | |||
@@ -6,8 +6,6 @@ include dconf.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | whitelist ${HOME}/.local/share/glib-2.0 | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 14 | include disable-programs.inc |
17 | include disable-xdg.inc | 15 | include disable-xdg.inc |
18 | 16 | ||
17 | whitelist ${HOME}/.local/share/glib-2.0 | ||
19 | # dconf paths are whitelisted by the following | 18 | # dconf paths are whitelisted by the following |
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
21 | 20 | ||
diff --git a/etc/deluge.profile b/etc/deluge.profile index e86c84272..e86255d22 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/deluge | 9 | noblacklist ${HOME}/.config/deluge |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | # include disable-devel.inc | 16 | # include disable-devel.inc |
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile index 2f599366b..9d67ee76e 100644 --- a/etc/devilspie2.profile +++ b/etc/devilspie2.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/devilspie2 | 9 | noblacklist ${HOME}/.config/devilspie2 |
10 | 10 | ||
11 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
12 | include allow-lua.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
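Review bot: With `include allow-lua.inc` the interpreter is reachable inside the sandbox, and the scripts it runs live in `${HOME}/.config/devilspie2`, which the profile already un-blacklists with write access. If devilspie2 only reads its scripts, add `read-only ${HOME}/.config/devilspie2` after the noblacklist so a compromised process cannot leave behind a script that runs on the next start; whether the daemon ever writes there is not visible here. The profile continues past the hunk.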
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 06a6be3aa..a6fed6c78 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
@@ -6,11 +6,8 @@ include dex2jar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow access to java | 9 | # Allow java (blacklisted by disable-devel.inc) |
10 | noblacklist ${PATH}/java | 10 | include allow-java.inc |
11 | noblacklist /usr/lib/java | ||
12 | noblacklist /etc/java | ||
13 | noblacklist /usr/share/java | ||
14 | 11 | ||
15 | include disable-common.inc | 12 | include disable-common.inc |
16 | include disable-devel.inc | 13 | include disable-devel.inc |
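Review bot: `include allow-java.inc` replaces four `noblacklist` lines, three of which name paths outside `${PATH}` (`/usr/lib/java`, `/etc/java`, `/usr/share/java`); allow-java.inc is not in this view, so confirm it un-blacklists all of them, otherwise the Java runtime remains unreachable once disable-devel.inc is included below. The JDownloader section earlier in this commit makes the same substitution and depends on the same check.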
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 9d7a34bc5..9d9be1426 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -242,6 +242,7 @@ read-only ${HOME}/.ssh/authorized_keys | |||
242 | 242 | ||
243 | # Initialization files that allow arbitrary command execution | 243 | # Initialization files that allow arbitrary command execution |
244 | read-only ${HOME}/.caffrc | 244 | read-only ${HOME}/.caffrc |
245 | read-only ${HOME}/.cargo/env | ||
245 | read-only ${HOME}/.dotfiles | 246 | read-only ${HOME}/.dotfiles |
246 | read-only ${HOME}/.emacs | 247 | read-only ${HOME}/.emacs |
247 | read-only ${HOME}/.emacs.d | 248 | read-only ${HOME}/.emacs.d |
@@ -275,7 +276,6 @@ read-only ${HOME}/bin | |||
275 | read-only ${HOME}/.bin | 276 | read-only ${HOME}/.bin |
276 | read-only ${HOME}/.local/bin | 277 | read-only ${HOME}/.local/bin |
277 | read-only ${HOME}/.cargo/bin | 278 | read-only ${HOME}/.cargo/bin |
278 | read-only ${HOME}/.cargo/env | ||
279 | blacklist ${HOME}/.cargo/registry | 279 | blacklist ${HOME}/.cargo/registry |
280 | blacklist ${HOME}/.cargo/config | 280 | blacklist ${HOME}/.cargo/config |
281 | 281 | ||
@@ -414,3 +414,12 @@ blacklist /usr/share/flatpak | |||
414 | blacklist /var/lib/flatpak | 414 | blacklist /var/lib/flatpak |
415 | # most of the time bwrap is SUID binary | 415 | # most of the time bwrap is SUID binary |
416 | blacklist ${PATH}/bwrap | 416 | blacklist ${PATH}/bwrap |
417 | |||
418 | # mail directories used by mutt | ||
419 | blacklist ${HOME}/.Mail | ||
420 | blacklist ${HOME}/.mail | ||
421 | blacklist ${HOME}/.signature | ||
422 | blacklist ${HOME}/Mail | ||
423 | blacklist ${HOME}/mail | ||
424 | blacklist ${HOME}/postponed | ||
425 | blacklist ${HOME}/sent | ||
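Review bot: The mutt entries added at the end of the file are program-specific data paths, which this tree otherwise keeps in disable-programs.inc; `${HOME}/Mail`, `${HOME}/mail`, `${HOME}/sent` and `${HOME}/postponed` are generic enough that any other mail client keeping a maildir in the home directory will now need a matching `noblacklist` in its own profile. Consider moving the block to disable-programs.inc, or at least extending the comment so the dependency is visible, e.g. `# mail directories used by mutt (must be noblacklisted by the mutt profile)`; whether that profile already does so is not in this view. The move of `read-only ${HOME}/.cargo/env` into the initialization-files list is a pure reorder.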
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc index 22f58bb85..4c4eed25d 100644 --- a/etc/disable-interpreters.inc +++ b/etc/disable-interpreters.inc | |||
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm | |||
19 | blacklist ${PATH}/cpan* | 19 | blacklist ${PATH}/cpan* |
20 | blacklist ${PATH}/core_perl | 20 | blacklist ${PATH}/core_perl |
21 | blacklist ${PATH}/perl | 21 | blacklist ${PATH}/perl |
22 | blacklist ${PATH}/site_perl | ||
23 | blacklist ${PATH}/vendor_perl | ||
22 | blacklist /usr/lib/perl* | 24 | blacklist /usr/lib/perl* |
23 | blacklist /usr/share/perl* | 25 | blacklist /usr/share/perl* |
24 | 26 | ||
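Review bot: The new `blacklist ${PATH}/site_perl` and `blacklist ${PATH}/vendor_perl` entries have no visible counterpart in allow-perl.inc, which profiles such as clawsker (earlier in this commit) now include in place of their own `noblacklist` lines; unless allow-perl.inc gained matching `noblacklist ${PATH}/site_perl` and `noblacklist ${PATH}/vendor_perl` lines, those profiles lose access to vendor-installed Perl modules on distributions that use these directories. allow-perl.inc is not in this view, so this is inferred from the two hunks.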
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index aa1205549..b1e5a9e64 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets | |||
7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/SoftMaker | 8 | blacklist ${HOME}/SoftMaker |
9 | blacklist ${HOME}/Standard Notes Backups | 9 | blacklist ${HOME}/Standard Notes Backups |
10 | blacklist ${HOME}/mps | ||
10 | blacklist ${HOME}/wallet.dat | 11 | blacklist ${HOME}/wallet.dat |
11 | blacklist ${HOME}/.*coin | 12 | blacklist ${HOME}/.*coin |
12 | blacklist ${HOME}/.8pecxstudios | 13 | blacklist ${HOME}/.8pecxstudios |
@@ -94,6 +95,7 @@ blacklist ${HOME}/.config/Nathan Osman | |||
94 | blacklist ${HOME}/.config/Nylas Mail | 95 | blacklist ${HOME}/.config/Nylas Mail |
95 | blacklist ${HOME}/.config/PBE | 96 | blacklist ${HOME}/.config/PBE |
96 | blacklist ${HOME}/.config/Qlipper | 97 | blacklist ${HOME}/.config/Qlipper |
98 | blacklist ${HOME}/.config/QGIS | ||
97 | blacklist ${HOME}/.config/QMediathekView | 99 | blacklist ${HOME}/.config/QMediathekView |
98 | blacklist ${HOME}/.config/QuiteRss | 100 | blacklist ${HOME}/.config/QuiteRss |
99 | blacklist ${HOME}/.config/QuiteRssrc | 101 | blacklist ${HOME}/.config/QuiteRssrc |
@@ -117,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf | |||
117 | blacklist ${HOME}/.config/asunder | 119 | blacklist ${HOME}/.config/asunder |
118 | blacklist ${HOME}/.config/atril | 120 | blacklist ${HOME}/.config/atril |
119 | blacklist ${HOME}/.config/audacious | 121 | blacklist ${HOME}/.config/audacious |
122 | blacklist ${HOME}/.config/autokey | ||
120 | blacklist ${HOME}/.config/aweather | 123 | blacklist ${HOME}/.config/aweather |
121 | blacklist ${HOME}/.config/baloofilerc | 124 | blacklist ${HOME}/.config/baloofilerc |
122 | blacklist ${HOME}/.config/baloorc | 125 | blacklist ${HOME}/.config/baloorc |
@@ -139,6 +142,7 @@ blacklist ${HOME}/.config/clipit | |||
139 | blacklist ${HOME}/.config/cliqz | 142 | blacklist ${HOME}/.config/cliqz |
140 | blacklist ${HOME}/.config/cmus | 143 | blacklist ${HOME}/.config/cmus |
141 | blacklist ${HOME}/.config/corebird | 144 | blacklist ${HOME}/.config/corebird |
145 | blacklist ${HOME}/.config/cower | ||
142 | blacklist ${HOME}/.config/darktable | 146 | blacklist ${HOME}/.config/darktable |
143 | blacklist ${HOME}/.config/deadbeef | 147 | blacklist ${HOME}/.config/deadbeef |
144 | blacklist ${HOME}/.config/deluge | 148 | blacklist ${HOME}/.config/deluge |
@@ -196,6 +200,7 @@ blacklist ${HOME}/.config/katerc | |||
196 | blacklist ${HOME}/.config/kateschemarc | 200 | blacklist ${HOME}/.config/kateschemarc |
197 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 201 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
198 | blacklist ${HOME}/.config/katevirc | 202 | blacklist ${HOME}/.config/katevirc |
203 | blacklist ${HOME}/.config/kdeconnect | ||
199 | blacklist ${HOME}/.config/kdenliverc | 204 | blacklist ${HOME}/.config/kdenliverc |
200 | blacklist ${HOME}/.config/kgetrc | 205 | blacklist ${HOME}/.config/kgetrc |
201 | blacklist ${HOME}/.config/kid3rc | 206 | blacklist ${HOME}/.config/kid3rc |
@@ -203,12 +208,12 @@ blacklist ${HOME}/.config/klavaro | |||
203 | blacklist ${HOME}/.config/klipperrc | 208 | blacklist ${HOME}/.config/klipperrc |
204 | blacklist ${HOME}/.config/kmail2rc | 209 | blacklist ${HOME}/.config/kmail2rc |
205 | blacklist ${HOME}/.config/kmailsearchindexingrc | 210 | blacklist ${HOME}/.config/kmailsearchindexingrc |
206 | blacklist ${HOME}/.config/kritarc | ||
207 | blacklist ${HOME}/.config/kwriterc | ||
208 | blacklist ${HOME}/.config/kdeconnect | ||
209 | blacklist ${HOME}/.config/knotesrc | 211 | blacklist ${HOME}/.config/knotesrc |
210 | blacklist ${HOME}/.config/konversationrc | 212 | blacklist ${HOME}/.config/konversationrc |
213 | blacklist ${HOME}/.config/kritarc | ||
211 | blacklist ${HOME}/.config/ktorrentrc | 214 | blacklist ${HOME}/.config/ktorrentrc |
215 | blacklist ${HOME}/.config/ktouch2rc | ||
216 | blacklist ${HOME}/.config/kwriterc | ||
212 | blacklist ${HOME}/.config/leafpad | 217 | blacklist ${HOME}/.config/leafpad |
213 | blacklist ${HOME}/.config/libreoffice | 218 | blacklist ${HOME}/.config/libreoffice |
214 | blacklist ${HOME}/.config/liferea | 219 | blacklist ${HOME}/.config/liferea |
@@ -265,6 +270,7 @@ blacklist ${HOME}/.config/redshift.conf | |||
265 | blacklist ${HOME}/.config/remmina | 270 | blacklist ${HOME}/.config/remmina |
266 | blacklist ${HOME}/.config/ristretto | 271 | blacklist ${HOME}/.config/ristretto |
267 | blacklist ${HOME}/.config/scribus | 272 | blacklist ${HOME}/.config/scribus |
273 | blacklist ${HOME}/.config/scribusrc | ||
268 | blacklist ${HOME}/.config/sinew.in | 274 | blacklist ${HOME}/.config/sinew.in |
269 | blacklist ${HOME}/.config/skypeforlinux | 275 | blacklist ${HOME}/.config/skypeforlinux |
270 | blacklist ${HOME}/.config/slimjet | 276 | blacklist ${HOME}/.config/slimjet |
@@ -273,17 +279,17 @@ blacklist ${HOME}/.config/smtube | |||
273 | blacklist ${HOME}/.config/snox | 279 | blacklist ${HOME}/.config/snox |
274 | blacklist ${HOME}/.config/specialmailcollectionsrc | 280 | blacklist ${HOME}/.config/specialmailcollectionsrc |
275 | blacklist ${HOME}/.config/spotify | 281 | blacklist ${HOME}/.config/spotify |
276 | blacklist ${HOME}/.config/supertuxkart | ||
277 | blacklist ${HOME}/.config/sqlitebrowser | 282 | blacklist ${HOME}/.config/sqlitebrowser |
278 | blacklist ${HOME}/.config/stellarium | 283 | blacklist ${HOME}/.config/stellarium |
284 | blacklist ${HOME}/.config/supertuxkart | ||
279 | blacklist ${HOME}/.config/synfig | 285 | blacklist ${HOME}/.config/synfig |
280 | blacklist ${HOME}/.config/telepathy-account-widgets | 286 | blacklist ${HOME}/.config/telepathy-account-widgets |
281 | blacklist ${HOME}/.config/torbrowser | 287 | blacklist ${HOME}/.config/torbrowser |
282 | blacklist ${HOME}/.config/totem | 288 | blacklist ${HOME}/.config/totem |
283 | blacklist ${HOME}/.config/tox | 289 | blacklist ${HOME}/.config/tox |
284 | blacklist ${HOME}/.config/transgui | 290 | blacklist ${HOME}/.config/transgui |
285 | blacklist ${HOME}/.config/truecraft | ||
286 | blacklist ${HOME}/.config/transmission | 291 | blacklist ${HOME}/.config/transmission |
292 | blacklist ${HOME}/.config/truecraft | ||
287 | blacklist ${HOME}/.config/uGet | 293 | blacklist ${HOME}/.config/uGet |
288 | blacklist ${HOME}/.config/uzbl | 294 | blacklist ${HOME}/.config/uzbl |
289 | blacklist ${HOME}/.config/viewnior | 295 | blacklist ${HOME}/.config/viewnior |
@@ -307,6 +313,7 @@ blacklist ${HOME}/.config/xreader | |||
307 | blacklist ${HOME}/.config/xviewer | 313 | blacklist ${HOME}/.config/xviewer |
308 | blacklist ${HOME}/.config/yandex-browser | 314 | blacklist ${HOME}/.config/yandex-browser |
309 | blacklist ${HOME}/.config/yandex-browser-beta | 315 | blacklist ${HOME}/.config/yandex-browser-beta |
316 | blacklist ${HOME}/.config/yelp | ||
310 | blacklist ${HOME}/.config/zathura | 317 | blacklist ${HOME}/.config/zathura |
311 | blacklist ${HOME}/.config/zoomus.conf | 318 | blacklist ${HOME}/.config/zoomus.conf |
312 | blacklist ${HOME}/.conkeror.mozdev.org | 319 | blacklist ${HOME}/.conkeror.mozdev.org |
@@ -325,7 +332,6 @@ blacklist ${HOME}/.electron-cache | |||
325 | blacklist ${HOME}/.electrum* | 332 | blacklist ${HOME}/.electrum* |
326 | blacklist ${HOME}/.elinks | 333 | blacklist ${HOME}/.elinks |
327 | blacklist ${HOME}/.emacs | 334 | blacklist ${HOME}/.emacs |
328 | blacklist ${HOME}/.emacs | ||
329 | blacklist ${HOME}/.emacs.d | 335 | blacklist ${HOME}/.emacs.d |
330 | blacklist ${HOME}/.ethereum | 336 | blacklist ${HOME}/.ethereum |
331 | blacklist ${HOME}/.etr | 337 | blacklist ${HOME}/.etr |
@@ -367,10 +373,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine | |||
367 | blacklist ${HOME}/.kde/share/apps/kcookiejar | 373 | blacklist ${HOME}/.kde/share/apps/kcookiejar |
368 | blacklist ${HOME}/.kde/share/apps/kget | 374 | blacklist ${HOME}/.kde/share/apps/kget |
369 | blacklist ${HOME}/.kde/share/apps/khtml | 375 | blacklist ${HOME}/.kde/share/apps/khtml |
376 | blacklist ${HOME}/.kde/share/apps/klatexformula | ||
370 | blacklist ${HOME}/.kde/share/apps/konqsidebartng | 377 | blacklist ${HOME}/.kde/share/apps/konqsidebartng |
371 | blacklist ${HOME}/.kde/share/apps/konqueror | 378 | blacklist ${HOME}/.kde/share/apps/konqueror |
372 | blacklist ${HOME}/.kde/share/apps/kopete | 379 | blacklist ${HOME}/.kde/share/apps/kopete |
373 | blacklist ${HOME}/.kde/share/apps/khtml | ||
374 | blacklist ${HOME}/.kde/share/apps/ktorrent | 380 | blacklist ${HOME}/.kde/share/apps/ktorrent |
375 | blacklist ${HOME}/.kde/share/apps/okular | 381 | blacklist ${HOME}/.kde/share/apps/okular |
376 | blacklist ${HOME}/.kde/share/config/baloofilerc | 382 | blacklist ${HOME}/.kde/share/config/baloofilerc |
@@ -423,10 +429,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc | |||
423 | blacklist ${HOME}/.killingfloor | 429 | blacklist ${HOME}/.killingfloor |
424 | blacklist ${HOME}/.kino-history | 430 | blacklist ${HOME}/.kino-history |
425 | blacklist ${HOME}/.kinorc | 431 | blacklist ${HOME}/.kinorc |
432 | blacklist ${HOME}/.klatexformula | ||
426 | blacklist ${HOME}/.kodi | 433 | blacklist ${HOME}/.kodi |
427 | blacklist ${HOME}/.lincity-ng | 434 | blacklist ${HOME}/.lincity-ng |
428 | blacklist ${HOME}/.linphone-history.db | 435 | blacklist ${HOME}/.linphone-history.db |
429 | blacklist ${HOME}/.linphonerc | 436 | blacklist ${HOME}/.linphonerc |
437 | blacklist ${HOME}/.links | ||
430 | blacklist ${HOME}/.lmmsrc.xml | 438 | blacklist ${HOME}/.lmmsrc.xml |
431 | blacklist ${HOME}/.local/lib/vivaldi | 439 | blacklist ${HOME}/.local/lib/vivaldi |
432 | blacklist ${HOME}/.local/share/0ad | 440 | blacklist ${HOME}/.local/share/0ad |
@@ -438,6 +446,7 @@ blacklist ${HOME}/.local/share/JetBrains | |||
438 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 446 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
439 | blacklist ${HOME}/.local/share/Mumble | 447 | blacklist ${HOME}/.local/share/Mumble |
440 | blacklist ${HOME}/.local/share/PBE | 448 | blacklist ${HOME}/.local/share/PBE |
449 | blacklist ${HOME}/.local/share/QGIS | ||
441 | blacklist ${HOME}/.local/share/QMediathekView | 450 | blacklist ${HOME}/.local/share/QMediathekView |
442 | blacklist ${HOME}/.local/share/QuiteRss | 451 | blacklist ${HOME}/.local/share/QuiteRss |
443 | blacklist ${HOME}/.local/share/Ricochet | 452 | blacklist ${HOME}/.local/share/Ricochet |
@@ -450,6 +459,7 @@ blacklist ${HOME}/.local/share/akonadi* | |||
450 | blacklist ${HOME}/.local/share/akregator | 459 | blacklist ${HOME}/.local/share/akregator |
451 | blacklist ${HOME}/.local/share/apps/korganizer | 460 | blacklist ${HOME}/.local/share/apps/korganizer |
452 | blacklist ${HOME}/.local/share/aspyr-media | 461 | blacklist ${HOME}/.local/share/aspyr-media |
462 | blacklist ${HOME}/.local/share/autokey | ||
453 | blacklist ${HOME}/.local/share/baloo | 463 | blacklist ${HOME}/.local/share/baloo |
454 | blacklist ${HOME}/.local/share/bibletime | 464 | blacklist ${HOME}/.local/share/bibletime |
455 | blacklist ${HOME}/.local/share/caja-python | 465 | blacklist ${HOME}/.local/share/caja-python |
@@ -492,8 +502,9 @@ blacklist ${HOME}/.local/share/klavaro | |||
492 | blacklist ${HOME}/.local/share/kmail2 | 502 | blacklist ${HOME}/.local/share/kmail2 |
493 | blacklist ${HOME}/.local/share/knotes | 503 | blacklist ${HOME}/.local/share/knotes |
494 | blacklist ${HOME}/.local/share/krita | 504 | blacklist ${HOME}/.local/share/krita |
495 | blacklist ${HOME}/.local/share/ktorrentrc | ||
496 | blacklist ${HOME}/.local/share/ktorrent | 505 | blacklist ${HOME}/.local/share/ktorrent |
506 | blacklist ${HOME}/.local/share/ktorrentrc | ||
507 | blacklist ${HOME}/.local/share/ktouch | ||
497 | blacklist ${HOME}/.local/share/kwrite | 508 | blacklist ${HOME}/.local/share/kwrite |
498 | blacklist ${HOME}/.local/share/liferea | 509 | blacklist ${HOME}/.local/share/liferea |
499 | blacklist ${HOME}/.local/share/local-mail | 510 | blacklist ${HOME}/.local/share/local-mail |
@@ -517,13 +528,13 @@ blacklist ${HOME}/.local/share/ocenaudio | |||
517 | blacklist ${HOME}/.local/share/okular | 528 | blacklist ${HOME}/.local/share/okular |
518 | blacklist ${HOME}/.local/share/orage | 529 | blacklist ${HOME}/.local/share/orage |
519 | blacklist ${HOME}/.local/share/org.kde.gwenview | 530 | blacklist ${HOME}/.local/share/org.kde.gwenview |
520 | blacklist ${HOME}/.local/share/rhythmbox | ||
521 | blacklist ${HOME}/.local/share/pix | 531 | blacklist ${HOME}/.local/share/pix |
522 | blacklist ${HOME}/.local/share/plasma_notes | 532 | blacklist ${HOME}/.local/share/plasma_notes |
523 | blacklist ${HOME}/.local/share/psi+ | 533 | blacklist ${HOME}/.local/share/psi+ |
524 | blacklist ${HOME}/.local/share/qpdfview | 534 | blacklist ${HOME}/.local/share/qpdfview |
525 | blacklist ${HOME}/.local/share/qutebrowser | 535 | blacklist ${HOME}/.local/share/qutebrowser |
526 | blacklist ${HOME}/.local/share/remmina | 536 | blacklist ${HOME}/.local/share/remmina |
537 | blacklist ${HOME}/.local/share/rhythmbox | ||
527 | blacklist ${HOME}/.local/share/scribus | 538 | blacklist ${HOME}/.local/share/scribus |
528 | blacklist ${HOME}/.local/share/spotify | 539 | blacklist ${HOME}/.local/share/spotify |
529 | blacklist ${HOME}/.local/share/steam | 540 | blacklist ${HOME}/.local/share/steam |
@@ -576,6 +587,7 @@ blacklist ${HOME}/.pingus | |||
576 | blacklist ${HOME}/.pioneer | 587 | blacklist ${HOME}/.pioneer |
577 | blacklist ${HOME}/.purple | 588 | blacklist ${HOME}/.purple |
578 | blacklist ${HOME}/.qemu-launcher | 589 | blacklist ${HOME}/.qemu-launcher |
590 | blacklist ${HOME}/.qgis2 | ||
579 | blacklist ${HOME}/.qmmp | 591 | blacklist ${HOME}/.qmmp |
580 | blacklist ${HOME}/.quodlibet | 592 | blacklist ${HOME}/.quodlibet |
581 | blacklist ${HOME}/.redeclipse | 593 | blacklist ${HOME}/.redeclipse |
@@ -624,8 +636,8 @@ blacklist ${HOME}/.wget-hsts | |||
624 | blacklist ${HOME}/.wgetrc | 636 | blacklist ${HOME}/.wgetrc |
625 | blacklist ${HOME}/.widelands | 637 | blacklist ${HOME}/.widelands |
626 | blacklist ${HOME}/.wine | 638 | blacklist ${HOME}/.wine |
627 | blacklist ${HOME}/.wireshark | ||
628 | blacklist ${HOME}/.wine64 | 639 | blacklist ${HOME}/.wine64 |
640 | blacklist ${HOME}/.wireshark | ||
629 | blacklist ${HOME}/.xiphos | 641 | blacklist ${HOME}/.xiphos |
630 | blacklist ${HOME}/.xmind | 642 | blacklist ${HOME}/.xmind |
631 | blacklist ${HOME}/.xmms | 643 | blacklist ${HOME}/.xmms |
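Review bot: `blacklist ${HOME}/mps` in the first hunk gives no hint which program owns that directory, unlike most entries here whose name identifies the application; a comment line above it such as `# <owning program>` (placeholder) would help the next maintainer decide whether it is still needed. The remaining hunks reorder entries alphabetically, drop the duplicated `${HOME}/.emacs` and `.kde/share/apps/khtml` lines, and add new application paths; the new `blacklist ${HOME}/.config/cower` matches the broadened noblacklist in cower.profile in this commit.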
diff --git a/etc/display.profile b/etc/display.profile index 0bab32db1..0b9d685e8 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -8,12 +8,8 @@ include globals.local | |||
8 | noblacklist ${PICTURES} | 8 | noblacklist ${PICTURES} |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python2* | 11 | include allow-python2.inc |
12 | noblacklist ${PATH}/python3* | 12 | include allow-python3.inc |
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-devel.inc | 15 | include disable-devel.inc |
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0dc0cc793..ffced747b 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index bb41b71d1..daf4795c3 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -6,11 +6,11 @@ include dnsmasq.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/dooble.profile b/etc/dooble.profile index 80bcce463..bc197b223 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile | |||
@@ -1,11 +1,12 @@ | |||
1 | # Firejail profile for dooble | 1 | # Firejail profile for dooble |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include dooble.local | ||
5 | # Backward compatibility | ||
4 | include dooble-qt4.local | 6 | include dooble-qt4.local |
5 | # Persistent global definitions | 7 | # Persistent global definitions |
6 | include globals.local | 8 | include globals.local |
7 | 9 | ||
8 | |||
9 | noblacklist ${HOME}/.dooble | 10 | noblacklist ${HOME}/.dooble |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
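Review bot: The `# Backward compatibility` comment above `include dooble-qt4.local` does not say what it is compatible with; since the hunk shows that file was the profile's local-customization include before `dooble.local` was introduced, spell that out, e.g. `# Backward compatibility: dooble-qt4.local was the previous local customization file`. Keeping both includes is otherwise harmless.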
diff --git a/etc/electrum.profile b/etc/electrum.profile index ffa0fb5f6..ab554b21f 100644 --- a/etc/electrum.profile +++ b/etc/electrum.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.electrum | 9 | noblacklist ${HOME}/.electrum |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/elinks.profile b/etc/elinks.profile index 842a0db04..980fa7617 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -6,10 +6,10 @@ include elinks.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.elinks | 9 | noblacklist ${HOME}/.elinks |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
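--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
-
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # machine-id and nosound break audio notification functionality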
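--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.quodlibet
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc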
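--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,12 +6,10 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 
-# Allow access to perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
@@ -41,7 +39,7 @@ shell none
 tracelog
 
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev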
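Review bot: The perl lists that `include allow-perl.inc` replaces differ between profiles in this commit: exiftool dropped `${PATH}/perl`, `/usr/lib/perl*` and `/usr/share/perl*`, while frozen-bubble additionally dropped `${PATH}/cpan*` and `${PATH}/core_perl`; allow-perl.inc is not in this section, so confirm it covers the union, or exiftool's Arch `vendor_perl` case mentioned in the comment at line 41 may regress. The second hunk's wording is fine, but since exiftool.local is included at the top of the file (line 5, outside the hunk) and this `#private-bin` sits near the bottom, it would help to state in the comment that the option takes effect from the .local regardless of position, if that is indeed how private-bin is merged — TODO confirm.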
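--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon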
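--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc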
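--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -56,8 +56,7 @@ whitelist ${HOME}/dwhelper
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore nodbus
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python3*
+include allow-python3.inc
 
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.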
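Review bot: Line 59 replaces two targeted lines (`${PATH}/python3*`, `/usr/lib/python3*`) with `include allow-python3.inc`, which likely re-allows more than those two paths (the application profiles in this commit also drop a `/usr/local/lib/python3*` line when switching to the same include); because this file is pulled into every Firefox-based profile that enables addons, confirm that widening is intended rather than incidental. The python line also sits inside the gnome-shell block under `ignore nodbus` with no comment saying which addon needs an interpreter; a one-liner such as `# python3 is used by the gnome-shell integration helper — TODO confirm` would make the coupling explicit.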
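--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki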
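--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.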
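--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc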
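--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc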
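--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc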
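--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}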
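Review bot: The new `ignore noexec /tmp` at line 8 of the first hunk has no comment saying what breaks without it, whereas the google-play-music-desktop-player section in this same commit documents its identical line with `# noexec /tmp breaks mpris support`. Since `ignore` selectively cancels part of the hardening that `include disable-exec.inc` (second hunk) is presumably adding, the exception deserves a one-line reason, e.g. `# noexec /tmp breaks <feature> (TODO: fill in)`, so a later reader can tell whether it can be dropped. The previous explicit `noexec ${HOME}` at the end of the file is removed in the third hunk; confirm that disable-exec.inc, which is outside this section, still applies it.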
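--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -12,11 +12,8 @@ noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc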
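Review bot: The four removed lines (`${PATH}/java`, `/usr/lib/java`, `/etc/java`, `/usr/share/java`) are the whole contract that `include allow-java.inc` now has to honour, and that file is not in this section; confirm it noblacklists all four before merging. The same substitution is made in freemind, imagej, jd-gui and jitsi, and in freemind the include is additionally moved from the noblacklist block to its own commented block after `noblacklist ${HOME}/.freemind`, which is still ahead of `include disable-devel.inc` and therefore keeps the required ordering.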
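--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -7,12 +7,11 @@ include freemind.local
 include globals.local
 
 noblacklist ${DOCUMENTS}
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
 noblacklist ${HOME}/.freemind
 
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc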
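--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.frozen-bubble
 
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc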
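--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc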
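--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/gconf
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-#noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+#include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc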
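--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
+ignore nodbus
+ignore private-tmp
+
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
 
-include whitelist-common.inc
-
-ignore nodbus
-ignore private-tmp
-
 read-only ${HOME}/.config/mimeapps.list
 
 # allow browsers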
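Review bot: Lines 7-8 comment out `include globals.local` with the note `# added by included profile`, and old lines 23-27 drop `include whitelist-common.inc`, but the profile include that is now supposed to supply both is outside this hunk; confirm it exists further down and that it does pull in whitelist-common.inc, otherwise the `whitelist` lines at 22-24 run without the common whitelist set. Moving `ignore nodbus` and `ignore private-tmp` up to line 13, ahead of the later include, is the right direction, since an `ignore` only affects directives parsed after it — worth a short comment there, e.g. `# must precede the profile included below`, so nobody moves them back. The `# added by included profile` comment would read better as `# globals.local is included by the profile redirected to below`.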
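--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -7,7 +7,8 @@ include gimp.local
 include globals.local
 
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can disable ignore noexec statement below
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'ignore ignore noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/GIMP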
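Review bot: The new line 11 tells users to put `ignore ignore noexec ${HOME}` in gimp.local; gimp.local is included above this hunk (line 5), so the advice only works if the parser lets an earlier `ignore` suppress a later `ignore` line — confirm that against the profile parser rather than the docs before shipping the comment, as a wrong hint here silently leaves `${HOME}` executable. Wording nit on line 10: `# if you are not using external plugins, you can comment out the 'ignore noexec' statement below`.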
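--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc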
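--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp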
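--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc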
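--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc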
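--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp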
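--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc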
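--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
-#shell none
+shell none
 tracelog
 
 # private-bin gpg,gpg-agent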
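Review bot: The second hunk re-enables `shell none` at line 32 and deletes the `# Causes gpg to hang` note without recording why the hang no longer applies; the next person who sees gpg block will simply comment the line out again. Keep a one-line pointer in its place, e.g. `# shell none used to hang gpg; re-enabled after <ISSUE-OR-COMMIT-PLACEHOLDER>`, or put the reference in the commit message. Since `private-bin` at line 35 stays commented, the sandbox still runs whatever pinentry/agent helper gpg spawns from the real `/usr/bin`; that is unchanged by this commit but is the interaction most likely behind the original hang, so it is worth naming in the comment.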
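--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
 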
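--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.gramps
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc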
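--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -34,5 +41,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile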
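Review bot: Line 30 of the second hunk keeps noroot disabled as `#noroot` with no reason given; the old `ignore noroot` at least read as a deliberate override of default.profile, and now that the third hunk drops `include default.profile` the commented line is the only trace left. Add the reason, e.g. `# noroot breaks <use case> — TODO confirm`, or enable it if the restriction no longer bites a plain compressor. The first two hunks inline what default.profile used to provide (the disable-*.inc set, `caps.drop all`, `nonewprivs`, `protocol unix`, `seccomp`); default.profile is outside this section, so diff the two to be sure nothing else it supplied was silently lost when the include went away.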
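--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc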
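Review bot: The context line 10 still carries a hand-written `noblacklist /usr/share/perl*` while the python block right below it is converted to `include allow-python*.inc`; for consistency with exiftool and frozen-bubble in this same commit the perl part should become `# Allow perl (blacklisted by disable-interpreters.inc)` followed by `include allow-perl.inc`. The remaining perl lines presumably precede line 10 and are outside the hunk, so they need the same treatment.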
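--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -8,11 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.imagej
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc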
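--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc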
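--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc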
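--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -7,11 +7,8 @@ include globals.local
 
 noblacklist ${HOME}/.jitsi
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc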
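--- /dev/null
+++ b/etc/klatexformula.profile
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp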
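Review bot: klatexformula.profile has no `whitelist` block and does not include `disable-xdg.inc`, unlike the sibling new ktouch.profile in this commit, so the sandbox sees the whole home directory apart from the standard blacklists. The profile already names the only two state directories it needs (`${HOME}/.kde/share/apps/klatexformula` and `${HOME}/.klatexformula`), so a `mkdir`/`whitelist` pair for them plus `include whitelist-common.inc` would narrow that, provided the LaTeX toolchain it shells out to needs no other home paths (a user texmf tree, for instance) — to be confirmed before tightening. A short comment next to the two python includes saying what klatexformula uses python for would also let a maintainer judge whether both interpreter versions must stay allowed.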
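--- /dev/null
+++ b/etc/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+
+# Redirect
+include klatexformula.profile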
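--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -15,12 +15,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc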
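--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc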
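--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp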
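Review bot: `protocol unix,netlink` at line 40 sits next to `net none` with no comment, so a reader cannot tell whether netlink is deliberately kept or was carried over from a networked profile. If it is needed (Qt applications are often observed probing interfaces over netlink even when no network is available — to be confirmed for KTouch), a comment such as `# netlink is required by the Qt network layer even with net none` would record that; if it is not, `protocol unix` would match the other new profile in this commit. Either way the decision should be visible in the file rather than rediscovered on the next audit.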
diff --git a/etc/less.profile b/etc/less.profile index 5ad7cb959..bc85e5ad5 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -5,24 +5,33 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include less.local | 6 | include less.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
12 | include disable-exec.inc | 14 | include disable-exec.inc |
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
13 | 18 | ||
14 | ignore noroot | ||
15 | apparmor | 19 | apparmor |
20 | caps.drop all | ||
16 | ipc-namespace | 21 | ipc-namespace |
17 | machine-id | 22 | machine-id |
18 | net none | 23 | net none |
19 | no3d | 24 | no3d |
20 | nodbus | 25 | nodbus |
21 | nodvd | 26 | nodvd |
27 | nonewprivs | ||
28 | #noroot | ||
22 | nosound | 29 | nosound |
23 | notv | 30 | notv |
24 | nou2f | 31 | nou2f |
25 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
26 | shell none | 35 | shell none |
27 | tracelog | 36 | tracelog |
28 | writable-var-log | 37 | writable-var-log |
@@ -35,5 +44,3 @@ private-cache | |||
35 | private-dev | 44 | private-dev |
36 | 45 | ||
37 | memory-deny-write-execute | 46 | memory-deny-write-execute |
38 | |||
39 | include default.profile | ||
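Review bot: `#noroot` at new line 28 replaces the old `ignore noroot` (removed line 14) with no comment saying why root must remain available inside the sandbox, so the next cleanup pass may simply enable it. A line such as `# noroot is left disabled, presumably because less is used as a pager from root shells; enable it in less.local if that does not apply to you` would preserve the intent (the actual reason should be confirmed with whoever wrote the original `ignore noroot`). The second hunk is a pure removal of the `include default.profile` trailer and needs no change; the first hunk's enclosing option list continues below it in the file.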
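--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -10,12 +10,10 @@ noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
-# libreoffice uses java; if you don't care about java functionality,
-# comment the next four lines
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +27,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +46,4 @@ tracelog
 private-dev
 private-tmp
 
-
 join-or-start libreoffice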
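Review bot: The rewritten comment at new lines 13-14, `# libreoffice uses java for some certain operations` / `# comment if you don't care about java functionality`, is ungrammatical ("some certain") and no longer says what to comment out now that the four `noblacklist` lines have become a single `include`. Suggested replacement for those two lines: `# libreoffice uses java for certain operations;` and `# comment out the next include if you don't need java functionality`. The removal of the dead `#machine-id` and `#nodbus` lines in the second hunk is fine.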
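--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea
 noblacklist ${HOME}/.local/share/liferea
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc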
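--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links
+
+blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute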
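Review bot: `private-bin links,sh` at line 55 ships a shell into the sandbox so that user-configured associated programs can be launched, which means every program a user adds through `links.local` runs in a shell-capable environment; the comment at lines 53-54 should state that trade-off, e.g. `# sh is needed to launch associated programs; every PROGRAM added here runs with shell access inside the sandbox`. The commented `private-etc alsa,asound.conf,machine-id,openal,pulse` at line 61 is presented as something to uncomment, but if the firejail version in use does not merge multiple `private-etc` lines, doing so would replace rather than extend the list at line 58 (to be confirmed against the installed version); wording it as `# append alsa,asound.conf,machine-id,openal,pulse to the private-etc line above to allow external media players` avoids the ambiguity. The comment at line 59 is also missing a word: `# Uncomment the following line (or put it in your links.local) to allow external`.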
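--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc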
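--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc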
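--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -20,9 +20,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
-no3d
 nodvd
 nogroups
 nonewprivs
@@ -36,7 +34,6 @@ seccomp
 shell none
 tracelog
 
-private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts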
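Review bot: Removing `private-bin masterpdfedito*` (old line 39) hands the sandbox the full system `/usr/bin` back without a replacement or a comment explaining why, and the first hunk likewise drops `ipc-namespace` and `no3d` silently. If the glob was the problem, an explicit list such as `private-bin masterpdfeditor4,masterpdfeditor5` (binary names to be checked against the installed package) would keep the restriction; if the application genuinely needs the full PATH, a comment along the lines of `# private-bin dropped: <reason>` should record it so the loosening is not re-tightened by accident. Each dropped hardening option deserves one line of rationale in the profile.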
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index ac5577b4c..2f6020ad3 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -15,12 +15,13 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | mkdir ${HOME}/.cache/mate-calc | ||
19 | mkdir ${HOME}/.config/caja | ||
20 | mkdir ${HOME}/.config/mate-menu | ||
18 | whitelist ${HOME}/.cache/mate-calc | 21 | whitelist ${HOME}/.cache/mate-calc |
19 | whitelist ${HOME}/.config/caja | 22 | whitelist ${HOME}/.config/caja |
20 | whitelist ${HOME}/.config/gtk-3.0 | ||
21 | whitelist ${HOME}/.config/dconf | ||
22 | whitelist ${HOME}/.config/mate-menu | 23 | whitelist ${HOME}/.config/mate-menu |
23 | whitelist ${HOME}/.themes | 24 | include whitelist-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
26 | net none | 27 | net none |
@@ -40,7 +41,7 @@ shell none | |||
40 | 41 | ||
41 | disable-mnt | 42 | disable-mnt |
42 | private-bin mate-calc,mate-calculator | 43 | private-bin mate-calc,mate-calculator |
43 | private-etc alternatives,fonts | 44 | private-etc alternatives,dconf,fonts,gtk-3.0 |
44 | private-dev | 45 | private-dev |
45 | private-opt none | 46 | private-opt none |
46 | private-tmp | 47 | private-tmp |
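--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -5,7 +5,6 @@ include mate-color-select.local
 # Persistent global definitions
 include globals.local
 
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,10 +12,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
+include whitelist-common.inc
 
 caps.drop all
 netfilter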
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 1217910a0..d1dc76260 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile | |||
@@ -14,11 +14,9 @@ include disable-interpreters.inc | |||
14 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/mate/mate-dictionary | ||
17 | whitelist ${HOME}/.config/mate/mate-dictionary | 18 | whitelist ${HOME}/.config/mate/mate-dictionary |
18 | whitelist ${HOME}/.config/gtk-3.0 | 19 | include whitelist-common.inc |
19 | whitelist ${HOME}/.fonts | ||
20 | whitelist ${HOME}/.icons | ||
21 | whitelist ${HOME}/.themes | ||
22 | 20 | ||
23 | caps.drop all | 21 | caps.drop all |
24 | netfilter | 22 | netfilter |
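--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -18,11 +18,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc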
diff --git a/etc/meld.profile b/etc/meld.profile index 14e0f238d..34b1f22de 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -6,22 +6,17 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/meld | ||
10 | |||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist ${PATH}/python3* | ||
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | |||
19 | noblacklist ${HOME}/.config/git | 9 | noblacklist ${HOME}/.config/git |
20 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
21 | noblacklist ${HOME}/.git-credentials | 11 | noblacklist ${HOME}/.git-credentials |
12 | noblacklist ${HOME}/.local/share/meld | ||
22 | noblacklist ${HOME}/.ssh | 13 | noblacklist ${HOME}/.ssh |
23 | noblacklist ${HOME}/.subversion | 14 | noblacklist ${HOME}/.subversion |
24 | 15 | ||
16 | # Allow python (blacklisted by disable-interpreters.inc) | ||
17 | include allow-python2.inc | ||
18 | include allow-python3.inc | ||
19 | |||
25 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. | 20 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. |
26 | #include disable-common.inc | 21 | #include disable-common.inc |
27 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -59,3 +54,4 @@ private-dev | |||
59 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | 54 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion |
60 | private-tmp | 55 | private-tmp |
61 | 56 | ||
57 | read-only ${HOME}/.ssh | ||
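Review bot: The new `read-only ${HOME}/.ssh` at line 57 is a sound least-privilege step, but `${HOME}/.git-credentials`, noblacklisted at line 11 of the first hunk, holds plaintext tokens and is left writable. Unless meld itself is expected to store new credentials (it compares files; a git push run from inside the sandbox would be the only plausible writer — to be confirmed), `read-only ${HOME}/.git-credentials` next to the `.ssh` line would stop a compromised meld from tampering with it. The python include lines in the first hunk are the same refactor as elsewhere in this commit.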
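--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc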
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile index a769a97ec..4437d86ea 100644 --- a/etc/meteo-qt.profile +++ b/etc/meteo-qt.profile | |||
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart | |||
10 | noblacklist ${HOME}/.config/meteo-qt | 10 | noblacklist ${HOME}/.config/meteo-qt |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python3* | ||
16 | 14 | ||
17 | include disable-common.inc | 15 | include disable-common.inc |
18 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc | |||
22 | include disable-programs.inc | 20 | include disable-programs.inc |
23 | include disable-xdg.inc | 21 | include disable-xdg.inc |
24 | 22 | ||
25 | whitelist ${HOME}/.config/autostart | ||
26 | mkdir ${HOME}/.config/meteo-qt | 23 | mkdir ${HOME}/.config/meteo-qt |
24 | whitelist ${HOME}/.config/autostart | ||
27 | whitelist ${HOME}/.config/meteo-qt | 25 | whitelist ${HOME}/.config/meteo-qt |
28 | include whitelist-common.inc | 26 | include whitelist-common.inc |
29 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
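--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc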
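--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/mpDris2
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc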
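--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -6,14 +6,6 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
 
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/mps-youtube
@@ -22,6 +14,10 @@ noblacklist ${HOME}/mps
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc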
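--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,12 +13,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc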
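--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online
 noblacklist ${HOME}/.jak
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc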
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile index 02084d923..df1618361 100644 --- a/etc/ms-skype.profile +++ b/etc/ms-skype.profile | |||
@@ -3,10 +3,13 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include ms-skype.local | 4 | include ms-skype.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | noblacklist ${HOME}/.cache/ms-skype-online | ||
9 | ignore novideo | 9 | ignore novideo |
10 | |||
11 | noblacklist ${HOME}/.cache/ms-skype-online | ||
12 | |||
10 | private-bin ms-skype | 13 | private-bin ms-skype |
11 | 14 | ||
12 | # Redirect | 15 | # Redirect |
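--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +21,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5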
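--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -6,8 +6,6 @@ include mutt.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc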
diff --git a/etc/mypaint.profile b/etc/mypaint.profile index 615bb60d1..19643e749 100644 --- a/etc/mypaint.profile +++ b/etc/mypaint.profile | |||
@@ -9,10 +9,12 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/mypaint | 9 | noblacklist ${HOME}/.cache/mypaint |
10 | noblacklist ${HOME}/.config/mypaint | 10 | noblacklist ${HOME}/.config/mypaint |
11 | noblacklist ${HOME}/.local/share/mypaint | 11 | noblacklist ${HOME}/.local/share/mypaint |
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist ${PICTURES} | 12 | noblacklist ${PICTURES} |
15 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | ||
16 | include allow-python3.inc | ||
17 | |||
16 | include disable-common.inc | 18 | include disable-common.inc |
17 | include disable-devel.inc | 19 | include disable-devel.inc |
18 | include disable-exec.inc | 20 | include disable-exec.inc |
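Review bot: The old lines re-enabled only python2 (`${PATH}/python2*`, `/usr/lib/python2*`), whereas new lines 15-16 include both `allow-python2.inc` and `allow-python3.inc`, so this hunk widens the sandbox rather than merely refactoring it, and the comment does not say why. If the packaged mypaint has moved to python3 (not shown on this page), keep the python3 include and drop the python2 one; if it has not, the python3 line is unneeded interpreter surface. A comment such as `# both python versions allowed until the installed mypaint's python version (<VERSION_TO_CONFIRM>) is pinned` would let a maintainer prune it later.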
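--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,18 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -33,9 +28,9 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
 
 private-bin natron,Natron,NatronRenderer
-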
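--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus
 noblacklist ${HOME}/.local/share/nautilus-python
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc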
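Review bot: The removed six-line block un-blacklisted `/usr/local/lib/python2*` and `/usr/local/lib/python3*` in addition to the `/usr/lib` and `${PATH}` entries, but the contents of allow-python2.inc and allow-python3.inc are not part of this section, so whether the includes still cover /usr/local cannot be checked from here. That is worth confirming against the new .inc files before merging, because a missing entry would silently break python extensions installed under /usr/local while the profile appears unchanged. The same substitution is made in nemo, nitroshare, obs, openshot, picard, pithos, pitivi, playonlinux, pybitmessage, qbittorrent, qutebrowser, ranger, scribus and sdat2img.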
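--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo
 noblacklist ${HOME}/.local/share/nemo-python
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc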
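--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.vultures
 noblacklist /var/log
 
@@ -43,4 +42,3 @@ private-cache
 private-dev
 private-tmp
 writable-var
-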
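--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/games/nethack
 
 include disable-common.inc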
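--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -18,11 +18,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
-
 whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko/nheko
 whitelist ${DOWNLOADS}
-
 include whitelist-common.inc
 
 caps.drop all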
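--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman
 noblacklist ${HOME}/.config/NitroShare
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc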
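--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -14,6 +14,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Nylas Mail
 whitelist ${HOME}/.nylas-mail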
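--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -6,14 +6,11 @@ include nyx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 
 noblacklist ${HOME}/.nyx
-mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d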
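Review bot: The added `include whitelist-var-common.inc` (new line 26 of the second hunk) restricts /var for a tool whose job is to talk to Tor's control port; where Tor is set up for cookie authentication, nyx has to read the control auth cookie, which distributions commonly keep under /var or /run, so this include may leave nyx unable to authenticate. That is inferred from what nyx does rather than from anything visible in the hunk. If the profile was tested with cookie auth, a comment such as `# whitelist-var-common.inc - verified with Tor cookie auth` would settle it; otherwise the include should be dropped or the cookie location handled explicitly.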
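--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -11,12 +11,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc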
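--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -24,7 +24,7 @@ ipc-namespace
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus - breaks preferences, comment when needed
+# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
 nodbus
 nodvd
 nogroups
@@ -39,12 +39,10 @@ shell none
 tracelog
 
 # disable-mnt
-# private
 private-bin ocenaudio
 private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
-# private-lib
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch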
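Review bot: The new comment on line 27 of the first hunk points users at `oceanaudio.local`, but the profile is `ocenaudio`, and by the naming convention used across these profiles its local override file is `ocenaudio.local`; anyone following the comment would create a file that is never read. Change it to `# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your ocenaudio.local) when needed`.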
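--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -8,9 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/onionshare
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc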
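--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc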
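--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -24,7 +24,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo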
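Review bot: The comment that replaces `nosound` on line 27 has a stray capital mid-sentence and a trailing full stop that none of the neighbouring `# option - reason` comments use. Since these comments are what users read when deciding what to override, `# nosound - calendar application, it must be able to play sound to wake you up` keeps the file's style while documenting the same deliberate loosening.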
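--- /dev/null
+++ b/etc/pandoc.profile
@@ -0,0 +1,49 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# breaks pdf output
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute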
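Review bot: `weasyprint` in the private-bin list on line 44 is a Python program, yet the profile includes disable-interpreters.inc with no allow-python3.inc, so that PDF engine is very likely unusable inside the sandbox even though it is copied into the private bin; either drop it from the list or add the allow include (the latter widens the sandbox for every pandoc run, so dropping it seems preferable). `wkhtmltopdf` and `prince` render HTML and may try to fetch remote resources, which `net none` on line 27 blocks; that is the right default for a converter, but a comment such as `# net none - remote resources referenced by html input are not fetched` would keep the restriction from being mistaken for an oversight later. The `# breaks pdf output` comment on line 20 would be more useful if it named which engine or path the whitelist broke.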
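--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -9,11 +9,8 @@ include globals.local
 noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc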
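--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz
 noblacklist ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc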
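--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.purple
-
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
 
+noblacklist ${HOME}/.purple
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc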
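--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -7,12 +7,8 @@ include pithos.local
 include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc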
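--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -10,12 +10,8 @@ include globals.local
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc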
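--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux
 noblacklist ${PATH}/nc
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc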
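--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin
 noblacklist /usr/sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc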
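--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.java
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc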
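--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc
 noblacklist ${HOME}/.local/share/data/qBittorrent
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -61,4 +57,4 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo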
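--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,57 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp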
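Review bot: The hand-written `seccomp.drop` list on line 48 looks like a copy of firejail's default drop set with `mbind` left out, as the comment on line 47 explains; that copy will drift from the default as upstream adds syscalls, so if the firejail release this targets supports the exclusion form, `seccomp !mbind` expresses the same intent in one line without the maintenance cost. Line 49 opens `netlink` alongside `inet,inet6`; if a specific QGIS feature needs it, a short comment would keep it from being tightened away later. The `private-etc` list on line 56 carries `resolv.conf` but neither `hosts` nor `nsswitch.conf`, which glibc name resolution may consult, so it is worth confirming that network layers still resolve hostnames inside the sandbox.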
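--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
 mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
 whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc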
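--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -15,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla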
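--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,18 +9,13 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc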
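--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger
 noblacklist ${HOME}/.nanorc
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 # Allow perl
-# noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
+include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc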
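Review bot: The old perl block deliberately kept `# noblacklist ${PATH}/cpan*` commented out, whereas the playonlinux hunk in this same commit replaced a block that did un-blacklist `${PATH}/cpan*` (and `${PATH}/core_perl`) with the identical `include allow-perl.inc`; unless allow-perl.inc is narrower than that block, ranger now gains cpan as well. If that widening is unintended, keep the three explicit `noblacklist` lines for perl here instead of the include, since adding a `blacklist ${PATH}/cpan*` after the include is unlikely to undo an earlier `noblacklist` for the same path. While here, the `# Allow perl` comment on line 17 lacks the `(blacklisted by disable-interpreters.inc)` suffix every other allow comment in this commit carries.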
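--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -5,7 +5,6 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.local/share/Ricochet
 
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
 include whitelist-common.inc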
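--- a/etc/rocketchat.profile
+++ b/etc/rocketchat.profile
@@ -7,6 +7,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/Rocket.Chat
 
+mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
 include whitelist-common.inc
 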
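--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc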
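--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -7,12 +7,8 @@ include sdat2img.local
 include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc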
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index cd9f6c767..7baae2603 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -32,6 +32,7 @@ include disable-interpreters.inc | |||
32 | include disable-passwdmgr.inc | 32 | include disable-passwdmgr.inc |
33 | include disable-programs.inc | 33 | include disable-programs.inc |
34 | include disable-xdg.inc | 34 | include disable-xdg.inc |
35 | |||
35 | include whitelist-common.inc | 36 | include whitelist-common.inc |
36 | include whitelist-var-common.inc | 37 | include whitelist-var-common.inc |
37 | 38 | ||
@@ -50,7 +51,7 @@ nou2f | |||
50 | novideo | 51 | novideo |
51 | protocol unix,inet,inet6 | 52 | protocol unix,inet,inet6 |
52 | seccomp | 53 | seccomp |
53 | # shell none - causes gpg to hang | 54 | shell none |
54 | tracelog | 55 | tracelog |
55 | 56 | ||
56 | disable-mnt | 57 | disable-mnt |
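Review bot: New line 54 enables `shell none`, replacing the comment `# shell none - causes gpg to hang`, without recording why the hang no longer applies, so the next reader cannot tell whether this was re-tested or is a regression risk. Keep a short comment next to it, e.g. `# shell none used to hang gpg - re-test seahorse's gpg operations if it regresses`, or reference whatever change made it safe.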
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index d92c62a52..ca74efe68 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -18,6 +18,8 @@ include disable-programs.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.cache/mozilla | 19 | mkdir ${HOME}/.cache/mozilla |
20 | mkdir ${HOME}/.mozilla | 20 | mkdir ${HOME}/.mozilla |
21 | mkdir ${HOME}/.pki | ||
22 | mkdir ${HOME}/.local/share/pki | ||
21 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
22 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | 24 | whitelist ${HOME}/.cache/gnome-mplayer/plugin |
23 | whitelist ${HOME}/.cache/mozilla | 25 | whitelist ${HOME}/.cache/mozilla |
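Review bot: New lines 21-22 add `mkdir ${HOME}/.pki` and `mkdir ${HOME}/.local/share/pki`, but the matching `whitelist` entries are outside the hunk, so it cannot be confirmed here that both directories are also whitelisted; a `mkdir` without a `whitelist` presumably leaves the directory created on the host yet still hidden inside the whitelisted home. Please check that `whitelist ${HOME}/.pki` and `whitelist ${HOME}/.local/share/pki` follow in the whitelist section.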
diff --git a/etc/server.profile b/etc/server.profile index 686268a18..6e077ff84 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -9,12 +9,12 @@ include globals.local | |||
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
10 | # depending on your usage, you can enable some of the commands below: | 10 | # depending on your usage, you can enable some of the commands below: |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | noblacklist /sbin | 12 | noblacklist /sbin |
15 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
16 | # noblacklist /var/opt | 14 | # noblacklist /var/opt |
17 | 15 | ||
16 | blacklist /tmp/.X11-unix | ||
17 | |||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | # include disable-exec.inc | 20 | # include disable-exec.inc |
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 008cd218e..04696a918 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile | |||
@@ -5,10 +5,13 @@ include signal-desktop.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.config/Signal | 10 | noblacklist ${HOME}/.config/Signal |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-programs.inc | 16 | include disable-programs.inc |
14 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
@@ -34,5 +37,3 @@ shell none | |||
34 | disable-mnt | 37 | disable-mnt |
35 | private-dev | 38 | private-dev |
36 | private-tmp | 39 | private-tmp |
37 | |||
38 | noexec ${HOME} | ||
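Review bot: New line 8 adds `ignore noexec /tmp` with no comment explaining why, whereas the parallel change in skypeforlinux.profile documents it with `# breaks Skype`. The effect is presumably that the `noexec /tmp` coming from the newly included disable-exec.inc (new line 14) is cancelled, so /tmp stays executable inside the sandbox; without a stated reason a later cleanup cannot tell whether the ignore is still needed. Add a one-line reason above it, e.g. `# noexec /tmp breaks signal-desktop`, if that is indeed the reason. terasology.profile (new line 8) has the same undocumented `ignore noexec /tmp`.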
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index ad200be37..eae7dada0 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -5,10 +5,14 @@ include skypeforlinux.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # breaks Skype | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/skypeforlinux | 11 | noblacklist ${HOME}/.config/skypeforlinux |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -28,6 +32,3 @@ disable-mnt | |||
28 | private-cache | 32 | private-cache |
29 | # private-dev - needs /dev/disk | 33 | # private-dev - needs /dev/disk |
30 | private-tmp | 34 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | # noexec /tmp - breaks Skype | ||
diff --git a/etc/slack.profile b/etc/slack.profile index ed76be373..53baf5f40 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -13,7 +13,6 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.config | ||
17 | mkdir ${HOME}/.config/Slack | 16 | mkdir ${HOME}/.config/Slack |
18 | whitelist ${HOME}/.config/Slack | 17 | whitelist ${HOME}/.config/Slack |
19 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
diff --git a/etc/slashem.profile b/etc/slashem.profile index 011698e1f..8c84180d7 100644 --- a/etc/slashem.profile +++ b/etc/slashem.profile | |||
@@ -6,7 +6,6 @@ include slashem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/games/slashem | 9 | noblacklist /var/games/slashem |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 5ae498ab2..0363a2475 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${MUSIC} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 4d6e80840..d875146de 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -9,12 +9,8 @@ include globals.local | |||
9 | noblacklist ${MUSIC} | 9 | noblacklist ${MUSIC} |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile index 74582dd2f..edbe0e772 100644 --- a/etc/spectre-meltdown-checker.profile +++ b/etc/spectre-meltdown-checker.profile | |||
@@ -11,12 +11,8 @@ include globals.local | |||
11 | noblacklist ${PATH}/mount | 11 | noblacklist ${PATH}/mount |
12 | noblacklist ${PATH}/umount | 12 | noblacklist ${PATH}/umount |
13 | 13 | ||
14 | # Allow access to perl | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/cpan* | 15 | include allow-perl.inc |
16 | noblacklist ${PATH}/core_perl | ||
17 | noblacklist ${PATH}/perl | ||
18 | noblacklist /usr/lib/perl* | ||
19 | noblacklist /usr/share/perl* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 6f7f6ec85..2d5c4a48f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -5,15 +5,12 @@ include spotify.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | ||
9 | blacklist /lost+found | ||
10 | blacklist /sbin | ||
11 | blacklist /srv | ||
12 | |||
13 | noblacklist ${HOME}/.cache/spotify | 8 | noblacklist ${HOME}/.cache/spotify |
14 | noblacklist ${HOME}/.config/spotify | 9 | noblacklist ${HOME}/.config/spotify |
15 | noblacklist ${HOME}/.local/share/spotify | 10 | noblacklist ${HOME}/.local/share/spotify |
16 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
17 | include disable-common.inc | 14 | include disable-common.inc |
18 | include disable-devel.inc | 15 | include disable-devel.inc |
19 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity | |||
49 | private-dev | 46 | private-dev |
50 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies | 47 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies |
51 | private-opt spotify | 48 | private-opt spotify |
49 | private-srv none | ||
52 | private-tmp | 50 | private-tmp |
53 | 51 | ||
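Review bot: Old lines 9-10 `blacklist /lost+found` and `blacklist /sbin` are removed without a visible replacement, while `blacklist /srv` is replaced by `private-srv none` at new line 49. If disable-common.inc (included at new line 14) already blacklists /sbin and /lost+found this is neutral, but that cannot be confirmed from the hunk; otherwise the sandbox now exposes both paths. Please confirm, or keep the two blacklist lines in the BLACKLISTS section next to `blacklist ${HOME}/.bashrc`.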
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 8aafca8aa..9af747b62 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -6,12 +6,12 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
12 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
13 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile index a61038157..d5d7a17e4 100644 --- a/etc/start-tor-browser.desktop.profile +++ b/etc/start-tor-browser.desktop.profile | |||
@@ -3,7 +3,6 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include start-tor-browser.desktop.local | 4 | include start-tor-browser.desktop.local |
5 | 5 | ||
6 | |||
7 | noblacklist ${HOME}/.tor-browser-* | 6 | noblacklist ${HOME}/.tor-browser-* |
8 | noblacklist ${HOME}/.tor-browser_* | 7 | noblacklist ${HOME}/.tor-browser_* |
9 | 8 | ||
diff --git a/etc/steam.profile b/etc/steam.profile index 8f08b18f0..5ab600bfb 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -25,19 +25,12 @@ noblacklist /usr/lib/llvm* | |||
25 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work | 25 | # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work |
26 | noblacklist /sbin | 26 | noblacklist /sbin |
27 | 27 | ||
28 | # Allow access to java | 28 | # Allow java (blacklisted by disable-devel.inc) |
29 | noblacklist ${PATH}/java | 29 | include allow-java.inc |
30 | noblacklist /usr/lib/java | ||
31 | noblacklist /etc/java | ||
32 | noblacklist /usr/share/java | ||
33 | 30 | ||
34 | # Allow python (blacklisted by disable-interpreters.inc) | 31 | # Allow python (blacklisted by disable-interpreters.inc) |
35 | noblacklist ${PATH}/python2* | 32 | include allow-python2.inc |
36 | noblacklist ${PATH}/python3* | 33 | include allow-python3.inc |
37 | noblacklist /usr/lib/python2* | ||
38 | noblacklist /usr/lib/python3* | ||
39 | noblacklist /usr/local/lib/python2* | ||
40 | noblacklist /usr/local/lib/python3* | ||
41 | 34 | ||
42 | include disable-common.inc | 35 | include disable-common.inc |
43 | include disable-devel.inc | 36 | include disable-devel.inc |
diff --git a/etc/strings.profile b/etc/strings.profile index 0caecdf7b..ace0d9351 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -4,30 +4,43 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include strings.local | 5 | include strings.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
11 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
12 | 17 | ||
13 | ignore noroot | 18 | apparmor |
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
14 | net none | 22 | net none |
15 | no3d | 23 | no3d |
16 | nodbus | 24 | nodbus |
17 | nodvd | 25 | nodvd |
26 | nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
18 | nosound | 29 | nosound |
19 | notv | 30 | notv |
20 | nou2f | 31 | nou2f |
21 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
22 | shell none | 35 | shell none |
23 | tracelog | 36 | tracelog |
24 | 37 | ||
38 | #private | ||
25 | private-bin strings | 39 | private-bin strings |
26 | private-cache | 40 | private-cache |
27 | private-dev | 41 | private-dev |
28 | private-etc alternatives | 42 | private-etc alternatives |
29 | private-lib libfakeroot | 43 | private-lib libfakeroot |
44 | private-tmp | ||
30 | 45 | ||
31 | memory-deny-write-execute | 46 | memory-deny-write-execute |
32 | |||
33 | include default.profile | ||
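Review bot: New line 28 leaves `#noroot` commented out with no reason, replacing the old `ignore noroot` whose intent was at least explicit, and new line 38 adds a bare `#private` that reads as dead code. Add a comment above `#noroot` naming why it is disabled, in the style of sysprof.profile's `# Ubuntu 16.04 version needs root privileges ...` line, and either drop `#private` or annotate it (e.g. `# private - <reason>`). tar.profile (new line 30) has the same undocumented `#noroot`.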
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile index c07131893..b55300c88 100644 --- a/etc/subdownloader.profile +++ b/etc/subdownloader.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader | |||
10 | noblacklist ${VIDEOS} | 10 | noblacklist ${VIDEOS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/surf.profile b/etc/surf.profile index 0504b5fe5..5f116fd0c 100644 --- a/etc/surf.profile +++ b/etc/surf.profile | |||
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.surf | 17 | mkdir ${HOME}/.surf |
18 | whitelist ${HOME}/.surf | ||
18 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
19 | include whitelist-common.inc | 20 | include whitelist-common.inc |
20 | 21 | ||
diff --git a/etc/sysprof.profile b/etc/sysprof.profile index 3cfea5c5e..e978e03f2 100644 --- a/etc/sysprof.profile +++ b/etc/sysprof.profile | |||
@@ -24,7 +24,7 @@ no3d | |||
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | nonewprivs | 26 | nonewprivs |
27 | # Ubuntu 16.04 version needs root privileges - uncomment if you don't use that | 27 | # Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that |
28 | #noroot | 28 | #noroot |
29 | nosound | 29 | nosound |
30 | notv | 30 | notv |
diff --git a/etc/tar.profile b/etc/tar.profile index 14fc00d21..b6a874217 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -5,17 +5,19 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include tar.local | 6 | include tar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
13 | include disable-exec.inc | 14 | include disable-exec.inc |
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | 16 | include disable-passwdmgr.inc | |
16 | ignore noroot | 17 | include disable-programs.inc |
17 | 18 | ||
18 | apparmor | 19 | apparmor |
20 | caps.drop all | ||
19 | hostname tar | 21 | hostname tar |
20 | ipc-namespace | 22 | ipc-namespace |
21 | machine-id | 23 | machine-id |
@@ -24,10 +26,14 @@ no3d | |||
24 | nodbus | 26 | nodbus |
25 | nodvd | 27 | nodvd |
26 | nogroups | 28 | nogroups |
29 | nonewprivs | ||
30 | #noroot | ||
27 | nosound | 31 | nosound |
28 | notv | 32 | notv |
29 | nou2f | 33 | nou2f |
30 | novideo | 34 | novideo |
35 | protocol unix | ||
36 | seccomp | ||
31 | shell none | 37 | shell none |
32 | tracelog | 38 | tracelog |
33 | 39 | ||
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime | |||
39 | private-lib libfakeroot | 45 | private-lib libfakeroot |
40 | 46 | ||
41 | memory-deny-write-execute | 47 | memory-deny-write-execute |
42 | |||
43 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 48 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
44 | writable-var | 49 | writable-var |
45 | |||
46 | include default.profile | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template new file mode 100644 index 000000000..16bf05cec --- /dev/null +++ b/etc/templates/profile.template | |||
@@ -0,0 +1,139 @@ | |||
1 | # Firejail profile for PROGRAM_NAME | ||
2 | # Description: DESCRIPTION | ||
3 | # This file is overwritten after every install/update | ||
4 | # --- CUT HERE --- | ||
5 | # This is a generic template to help you with creation of profiles | ||
6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/ | ||
7 | # | ||
8 | # Rules to follow: | ||
9 | # - lines with one # are often used in profiles | ||
10 | # - lines with two ## are only needed in special situations | ||
11 | # - make the profile as restrictive as possible while still keeping the program useful | ||
12 | # (e. g. a program that is unable to save user's work is considered a bad practice) | ||
13 | # - dedicate some time (based on how complex the application is) to profile testing before raising | ||
14 | # a pull request | ||
15 | # - keep the sections structure, use a single empty line as a separator | ||
16 | # - entries within sections are alphabetically sorted | ||
17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware | ||
18 | # to not do this for essential utilities as this may *break* your OS! (related discussion: | ||
19 | # https://github.com/netblue30/firejail/issues/2507) | ||
20 | # - remove this comment section and any generic comment past 'Persistent global definitions' | ||
21 | # | ||
22 | # Sections structure | ||
23 | # HEADER | ||
24 | # COMMENTS | ||
25 | # IGNORES | ||
26 | # NOBLACKLISTS | ||
27 | # ALLOW INCLUDES | ||
28 | # BLACKLISTS | ||
29 | # DISABLE INCLUDES | ||
30 | # MKDIRS | ||
31 | # WHITELISTS | ||
32 | # WHITELIST INCLUDES | ||
33 | # OPTIONS (no*) | ||
34 | # PRIVATE OPTIONS (disable-mnt, private-*) | ||
35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) | ||
36 | # REDIRECT INCLUDES | ||
37 | # | ||
38 | # --- CUT HERE --- | ||
39 | ##quiet | ||
40 | # Persistent local customizations | ||
41 | #include PROFILE.local | ||
42 | # Persistent global definitions | ||
43 | #include globals.local | ||
44 | |||
45 | ##ignore noexec ${HOME} | ||
46 | |||
47 | ##blacklist PATH | ||
48 | |||
49 | # It is common practice to add files/dirs containing program-specific configuration | ||
50 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc | ||
51 | # (keep list sorted) and then disable blacklisting below. | ||
52 | # One way to retrieve the files a program uses is: | ||
53 | # - launch binary with --private naming a sandbox | ||
54 | # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` | ||
55 | # - work with the program, do some configuration changes and save them, open new documents, | ||
56 | # install plugins if they exists, etc | ||
57 | # - join the sandbox with bash: | ||
58 | # `firejail --join=test bash` | ||
59 | # - look what has changed and use that information to populate blacklist and whitelist sections | ||
60 | # `ls -aR` | ||
61 | #noblacklist PATH | ||
62 | |||
63 | # Allow python (blacklisted by disable-interpreters.inc) | ||
64 | #include allow-python2.inc | ||
65 | #include allow-python3.inc | ||
66 | |||
67 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
68 | #include allow-perl.inc | ||
69 | |||
70 | # Allow java (blacklisted by disable-devel.inc) | ||
71 | #include allow-java.inc | ||
72 | |||
73 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
74 | include allow-lua.inc | ||
75 | |||
76 | #include disable-common.inc | ||
77 | #include disable-devel.inc | ||
78 | #include disable-exec.inc | ||
79 | #include disable-interpreters.inc | ||
80 | #include disable-passwdmgr.inc | ||
81 | #include disable-programs.inc | ||
82 | #include disable-xdg.inc | ||
83 | |||
84 | # This section often mirrors noblacklist section above. The idea is | ||
85 | # that if a user feels too restricted (he's unable to save files into | ||
86 | # home directory for instance) he/she may disable whitelist (nowhitelist) | ||
87 | # in PROFILE.local but still be protected by BLACKLISTS section | ||
88 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | ||
89 | #mkdir PATH | ||
90 | #mkfile PATH | ||
91 | #whitelist PATH | ||
92 | #include whitelist-common.inc | ||
93 | #include whitelist-var-common.inc | ||
94 | |||
95 | #apparmor | ||
96 | #caps.drop all | ||
97 | # CLI only | ||
98 | ##ipc-namespace | ||
99 | #machine-id | ||
100 | # 'net none' or 'netfilter' | ||
101 | #net none | ||
102 | #netfilter | ||
103 | #no3d | ||
104 | #nodbus | ||
105 | #nodvd | ||
106 | #nogroups | ||
107 | #nonewprivs | ||
108 | #noroot | ||
109 | #nosound | ||
110 | #notv | ||
111 | #nou2f | ||
112 | #novideo | ||
113 | #protocol unix,inet,inet6,netlink | ||
114 | #seccomp | ||
115 | ##seccomp.drop SYSCALLS | ||
116 | #shell none | ||
117 | #tracelog | ||
118 | |||
119 | #disable-mnt | ||
120 | ##private | ||
121 | #private-bin PROGRAMS | ||
122 | #private-cache | ||
123 | #private-dev | ||
124 | #private-etc FILES | ||
125 | # private-etc templates (see also #1734) | ||
126 | # Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | ||
127 | # Sound: alsa,asound.conf,machine-id,openal,pulse | ||
128 | # GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg | ||
129 | # KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg | ||
130 | # GUIs: fonts | ||
131 | # Alternatives: alternatives | ||
132 | ##private-lib LIBS | ||
133 | ##private-opt NAME | ||
134 | #private-tmp | ||
135 | |||
136 | ##env VAR=VALUE | ||
137 | #memory-deny-write-execute | ||
138 | ##read-only ${HOME} | ||
139 | ##join-or-start NAME | ||
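Review bot: New line 74 `include allow-lua.inc` is the only active directive in the template, since every other option is commented out (`#include allow-python2.inc`, `#include allow-perl.inc`, `#include allow-java.inc`, ...), so a profile created from this template allows lua unconditionally unless the author notices. It should read `#include allow-lua.inc` to match its neighbours. Lines 85-86 could also say "the user" instead of "he's ... he/she".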
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template new file mode 100644 index 000000000..0a0788e96 --- /dev/null +++ b/etc/templates/redirect_alias-profile.template | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for PROGRAM_NAME | ||
2 | # Description: DESCRIPTION | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include PROFILE.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | #NOTE: let include globals.local commented | ||
10 | |||
11 | # For more informations see profile.template | ||
12 | |||
13 | # Ignore something that is in the included profile | ||
14 | #ignore net none | ||
15 | #ignore private-bin | ||
16 | #ignore seccomp | ||
17 | #... | ||
18 | |||
19 | # Additional noblacklisting (if needed) | ||
20 | #noblacklist PATH | ||
21 | |||
22 | # Additional allow includes (if needed) | ||
23 | |||
24 | # Additional blacklisting (if needed) | ||
25 | #blacklist PATH | ||
26 | |||
27 | # Additional whitelisting (if needed) | ||
28 | #mkdir PATH | ||
29 | ##mkfile PATH | ||
30 | #whitelist PATH | ||
31 | |||
32 | # Additional options (if needed) | ||
33 | |||
34 | # Additional private-options (if needed) | ||
35 | # Add programs to private-bin (if needed) | ||
36 | #private-bin PROGRAMS | ||
37 | # Add files to private-etc (if needed) | ||
38 | #private-etc FILES | ||
39 | |||
40 | # Additional special options (if needed) | ||
41 | |||
42 | # Redirect | ||
43 | include PROFILE.profile | ||
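Review bot: Line 9 `#NOTE: let include globals.local commented` and line 11 `# For more informations see profile.template` are ungrammatical in a file meant to be copied verbatim into new profiles. Suggest `# NOTE: keep 'include globals.local' commented out - it is already added by the included profile` (matching line 7) and `# For more information see profile.template`. The headings at lines 22, 32 and 40 have no example directive beneath them; an example such as `#include allow-python3.inc` under line 22 would make them consistent with the other sections.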
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt new file mode 100644 index 000000000..2464df9ee --- /dev/null +++ b/etc/templates/syscalls.txt | |||
@@ -0,0 +1,43 @@ | |||
1 | Hints for writing seccomp.drop lines | ||
2 | ==================================== | ||
3 | |||
4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | ||
5 | @module=delete_module,finit_module,init_module | ||
6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
7 | @reboot=kexec_file_load,kexec_load,reboot | ||
8 | @swap=swapoff,swapon | ||
9 | |||
10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
11 | |||
12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | ||
13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | ||
14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
15 | @resources=mbind,migrate_pages,move_pages,set_mempolicy | ||
16 | |||
17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
18 | |||
19 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace | ||
20 | |||
21 | @default-keep=execve,prctl | ||
22 | |||
23 | |||
24 | +---------+----------------+---------------+ | ||
25 | | @clock | @cpu-emulation | @default-keep | | ||
26 | | @module | @debug | | | ||
27 | | @raw-io | @obsolete | | | ||
28 | | @reboot | @resources | | | ||
29 | | @swap | | | | ||
30 | +---------+----------------+---------------+ | ||
31 | : : | ||
32 | +-------------+ : | ||
33 | | @privileged | : | ||
34 | +-------------+ : | ||
35 | : : | ||
36 | +----------+ : | ||
37 | | @default |........: | ||
38 | +----------+ | ||
39 | : | ||
40 | +----------------------+ | ||
41 | | @default-nodebuggers | | ||
42 | +----------------------+ | ||
43 | |||
diff --git a/etc/terasology.profile b/etc/terasology.profile index 43865b6fb..2a7212395 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -5,17 +5,17 @@ include terasology.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.java | 10 | noblacklist ${HOME}/.java |
9 | noblacklist ${HOME}/.local/share/terasology | 11 | noblacklist ${HOME}/.local/share/terasology |
10 | 12 | ||
11 | # Allow access to java | 13 | # Allow java (blacklisted by disable-devel.inc) |
12 | noblacklist ${PATH}/java | 14 | include allow-java.inc |
13 | noblacklist /usr/lib/java | ||
14 | noblacklist /etc/java | ||
15 | noblacklist /usr/share/java | ||
16 | 15 | ||
17 | include disable-common.inc | 16 | include disable-common.inc |
18 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -46,5 +46,3 @@ disable-mnt | |||
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies | 47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies |
48 | private-tmp | 48 | private-tmp |
49 | |||
50 | noexec ${HOME} | ||
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index c7c810cda..ff4a85871 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser | |||
12 | noblacklist ${HOME}/.local/share/torbrowser | 12 | noblacklist ${HOME}/.local/share/torbrowser |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 15 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 16 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | 17 | ||
22 | include disable-common.inc | 18 | include disable-common.inc |
23 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/transgui.profile b/etc/transgui.profile index 8043bfa01..0d09cef87 100644 --- a/etc/transgui.profile +++ b/etc/transgui.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # Description: Cross-platform Transmission BitTorrent client | 2 | # Description: Cross-platform Transmission BitTorrent client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/transgui.local | 5 | include transgui.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile index c67200826..9a6052ada 100644 --- a/etc/transmission-daemon.profile +++ b/etc/transmission-daemon.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for transmission-daemon | 1 | # Firejail profile for transmission-daemon |
2 | # Description: Fast, easy and free BitTorrent client (daemon) | 2 | # Description: Fast, easy and free BitTorrent client (daemon) |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile index 3e3ad1a07..7b7a47f14 100644 --- a/etc/transmission-remote-cli.profile +++ b/etc/transmission-remote-cli.profile | |||
@@ -8,12 +8,8 @@ include transmission-remote-cli.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | noblacklist ${PATH}/python2* | 11 | include allow-python2.inc |
12 | noblacklist ${PATH}/python3* | 12 | include allow-python3.inc |
13 | noblacklist /usr/lib/python2* | ||
14 | noblacklist /usr/lib/python3* | ||
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
17 | 13 | ||
18 | mkdir ${HOME}/.cache/transmission | 14 | mkdir ${HOME}/.cache/transmission |
19 | mkdir ${HOME}/.config/transmission | 15 | mkdir ${HOME}/.config/transmission |
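Review bot: Line 8 of the new side still carries `#include globals.local` commented out, while the other profiles touched by this commit (unrar, unzip, uudeview, xzdec) switch that line to a live `include globals.local`. If transmission-remote-cli still redirects to a common profile that performs the include, a short comment on line 8 such as `# added by included profile` would say so; if it no longer does, the line should be uncommented here as well. The rest of the profile is outside the hunk, so the redirect cannot be confirmed from this view.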
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 1b657d083..3111a1e22 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.tuxguitar* | |||
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${MUSIC} | 12 | noblacklist ${MUSIC} |
13 | 13 | ||
14 | # Allow access to java | 14 | # Allow java (blacklisted by disable-devel.inc) |
15 | noblacklist ${PATH}/java | 15 | include allow-java.inc |
16 | noblacklist /usr/lib/java | ||
17 | noblacklist /etc/java | ||
18 | noblacklist /usr/share/java | ||
19 | 16 | ||
20 | include disable-common.inc | 17 | include disable-common.inc |
21 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 6e4b5ed1c..8e7a4a8a8 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -6,11 +6,11 @@ include unbound.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/unrar.profile b/etc/unrar.profile index 7fe37f061..5b55f30d2 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -5,21 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unrar.local | 6 | include unrar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
13 | hostname unrar | 20 | hostname unrar |
14 | ignore noroot | 21 | ipc-namespace |
22 | machine-id | ||
15 | net none | 23 | net none |
16 | no3d | 24 | no3d |
17 | nodbus | 25 | nodbus |
18 | nodvd | 26 | nodvd |
27 | #nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
19 | nosound | 30 | nosound |
20 | notv | 31 | notv |
21 | nou2f | 32 | nou2f |
22 | novideo | 33 | novideo |
34 | protocol unix | ||
35 | seccomp | ||
23 | shell none | 36 | shell none |
24 | tracelog | 37 | tracelog |
25 | 38 | ||
@@ -27,5 +40,3 @@ private-bin unrar | |||
27 | private-dev | 40 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 41 | private-etc alternatives,passwd,group,localtime |
29 | private-tmp | 42 | private-tmp |
30 | |||
31 | include default.profile | ||
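Review bot: Line 29 of the new side leaves `#noroot` disabled without a reason, even though the old profile's `ignore noroot` shows the restriction was known to be a problem for unrar; a why-comment on that line, e.g. `#noroot  # kept disabled: the old profile ignored noroot, reason not yet re-verified`, would stop the next maintainer from enabling it blindly. The same unexplained `#noroot` appears in uudeview (line 26) and xzdec (line 28) in this commit. The second hunk also drops `include default.profile`, so every restriction that file used to contribute now has to be listed here explicitly; the inlined block covers caps.drop, nonewprivs, protocol and seccomp, but it is worth diffing against default.profile before merging so nothing else is lost silently.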
diff --git a/etc/unzip.profile b/etc/unzip.profile index be6b6c321..79b41f9d8 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -5,29 +5,41 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unzip.local | 6 | include unzip.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | 9 | |
10 | # GNOME Shell integration (chrome-gnome-shell) | ||
11 | noblacklist ${HOME}/.local/share/gnome-shell | ||
10 | 12 | ||
11 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
12 | 14 | ||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | caps.drop all | ||
13 | hostname unzip | 23 | hostname unzip |
14 | ignore noroot | 24 | ipc-namespace |
25 | machine-id | ||
15 | net none | 26 | net none |
16 | no3d | 27 | no3d |
17 | nodbus | 28 | nodbus |
18 | nodvd | 29 | nodvd |
30 | #nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
19 | nosound | 33 | nosound |
20 | notv | 34 | notv |
21 | nou2f | 35 | nou2f |
22 | novideo | 36 | novideo |
37 | protocol unix | ||
38 | seccomp | ||
23 | shell none | 39 | shell none |
24 | tracelog | 40 | tracelog |
25 | 41 | ||
26 | private-bin unzip | 42 | private-bin unzip |
43 | private-cache | ||
27 | private-dev | 44 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 45 | private-etc alternatives,passwd,group,localtime |
29 | |||
30 | # GNOME Shell integration (chrome-gnome-shell) | ||
31 | noblacklist ${HOME}/.local/share/gnome-shell | ||
32 | |||
33 | include default.profile | ||
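Review bot: Line 32 of the new side enables `noroot` although the old profile explicitly had `ignore noroot`, and the sibling archive profiles rewritten in this same commit (unrar, uudeview, xzdec) keep it commented as `#noroot`. If dropping the ignore is intentional, a comment on line 32 saying why unzip tolerates noroot when the others do not would make the difference deliberate rather than accidental; otherwise the line should match the siblings. Moving the gnome-shell `noblacklist` above the `include disable-*.inc` lines is a genuine fix, since a noblacklist only takes effect when it precedes the blacklist.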
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 859656fa5..53fad0ba5 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -5,18 +5,31 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include uudeview.local | 6 | include uudeview.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | |||
17 | caps.drop all | ||
11 | hostname uudeview | 18 | hostname uudeview |
12 | ignore noroot | 19 | ipc-namespace |
20 | machine-id | ||
13 | net none | 21 | net none |
14 | nodbus | 22 | nodbus |
15 | nodvd | 23 | nodvd |
24 | #nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
16 | nosound | 27 | nosound |
17 | notv | 28 | notv |
18 | nou2f | 29 | nou2f |
19 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
20 | shell none | 33 | shell none |
21 | tracelog | 34 | tracelog |
22 | 35 | ||
@@ -24,5 +37,3 @@ private-bin uudeview | |||
24 | private-cache | 37 | private-cache |
25 | private-dev | 38 | private-dev |
26 | private-etc alternatives,ld.so.preload | 39 | private-etc alternatives,ld.so.preload |
27 | |||
28 | include default.profile | ||
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index dbee819cd..d4e54235b 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile | |||
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg | |||
10 | noblacklist ${HOME}/.local/share/uzbl | 10 | noblacklist ${HOME}/.local/share/uzbl |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | noblacklist ${PATH}/python2* | 13 | include allow-python2.inc |
14 | noblacklist ${PATH}/python3* | 14 | include allow-python3.inc |
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
19 | 15 | ||
20 | include disable-common.inc | 16 | include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index f9fb1cefe..943719e75 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -6,12 +6,12 @@ include viewnior.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.Steam | 9 | noblacklist ${HOME}/.Steam |
12 | noblacklist ${HOME}/.config/viewnior | 10 | noblacklist ${HOME}/.config/viewnior |
13 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 143ac4f63..d577932e3 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -6,10 +6,10 @@ include w3m.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.w3m | 9 | noblacklist ${HOME}/.w3m |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/wget.profile b/etc/wget.profile index a7ef32e2c..ff10b2316 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -7,11 +7,11 @@ include wget.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.wget-hsts | 10 | noblacklist ${HOME}/.wget-hsts |
13 | noblacklist ${HOME}/.wgetrc | 11 | noblacklist ${HOME}/.wgetrc |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile index 3953de614..7c545d08f 100644 --- a/etc/wire-desktop.profile +++ b/etc/wire-desktop.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | mkdir ${HOME}/.config/Wire | 16 | mkdir ${HOME}/.config/Wire |
17 | whitelist ${HOME}/.config/Wire | 17 | whitelist ${HOME}/.config/Wire |
18 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | |||
20 | include whitelist-common.inc | 19 | include whitelist-common.inc |
21 | 20 | ||
22 | caps.drop all | 21 | caps.drop all |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 9b9757cd5..b44eae128 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark | |||
10 | noblacklist ${HOME}/.wireshark | 10 | noblacklist ${HOME}/.wireshark |
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | 12 | ||
13 | # Wireshark can use Lua for scripting | 13 | # Allow lua (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/lua* | 14 | include allow-lua.inc |
15 | noblacklist /usr/lib/lua | ||
16 | noblacklist /usr/include/lua* | ||
17 | noblacklist /usr/share/lua | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/xed.profile b/etc/xed.profile index cce0432a4..9a7806b19 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/xed | |||
9 | noblacklist ${HOME}/.pythonrc.py | 9 | noblacklist ${HOME}/.pythonrc.py |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | 12 | include allow-python2.inc |
13 | noblacklist ${PATH}/python3* | 13 | include allow-python3.inc |
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | include disable-devel.inc | 16 | include disable-devel.inc |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 33056395e..043e513bd 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -6,11 +6,11 @@ include xiphos.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.sword | 9 | noblacklist ${HOME}/.sword |
12 | noblacklist ${HOME}/.xiphos | 10 | noblacklist ${HOME}/.xiphos |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -18,6 +18,8 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.sword | ||
22 | mkdir ${HOME}/.xiphos | ||
21 | whitelist ${HOME}/.sword | 23 | whitelist ${HOME}/.sword |
22 | whitelist ${HOME}/.xiphos | 24 | whitelist ${HOME}/.xiphos |
23 | include whitelist-common.inc | 25 | include whitelist-common.inc |
diff --git a/etc/xlinks.profile b/etc/xlinks.profile new file mode 100644 index 000000000..ad1511791 --- /dev/null +++ b/etc/xlinks.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for xlinks | ||
2 | # Description: Text WWW browser (X11) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include xlinks.local | ||
6 | |||
7 | noblacklist /tmp/.X11-unix | ||
8 | noblacklist ${HOME}/.links | ||
9 | |||
10 | include whitelist-common.inc | ||
11 | |||
12 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | ||
13 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
14 | private-bin xlinks | ||
15 | private-etc fonts | ||
16 | |||
17 | # Redirect | ||
18 | include links.profile | ||
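Review bot: Line 7 re-enables the X11 socket with `noblacklist /tmp/.X11-unix` but does not say what it is undoing; a why-comment such as `# X11 build of links: undo the /tmp/.X11-unix blacklist from links.profile` would make the override traceable, assuming links.profile is where that blacklist comes from (it is not visible here). Placing the noblacklist before the redirect on line 18 is the right order, since a noblacklist must precede the blacklist it relaxes.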
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index b4932c99e..5f4e3bf4c 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -11,12 +11,8 @@ noblacklist ${MUSIC} | |||
11 | noblacklist ${VIDEOS} | 11 | noblacklist ${VIDEOS} |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | noblacklist ${PATH}/python2* | 14 | include allow-python2.inc |
15 | noblacklist ${PATH}/python3* | 15 | include allow-python3.inc |
16 | noblacklist /usr/lib/python2* | ||
17 | noblacklist /usr/lib/python3* | ||
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
20 | 16 | ||
21 | include disable-common.inc | 17 | include disable-common.inc |
22 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/xpra.profile b/etc/xpra.profile index d967c1da2..dc8d7a665 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -8,21 +8,15 @@ include globals.local | |||
8 | 8 | ||
9 | # | 9 | # |
10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: | 11 | # To enable it, create a firejail-xpra symlink in /usr/local/bin: |
12 | # | 12 | # |
13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra | 13 | # $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra |
14 | # | 14 | # |
15 | # or run "sudo firecfg" | 15 | # or run "sudo firecfg" |
16 | 16 | ||
17 | blacklist /media | ||
18 | |||
19 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
20 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
21 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
22 | noblacklist /usr/lib/python2* | ||
23 | noblacklist /usr/lib/python3* | ||
24 | noblacklist /usr/local/lib/python2* | ||
25 | noblacklist /usr/local/lib/python3* | ||
26 | 20 | ||
27 | include disable-common.inc | 21 | include disable-common.inc |
28 | include disable-devel.inc | 22 | include disable-devel.inc |
@@ -49,6 +43,7 @@ protocol unix | |||
49 | seccomp | 43 | seccomp |
50 | shell none | 44 | shell none |
51 | 45 | ||
46 | disable-mnt | ||
52 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
53 | # private | 48 | # private |
54 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
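Review bot: Line 11 of the new side tells the user to create a "firejail-xpra symlink", but the command on line 13 creates a symlink named `xpra` (`ln -s /usr/bin/firejail /usr/local/bin/xpra`); the text and the command should agree, e.g. `# To enable it, create an xpra symlink pointing at firejail in /usr/local/bin:`. Replacing `blacklist /media` with `disable-mnt` on line 46 of the second hunk is a strict tightening (it also covers /mnt and the /run mount points), which is fine; a short comment noting that it supersedes the old `/media` blacklist would help anyone bisecting the change.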
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a1f265c1e..3adaa557c 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -5,23 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include xzdec.local | 6 | include xzdec.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
13 | ignore noroot | 12 | include disable-common.inc |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
14 | net none | 22 | net none |
15 | no3d | 23 | no3d |
16 | nodbus | 24 | nodbus |
17 | nodvd | 25 | nodvd |
26 | #nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
18 | nosound | 29 | nosound |
19 | notv | 30 | notv |
20 | nou2f | 31 | nou2f |
21 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
22 | shell none | 35 | shell none |
23 | tracelog | 36 | tracelog |
24 | 37 | ||
25 | private-dev | 38 | private-dev |
26 | |||
27 | include default.profile | ||
diff --git a/etc/yelp.profile b/etc/yelp.profile new file mode 100644 index 000000000..66f094e1d --- /dev/null +++ b/etc/yelp.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for yelp | ||
2 | # Description: Help browser for the GNOME desktop | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include yelp.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/yelp | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/yelp | ||
20 | whitelist ${HOME}/.config/yelp | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | net none | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | |||
39 | disable-mnt | ||
40 | private-bin yelp | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml | ||
44 | private-tmp | ||
45 | |||
46 | # read-only ${HOME} breaks some not necesarry featrues, comment it if | ||
47 | # you need them or put 'ignore read-only ${HOME}' into your yelp.local. | ||
48 | # broken features: | ||
49 | # 1. yelp --editor-mode | ||
50 | # 2. saving the window geometry | ||
51 | read-only ${HOME} | ||
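Review bot: The comment on line 46 of the new file has two typos, "necesarry featrues"; it should read `# read-only ${HOME} breaks some not necessary features, comment it if`. The instruction on line 47 to put `ignore read-only ${HOME}` into yelp.local is the right escape hatch and should stay next to the directive it relaxes, as it does now.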
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 621ffb2b0..1c2bad51c 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -7,20 +7,16 @@ include youtube-dl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # breaks when installed via pip | ||
11 | ignore noexec ${HOME} | ||
12 | |||
10 | noblacklist ${HOME}/.netrc | 13 | noblacklist ${HOME}/.netrc |
11 | noblacklist ${MUSIC} | 14 | noblacklist ${MUSIC} |
12 | noblacklist ${VIDEOS} | 15 | noblacklist ${VIDEOS} |
13 | 16 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | 17 | # Allow python (blacklisted by disable-interpreters.inc) |
15 | noblacklist ${PATH}/python2* | 18 | include allow-python2.inc |
16 | noblacklist ${PATH}/python3* | 19 | include allow-python3.inc |
17 | noblacklist /usr/lib/python2* | ||
18 | noblacklist /usr/lib/python3* | ||
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
21 | |||
22 | # breaks when installed via pip | ||
23 | ignore noexec ${HOME} | ||
24 | 20 | ||
25 | include disable-common.inc | 21 | include disable-common.inc |
26 | include disable-devel.inc | 22 | include disable-devel.inc |
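Review bot: Lines 10-11 of the new side move `ignore noexec ${HOME}` to the top of the profile, but the comment still only says "breaks when installed via pip" without stating the cost: this re-allows execution from the whole home directory, not just the pip install location. Expanding the comment to `# breaks when installed via pip (~/.local); note this makes all of ${HOME} executable` records the trade-off for whoever later considers a narrower alternative.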
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile index dc3164da1..0598ea18d 100644 --- a/etc/zaproxy.profile +++ b/etc/zaproxy.profile | |||
@@ -9,11 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
10 | noblacklist ${HOME}/.ZAP | 10 | noblacklist ${HOME}/.ZAP |
11 | 11 | ||
12 | # Allow access to java | 12 | # Allow java (blacklisted by disable-devel.inc) |
13 | noblacklist ${PATH}/java | 13 | include allow-java.inc |
14 | noblacklist /usr/lib/java | ||
15 | noblacklist /etc/java | ||
16 | noblacklist /usr/share/java | ||
17 | 14 | ||
18 | include disable-common.inc | 15 | include disable-common.inc |
19 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,6 +19,7 @@ include disable-interpreters.inc | |||
22 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 20 | include disable-programs.inc |
24 | 21 | ||
22 | mkdir ${HOME}/.java | ||
25 | mkdir ${HOME}/.ZAP | 23 | mkdir ${HOME}/.ZAP |
26 | whitelist ${HOME}/.java | 24 | whitelist ${HOME}/.java |
27 | whitelist ${HOME}/.ZAP | 25 | whitelist ${HOME}/.ZAP |
diff --git a/etc/zoom.profile b/etc/zoom.profile index 456b197f3..6d312aff6 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -13,6 +13,8 @@ include disable-devel.inc | |||
13 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | mkdir ${HOME}/.cache/zoom | ||
17 | mkfile ${HOME}/.config/zoomus.conf | ||
16 | mkdir ${HOME}/.zoom | 18 | mkdir ${HOME}/.zoom |
17 | whitelist ${HOME}/.cache/zoom | 19 | whitelist ${HOME}/.cache/zoom |
18 | whitelist ${HOME}/.config/zoomus.conf | 20 | whitelist ${HOME}/.config/zoomus.conf |
diff --git a/etc/zpaq.profile b/etc/zpaq.profile index 6d4501e4f..6bf3605eb 100644 --- a/etc/zpaq.profile +++ b/etc/zpaq.profile | |||
@@ -10,6 +10,5 @@ include zpaq.local | |||
10 | # mdwx breaks 'list' functionality | 10 | # mdwx breaks 'list' functionality |
11 | ignore memory-deny-write-execute | 11 | ignore memory-deny-write-execute |
12 | 12 | ||
13 | |||
14 | # Redirect | 13 | # Redirect |
15 | include cpio.profile | 14 | include cpio.profile |