Diffstat (limited to 'etc')
229 files changed, 4042 insertions, 415 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile index f8a3ce23d..1e7c06879 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -1,30 +1,31 @@ | |||
1 | # Firejail profile for 0ad. | 1 | # Firejail profile for 0ad. |
2 | noblacklist ~/.cache/0ad | ||
2 | noblacklist ~/.config/0ad | 3 | noblacklist ~/.config/0ad |
4 | noblacklist ~/.local/share/0ad | ||
3 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-programs.inc | 8 | include /etc/firejail/disable-programs.inc |
7 | 9 | ||
8 | # Call these options | ||
9 | caps.drop all | ||
10 | seccomp | ||
11 | protocol unix,inet,inet6,netlink | ||
12 | netfilter | ||
13 | tracelog | ||
14 | noroot | ||
15 | |||
16 | # Whitelists | 10 | # Whitelists |
17 | noblacklist ~/.cache/0ad | ||
18 | mkdir ~/.cache | ||
19 | mkdir ~/.cache/0ad | 11 | mkdir ~/.cache/0ad |
20 | whitelist ~/.cache/0ad | 12 | whitelist ~/.cache/0ad |
21 | 13 | ||
22 | mkdir ~/.config | ||
23 | mkdir ~/.config/0ad | 14 | mkdir ~/.config/0ad |
24 | whitelist ~/.config/0ad | 15 | whitelist ~/.config/0ad |
25 | 16 | ||
26 | noblacklist ~/.local/share/0ad | ||
27 | mkdir ~/.local | ||
28 | mkdir ~/.local/share | ||
29 | mkdir ~/.local/share/0ad | 17 | mkdir ~/.local/share/0ad |
30 | whitelist ~/.local/share/0ad | 18 | whitelist ~/.local/share/0ad |
19 | |||
20 | caps.drop all | ||
21 | netfilter | ||
22 | nogroups | ||
23 | nonewprivs | ||
24 | noroot | ||
25 | protocol unix,inet,inet6 | ||
26 | seccomp | ||
27 | shell none | ||
28 | tracelog | ||
29 | |||
30 | private-dev | ||
31 | private-tmp | ||
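--- /dev/null
+++ b/etc/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound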
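Review bot: `ignore noroot` on line 3 cancels a restriction that the included default.profile turns on, and nothing records why 7z has to keep root; a one-line `# ignore noroot: <reason 7z needs root - fill in>` would stop a later cleanup from silently re-enabling it. The header comment also has a typo and should read `# 7zip compression tool profile`.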
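--- /dev/null
+++ b/etc/Cryptocat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for
+noblacklist ${HOME}/.config/Cryptocat
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp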
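Review bot: The header comment on line 1, `# Firejail profile for`, stops before naming the application; `# Firejail profile for Cryptocat` follows the form used by the other new headers in this commit. The rest of the file is consistent with the neighbouring profiles.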
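--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile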
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 05131df43..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -15,5 +15,6 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | 16 | ||
17 | caps.drop all | 17 | caps.drop all |
18 | seccomp | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | seccomp | ||
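--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile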
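--- /dev/null
+++ b/etc/Wire.profile
@@ -0,0 +1,3 @@
+# wire messenger profile
+
+include /etc/firejail/wire.profile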
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 949635258..481301420 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -1,5 +1,4 @@ | |||
1 | # Firejail profile for Abrowser | 1 | # Firejail profile for Abrowser |
2 | |||
3 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
4 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
@@ -7,17 +6,16 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
8 | 7 | ||
9 | caps.drop all | 8 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6,netlink | ||
12 | netfilter | 9 | netfilter |
13 | tracelog | 10 | nonewprivs |
14 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | tracelog | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.mozilla | 17 | mkdir ~/.mozilla |
18 | whitelist ~/.mozilla | 18 | whitelist ~/.mozilla |
19 | mkdir ~/.cache | ||
20 | mkdir ~/.cache/mozilla | ||
21 | mkdir ~/.cache/mozilla/abrowser | 19 | mkdir ~/.cache/mozilla/abrowser |
22 | whitelist ~/.cache/mozilla/abrowser | 20 | whitelist ~/.cache/mozilla/abrowser |
23 | whitelist ~/dwhelper | 21 | whitelist ~/dwhelper |
@@ -40,13 +38,12 @@ whitelist ~/.config/lastpass | |||
40 | 38 | ||
41 | 39 | ||
42 | #silverlight | 40 | #silverlight |
43 | whitelist ~/.wine-pipelight | 41 | whitelist ~/.wine-pipelight |
44 | whitelist ~/.wine-pipelight64 | 42 | whitelist ~/.wine-pipelight64 |
45 | whitelist ~/.config/pipelight-widevine | 43 | whitelist ~/.config/pipelight-widevine |
46 | whitelist ~/.config/pipelight-silverlight5.1 | 44 | whitelist ~/.config/pipelight-silverlight5.1 |
47 | 45 | ||
48 | include /etc/firejail/whitelist-common.inc | 46 | include /etc/firejail/whitelist-common.inc |
49 | 47 | ||
50 | # experimental features | 48 | # experimental features |
51 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 49 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
52 | |||
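--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amarok profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+#private-bin amarok
+private-dev
+private-tmp
+#private-etc none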
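Review bot: `#seccomp` on line 13 leaves the syscall filter off for amarok without saying what broke, so nobody can tell later whether the exception is still needed; a comment such as `# seccomp: disabled, <what fails with it on - fill in>` keeps the exception reviewable. The same applies to `#private-bin amarok` (line 16) and `#private-etc none` (line 19), which read as a template left in place rather than decisions.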
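--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+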
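--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp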
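Review bot: atom-beta.profile and atom.profile (the next section) are identical apart from the header comment, so any later hardening of one will have to be copied to the other by hand. The commit's own convention for a variant is a two-line alias, as Cyberfox.profile, Telegram.profile and Wire.profile show; replacing this body with `# Firejail profile for Atom Beta.` followed by `include /etc/firejail/atom.profile` keeps the two from drifting apart.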
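--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp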
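--- /dev/null
+++ b/etc/atool.profile
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+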
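Review bot: `netfilter` on line 14 sits directly above `net none` on line 15; with networking removed entirely the filter has nothing to apply to, so one of the two is redundant and `net none` is the one that should stay. The commented-out `# include /etc/firejail/disable-devel.inc` on line 4 gives no reason for the exception; a short `# disable-devel.inc omitted: <reason - fill in>` would keep it from being re-enabled blindly. Lines 23-24 are trailing blank lines.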
diff --git a/etc/atril.profile b/etc/atril.profile index e078c1d20..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -1,12 +1,21 @@ | |||
1 | # Atril profile | 1 | # Atril profile |
2 | noblacklist ~/.config/atril | ||
3 | noblacklist ~/.local/share | ||
2 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
6 | 8 | ||
7 | caps.drop all | 9 | caps.drop all |
8 | seccomp | 10 | nogroups |
9 | protocol unix,inet,inet6 | 11 | nonewprivs |
10 | netfilter | ||
11 | noroot | 12 | noroot |
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
12 | tracelog | 17 | tracelog |
18 | |||
19 | private-bin atril, atril-previewer, atril-thumbnailer | ||
20 | private-dev | ||
21 | private-tmp | ||
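Review bot: `noblacklist ~/.local/share` on line 3 lifts blacklisting for the whole directory tree rather than the subdirectory atril uses; disable-common.inc blacklists `${HOME}/.local/share/systemd` (user service units), and if noblacklist matches by prefix, as firejail's implementation appears to, that entry is lifted too. Narrowing the line to atril's own subdirectory under `~/.local/share` avoids that. On line 19, `private-bin atril, atril-previewer, atril-thumbnailer` has spaces after the commas where every other profile in this commit writes the list without them (`private-bin cmus`, `private-bin audacity`); unless the parser trims each item, the second and third names would be looked up with a leading space, so `private-bin atril,atril-previewer,atril-thumbnailer` is the safer form.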
diff --git a/etc/audacious.profile b/etc/audacious.profile index 290faa260..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | 8 | nonewprivs |
9 | protocol unix,inet,inet6 | ||
10 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
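--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,21 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
+private-tmp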
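--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
+private-tmp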
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index fb84c260a..87d2e843a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -4,8 +4,11 @@ noblacklist /usr/sbin | |||
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
6 | 6 | ||
7 | protocol unix,inet,inet6 | 7 | netfilter |
8 | nonewprivs | ||
8 | private | 9 | private |
9 | private-dev | 10 | private-dev |
11 | protocol unix,inet,inet6 | ||
10 | seccomp | 12 | seccomp |
11 | netfilter | 13 | nosound |
14 | read-write /var/lib/bitlbee | ||
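Review bot: bitlbee.profile sets neither `caps.drop all` nor `noroot`, which every other profile touched by this commit carries; the hunk starts at line 4 and the new file is 14 lines long, so only lines 1-3 (of which the hunk header shows `noblacklist /usr/sbin`) could hold them. If bitlbee has to start as root because it is a daemon, a comment saying so would save the next reader the guess. `read-write /var/lib/bitlbee` on line 14 is the one write path the profile grants; it reads as intentional but also deserves a word on why, since it depends on a `private` or read-only setting that is outside the hunk.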
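--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+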
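Review bot: `# include /etc/firejail/disable-programs.inc` on line 3 is commented out without a reason; bleachbit presumably has to reach other programs' data directories to clean them, but that reasoning belongs in the file, e.g. `# disable-programs.inc omitted: bleachbit cleans other programs' data directories`. The four commented-out `private-*` lines (17-20) look like a template left in place rather than documented decisions.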
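--- /dev/null
+++ b/etc/bless.profile
@@ -0,0 +1,20 @@
+#
+#Profile for bless
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.config/bless
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp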
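--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts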
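--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,17 @@
+# Profile for Brave browser
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config/brave
+whitelist ~/.config/brave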
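Review bot: brave.profile turns on `whitelist` (lines 14-17) but never includes `/etc/firejail/whitelist-common.inc`, which chromium.profile (new line 31) and abrowser.profile (new line 46) include at the end of their whitelist sections; presumably whatever that file re-exposes for the other browsers is hidden from brave. Adding `include /etc/firejail/whitelist-common.inc` after line 17 matches the other browser profiles. Whether brave also needs the `~/.pki` and password-manager whitelists that chromium.profile carries is worth checking before this ships.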
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7bcc61e98..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -1,22 +1,18 @@ | |||
1 | # cherrytree note taking application | 1 | # cherrytree note taking application |
2 | noblacklist /usr/bin/python2* | ||
3 | noblacklist /usr/lib/python3* | ||
4 | noblacklist ${HOME}/.config/cherrytree | ||
2 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
6 | 9 | ||
7 | whitelist ${HOME}/cherrytree | ||
8 | mkdir ~/.config | ||
9 | mkdir ~/.config/cherrytree | ||
10 | whitelist ${HOME}/.config/cherrytree/ | ||
11 | mkdir ~/.local | ||
12 | mkdir ~/.local/share | ||
13 | whitelist ${HOME}/.local/share/ | ||
14 | |||
15 | caps.drop all | 10 | caps.drop all |
16 | seccomp | ||
17 | protocol unix,inet,inet6,netlink | ||
18 | netfilter | 11 | netfilter |
19 | tracelog | 12 | nogroups |
13 | nonewprivs | ||
20 | noroot | 14 | noroot |
21 | include /etc/firejail/whitelist-common.inc | ||
22 | nosound | 15 | nosound |
16 | seccomp | ||
17 | protocol unix,inet,inet6,netlink | ||
18 | tracelog | ||
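Review bot: `noblacklist /usr/bin/python2*` on line 2 is paired with `noblacklist /usr/lib/python3*` on line 3; the interpreter and library major versions should match, so one of the two lines is presumably wrong - `noblacklist /usr/lib/python2*` if cherrytree is a python2 program, as line 2 suggests. A second mismatch in the other direction would leave the interpreter visible but its standard library blacklisted, which fails at start-up rather than at profile load.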
diff --git a/etc/chromium.profile b/etc/chromium.profile index 7cf2853ca..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc | |||
11 | netfilter | 11 | netfilter |
12 | 12 | ||
13 | whitelist ${DOWNLOADS} | 13 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | ||
15 | mkdir ~/.config/chromium | 14 | mkdir ~/.config/chromium |
16 | whitelist ~/.config/chromium | 15 | whitelist ~/.config/chromium |
17 | mkdir ~/.cache | ||
18 | mkdir ~/.cache/chromium | 16 | mkdir ~/.cache/chromium |
19 | whitelist ~/.cache/chromium | 17 | whitelist ~/.cache/chromium |
20 | mkdir ~/.pki | 18 | mkdir ~/.pki |
@@ -27,4 +25,7 @@ whitelist ~/keepassx.kdbx | |||
27 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
28 | whitelist ~/.config/lastpass | 26 | whitelist ~/.config/lastpass |
29 | 27 | ||
28 | # specific to Arch | ||
29 | whitelist ~/.config/chromium-flags.conf | ||
30 | |||
30 | include /etc/firejail/whitelist-common.inc | 31 | include /etc/firejail/whitelist-common.inc |
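--- /dev/null
+++ b/etc/claws-mail.profile
@@ -0,0 +1,23 @@
+# claws-mail profile
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+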
diff --git a/etc/clementine.profile b/etc/clementine.profile index c6271e6e3..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | 8 | nonewprivs |
9 | protocol unix,inet,inet6 | ||
10 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
diff --git a/etc/cmus.profile b/etc/cmus.profile index 72b43a70f..2e2a6940c 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
@@ -7,10 +7,11 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | ||
12 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
13 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
14 | 15 | ||
15 | private-bin cmus | 16 | private-bin cmus |
16 | private-etc group | 17 | private-etc group |
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 007eef663..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -4,10 +4,11 @@ include /etc/firejail/disable-common.inc | |||
4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
5 | 5 | ||
6 | caps.drop all | 6 | caps.drop all |
7 | seccomp | ||
8 | protocol unix,inet,inet6 | ||
9 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
10 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
11 | 12 | ||
12 | whitelist ~/.conkeror.mozdev.org | 13 | whitelist ~/.conkeror.mozdev.org |
13 | whitelist ~/Downloads | 14 | whitelist ~/Downloads |
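--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,11 @@
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp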
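Review bot: corebird.profile is the only new profile in this commit without `nonewprivs`, the option the commit adds to every modified profile (Mathematica, abrowser, audacious, clementine, cmus, conkeror, deadbeef, deluge, dillo); without it the sandboxed process can still gain privileges through setuid executables. Inserting `nonewprivs` after `netfilter` on line 8 brings it in line with the others. `nogroups` and `shell none`, present in the neighbouring new profiles, are absent too and may be deliberate, but a comment would say so.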
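--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,21 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+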
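Review bot: `net none` appears twice, on lines 14 and 17; the duplicate on line 17 should be dropped. The profile also omits `noroot`, `nonewprivs` and `nogroups` without comment, whereas 7z.profile in the same commit writes an explicit `ignore noroot`; if cpio needs root for ownership-preserving extraction, a comment next to `caps.drop all` saying so would make the omission reviewable. Lines 19-21 are trailing blank lines.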
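--- /dev/null
+++ b/etc/cryptocat.profile
@@ -0,0 +1 @@
+include /etc/Cryptocat.profile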
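Review bot: The include path `include /etc/Cryptocat.profile` on line 1 is missing the `firejail` directory component; every other alias file in this commit (Cyberfox.profile, Telegram.profile, Wire.profile) includes from `/etc/firejail/...`, and the file being aliased is added as etc/Cryptocat.profile in that tree. As written the lowercase alias will presumably fail to find its target, so `firejail cryptocat` would not pick up the Cryptocat restrictions. Change it to `include /etc/firejail/Cryptocat.profile`.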
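--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,49 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse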
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 2810e5323..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | 10 | nonewprivs |
11 | protocol unix,inet,inet6 | ||
12 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
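--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,24 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+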
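Review bot: The comment on line 16 reads `# depending on you usage, you can enable some of the commands below:` and should be `# depending on your usage, you can enable some of the commands below:`. Since this file is the base that 7z.profile pulls in with `include /etc/firejail/default.profile`, a one-line note that an including profile can drop any of its options with `ignore <option>` (as 7z.profile does with `ignore noroot`) would help the next author of such a wrapper.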
diff --git a/etc/deluge.profile b/etc/deluge.profile index 4043f58f5..c6ddec3ec 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # deluge bittorernt client profile | 1 | # deluge bittorrernt client profile |
2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
4 | # deluge is using python on Debian | 4 | # deluge is using python on Debian |
@@ -6,8 +6,15 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-passwdmgr.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
12 | noroot | 11 | noroot |
13 | nosound | 12 | nosound |
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | |||
16 | shell none | ||
17 | #private-bin deluge,sh,python,uname | ||
18 | private-dev | ||
19 | private-tmp | ||
20 | |||
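Review bot: The header on line 1 is still misspelled: the commit changes `bittorernt` to `bittorrernt`, which is also wrong, and the line should read `# deluge bittorrernt client profile` corrected to `# deluge bittorrent client profile`. The second hunk's `nonewprivs` and reordering mirror the change made to the other player and browser profiles in this commit. The commented-out `#private-bin deluge,sh,python,uname` on line 17 records no reason for being disabled; a short note on what failed with it enabled would make the exception reviewable.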
diff --git a/etc/dillo.profile b/etc/dillo.profile index 49c33fb7a..108787920 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile | |||
@@ -1,5 +1,4 @@ | |||
1 | # Firejail profile for Dillo web browser | 1 | # Firejail profile for Dillo web browser |
2 | |||
3 | noblacklist ~/.dillo | 2 | noblacklist ~/.dillo |
4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
@@ -7,11 +6,12 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
8 | 7 | ||
9 | caps.drop all | 8 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | ||
12 | netfilter | 9 | netfilter |
13 | tracelog | 10 | nonewprivs |
14 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | tracelog | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.dillo | 17 | mkdir ~/.dillo |
@@ -20,6 +20,3 @@ mkdir ~/.fltk | |||
20 | whitelist ~/.fltk | 20 | whitelist ~/.fltk |
21 | 21 | ||
22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | |||
25 | |||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b1133f28f..b86c6f998 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,6 +1,7 @@ | |||
1 | # History files in $HOME | 1 | # History files in $HOME |
2 | blacklist-nolog ${HOME}/.history | 2 | blacklist-nolog ${HOME}/.history |
3 | blacklist-nolog ${HOME}/.*_history | 3 | blacklist-nolog ${HOME}/.*_history |
4 | blacklist-nolog ${HOME}/.bash_history | ||
4 | blacklist ${HOME}/.local/share/systemd | 5 | blacklist ${HOME}/.local/share/systemd |
5 | blacklist-nolog ${HOME}/.adobe | 6 | blacklist-nolog ${HOME}/.adobe |
6 | blacklist-nolog ${HOME}/.macromedia | 7 | blacklist-nolog ${HOME}/.macromedia |
@@ -14,21 +15,48 @@ blacklist /etc/xdg/autostart | |||
14 | blacklist ${HOME}/.kde4/Autostart | 15 | blacklist ${HOME}/.kde4/Autostart |
15 | blacklist ${HOME}/.kde4/share/autostart | 16 | blacklist ${HOME}/.kde4/share/autostart |
16 | blacklist ${HOME}/.kde/Autostart | 17 | blacklist ${HOME}/.kde/Autostart |
18 | blacklist ${HOME}/.kde/share/autostart | ||
17 | blacklist ${HOME}/.config/plasma-workspace/shutdown | 19 | blacklist ${HOME}/.config/plasma-workspace/shutdown |
18 | blacklist ${HOME}/.config/plasma-workspace/env | 20 | blacklist ${HOME}/.config/plasma-workspace/env |
19 | blacklist ${HOME}/.config/lxsession/LXDE/autostart | 21 | blacklist ${HOME}/.config/lxsession/LXDE/autostart |
20 | blacklist ${HOME}/.fluxbox/startup | 22 | blacklist ${HOME}/.fluxbox/startup |
21 | blacklist ${HOME}/.config/openbox/autostart | 23 | blacklist ${HOME}/.config/openbox/autostart |
22 | blacklist ${HOME}/.config/openbox/environment | 24 | blacklist ${HOME}/.config/openbox/environment |
25 | blacklist ${HOME}/.gnomerc | ||
26 | blacklist /etc/X11/Xsession.d/ | ||
27 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | ||
23 | 28 | ||
24 | # VirtualBox | 29 | # VirtualBox |
25 | blacklist ${HOME}/.VirtualBox | 30 | blacklist ${HOME}/.VirtualBox |
26 | blacklist ${HOME}/VirtualBox VMs | 31 | blacklist ${HOME}/VirtualBox VMs |
27 | blacklist ${HOME}/.config/VirtualBox | 32 | blacklist ${HOME}/.config/VirtualBox |
28 | 33 | ||
34 | # VeraCrypt | ||
35 | blacklist ${PATH}/veracrypt | ||
36 | blacklist ${PATH}/veracrypt-uninstall.sh | ||
37 | blacklist /usr/share/veracrypt | ||
38 | blacklist /usr/share/applications/veracrypt.* | ||
39 | blacklist /usr/share/pixmaps/veracrypt.* | ||
40 | blacklist ${HOME}/.VeraCrypt | ||
41 | |||
42 | # TrueCrypt | ||
43 | blacklist ${PATH}/truecrypt | ||
44 | blacklist ${PATH}/truecrypt-uninstall.sh | ||
45 | blacklist /usr/share/truecrypt | ||
46 | blacklist /usr/share/applications/truecrypt.* | ||
47 | blacklist /usr/share/pixmaps/truecrypt.* | ||
48 | blacklist ${HOME}/.TrueCrypt | ||
49 | |||
50 | # zuluCrypt | ||
51 | blacklist ${HOME}/.zuluCrypt | ||
52 | blacklist ${HOME}/.zuluCrypt-socket | ||
53 | blacklist ${PATH}/zuluCrypt-cli | ||
54 | blacklist ${PATH}/zuluMount-cli | ||
55 | |||
29 | # var | 56 | # var |
30 | blacklist /var/spool/cron | 57 | blacklist /var/spool/cron |
31 | blacklist /var/spool/anacron | 58 | blacklist /var/spool/anacron |
59 | blacklist /var/mail | ||
32 | blacklist /var/run/acpid.socket | 60 | blacklist /var/run/acpid.socket |
33 | blacklist /var/run/minissdpd.sock | 61 | blacklist /var/run/minissdpd.sock |
34 | blacklist /var/run/rpcbind.sock | 62 | blacklist /var/run/rpcbind.sock |
@@ -39,7 +67,7 @@ blacklist /var/lib/mysql/mysql.sock | |||
39 | blacklist /var/run/docker.sock | 67 | blacklist /var/run/docker.sock |
40 | 68 | ||
41 | # etc | 69 | # etc |
42 | blacklist /etc/cron.* | 70 | blacklist /etc/cron* |
43 | blacklist /etc/profile.d | 71 | blacklist /etc/profile.d |
44 | blacklist /etc/rc.local | 72 | blacklist /etc/rc.local |
45 | blacklist /etc/anacrontab | 73 | blacklist /etc/anacrontab |
@@ -50,11 +78,15 @@ read-only ${HOME}/.xserverrc | |||
50 | read-only ${HOME}/.profile | 78 | read-only ${HOME}/.profile |
51 | 79 | ||
52 | # Shell startup files | 80 | # Shell startup files |
81 | read-only ${HOME}/.antigen | ||
53 | read-only ${HOME}/.bash_login | 82 | read-only ${HOME}/.bash_login |
54 | read-only ${HOME}/.bashrc | 83 | read-only ${HOME}/.bashrc |
55 | read-only ${HOME}/.bash_profile | 84 | read-only ${HOME}/.bash_profile |
56 | read-only ${HOME}/.bash_logout | 85 | read-only ${HOME}/.bash_logout |
86 | read-only ${HOME}/.zsh.d | ||
87 | read-only ${HOME}/.zshenv | ||
57 | read-only ${HOME}/.zshrc | 88 | read-only ${HOME}/.zshrc |
89 | read-only ${HOME}/.zshrc.local | ||
58 | read-only ${HOME}/.zlogin | 90 | read-only ${HOME}/.zlogin |
59 | read-only ${HOME}/.zprofile | 91 | read-only ${HOME}/.zprofile |
60 | read-only ${HOME}/.zlogout | 92 | read-only ${HOME}/.zlogout |
@@ -62,8 +94,12 @@ read-only ${HOME}/.zsh_files | |||
62 | read-only ${HOME}/.tcshrc | 94 | read-only ${HOME}/.tcshrc |
63 | read-only ${HOME}/.cshrc | 95 | read-only ${HOME}/.cshrc |
64 | read-only ${HOME}/.csh_files | 96 | read-only ${HOME}/.csh_files |
97 | read-only ${HOME}/.profile | ||
65 | 98 | ||
66 | # Initialization files that allow arbitrary command execution | 99 | # Initialization files that allow arbitrary command execution |
100 | read-only ${HOME}/.caffrc | ||
101 | read-only ${HOME}/.dotfiles | ||
102 | read-only ${HOME}/dotfiles | ||
67 | read-only ${HOME}/.mailcap | 103 | read-only ${HOME}/.mailcap |
68 | read-only ${HOME}/.exrc | 104 | read-only ${HOME}/.exrc |
69 | read-only ${HOME}/_exrc | 105 | read-only ${HOME}/_exrc |
@@ -73,10 +109,11 @@ read-only ${HOME}/.gvimrc | |||
73 | read-only ${HOME}/_gvimrc | 109 | read-only ${HOME}/_gvimrc |
74 | read-only ${HOME}/.vim | 110 | read-only ${HOME}/.vim |
75 | read-only ${HOME}/.emacs | 111 | read-only ${HOME}/.emacs |
112 | read-only ${HOME}/.emacs.d | ||
113 | read-only ${HOME}/.nano | ||
76 | read-only ${HOME}/.tmux.conf | 114 | read-only ${HOME}/.tmux.conf |
77 | read-only ${HOME}/.iscreenrc | 115 | read-only ${HOME}/.iscreenrc |
78 | read-only ${HOME}/.muttrc | 116 | read-only ${HOME}/.reportbugrc |
79 | read-only ${HOME}/.mutt/muttrc | ||
80 | read-only ${HOME}/.xmonad | 117 | read-only ${HOME}/.xmonad |
81 | read-only ${HOME}/.xscreensaver | 118 | read-only ${HOME}/.xscreensaver |
82 | 119 | ||
@@ -84,16 +121,25 @@ read-only ${HOME}/.xscreensaver | |||
84 | read-only ${HOME}/bin | 121 | read-only ${HOME}/bin |
85 | 122 | ||
86 | # top secret | 123 | # top secret |
124 | blacklist ${HOME}/.ecryptfs | ||
125 | blacklist ${HOME}/.Private | ||
87 | blacklist ${HOME}/.ssh | 126 | blacklist ${HOME}/.ssh |
127 | blacklist ${HOME}/.cert | ||
88 | blacklist ${HOME}/.gnome2/keyrings | 128 | blacklist ${HOME}/.gnome2/keyrings |
89 | blacklist ${HOME}/kde4/share/apps/kwallet | 129 | blacklist ${HOME}/.kde4/share/apps/kwallet |
90 | blacklist ${HOME}/kde/share/apps/kwallet | 130 | blacklist ${HOME}/.kde/share/apps/kwallet |
91 | blacklist ${HOME}/.local/share/kwalletd | 131 | blacklist ${HOME}/.local/share/kwalletd |
132 | blacklist ${HOME}/.config/keybase | ||
92 | blacklist ${HOME}/.netrc | 133 | blacklist ${HOME}/.netrc |
93 | blacklist ${HOME}/.gnupg | 134 | blacklist ${HOME}/.gnupg |
135 | blacklist ${HOME}/.caff | ||
136 | blacklist ${HOME}/.smbcredentials | ||
94 | blacklist ${HOME}/*.kdbx | 137 | blacklist ${HOME}/*.kdbx |
95 | blacklist ${HOME}/*.kdb | 138 | blacklist ${HOME}/*.kdb |
96 | blacklist ${HOME}/*.key | 139 | blacklist ${HOME}/*.key |
140 | blacklist ${HOME}/.muttrc | ||
141 | blacklist ${HOME}/.mutt/muttrc | ||
142 | blacklist ${HOME}/.msmtprc | ||
97 | blacklist /etc/shadow | 143 | blacklist /etc/shadow |
98 | blacklist /etc/gshadow | 144 | blacklist /etc/gshadow |
99 | blacklist /etc/passwd- | 145 | blacklist /etc/passwd- |
@@ -106,11 +152,19 @@ blacklist /etc/shadow+ | |||
106 | blacklist /etc/gshadow+ | 152 | blacklist /etc/gshadow+ |
107 | blacklist /etc/ssh | 153 | blacklist /etc/ssh |
108 | blacklist /var/backup | 154 | blacklist /var/backup |
155 | blacklist /home/.ecryptfs | ||
156 | |||
157 | # system directories | ||
158 | blacklist /sbin | ||
159 | blacklist /usr/sbin | ||
160 | blacklist /usr/local/sbin | ||
109 | 161 | ||
110 | # system management | 162 | # system management |
111 | blacklist ${PATH}/umount | 163 | blacklist ${PATH}/umount |
112 | blacklist ${PATH}/mount | 164 | blacklist ${PATH}/mount |
113 | blacklist ${PATH}/fusermount | 165 | blacklist ${PATH}/fusermount |
166 | blacklist ${PATH}/ntfs-3g | ||
167 | blacklist ${PATH}/at | ||
114 | blacklist ${PATH}/su | 168 | blacklist ${PATH}/su |
115 | blacklist ${PATH}/sudo | 169 | blacklist ${PATH}/sudo |
116 | blacklist ${PATH}/xinput | 170 | blacklist ${PATH}/xinput |
@@ -119,17 +173,45 @@ blacklist ${PATH}/xev | |||
119 | blacklist ${PATH}/strace | 173 | blacklist ${PATH}/strace |
120 | blacklist ${PATH}/nc | 174 | blacklist ${PATH}/nc |
121 | blacklist ${PATH}/ncat | 175 | blacklist ${PATH}/ncat |
176 | blacklist ${PATH}/gpasswd | ||
177 | blacklist ${PATH}/newgidmap | ||
178 | blacklist ${PATH}/newgrp | ||
179 | blacklist ${PATH}/newuidmap | ||
180 | blacklist ${PATH}/pkexec | ||
181 | blacklist ${PATH}/sg | ||
182 | blacklist ${PATH}/crontab | ||
183 | blacklist ${PATH}/ksu | ||
184 | blacklist ${PATH}/chsh | ||
185 | blacklist ${PATH}/chfn | ||
186 | blacklist ${PATH}/chage | ||
187 | blacklist ${PATH}/expiry | ||
188 | blacklist ${PATH}/unix_chkpwd | ||
189 | blacklist ${PATH}/procmail | ||
190 | blacklist ${PATH}/mount.ecryptfs_private | ||
122 | 191 | ||
123 | # system directories | 192 | # other SUID binaries |
124 | blacklist /sbin | 193 | blacklist /usr/lib/virtualbox |
125 | blacklist /usr/sbin | ||
126 | blacklist /usr/local/sbin | ||
127 | 194 | ||
128 | # prevent lxterminal connecting to an existing lxterminal session | 195 | # prevent lxterminal connecting to an existing lxterminal session |
129 | blacklist /tmp/.lxterminal-socket* | 196 | blacklist /tmp/.lxterminal-socket* |
130 | 197 | ||
131 | # disable terminals running as server | 198 | # disable terminals running as server resulting in sandbox escape |
132 | blacklist ${PATH}/gnome-terminal | 199 | blacklist ${PATH}/gnome-terminal |
133 | blacklist ${PATH}/gnome-terminal.wrapper | 200 | blacklist ${PATH}/gnome-terminal.wrapper |
134 | blacklist ${PATH}/xfce4-terminal | 201 | blacklist ${PATH}/xfce4-terminal |
135 | blacklist ${PATH}/xfce4-terminal.wrapper | 202 | blacklist ${PATH}/xfce4-terminal.wrapper |
203 | blacklist ${PATH}/mate-terminal | ||
204 | blacklist ${PATH}/mate-terminal.wrapper | ||
205 | blacklist ${PATH}/lilyterm | ||
206 | blacklist ${PATH}/pantheon-terminal | ||
207 | blacklist ${PATH}/roxterm | ||
208 | blacklist ${PATH}/roxterm-config | ||
209 | blacklist ${PATH}/terminix | ||
210 | blacklist ${PATH}/urxvtc | ||
211 | blacklist ${PATH}/urxvtcd | ||
212 | #konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | ||
213 | #blacklist ${PATH}/konsole | ||
214 | |||
215 | # kernel files | ||
216 | blacklist /vmlinuz* | ||
217 | blacklist /initrd* | ||
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index fa77ed8d1..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -2,20 +2,32 @@ | |||
2 | 2 | ||
3 | # GCC | 3 | # GCC |
4 | blacklist /usr/include | 4 | blacklist /usr/include |
5 | #blacklist /usr/lib/gcc - seems to create problems on Gentoo | ||
5 | blacklist /usr/bin/gcc* | 6 | blacklist /usr/bin/gcc* |
6 | blacklist /usr/bin/cpp* | 7 | blacklist /usr/bin/cpp* |
7 | blacklist /usr/bin/c9* | 8 | blacklist /usr/bin/c9* |
8 | blacklist /usr/bin/c8* | 9 | blacklist /usr/bin/c8* |
9 | blacklist /usr/bin/c++* | 10 | blacklist /usr/bin/c++* |
11 | blacklist /usr/bin/as | ||
10 | blacklist /usr/bin/ld | 12 | blacklist /usr/bin/ld |
11 | blacklist /usr/bin/gdb | 13 | blacklist /usr/bin/gdb |
14 | blacklist /usr/bin/g++* | ||
15 | blacklist /usr/bin/x86_64-linux-gnu-g++* | ||
16 | blacklist /usr/bin/x86_64-linux-gnu-gcc* | ||
17 | blacklist /usr/bin/x86_64-unknown-linux-gnu-g++* | ||
18 | blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* | ||
12 | 19 | ||
13 | # clang/llvm | 20 | # clang/llvm |
14 | blacklist /usr/bin/clang* | 21 | blacklist /usr/bin/clang* |
15 | blacklist /usr/bin/llvm* | 22 | blacklist /usr/bin/llvm* |
16 | blacklist /usb/bin/lldb* | 23 | blacklist /usr/bin/lldb* |
17 | blacklist /usr/lib/llvm* | 24 | blacklist /usr/lib/llvm* |
18 | 25 | ||
26 | # tcc - Tiny C Compiler | ||
27 | blacklist /usr/bin/tcc | ||
28 | blacklist /usr/bin/x86_64-tcc | ||
29 | blacklist /usr/lib/tcc | ||
30 | |||
19 | # Valgrind | 31 | # Valgrind |
20 | blacklist /usr/bin/valgrind* | 32 | blacklist /usr/bin/valgrind* |
21 | blacklist /usr/lib/valgrind | 33 | blacklist /usr/lib/valgrind |
@@ -35,17 +47,17 @@ blacklist /usr/lib/php* | |||
35 | blacklist /usr/bin/ruby | 47 | blacklist /usr/bin/ruby |
36 | blacklist /usr/lib/ruby | 48 | blacklist /usr/lib/ruby |
37 | 49 | ||
50 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice | ||
38 | # Python 2 | 51 | # Python 2 |
39 | blacklist /usr/bin/python2* | 52 | #blacklist /usr/bin/python2* |
40 | blacklist /usr/lib/python2* | 53 | #blacklist /usr/lib/python2* |
41 | blacklist /usr/local/lib/python2* | 54 | #blacklist /usr/local/lib/python2* |
42 | blacklist /usr/include/python2* | 55 | #blacklist /usr/include/python2* |
43 | blacklist /usr/share/python2* | 56 | #blacklist /usr/share/python2* |
44 | 57 | # | |
45 | # Python 3 | 58 | # Python 3 |
46 | blacklist /usr/bin/python3* | 59 | #blacklist /usr/bin/python3* |
47 | blacklist /usr/lib/python3* | 60 | #blacklist /usr/lib/python3* |
48 | blacklist /usr/local/lib/python3* | 61 | #blacklist /usr/local/lib/python3* |
49 | blacklist /usr/share/python3* | 62 | #blacklist /usr/share/python3* |
50 | blacklist /usr/include/python3* | 63 | #blacklist /usr/include/python3* |
51 | |||
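Review bot: The triplet-prefixed compiler entries added at new lines 15-18 only cover `x86_64-linux-gnu` and `x86_64-unknown-linux-gnu`, so on any other architecture (aarch64, armhf, i386) the `<triplet>-gcc` / `<triplet>-g++` binaries stay reachable and the GCC blacklist is bypassed by calling them directly. This file already relies on mid-name globbing (`gcc*`, `c++*`, and `${HOME}/.*coin` elsewhere in this commit), so two glob entries can replace the four fixed ones and also catch the `-gnueabihf` variants. The same gap exists for binutils: line 11 blacklists bare `as` and line 12 bare `ld`, but the `<triplet>-as` / `<triplet>-ld` names binutils installs next to them are not listed. Whether a given distribution ships the triplet names is something to confirm per target, but the globs are harmless where they match nothing.
```firejail
# … unchanged: /usr/include and the gcc*/cpp*/c9*/c8*/c++* entries …
blacklist /usr/bin/as
blacklist /usr/bin/*-linux-gnu*-as
blacklist /usr/bin/ld
blacklist /usr/bin/*-linux-gnu*-ld*
# … unchanged: gdb, g++* …
blacklist /usr/bin/*-linux-gnu*-gcc*
blacklist /usr/bin/*-linux-gnu*-g++*
```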
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index c1e68d1ec..045b4d92b 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc | |||
@@ -1,6 +1,10 @@ | |||
1 | blacklist ${HOME}/.pki/nssdb | 1 | blacklist ${HOME}/.pki/nssdb |
2 | blacklist ${HOME}/.lastpass | 2 | blacklist ${HOME}/.lastpass |
3 | blacklist ${HOME}/.keepassx | 3 | blacklist ${HOME}/.keepassx |
4 | blacklist ${HOME}/.keepass | ||
4 | blacklist ${HOME}/.password-store | 5 | blacklist ${HOME}/.password-store |
5 | blacklist ${HOME}/keepassx.kdbx | 6 | blacklist ${HOME}/keepassx.kdbx |
7 | blacklist ${HOME}/.config/keepassx | ||
8 | blacklist ${HOME}/.config/keepass | ||
9 | blacklist ${HOME}/.config/KeePass | ||
6 | 10 | ||
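Review bot: The new entries (lines 4 and 7-9) add configuration directories, but the database itself is still matched only by the single hard-coded name `${HOME}/keepassx.kdbx` on line 6, so a profile that includes this file without disable-common.inc leaves any other `.kdbx`/`.kdb` database readable. Moving `blacklist ${HOME}/*.kdbx` and `blacklist ${HOME}/*.kdb` here (they currently live in disable-common.inc's "top secret" block) would make this include self-contained. Even then `${HOME}/*.kdbx` matches only the top level of the home directory — a database kept under e.g. `~/Documents` is not blocked by any entry — which is an inherent limit of a deny-list worth stating in a comment such as `# only top-level $HOME is covered; use whitelist for stronger isolation`. If KeePassXC is meant to be covered as well, its `${HOME}/.config/keepassxc` directory is not in the list; confirm the path before adding it.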
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f4e66dc66..a9ca487c5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -1,168 +1,269 @@ | |||
1 | # various programs | 1 | blacklist ${HOME}/.*coin |
2 | blacklist ${HOME}/.8pecxstudios | ||
2 | blacklist ${HOME}/.Atom | 3 | blacklist ${HOME}/.Atom |
3 | blacklist ${HOME}/.remmina | ||
4 | blacklist ${HOME}/.tconn | ||
5 | blacklist ${HOME}/.FBReader | 4 | blacklist ${HOME}/.FBReader |
6 | blacklist ${HOME}/.wine | 5 | blacklist ${HOME}/.LuminanceHDR |
7 | blacklist ${HOME}/.Mathematica | 6 | blacklist ${HOME}/.Mathematica |
7 | blacklist ${HOME}/.Natron | ||
8 | blacklist ${HOME}/.Skype | ||
9 | blacklist ${HOME}/.TelegramDesktop | ||
10 | blacklist ${HOME}/.VirtualBox | ||
8 | blacklist ${HOME}/.Wolfram Research | 11 | blacklist ${HOME}/.Wolfram Research |
9 | blacklist ${HOME}/.stellarium | 12 | blacklist ${HOME}/.arduino15 |
10 | blacklist ${HOME}/.sword | 13 | blacklist ${HOME}/.atom |
11 | blacklist ${HOME}/.xiphos | 14 | blacklist ${HOME}/.audacity-data |
15 | blacklist ${HOME}/.bcast5 | ||
16 | blacklist ${HOME}/.cache/0ad | ||
17 | blacklist ${HOME}/.cache/8pecxstudios | ||
18 | blacklist ${HOME}/.cache/Franz | ||
19 | blacklist ${HOME}/.cache/INRIA | ||
20 | blacklist ${HOME}/.cache/QuiteRss | ||
21 | blacklist ${HOME}/.cache/champlain | ||
22 | blacklist ${HOME}/.cache/chromium | ||
23 | blacklist ${HOME}/.cache/chromium-dev | ||
24 | blacklist ${HOME}/.cache/darktable | ||
25 | blacklist ${HOME}/.cache/epiphany | ||
26 | blacklist ${HOME}/.cache/evolution | ||
27 | blacklist ${HOME}/.cache/gajim | ||
28 | blacklist ${HOME}/.cache/google-chrome | ||
29 | blacklist ${HOME}/.cache/google-chrome-beta | ||
30 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
31 | blacklist ${HOME}/.cache/icedove | ||
32 | blacklist ${HOME}/.cache/inox | ||
33 | blacklist ${HOME}/.cache/libgweather | ||
34 | blacklist ${HOME}/.cache/midori | ||
35 | blacklist ${HOME}/.cache/mozilla | ||
36 | blacklist ${HOME}/.cache/mutt | ||
37 | blacklist ${HOME}/.cache/netsurf | ||
38 | blacklist ${HOME}/.cache/opera | ||
39 | blacklist ${HOME}/.cache/opera-beta | ||
40 | blacklist ${HOME}/.cache/org.gnome.Books | ||
41 | blacklist ${HOME}/.cache/qutebrowser | ||
42 | blacklist ${HOME}/.cache/simple-scan | ||
43 | blacklist ${HOME}/.cache/slimjet | ||
44 | blacklist ${HOME}/.cache/spotify | ||
45 | blacklist ${HOME}/.cache/telepathy | ||
46 | blacklist ${HOME}/.cache/thunderbird | ||
47 | blacklist ${HOME}/.cache/torbrowser | ||
48 | blacklist ${HOME}/.cache/transmission | ||
49 | blacklist ${HOME}/.cache/vivaldi | ||
50 | blacklist ${HOME}/.cache/wesnoth | ||
51 | blacklist ${HOME}/.cache/xreader | ||
52 | blacklist ${HOME}/.claws-mail | ||
53 | blacklist ${HOME}/.config/0ad | ||
12 | blacklist ${HOME}/.config/Atom | 54 | blacklist ${HOME}/.config/Atom |
13 | blacklist ${HOME}/.config/gthumb | 55 | blacklist ${HOME}/.config/Brackets |
14 | blacklist ${HOME}/.config/mupen64plus | 56 | blacklist ${HOME}/.config/Cryptocat |
15 | blacklist ${HOME}/.config/transmission | 57 | blacklist ${HOME}/.config/Franz |
16 | blacklist ${HOME}/.config/uGet | 58 | blacklist ${HOME}/.config/Gitter |
59 | blacklist ${HOME}/.config/Google | ||
17 | blacklist ${HOME}/.config/Gpredict | 60 | blacklist ${HOME}/.config/Gpredict |
18 | blacklist ${HOME}/.config/aweather | 61 | blacklist ${HOME}/.config/INRIA |
19 | blacklist ${HOME}/.config/stellarium | ||
20 | blacklist ${HOME}/.config/atril | ||
21 | blacklist ${HOME}/.config/xreader | ||
22 | blacklist ${HOME}/.config/xviewer | ||
23 | blacklist ${HOME}/.config/libreoffice | ||
24 | blacklist ${HOME}/.config/pix | ||
25 | blacklist ${HOME}/.config/mate/eom | ||
26 | blacklist ${HOME}/.kde/share/apps/okular | ||
27 | blacklist ${HOME}/.kde/share/config/okularrc | ||
28 | blacklist ${HOME}/.kde/share/config/okularpartrc | ||
29 | blacklist ${HOME}/.kde/share/apps/gwenview | ||
30 | blacklist ${HOME}/.kde/share/config/gwenviewrc | ||
31 | blacklist ${HOME}/.config/qpdfview | ||
32 | blacklist ${HOME}/.config/Luminance | 62 | blacklist ${HOME}/.config/Luminance |
33 | blacklist ${HOME}/.config/synfig | 63 | blacklist ${HOME}/.config/Meltytech |
34 | blacklist ${HOME}/.synfig | 64 | blacklist ${HOME}/.config/Mumble |
35 | blacklist ${HOME}/.inkscape | 65 | blacklist ${HOME}/.config/QuiteRss |
36 | blacklist ${HOME}/.gimp* | 66 | blacklist ${HOME}/.config/QuiteRssrc |
37 | blacklist ${HOME}/.config/zathura | 67 | blacklist ${HOME}/.config/Slack |
68 | blacklist ${HOME}/.config/VirtualBox | ||
69 | blacklist ${HOME}/.config/Wire | ||
70 | blacklist ${HOME}/.config/ardour4 | ||
71 | blacklist ${HOME}/.config/ardour5 | ||
72 | blacklist ${HOME}/.config/arkrc | ||
73 | blacklist ${HOME}/.config/atril | ||
74 | blacklist ${HOME}/.config/autostart | ||
75 | blacklist ${HOME}/.config/autostart/dropbox.desktop | ||
76 | blacklist ${HOME}/.config/aweather | ||
77 | blacklist ${HOME}/.config/blender | ||
78 | blacklist ${HOME}/.config/bless | ||
79 | blacklist ${HOME}/.config/brasero | ||
80 | blacklist ${HOME}/.config/brave | ||
38 | blacklist ${HOME}/.config/cherrytree | 81 | blacklist ${HOME}/.config/cherrytree |
39 | blacklist ${HOME}/.xpdfrc | 82 | blacklist ${HOME}/.config/chromium |
40 | blacklist ${HOME}/.openshot | 83 | blacklist ${HOME}/.config/chromium-dev |
41 | blacklist ${HOME}/.openshot_qt | 84 | blacklist ${HOME}/.config/chromium-flags.conf |
42 | blacklist ${HOME}/.flowblade | ||
43 | blacklist ${HOME}/.config/flowblade | ||
44 | blacklist ${HOME}/.config/eog | ||
45 | |||
46 | |||
47 | # Media players | ||
48 | blacklist ${HOME}/.config/cmus | 85 | blacklist ${HOME}/.config/cmus |
86 | blacklist ${HOME}/.config/darktable | ||
49 | blacklist ${HOME}/.config/deadbeef | 87 | blacklist ${HOME}/.config/deadbeef |
50 | blacklist ${HOME}/.config/spotify | 88 | blacklist ${HOME}/.config/dolphinrc |
51 | blacklist ${HOME}/.config/vlc | 89 | blacklist ${HOME}/.config/dragonplayerrc |
52 | blacklist ${HOME}/.config/mpv | 90 | blacklist ${HOME}/.config/enchant |
53 | blacklist ${HOME}/.config/totem | 91 | blacklist ${HOME}/.config/eog |
54 | blacklist ${HOME}/.config/xplayer | 92 | blacklist ${HOME}/.config/epiphany |
55 | blacklist ${HOME}/.audacity-data | 93 | blacklist ${HOME}/.config/evince |
56 | blacklist ${HOME}/.guayadeque | 94 | blacklist ${HOME}/.config/evolution |
57 | 95 | blacklist ${HOME}/.config/filezilla | |
58 | # HTTP / FTP / Mail | 96 | blacklist ${HOME}/.config/flowblade |
59 | blacklist ${HOME}/.icedove | 97 | blacklist ${HOME}/.config/gajim |
60 | blacklist ${HOME}/.thunderbird | 98 | blacklist ${HOME}/.config/gedit |
61 | blacklist ${HOME}/.sylpheed-2.0 | ||
62 | blacklist ${HOME}/.config/midori | ||
63 | blacklist ${HOME}/.mozilla | ||
64 | blacklist ${HOME}/.config/chromium | ||
65 | blacklist ${HOME}/.config/google-chrome | 99 | blacklist ${HOME}/.config/google-chrome |
66 | blacklist ${HOME}/.config/google-chrome-beta | 100 | blacklist ${HOME}/.config/google-chrome-beta |
67 | blacklist ${HOME}/.config/google-chrome-unstable | 101 | blacklist ${HOME}/.config/google-chrome-unstable |
102 | blacklist ${HOME}/.config/gthumb | ||
103 | blacklist ${HOME}/.config/hexchat | ||
104 | blacklist ${HOME}/.config/inox | ||
105 | blacklist ${HOME}/.config/jd-gui.cfg | ||
106 | blacklist ${HOME}/.config/katepartrc | ||
107 | blacklist ${HOME}/.config/katerc | ||
108 | blacklist ${HOME}/.config/kateschemarc | ||
109 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | ||
110 | blacklist ${HOME}/.config/katevirc | ||
111 | blacklist ${HOME}/.config/libreoffice | ||
112 | blacklist ${HOME}/.config/mate/eom | ||
113 | blacklist ${HOME}/.config/midori | ||
114 | blacklist ${HOME}/.config/mpv | ||
115 | blacklist ${HOME}/.config/mupen64plus | ||
116 | blacklist ${HOME}/.config/nautilus | ||
117 | blacklist ${HOME}/.config/netsurf | ||
68 | blacklist ${HOME}/.config/opera | 118 | blacklist ${HOME}/.config/opera |
69 | blacklist ${HOME}/.config/opera-beta | 119 | blacklist ${HOME}/.config/opera-beta |
70 | blacklist ${HOME}/.opera | 120 | blacklist ${HOME}/.config/pix |
71 | blacklist ${HOME}/.config/vivaldi | 121 | blacklist ${HOME}/.config/pluma |
72 | blacklist ${HOME}/.filezilla | ||
73 | blacklist ${HOME}/.config/filezilla | ||
74 | blacklist ${HOME}/.dillo | ||
75 | blacklist ${HOME}/.conkeror.mozdev.org | ||
76 | blacklist ${HOME}/.config/epiphany | ||
77 | blacklist ${HOME}/.config/slimjet | ||
78 | blacklist ${HOME}/.config/qutebrowser | ||
79 | blacklist ${HOME}/.8pecxstudios | ||
80 | blacklist ${HOME}/.config/brave | ||
81 | blacklist ${HOME}/.config/inox | ||
82 | blacklist ${HOME}/.muttrc | ||
83 | blacklist ${HOME}/.mutt | ||
84 | blacklist ${HOME}/.mutt/muttrc | ||
85 | blacklist ${HOME}/.msmtprc | ||
86 | blacklist ${HOME}/.config/evolution | ||
87 | blacklist ${HOME}/.local/share/evolution | ||
88 | blacklist ${HOME}/.cache/evolution | ||
89 | |||
90 | # Instant Messaging | ||
91 | blacklist ${HOME}/.config/hexchat | ||
92 | blacklist ${HOME}/.mcabber | ||
93 | blacklist ${HOME}/.mcabberrc | ||
94 | blacklist ${HOME}/.purple | ||
95 | blacklist ${HOME}/.config/psi+ | 122 | blacklist ${HOME}/.config/psi+ |
96 | blacklist ${HOME}/.retroshare | 123 | blacklist ${HOME}/.config/qpdfview |
97 | blacklist ${HOME}/.weechat | 124 | blacklist ${HOME}/.config/qutebrowser |
98 | blacklist ${HOME}/.config/xchat | 125 | blacklist ${HOME}/.config/ranger |
99 | blacklist ${HOME}/.Skype | 126 | blacklist ${HOME}/.config/redshift.conf |
100 | blacklist ${HOME}/.config/skypeforlinux | 127 | blacklist ${HOME}/.config/skypeforlinux |
128 | blacklist ${HOME}/.config/slimjet | ||
129 | blacklist ${HOME}/.config/spotify | ||
130 | blacklist ${HOME}/.config/stellarium | ||
131 | blacklist ${HOME}/.config/synfig | ||
132 | blacklist ${HOME}/.config/telepathy-account-widgets | ||
133 | blacklist ${HOME}/.config/torbrowser | ||
134 | blacklist ${HOME}/.config/totem | ||
101 | blacklist ${HOME}/.config/tox | 135 | blacklist ${HOME}/.config/tox |
102 | blacklist ${HOME}/.TelegramDesktop | 136 | blacklist ${HOME}/.config/transmission |
103 | blacklist ${HOME}/.config/Gitter | 137 | blacklist ${HOME}/.config/uGet |
104 | blacklist ${HOME}/.config/Franz | 138 | blacklist ${HOME}/.config/vivaldi |
105 | blacklist ${HOME}/.jitsi | 139 | blacklist ${HOME}/.config/vlc |
106 | blacklist ${HOME}/.config/Slack | ||
107 | blacklist ${HOME}/.cache/gajim | ||
108 | blacklist ${HOME}/.local/share/gajim | ||
109 | blacklist ${HOME}/.config/gajim | ||
110 | blacklist ${HOME}/.config/Wire | ||
111 | |||
112 | # Games | ||
113 | blacklist ${HOME}/.hedgewars | ||
114 | blacklist ${HOME}/.steam | ||
115 | blacklist ${HOME}/.config/wesnoth | 140 | blacklist ${HOME}/.config/wesnoth |
116 | blacklist ${HOME}/.config/0ad | 141 | blacklist ${HOME}/.config/wire |
117 | blacklist ${HOME}/.warzone2100-3.1 | 142 | blacklist ${HOME}/.config/wireshark |
143 | blacklist ${HOME}/.config/xchat | ||
144 | blacklist ${HOME}/.config/xed | ||
145 | blacklist ${HOME}/.config/xfburn | ||
146 | blacklist ${HOME}/.config/xplayer | ||
147 | blacklist ${HOME}/.config/xreader | ||
148 | blacklist ${HOME}/.config/xviewer | ||
149 | blacklist ${HOME}/.config/zathura | ||
150 | blacklist ${HOME}/.config/zoomus.conf | ||
151 | blacklist ${HOME}/.conkeror.mozdev.org | ||
152 | blacklist ${HOME}/.dillo | ||
118 | blacklist ${HOME}/.dosbox | 153 | blacklist ${HOME}/.dosbox |
119 | 154 | blacklist ${HOME}/.dropbox-dist | |
120 | # Cryptocoins | ||
121 | blacklist ${HOME}/.*coin | ||
122 | blacklist ${HOME}/.electrum* | 155 | blacklist ${HOME}/.electrum* |
123 | blacklist ${HOME}/wallet.dat | 156 | blacklist ${HOME}/.elinks |
124 | 157 | blacklist ${HOME}/.emacs | |
125 | # git, subversion | 158 | blacklist ${HOME}/.emacs.d |
126 | blacklist ${HOME}/.subversion | 159 | blacklist ${HOME}/.filezilla |
127 | blacklist ${HOME}/.gitconfig | 160 | blacklist ${HOME}/.flowblade |
161 | blacklist ${HOME}/.fltk | ||
162 | blacklist ${HOME}/.gimp* | ||
128 | blacklist ${HOME}/.git-credential-cache | 163 | blacklist ${HOME}/.git-credential-cache |
129 | 164 | blacklist ${HOME}/.gitconfig | |
130 | # cache | 165 | blacklist ${HOME}/.googleearth/Cache/ |
131 | blacklist ${HOME}/.cache/mozilla | 166 | blacklist ${HOME}/.googleearth/Temp/ |
132 | blacklist ${HOME}/.cache/chromium | 167 | blacklist ${HOME}/.googleearth/myplaces.backup.kml |
133 | blacklist ${HOME}/.cache/google-chrome | 168 | blacklist ${HOME}/.googleearth/myplaces.kml |
134 | blacklist ${HOME}/.cache/google-chrome-beta | 169 | blacklist ${HOME}/.guayadeque |
135 | blacklist ${HOME}/.cache/google-chrome-unstable | 170 | blacklist ${HOME}/.hedgewars |
136 | blacklist ${HOME}/.cache/opera | 171 | blacklist ${HOME}/.icedove |
137 | blacklist ${HOME}/.cache/opera-beta | 172 | blacklist ${HOME}/.inkscape |
138 | blacklist ${HOME}/.cache/vivaldi | 173 | blacklist ${HOME}/.jitsi |
139 | blacklist ${HOME}/.cache/epiphany | 174 | blacklist ${HOME}/.kde/share/apps/gwenview |
140 | blacklist ${HOME}/.cache/slimjet | 175 | blacklist ${HOME}/.kde/share/apps/okular |
141 | blacklist ${HOME}/.cache/qutebrowser | 176 | blacklist ${HOME}/.kde/share/config/gwenviewrc |
142 | blacklist ${HOME}/.cache/spotify | 177 | blacklist ${HOME}/.kde/share/config/okularpartrc |
143 | blacklist ${HOME}/.cache/thunderbird | 178 | blacklist ${HOME}/.kde/share/config/okularrc |
144 | blacklist ${HOME}/.cache/icedove | 179 | blacklist ${HOME}/.killingfloor |
145 | blacklist ${HOME}/.cache/transmission | 180 | blacklist ${HOME}/.linphone-history.db |
146 | blacklist ${HOME}/.cache/wesnoth | 181 | blacklist ${HOME}/.linphonerc |
147 | blacklist ${HOME}/.cache/0ad | 182 | blacklist ${HOME}/.lmmsrc.xml |
148 | blacklist ${HOME}/.cache/8pecxstudios | 183 | blacklist ${HOME}/.local/.share/maps-places.json |
149 | blacklist ${HOME}/.cache/xreader | 184 | blacklist ${HOME}/.local/lib/python2.7/site-packages |
150 | blacklist ${HOME}/.cache/Franz | 185 | blacklist ${HOME}/.local/share/0ad |
151 | 186 | blacklist ${HOME}/.local/share/3909/PapersPlease | |
152 | # share | 187 | blacklist ${HOME}/.local/share/Empathy |
188 | blacklist ${HOME}/.local/share/Mumble | ||
189 | blacklist ${HOME}/.local/share/QuiteRss | ||
190 | blacklist ${HOME}/.local/share/Ricochet | ||
191 | blacklist ${HOME}/.local/share/Steam | ||
192 | blacklist ${HOME}/.local/share/SuperHexagon | ||
193 | blacklist ${HOME}/.local/share/Terraria | ||
194 | blacklist ${HOME}/.local/share/TpLogger | ||
195 | blacklist ${HOME}/.local/share/aspyr-media | ||
196 | blacklist ${HOME}/.local/share/cdprojektred | ||
197 | blacklist ${HOME}/.local/share/data/Mumble | ||
198 | blacklist ${HOME}/.local/share/dolphin | ||
153 | blacklist ${HOME}/.local/share/epiphany | 199 | blacklist ${HOME}/.local/share/epiphany |
200 | blacklist ${HOME}/.local/share/evolution | ||
201 | blacklist ${HOME}/.local/share/feral-interactive | ||
202 | blacklist ${HOME}/.local/share/gajim | ||
203 | blacklist ${HOME}/.local/share/gnome-2048 | ||
204 | blacklist ${HOME}/.local/share/gnome-chess | ||
205 | blacklist ${HOME}/.local/share/gnome-music | ||
206 | blacklist ${HOME}/.local/share/gnome-photos | ||
207 | blacklist ${HOME}/.local/share/kate | ||
208 | blacklist ${HOME}/.local/share/lollypop | ||
209 | blacklist ${HOME}/.local/share/multimc5 | ||
154 | blacklist ${HOME}/.local/share/mupen64plus | 210 | blacklist ${HOME}/.local/share/mupen64plus |
211 | blacklist ${HOME}/.local/share/pix | ||
212 | blacklist ${HOME}/.local/share/psi+ | ||
213 | blacklist ${HOME}/.local/share/qpdfview | ||
155 | blacklist ${HOME}/.local/share/spotify | 214 | blacklist ${HOME}/.local/share/spotify |
156 | blacklist ${HOME}/.local/share/steam | 215 | blacklist ${HOME}/.local/share/steam |
216 | blacklist ${HOME}/.local/share/telepathy | ||
217 | blacklist ${HOME}/.local/share/torbrowser | ||
218 | blacklist ${HOME}/.local/share/totem | ||
219 | blacklist ${HOME}/.local/share/vpltd | ||
220 | blacklist ${HOME}/.local/share/vulkan | ||
157 | blacklist ${HOME}/.local/share/wesnoth | 221 | blacklist ${HOME}/.local/share/wesnoth |
158 | blacklist ${HOME}/.local/share/0ad | ||
159 | blacklist ${HOME}/.local/share/xplayer | 222 | blacklist ${HOME}/.local/share/xplayer |
160 | blacklist ${HOME}/.local/share/totem | 223 | blacklist ${HOME}/.local/share/xreader |
161 | blacklist ${HOME}/.local/share/psi+ | ||
162 | blacklist ${HOME}/.local/share/pix | ||
163 | blacklist ${HOME}/.local/share/gnome-chess | ||
164 | blacklist ${HOME}/.local/share/qpdfview | ||
165 | blacklist ${HOME}/.local/share/zathura | 224 | blacklist ${HOME}/.local/share/zathura |
166 | 225 | blacklist ${HOME}/.lv2 | |
167 | # ssh | 226 | blacklist ${HOME}/.mcabber |
227 | blacklist ${HOME}/.mcabberrc | ||
228 | blacklist ${HOME}/.mozilla | ||
229 | blacklist ${HOME}/.mozilla/seamonkey | ||
230 | blacklist ${HOME}/.mpdconf | ||
231 | blacklist ${HOME}/.msmtprc | ||
232 | blacklist ${HOME}/.multimc5 | ||
233 | blacklist ${HOME}/.mutt | ||
234 | blacklist ${HOME}/.mutt/muttrc | ||
235 | blacklist ${HOME}/.muttrc | ||
236 | blacklist ${HOME}/.nv | ||
237 | blacklist ${HOME}/.openshot | ||
238 | blacklist ${HOME}/.openshot_qt | ||
239 | blacklist ${HOME}/.opera | ||
240 | blacklist ${HOME}/.opera-beta | ||
241 | blacklist ${HOME}/.pki | ||
242 | blacklist ${HOME}/.purple | ||
243 | blacklist ${HOME}/.qemu-launcher | ||
244 | blacklist ${HOME}/.remmina | ||
245 | blacklist ${HOME}/.retroshare | ||
246 | blacklist ${HOME}/.scribus | ||
247 | blacklist ${HOME}/.steam | ||
248 | blacklist ${HOME}/.steampath | ||
249 | blacklist ${HOME}/.steampid | ||
250 | blacklist ${HOME}/.stellarium | ||
251 | blacklist ${HOME}/.subversion | ||
252 | blacklist ${HOME}/.sword | ||
253 | blacklist ${HOME}/.sylpheed-2.0 | ||
254 | blacklist ${HOME}/.synfig | ||
255 | blacklist ${HOME}/.tconn | ||
256 | blacklist ${HOME}/.thunderbird | ||
257 | blacklist ${HOME}/.ts3client | ||
258 | blacklist ${HOME}/.vst | ||
259 | blacklist ${HOME}/.w3m | ||
260 | blacklist ${HOME}/.warzone2100-3.1 | ||
261 | blacklist ${HOME}/.weechat | ||
262 | blacklist ${HOME}/.wine | ||
263 | blacklist ${HOME}/.wine64 | ||
264 | blacklist ${HOME}/.xiphos | ||
265 | blacklist ${HOME}/.xonotic | ||
266 | blacklist ${HOME}/.xpdfrc | ||
267 | blacklist ${HOME}/.zoom | ||
268 | blacklist ${HOME}/wallet.dat | ||
168 | blacklist /tmp/ssh-* | 269 | blacklist /tmp/ssh-* |
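Review bot: The new entry `blacklist ${HOME}/.local/.share/maps-places.json` (new line 183) looks like a typo — the other `.local/...` entries in this file use `.local/share`, and a path that does not exist is simply never mounted over, so the GNOME Maps places file would stay readable; it should read `blacklist ${HOME}/.local/share/maps-places.json`. New line 75, `blacklist ${HOME}/.config/autostart/dropbox.desktop`, is already covered by the `.config/autostart` entry immediately above it and can be dropped. Since the file is now sorted alphabetically, a one-line header such as `# keep sorted (sort -u) to avoid duplicate entries` would help keep future additions from reintroducing duplicates like this one.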
diff --git a/etc/display.profile b/etc/display.profile new file mode 100644 index 000000000..ec041bff7 --- /dev/null +++ b/etc/display.profile | |||
@@ -0,0 +1,23 @@ | |||
1 | # display (ImageMagick tool) image viewer profile | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | seccomp | ||
9 | protocol unix | ||
10 | netfilter | ||
11 | net none | ||
12 | nonewprivs | ||
13 | noroot | ||
14 | nogroups | ||
15 | nosound | ||
16 | shell none | ||
17 | x11 xorg | ||
18 | |||
19 | private-bin display | ||
20 | private-tmp | ||
21 | private-dev | ||
22 | private-etc none | ||
23 | |||
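Review bot: `private-etc none` (line 22) hides all of /etc from the sandbox, which on systems where ImageMagick reads its security policy from /etc (e.g. `/etc/ImageMagick-6/policy.xml` on Debian-derived distributions) means the administrator's coder and resource restrictions are no longer seen by `display` and it falls back to ImageMagick's built-in defaults. If that policy is relied on, replace the line with `private-etc ImageMagick-6` (the directory name varies by version and distribution, so confirm it locally) or document the trade-off in a comment next to it. Separately, `netfilter` (line 10) has nothing to filter once `net none` (line 11) leaves the sandbox with no interfaces, so it can be dropped or commented to avoid implying a firewall is in force.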
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index bd7e19dc2..926b8bfcc 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -8,5 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
12 | no3d | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 13 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 14 | ||
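Review bot: The hand-maintained `seccomp.drop` list on line 13 (context in this hunk, not changed by it) names `perf_event_open` twice and, being a fixed deny-list, does not pick up additions to firejail's default filter; the other profiles touched in this commit use the bare `seccomp` keyword, which applies that default. Presumably the custom list exists because dnscrypt-proxy needs a call the default filter blocks (its own privilege drop chroots, as far as I recall) — if so, a comment such as `# custom list: default seccomp filter blocks a syscall dnscrypt-proxy needs at startup` naming that call would explain why the list must stay, and the duplicate `perf_event_open` should be removed. The profile's first seven lines are outside this hunk.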
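--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,9 +5,13 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+
 caps
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 private
 private-dev
+nosound
+no3d
+protocol unix,inet,inet6,netlink
+seccomp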
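Review bot: `caps` (new line 9) keeps the full capability set in the sandbox, while every desktop profile in this commit uses `caps.drop all`; a DNS/DHCP daemon normally needs only a handful, so `caps.keep` listing the ones dnsmasq actually uses (presumably `net_bind_service` plus `net_admin` or `net_raw`, to be confirmed against the daemon's setup) would narrow it without breaking the service. The same full-capability `caps` line survives in dropbox.profile further down, where a userland sync client is unlikely to need any capability at all. At minimum a comment next to `caps` stating why the full set is kept would make the choice reviewable.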
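--- /dev/null
+++ b/etc/dolphin.profile
@@ -0,0 +1,27 @@
+# dolphin profile
+
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+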
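Review bot: Lines 23-26 comment out all four `private-*` options without saying why, whereas line 9 does explain why disable-programs.inc is skipped; one line such as `# private-* disabled: helpers spawned via kdeinit5 need the real /tmp and /dev — TODO confirm` (if that is indeed the cause) would keep the two comments consistent and tell a future editor what to re-test. Given the line-3 warning that the sandbox is not effective for dolphin, it would also help to state whether `protocol unix` on line 21 was chosen deliberately, since a file manager that browses network shares may need inet as well.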
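--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp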
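--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+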
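--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,9 +1,21 @@
 # dropbox profile
+noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop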
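Review bot: The new `mkfile`/`whitelist ~/.config/autostart/dropbox.desktop` pair (lines 20-21) leaves the autostart entry writable from inside the sandbox; whatever that desktop file's Exec line names is started unsandboxed at the next login, so the jailed process effectively decides what runs outside the jail. If dropbox only needs to read (or create once) that entry, adding `read-only ~/.config/autostart/dropbox.desktop` after the whitelist keeps the file visible but immutable; if the client rewrites it to toggle "start on login", a comment saying so would record that the exposure is accepted. Separately, `caps` at line 7 keeps the full capability set while the other desktop profiles in this commit use `caps.drop all`; either a comment naming the capability dropbox needs or `caps.drop all` would make that deliberate.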
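--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
+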
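--- /dev/null
+++ b/etc/emacs.profile
@@ -0,0 +1,16 @@
+# emacs profile
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp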
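--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -4,6 +4,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp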
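--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts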
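Review bot: The profile restricts sockets to `protocol unix` (line 14) but does not add `net none`, so a spell-checking tool that needs no network keeps the host's network namespace; feh.profile, exiftool.profile and file.profile in this commit pair `protocol unix` with `net none`, and adding `net none` after `netfilter` here would match them. The same gap exists in eog.profile, eom.profile and file-roller.profile below, the last of which handles untrusted archives and would benefit most. Note that evince.profile in this commit keeps `#net none` commented out because it "creates some problems on some distributions", so the change should be tried on the distributions that reported that before being applied across the board.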
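--- /dev/null
+++ b/etc/eog.profile
@@ -0,0 +1,22 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp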
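--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev
+private-tmp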
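--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -8,19 +8,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 whitelist ${DOWNLOADS}
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/epiphany
 whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-
+nonewprivs
+protocol unix,inet,inet6
+seccomp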
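--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,11 +1,25 @@
 # evince pdf reader profile
+noblacklist ~/.config/evince
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+#net none - creates some problems on some distributions
+nogroups
+nonewprivs
 noroot
 nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
+private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp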
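--- /dev/null
+++ b/etc/evolution.profile
@@ -0,0 +1,25 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp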
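--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
+
+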
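--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp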
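Review bot: `shell none` (new line 17) sits after the blank line in the `private-*` group, while every other profile in this commit keeps it in the restriction list between `caps.drop all` and `seccomp`; moving it up after `seccomp` and leaving the blank line directly before `private-bin` would match that layout. `nogroups` and `tracelog`, which most of the new profiles add alongside `nonewprivs`, are also absent here — not a defect, but if they were left out on purpose a short comment would save the next editor from "fixing" it.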
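--- /dev/null
+++ b/etc/feh.profile
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin feh
+private-dev
+private-etc feh
+private-tmp
\ No newline at end of file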
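Review bot: The file ends without a trailing newline (`\ No newline at end of file` after `private-tmp`, line 21), unlike every other new profile in the commit; adding the newline keeps the next edit to this profile from touching that line again. `private-etc feh` on line 20 is also narrower than the `fonts` entry eog and evince use — possibly intentional, but a one-line comment saying it was tested would prevent it being widened by reflex later.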
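--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts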
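--- /dev/null
+++ b/etc/file.profile
@@ -0,0 +1,26 @@
+# file profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+hostname file
+netfilter
+net none
+no3d
+nogroups
+nonewprivs
+#noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+blacklist /tmp/.X11-unix
+
+private-dev
+private-bin file
+private-etc magic.mgc,magic,localtime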
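Review bot: `#noroot` at line 14 is commented out with no explanation, whereas `#net none` in evince.profile in this commit states its reason; a reader cannot tell whether `noroot` breaks `file` or was simply forgotten. Either re-enabling it or adding `# noroot disabled: <reason> — TODO confirm` on that line would settle it. The rest of the profile (`net none`, `x11 none`, `private-bin file`, `private-etc magic.mgc,magic,localtime`) is among the tightest in the commit, which makes this one unexplained gap stand out.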
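--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+private-dev
+private-tmp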
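Review bot: `private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp` (new line 18) places a shell and a Python interpreter inside the sandbox two lines after `shell none` was added; presumably filezilla's startup wrapper needs them, but the profile does not say so. A comment such as `# sh, python, uname and lsb_release are used by filezilla's launcher script — TODO confirm` next to the line would let the next reviewer judge whether the list can shrink. Since `private-bin` is what bounds which binaries the sandboxed process can run, that justification belongs in the profile rather than in the commit message.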
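--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile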
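--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,23 +1,24 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde/share/apps/okular
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
@@ -30,6 +31,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde/share/apps/okular
 
 # lastpass, keepassx
 whitelist ~/.keepassx
@@ -40,14 +44,15 @@ whitelist ~/.config/lastpass
 
 
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp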
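Review bot: The second hunk whitelists `~/.config/qpdfview`, `~/.local/share/qpdfview` and `~/.kde/share/apps/okular` (new lines 34-36) and the first hunk's `noblacklist` lines (4-6) un-hide them, so the browser sandbox gains write access to another application's configuration, presumably so a PDF viewer launched from firefox finds its settings. If the viewers only need to read those directories, `read-only ~/.config/qpdfview` (and likewise for the other two) after the whitelist keeps them visible but immutable; if they write recent-file lists, a comment recording that would explain why write access is granted. The third hunk's `private-tmp` (line 58) also deserves a note: evince.profile in this commit says evince needs `/tmp/mozilla*`, so it is worth confirming that a viewer started from firefox shares the browser's private /tmp rather than the host's.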
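--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+
+profile firejail-default {
+
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+
+}
+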
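Review bot: `/[^proc,^sys]** mrwlk,` (line 26) does not carve /proc and /sys out of the broad grant the way the comment above it intends: in AppArmor a bracket expression is a single-character class, so this rule gives mrwlk to every path whose first character is not one of `p r o c , ^ s y`, which excludes /proc and /sys but equally /opt, /root, /sbin, /srv and /run. The separate `/opt/ r`, `/opt/** r` and `/opt/** ix` lines (88-90) look like a workaround for exactly that side effect. AppArmor has no glob negation, so either the comment should describe what the rule really does, or the allowed top-level directories should be enumerated explicitly (the `/proc/...` and `/sys/...` read rules that follow can stay as they are). A smaller point: `@{PID}` at line 11 stops at six digits, so on a system with pid_max raised above 999999 the `/proc/@{PID}/` rules would not match those processes.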
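--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,63 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+# force-nonewprivs no
+
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
@@ -36,3 +75,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale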
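Review bot: The new netfilter-default paragraph in the first hunk says `iptable-restore` (new line 57); the command is `iptables-restore`, so the line should read `# format of iptables-save and iptables-restore commands. Example:`. The example path on line 58, `/etc/iptables.iptables.rules`, also looks like a mistyped `/etc/iptables/iptables.rules`, though as an example it is not wrong as such and I may be misreading the intent. The `force-nonewprivs` text (lines 23-27) is the clearest security rationale in the file; it could add one sentence noting that it is a global fallback for profiles that do not set `nonewprivs` themselves, which is what most profiles in this commit now do.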
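--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,16 +15,15 @@ include /etc/firejail/disable-programs.inc
 #
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache
 mkdir ~/.cache/slimjet
 whitelist ~/.cache/slimjet
 mkdir ~/.pki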
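--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp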
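--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc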
diff --git a/etc/gajim.profile b/etc/gajim.profile new file mode 100644 index 000000000..eb60f858b --- /dev/null +++ b/etc/gajim.profile | |||
@@ -0,0 +1,38 @@ | |||
1 | # Firejail profile for Gajim | ||
2 | noblacklist ${HOME}/.cache/gajim | ||
3 | noblacklist ${HOME}/.local/share/gajim | ||
4 | noblacklist ${HOME}/.config/gajim | ||
5 | |||
6 | mkdir ${HOME}/.cache/gajim | ||
7 | mkdir ${HOME}/.local/share/gajim | ||
8 | mkdir ${HOME}/.config/gajim | ||
9 | mkdir ${HOME}/Downloads | ||
10 | |||
11 | # Allow the local python 2.7 site packages, in case any plugins are using these | ||
12 | mkdir ${HOME}/.local/lib/python2.7/site-packages/ | ||
13 | whitelist ${HOME}/.local/lib/python2.7/site-packages/ | ||
14 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | ||
15 | |||
16 | whitelist ${HOME}/.cache/gajim | ||
17 | whitelist ${HOME}/.local/share/gajim | ||
18 | whitelist ${HOME}/.config/gajim | ||
19 | whitelist ${HOME}/Downloads | ||
20 | |||
21 | include /etc/firejail/disable-common.inc | ||
22 | include /etc/firejail/disable-passwdmgr.inc | ||
23 | include /etc/firejail/disable-programs.inc | ||
24 | include /etc/firejail/disable-devel.inc | ||
25 | |||
26 | caps.drop all | ||
27 | netfilter | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | protocol unix,inet,inet6 | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | #private-bin python2.7 gajim | ||
36 | #private-etc fonts | ||
37 | private-dev | ||
38 | #private-tmp | ||
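Review bot: Lines 9 and 19 hard-code `${HOME}/Downloads` where the other profiles in this commit (franz line 16, inox line 9) use the `${DOWNLOADS}` macro, so a user whose XDG download directory is elsewhere gets an empty, freshly created `~/Downloads` whitelisted instead of the real one; replace line 19 with `whitelist ${DOWNLOADS}` and drop the `mkdir` on line 9. The whitelist block at lines 13–19 is also not followed by `include /etc/firejail/whitelist-common.inc`, which franz, gnome-2048 and hexchat add after theirs, so the common home entries that file provides are presumably absent from the tmpfs home — confirm by launching the sandbox. The commented `#private-bin`, `#private-etc` and `#private-tmp` at lines 35–38 carry no reason; a short note on what broke would stop them being re-enabled blindly.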
diff --git a/etc/gedit.profile b/etc/gedit.profile new file mode 100644 index 000000000..a25286bfa --- /dev/null +++ b/etc/gedit.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # gedit profile | ||
2 | |||
3 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
4 | |||
5 | noblacklist ~/.config/gedit | ||
6 | |||
7 | include /etc/firejail/disable-common.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | #include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | |||
12 | caps.drop all | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix | ||
18 | seccomp | ||
19 | netfilter | ||
20 | shell none | ||
21 | tracelog | ||
22 | |||
23 | # private-bin gedit | ||
24 | private-tmp | ||
25 | private-dev | ||
26 | # private-etc fonts | ||
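Review bot: `netfilter` on line 19 sits next to `protocol unix` on line 17, which already denies inet/inet6 socket creation, so the filter guards nothing here; the same pairing appears in gimp, inkscape, gnome-books, gnome-documents, gnome-music, gnome-photos, goobox and gpg-agent. As far as I recall firejail only applies the netfilter ruleset when a new network namespace is created, so the line is inert either way: drop it, or state the intent with `net none` as gpg.profile and gzip.profile in this commit do — the latter only after confirming the application still reaches its session bus and X socket through filesystem paths. The commented `#include /etc/firejail/disable-devel.inc`, `# private-bin gedit` and `# private-etc fonts` on lines 9, 23 and 26 would also benefit from a word on why they are disabled.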
diff --git a/etc/gimp.profile b/etc/gimp.profile new file mode 100644 index 000000000..cb441fc9d --- /dev/null +++ b/etc/gimp.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # gimp | ||
2 | noblacklist ${HOME}/.gimp* | ||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | netfilter | ||
9 | nogroups | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | nosound | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | |||
16 | noexec ${HOME} | ||
17 | noexec /tmp | ||
18 | |||
19 | private-dev | ||
20 | private-tmp | ||
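Review bot: `noexec ${HOME}` on line 16 also covers the `${HOME}/.gimp*` tree un-blacklisted on line 2, and user-installed plug-ins under that tree are presumably launched by GIMP as executables, so they will fail to start inside the sandbox with no obvious cause; keep the hardening but record the trade-off, e.g. `# noexec ${HOME} also blocks plug-ins installed under ~/.gimp*/plug-ins`. inkscape.profile in this commit has the same `noexec ${HOME}`/`noexec /tmp` pair and would take the same comment if its extensions are affected — confirm with a user extension installed before deciding.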
diff --git a/etc/git.profile b/etc/git.profile new file mode 100644 index 000000000..d60e58c03 --- /dev/null +++ b/etc/git.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # git profile | ||
2 | quiet | ||
3 | noblacklist ~/.gitconfig | ||
4 | noblacklist ~/.ssh | ||
5 | noblacklist ~/.gnupg | ||
6 | noblacklist ~/.emacs | ||
7 | noblacklist ~/.emacs.d | ||
8 | noblacklist ~/.viminfo | ||
9 | noblacklist ~/.vim | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | |||
15 | |||
16 | caps.drop all | ||
17 | netfilter | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
22 | protocol unix,inet,inet6 | ||
23 | seccomp | ||
24 | shell none | ||
25 | |||
26 | private-dev | ||
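Review bot: Lines 4 and 5 re-expose `~/.ssh` and `~/.gnupg`, the two most sensitive directories `disable-common.inc` hides, with no comment on why; a line such as `# ~/.ssh for ssh remotes, ~/.gnupg for commit signing` documents the trade-off and tells a user who needs neither that the entries can be dropped in a local override. The editor entries on lines 6–9 (`~/.emacs`, `~/.vim`, `~/.viminfo`) likewise deserve a note that they exist for `git commit` opening the configured editor. Lines 14–15 leave a double blank line, unlike the other profiles in this range.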
diff --git a/etc/gitter.profile b/etc/gitter.profile new file mode 100644 index 000000000..f43f5f199 --- /dev/null +++ b/etc/gitter.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for Gitter | ||
2 | noblacklist ~/.config/Gitter | ||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-passwdmgr.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | |||
8 | caps.drop all | ||
9 | netfilter | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix,inet,inet6,netlink | ||
15 | seccomp | ||
16 | shell none | ||
17 | |||
18 | private-bin gitter | ||
19 | private-dev | ||
20 | private-tmp | ||
diff --git a/etc/gjs.profile b/etc/gjs.profile new file mode 100644 index 000000000..8d71728a2 --- /dev/null +++ b/etc/gjs.profile | |||
@@ -0,0 +1,28 @@ | |||
1 | # gjs (gnome javascript bindings) profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | noblacklist ~/.cache/org.gnome.Books | ||
6 | noblacklist ~/.config/libreoffice | ||
7 | noblacklist ~/.local/share/gnome-photos | ||
8 | noblacklist ~/.cache/libgweather | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-programs.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | |||
15 | caps.drop all | ||
16 | nogroups | ||
17 | nonewprivs | ||
18 | noroot | ||
19 | protocol unix,inet,inet6 | ||
20 | seccomp | ||
21 | netfilter | ||
22 | shell none | ||
23 | tracelog | ||
24 | |||
25 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | ||
26 | private-tmp | ||
27 | private-dev | ||
28 | # private-etc fonts | ||
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile new file mode 100644 index 000000000..f9982da61 --- /dev/null +++ b/etc/gnome-2048.profile | |||
@@ -0,0 +1,25 @@ | |||
1 | # | ||
2 | #Profile for gnome-2048 | ||
3 | # | ||
4 | |||
5 | #No Blacklist Paths | ||
6 | noblacklist ${HOME}/.local/share/gnome-2048 | ||
7 | |||
8 | #Blacklist Paths | ||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | |||
14 | #Whitelist Paths | ||
15 | mkdir ${HOME}/.local/share/gnome-2048 | ||
16 | whitelist ${HOME}/.local/share/gnome-2048 | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | |||
19 | #Options | ||
20 | caps.drop all | ||
21 | netfilter | ||
22 | nonewprivs | ||
23 | noroot | ||
24 | protocol unix,inet,inet6 | ||
25 | seccomp | ||
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile new file mode 100644 index 000000000..10b06e173 --- /dev/null +++ b/etc/gnome-books.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # gnome-books profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | noblacklist ~/.cache/org.gnome.Books | ||
6 | |||
7 | include /etc/firejail/disable-common.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | |||
12 | caps.drop all | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix | ||
18 | seccomp | ||
19 | netfilter | ||
20 | shell none | ||
21 | tracelog | ||
22 | |||
23 | # private-bin gjs gnome-books | ||
24 | private-tmp | ||
25 | private-dev | ||
26 | private-etc fonts | ||
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile new file mode 100644 index 000000000..49e068171 --- /dev/null +++ b/etc/gnome-calculator.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # | ||
2 | #Profile for gnome-calculator | ||
3 | # | ||
4 | |||
5 | #Blacklist Paths | ||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | |||
11 | include /etc/firejail/whitelist-common.inc | ||
12 | |||
13 | #Options | ||
14 | caps.drop all | ||
15 | netfilter | ||
16 | nonewprivs | ||
17 | noroot | ||
18 | protocol unix,inet,inet6 | ||
19 | seccomp | ||
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile new file mode 100644 index 000000000..4db485ea7 --- /dev/null +++ b/etc/gnome-chess.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Firejail profile for gnome-chess | ||
2 | noblacklist ~/.local/share/gnome-chess | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin fairymax,gnome-chess,hoichess | ||
20 | private-dev | ||
21 | private-etc fonts,gnome-chess | ||
22 | private-tmp | ||
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile new file mode 100644 index 000000000..6cccf9d32 --- /dev/null +++ b/etc/gnome-clocks.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # gnome-clocks profile | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | nogroups | ||
9 | nonewprivs | ||
10 | noroot | ||
11 | nosound | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | netfilter | ||
15 | shell none | ||
16 | tracelog | ||
17 | |||
18 | # private-bin gnome-clocks | ||
19 | private-tmp | ||
20 | private-dev | ||
21 | # private-etc fonts | ||
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile new file mode 100644 index 000000000..9dc25b26c --- /dev/null +++ b/etc/gnome-contacts.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # | ||
2 | #Profile for gnome-contacts | ||
3 | # | ||
4 | |||
5 | #Blacklist Paths | ||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | |||
11 | include /etc/firejail/whitelist-common.inc | ||
12 | |||
13 | #Options | ||
14 | caps.drop all | ||
15 | netfilter | ||
16 | nonewprivs | ||
17 | noroot | ||
18 | protocol unix,inet,inet6 | ||
19 | seccomp | ||
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile new file mode 100644 index 000000000..c5def7aff --- /dev/null +++ b/etc/gnome-documents.profile | |||
@@ -0,0 +1,24 @@ | |||
1 | # gnome-documents profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | noblacklist ~/.config/libreoffice | ||
6 | |||
7 | include /etc/firejail/disable-common.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | |||
12 | caps.drop all | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix | ||
18 | seccomp | ||
19 | netfilter | ||
20 | shell none | ||
21 | tracelog | ||
22 | |||
23 | private-tmp | ||
24 | private-dev | ||
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile new file mode 100644 index 000000000..f1451506e --- /dev/null +++ b/etc/gnome-maps.profile | |||
@@ -0,0 +1,24 @@ | |||
1 | # gnome-maps profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | |||
10 | caps.drop all | ||
11 | nogroups | ||
12 | nonewprivs | ||
13 | noroot | ||
14 | nosound | ||
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | netfilter | ||
18 | shell none | ||
19 | tracelog | ||
20 | |||
21 | # private-bin gjs gnome-maps | ||
22 | private-tmp | ||
23 | private-dev | ||
24 | # private-etc fonts | ||
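--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,6 +5,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin gnome-mplayer
+private-dev
+private-tmp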
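Review bot: `private-bin gnome-mplayer` at new line 15 names only the front-end; gnome-mplayer plays media by launching the separate `mplayer` executable, so with `private-bin` restricting the sandbox's /bin to the listed programs playback will presumably fail — change it to `private-bin gnome-mplayer,mplayer` and confirm with a playback test. The rest of the hunk (`nogroups`, `nonewprivs`, `shell none`, `private-dev`, `private-tmp`) is consistent with the other profiles in this commit. The file's first four lines are outside the hunk.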
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile new file mode 100644 index 000000000..4a8adeb22 --- /dev/null +++ b/etc/gnome-music.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # gnome-music profile | ||
2 | noblacklist ~/.local/share/gnome-music | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | netfilter | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | # private-bin gnome-music,python3 | ||
20 | private-tmp | ||
21 | private-dev | ||
22 | # private-etc fonts | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile new file mode 100644 index 000000000..8f9d60cb5 --- /dev/null +++ b/etc/gnome-photos.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # gnome-photos profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | noblacklist ~/.local/share/gnome-photos | ||
6 | |||
7 | include /etc/firejail/disable-common.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | |||
12 | caps.drop all | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix | ||
18 | seccomp | ||
19 | netfilter | ||
20 | shell none | ||
21 | tracelog | ||
22 | |||
23 | # private-bin gjs gnome-photos | ||
24 | private-tmp | ||
25 | private-dev | ||
26 | # private-etc fonts | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile new file mode 100644 index 000000000..9f93b8f15 --- /dev/null +++ b/etc/gnome-weather.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # gnome-weather profile | ||
2 | |||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
4 | |||
5 | noblacklist ~/.cache/libgweather | ||
6 | |||
7 | include /etc/firejail/disable-common.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | |||
12 | caps.drop all | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix,inet,inet6 | ||
18 | seccomp | ||
19 | netfilter | ||
20 | shell none | ||
21 | tracelog | ||
22 | |||
23 | # private-bin gjs gnome-weather | ||
24 | private-tmp | ||
25 | private-dev | ||
26 | # private-etc fonts | ||
diff --git a/etc/goobox.profile b/etc/goobox.profile new file mode 100644 index 000000000..8990943fc --- /dev/null +++ b/etc/goobox.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # goobox profile | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | nogroups | ||
9 | nonewprivs | ||
10 | noroot | ||
11 | protocol unix | ||
12 | seccomp | ||
13 | netfilter | ||
14 | shell none | ||
15 | tracelog | ||
16 | |||
17 | # private-bin goobox | ||
18 | # private-tmp | ||
19 | # private-dev | ||
20 | # private-etc fonts | ||
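--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki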
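--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki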
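--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome
 whitelist ~/.cache/google-chrome
 mkdir ~/.pki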
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile new file mode 100644 index 000000000..b4cf8d9ac --- /dev/null +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Google Play Music desktop player profile | ||
2 | noblacklist ~/.config/Google Play Music Desktop Player | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | netfilter | ||
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
15 | |||
16 | #whitelist ~/.pulse | ||
17 | #whitelist ~/.config/pulse | ||
18 | whitelist ~/.config/Google Play Music Desktop Player | ||
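Review bot: `whitelist ~/.config/Google Play Music Desktop Player` on line 18 is not preceded by a `mkdir` of the same path, unlike the `mkdir`/`whitelist` pairs in franz.profile and inox.profile in this commit; as far as I recall firejail skips whitelist entries that do not exist yet, so on a first run the application writes its configuration into the temporary home and loses it on exit — add `mkdir ~/.config/Google Play Music Desktop Player` before line 18. The whitelist is also not followed by `include /etc/firejail/whitelist-common.inc`, so the common home entries that file provides are presumably absent; confirm by launching the sandbox. The commented `#whitelist ~/.pulse` and `#whitelist ~/.config/pulse` at lines 16–17 carry no reason for being disabled.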
diff --git a/etc/gpa.profile b/etc/gpa.profile new file mode 100644 index 000000000..7d7277190 --- /dev/null +++ b/etc/gpa.profile | |||
@@ -0,0 +1,23 @@ | |||
1 | # gpa profile | ||
2 | noblacklist ~/.gnupg | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | netfilter | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | # private-bin gpa,gpg | ||
21 | private-tmp | ||
22 | private-dev | ||
23 | # private-etc none | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile new file mode 100644 index 000000000..b0ebdf43c --- /dev/null +++ b/etc/gpg-agent.profile | |||
@@ -0,0 +1,23 @@ | |||
1 | # gpg-agent profile | ||
2 | noblacklist ~/.gnupg | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | netfilter | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | # private-bin gpg-agent,gpg | ||
21 | private-tmp | ||
22 | private-dev | ||
23 | # private-etc none | ||
diff --git a/etc/gpg.profile b/etc/gpg.profile new file mode 100644 index 000000000..31372eb90 --- /dev/null +++ b/etc/gpg.profile | |||
@@ -0,0 +1,24 @@ | |||
1 | # gpg profile | ||
2 | noblacklist ~/.gnupg | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | netfilter | ||
17 | net none | ||
18 | shell none | ||
19 | tracelog | ||
20 | |||
21 | # private-bin gpg,gpg-agent | ||
22 | private-tmp | ||
23 | private-dev | ||
24 | # private-etc none | ||
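Review bot: `net none` on line 17 puts gpg in an empty network namespace, so keyserver operations (`--recv-keys`, `--refresh-keys`, `--send-keys`) will fail under this profile; that is a reasonable default for a signing tool, but it should be written down, e.g. `# net none: keyserver access is intentionally unavailable in this sandbox`. With `net none` in effect the `netfilter` on line 16 has nothing to filter; highlight.profile and img2txt.profile in this commit carry the same redundant pair. gpg-agent.profile, by contrast, keeps `netfilter` without `net none` — if the gpg, gpg-agent and gpa profiles are meant to be aligned, pick one form.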
diff --git a/etc/gpredict.profile b/etc/gpredict.profile new file mode 100644 index 000000000..801304c18 --- /dev/null +++ b/etc/gpredict.profile | |||
@@ -0,0 +1,25 @@ | |||
1 | # Firejail profile for gpredict. | ||
2 | noblacklist ~/.config/Gpredict | ||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | include /etc/firejail/disable-programs.inc | ||
7 | |||
8 | # Whitelist | ||
9 | whitelist ~/.config/Gpredict | ||
10 | |||
11 | caps.drop all | ||
12 | netfilter | ||
13 | nogroups | ||
14 | nonewprivs | ||
15 | noroot | ||
16 | nosound | ||
17 | protocol unix,inet,inet6 | ||
18 | seccomp | ||
19 | shell none | ||
20 | tracelog | ||
21 | |||
22 | private-bin gpredict | ||
23 | private-etc fonts,resolv.conf | ||
24 | private-dev | ||
25 | private-tmp | ||
diff --git a/etc/gtar.profile b/etc/gtar.profile new file mode 100644 index 000000000..2f675cd9d --- /dev/null +++ b/etc/gtar.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | # gtar profile | ||
2 | quiet | ||
3 | include /etc/firejail/tar.profile | ||
diff --git a/etc/gthumb.profile b/etc/gthumb.profile new file mode 100644 index 000000000..055d78935 --- /dev/null +++ b/etc/gthumb.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # gthumb profile | ||
2 | noblacklist ${HOME}/.config/gthumb | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin gthumb | ||
20 | private-dev | ||
21 | private-tmp \ No newline at end of file | ||
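Review bot: The file ends without a trailing newline (`\ No newline at end of file` after `private-tmp` on line 21), while every other new profile in this range ends with one; add the newline so later appends and diffs stay clean. The option set itself matches the sibling image-viewer profiles.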
diff --git a/etc/gwenview.profile b/etc/gwenview.profile new file mode 100644 index 000000000..c866c9e63 --- /dev/null +++ b/etc/gwenview.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # KDE gwenview profile | ||
2 | noblacklist ~/.kde/share/apps/gwenview | ||
3 | noblacklist ~/.kde/share/config/gwenviewrc | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | nogroups | ||
11 | nonewprivs | ||
12 | noroot | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | nosound | ||
16 | |||
17 | private-dev | ||
18 | |||
19 | #Experimental: | ||
20 | #shell none | ||
21 | #private-bin gwenview | ||
22 | #private-etc X11 | ||
diff --git a/etc/gzip.profile b/etc/gzip.profile new file mode 100644 index 000000000..feb27c150 --- /dev/null +++ b/etc/gzip.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # gzip profile | ||
2 | quiet | ||
3 | ignore noroot | ||
4 | include /etc/firejail/default.profile | ||
5 | |||
6 | blacklist /tmp/.X11-unix | ||
7 | |||
8 | net none | ||
9 | no3d | ||
10 | nosound | ||
11 | shell none | ||
12 | tracelog | ||
13 | |||
14 | private-dev | ||
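Review bot: `ignore noroot` on line 3 is the one directive in this file that removes a protection brought in by the included `default.profile`, and it carries no explanation; a comment stating the reason belongs directly above it. Its placement before the `include` on line 4 is what makes it take effect — `ignore` only affects lines processed after it — and that ordering deserves a word in the same comment so nobody moves it below the include. `blacklist /tmp/.X11-unix` and `net none` on lines 6 and 8 are good fits for a filter tool.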
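--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,11 +7,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+nogroups
+nonewprivs
 noroot
-private-dev
 seccomp
 tracelog
 
+private-dev
+private-tmp
+
 mkdir ~/.hedgewars
 whitelist ~/.hedgewars
 include /etc/firejail/whitelist-common.inc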
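Review bot: The hardening block at new lines 9–15 adds `netfilter`, `nogroups` and `nonewprivs` but still has no `protocol` line, so the socket-family filter every other profile in this commit sets is missing here; add `protocol unix,inet,inet6` after `noroot` — hedgewars is a network game, so inet is needed, and netlink should not be granted unless shown necessary. Lines 1–6 of the file are outside the hunk; the header context (`include /etc/firejail/disable-devel.inc` at line 6) suggests they are the header, noblacklist and includes, so confirm no `protocol` line sits there before adding one. Moving `private-dev` into its own block with `private-tmp` is fine.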
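--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,10 +1,28 @@
 # HexChat instant messaging profile
+# Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+nogroups
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp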
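Review bot: `private-bin hexchat` at new line 25 is enabled while the note directly beneath it (line 26) records that it breaks on systems where HexChat's scripting plugins need `perl`/`python`, and line 2 labels the whole profile as in testing; shipping a known-breaking directive with the warning after it is the wrong way round. Either comment it out until the interpreter list is settled (`#private-bin hexchat` with the note moved above it and stating why), or enumerate the binaries actually executed and keep the note above the directive. The commented `#noblacklist /usr/lib/python2*`/`python3*` at lines 4–5 presumably relate to the same plugin issue and should say so.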
diff --git a/etc/highlight.profile b/etc/highlight.profile new file mode 100644 index 000000000..f95f3924a --- /dev/null +++ b/etc/highlight.profile | |||
@@ -0,0 +1,24 @@ | |||
1 | # highlight profile | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | nogroups | ||
9 | nonewprivs | ||
10 | noroot | ||
11 | nosound | ||
12 | protocol unix | ||
13 | seccomp | ||
14 | netfilter | ||
15 | net none | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin highlight | ||
20 | private-tmp | ||
21 | private-dev | ||
22 | |||
23 | |||
24 | |||
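--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,2 +1,50 @@
 # Firejail profile for GNU Icecat
-include /etc/firejail/firefox.profile
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+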
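Review bot: The hunk replaces `include /etc/firejail/firefox.profile` with a copied-out body, so icecat will no longer pick up future hardening or whitelist fixes made to firefox.profile; the only icecat-specific lines are 19–20 (`~/.cache/mozilla/icecat`), and the copy even keeps the commented `private-etc` list naming `iceweasel,firefox` but not `icecat` (line 49). Prefer keeping the include and adding the two cache lines next to it, the way icedove.profile in this commit layers its own `mkdir`/`whitelist` entries on top of the same include. If the copy is deliberate because firefox.profile carries something icecat must not inherit, a comment at the top saying so would prevent a later maintainer from reverting to the include. Lines 38–39 and 50 are stray blank lines.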
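--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -11,9 +11,11 @@ mkdir ~/.icedove
 whitelist ~/.icedove
 
 noblacklist ~/.cache/icedove
-mkdir ~/.cache
 mkdir ~/.cache/icedove
 whitelist ~/.cache/icedove
 
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
 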
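Review bot: `ignore private-tmp` at new line 18 is explained only by `# allow browsers` on line 17, which does not say what a browser launched from the mail client needs from a shared /tmp; since the line disables a protection that the included profile would otherwise bring in, spell the reason out, e.g. `# ignore private-tmp: a browser opened for a link must share /tmp with the host session` (adjusted to the real cause). The placement before the `include` on line 19 is what makes `ignore` take effect, and that is worth stating in the same comment so the two lines are not separated later. The commented chromium include on line 20 reads as a note to self — `chromium runs as suid!` — and should say what it means for a user who wants chromium here.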
diff --git a/etc/img2txt.profile b/etc/img2txt.profile new file mode 100644 index 000000000..d55a31cd0 --- /dev/null +++ b/etc/img2txt.profile | |||
@@ -0,0 +1,24 @@ | |||
1 | # img2txt profile | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | nogroups | ||
9 | nonewprivs | ||
10 | noroot | ||
11 | nosound | ||
12 | protocol unix | ||
13 | seccomp | ||
14 | netfilter | ||
15 | net none | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | #private-bin img2txt | ||
20 | private-tmp | ||
21 | private-dev | ||
22 | #private-etc none | ||
23 | |||
24 | |||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile new file mode 100644 index 000000000..a0e86b6c9 --- /dev/null +++ b/etc/inkscape.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # inkscape | ||
2 | noblacklist ${HOME}/.inkscape | ||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | |||
7 | caps.drop all | ||
8 | netfilter | ||
9 | nogroups | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | nosound | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | |||
16 | noexec ${HOME} | ||
17 | noexec /tmp | ||
18 | |||
19 | private-dev | ||
20 | private-tmp | ||
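diff --git a/etc/inox.profile b/etc/inox.profile
new file mode 100644
index 000000000..49d2f2835
--- /dev/null
+++ b/etc/inox.profile
@@ -0,0 +1,24 @@
+# Inox browser profile
+noblacklist ~/.config/inox
+noblacklist ~/.cache/inox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/inox
+whitelist ~/.config/inox
+mkdir ~/.cache/inox
+whitelist ~/.cache/inox
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc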
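Review bot: Lines 18–22 mount the user's KeePassX database (`~/keepassx.kdbx`, `~/.keepassx`) and LastPass state read-write into a browser jail that has no `caps.drop all`, `seccomp` or `noroot` at all (presumably because of the Chromium-style suid sandbox, as the icedove profile's "chromium runs as suid" comment hints), so a compromised renderer gets the same access to the password store as the user. If the goal is browser-extension integration, `read-only ~/keepassx.kdbx` and `read-only ~/.keepassx` keep that working while removing the write path, or the block could ship commented so users opt in. netsurf and palemoon in this commit carry the same five lines, so whichever way it goes should be applied consistently.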
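diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
new file mode 100644
index 000000000..1d6eb41f8
--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp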
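Review bot: jd-gui exists to open arbitrary, often untrusted, JAR/class files, yet this is one of the thinnest profiles in the commit: `nogroups`, `nosound`, `shell none`, `tracelog`, `private-dev` and `private-tmp` are all absent, although the other new GUI profiles (okular, kate) combine them with the same base set. Unless the decompiler genuinely needs the network (an update check, perhaps), `net none` would also close the obvious exfiltration path for a tool fed hostile input; at minimum a comment should say why `inet,inet6` stays open. Suggested additions after line 14: `nogroups`, `nosound`, `shell none`, `tracelog`, then `private-dev` and `private-tmp` in a trailing block.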
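diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..046499abe
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,17 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp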
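Review bot: `netfilter` is missing although line 12 opens `inet,inet6`; every other network-enabled profile in this commit pairs the protocol line with `netfilter`, and an Internet-facing VoIP/XMPP client is precisely where the client-side filter earns its keep. `private-dev` is also absent — almost certainly deliberate, since Jitsi needs audio and video device nodes, but a comment like the one palemoon carries (`#private-dev (disabled for now as it will interfere with webcam use ...)`) would make that explicit rather than leave it looking like an oversight.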
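diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..8a5fff0c6
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+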
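Review bot: Lines 17–20 leave all four `private-*` options commented with no reason given; for a disc burner the likely cause is that `private-dev` would hide the optical drive nodes and `private-bin` the cdrecord/growisofs/cdrdao helpers k3b execs, but that is inference — a comment stating which option broke what would keep someone from switching them back on. `caps.drop all` on a program whose helpers drive block devices is also worth a test note, since burning may need elevated capabilities on some setups (`noroot` plus `nonewprivs` would then stop a setuid cdrecord from working too). `tracelog` is absent relative to the sibling profiles.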
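diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts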
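Review bot: `#include /etc/firejail/disable-devel.inc` on line 11 is commented with no rationale while every neighbouring profile includes it; kate is a programmer's editor, so hiding compilers and build tools presumably breaks its build/project plugins, but that should be stated, e.g. `# disable-devel.inc left out: kate is used as a code editor and runs build tools`. It is also worth a comment that with `shell none` and `nonewprivs` set, anything launched from kate's embedded terminal or external-tools plugin (if those parts are installed — guessing) runs inside the jail and inherits these restrictions, so that is not reported later as a kate bug.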
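diff --git a/etc/keepass.profile b/etc/keepass.profile
new file mode 100644
index 000000000..18a5f4ebd
--- /dev/null
+++ b/etc/keepass.profile
@@ -0,0 +1,21 @@
+# keepass password manager profile
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev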
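Review bot: A password manager is given outbound network access here (`protocol unix,inet,inet6` plus `netfilter`, lines 15–17) while the keepassx profile right beside it restricts itself to `protocol unix`. KeePass 2 does have legitimate network uses — opening URLs, the update check, plugins — so this may be intentional, but the choice deserves a comment, and users who want an offline vault could be pointed at `net none`. `private-bin` is absent as well; that is hard to do cleanly because KeePass 2 runs under mono, and saying so in a comment would save the next person the experiment.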
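diff --git a/etc/keepass2.profile b/etc/keepass2.profile
new file mode 100644
index 000000000..9daa014e3
--- /dev/null
+++ b/etc/keepass2.profile
@@ -0,0 +1,5 @@
+# keepass password manager profile
+#noblacklist ${HOME}/.config/KeePass
+#noblacklist ${HOME}/.keepass
+
+include /etc/firejail/keepass.profile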
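Review bot: The commented line 2 names `~/.config/KeePass` with a capital K, whereas the included keepass.profile only un-blacklists the lowercase `${HOME}/.config/keepass`; KeePass 2 under mono writes its configuration to `~/.config/KeePass` to my knowledge, so if disable-passwdmgr.inc blacklists the capitalised directory, KeePass 2 silently loses (and cannot save) its config inside the jail. Either uncomment `noblacklist ${HOME}/.config/KeePass` here, or add both casings to keepass.profile, and note in a comment which binary actually uses which path. Paths are case-sensitive, so the two lines are not redundant.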
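diff --git a/etc/keepassx.profile b/etc/keepassx.profile
new file mode 100644
index 000000000..d8621773f
--- /dev/null
+++ b/etc/keepassx.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev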
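diff --git a/etc/kmail.profile b/etc/kmail.profile
index a7079661b..410ff36c6 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -7,8 +7,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 tracelog
+
+private-dev
+# private-tmp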
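Review bot: `# private-tmp` is added already commented out, with no explanation; kmail talks to akonadi and KDE IPC, which very likely keep sockets under /tmp, and if that is the reason a note such as `# private-tmp disabled: akonadi/kde sockets live in /tmp` makes it checkable when those components move to `$XDG_RUNTIME_DIR`. The rest of the hunk (`nogroups`, `nonewprivs`, `private-dev`) is straightforward hardening; the enclosing profile continues outside the hunk.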
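diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..c00b91c18
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,14 @@
+# Firejail konversation profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+noroot
+seccomp
+protocol unix,inet,inet6
+
+private-tmp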
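Review bot: `nonewprivs` is missing from lines 7–12; it appears in practically every other new profile in this commit (jitsi, mumble, mutt, keepass) and is cheap insurance for an IRC client that can run user scripts and accept DCC transfers. `shell none`, `tracelog` and `private-dev` are also absent relative to the siblings. Suggest inserting `nonewprivs` after `nogroups` on line 9 unless it is known to break konversation, in which case a comment should say so.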
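diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..08758aead
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,11 @@
+# less profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+net none
+nosound
+shell none
+tracelog
+
+private-dev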
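Review bot: `ignore noroot` on line 3 drops a default.profile restriction without saying why — the lxterminal profile at least records "somehow this breaks on Debian Jessie" for its own noroot omission; add the observed reason inline, e.g. `# noroot breaks less when invoked via sudo/man`, if that is what was seen. Also worth a comment: `shell none` only removes the shell wrapper firejail would use to start less; less's own `!command` and `v` escapes still spawn /bin/sh and $EDITOR inside the jail, so this profile does not turn the pager into a non-executing viewer. `private-bin less` should close those escapes (no /bin/sh in the jail), at the cost of LESSOPEN/lesspipe filters.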
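diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..d6aceb7a8
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+# whitelist /tmp/.X11-unix/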
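Review bot: `noblacklist /usr/local/sbin` on line 3 is an odd thing for an office suite to need and is unexplained; if some LibreOffice packaging (the upstream .deb/.rpm builds put launchers in unusual places — guessing) is the reason, a comment should say so, otherwise it reads like a leftover that widens the jail for no purpose. `shell none` is absent while most of the new profiles set it, and `# whitelist /tmp/.X11-unix/` on line 19 is commented without a reason. LibreOffice opens untrusted documents with macro support, so the profile deserves the same `nogroups`/`shell none`/`private-tmp` treatment as okular.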
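diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+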
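diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+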
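diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+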
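diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+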
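diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+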
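diff --git a/etc/lollypop.profile b/etc/lollypop.profile
new file mode 100644
index 000000000..41a662bca
--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp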
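diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+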
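diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+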
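diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+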
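diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
new file mode 100644
index 000000000..76e864e0c
--- /dev/null
+++ b/etc/luminance-hdr.profile
@@ -0,0 +1,23 @@
+# luminance-hdr
+noblacklist ${HOME}/.config/Luminance
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+noexec ${HOME}
+noexec /tmp
+
+private-tmp
+private-dev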
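diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index b6acf2587..12765c299 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,11 +1,10 @@
 # lxterminal (LXDE) profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+protocol unix,inet,inet6
+seccomp
 #noroot - somehow this breaks on Debian Jessie!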
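diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+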
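diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound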
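Review bot: `private-etc null` on line 18 does not match the convention used elsewhere in this commit (`private-etc none` in mediainfo/odt2txt, and only for tools under `net none`); `null` names a non-existent /etc entry, so the jail presumably ends up with an essentially empty /etc. mcabber is an XMPP client with `protocol inet,inet6`, and without `resolv.conf`, `hosts`, `nsswitch.conf` and the CA store it cannot resolve the server or verify its TLS certificate, so either connections fail outright or users end up disabling certificate checks to "fix" it. Suggest `private-etc resolv.conf,hosts,nsswitch.conf,ssl,localtime` and a test against a real server. `protocol inet,inet6` also omits `unix`, which a pure-ncurses client may tolerate but is a deviation from every other networked profile here, and `nogroups`/`tracelog` are absent.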
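diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+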
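diff --git a/etc/midori.profile b/etc/midori.profile
index 7fc27e07c..046c45d94 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -5,7 +5,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
 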
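diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7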
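Review bot: `private-bin mpv,youtube-dl,python2.7` on line 18 hard-codes the interpreter: youtube-dl is a script whose shebang is commonly `#!/usr/bin/env python` (distribution-dependent), so `env` and whatever name that shebang resolves to must be in the list too, or youtube-dl simply will not start inside the jail; pinning `python2.7` also ties the profile to one Python release. The `# to test` marker on line 16 says this was not verified, so until it is, shipping the `private-bin` line commented (as kate and lynx do) would be safer than shipping a known-untested one. `nogroups` and `tracelog` are absent relative to the neighbouring profiles.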
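diff --git a/etc/multimc5.profile b/etc/multimc5.profile
new file mode 100644
index 000000000..cc310f294
--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6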
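Review bot: `seccomp` is missing from the Options block (lines 23–27) — every other profile added in this commit enables it, and MultiMC downloads and launches Java code plus third-party mods, which is exactly the untrusted-code case the syscall filter is for. Unless it is known to break the JVM (the jd-gui profile, also Java, has `seccomp` and presumably works), add `seccomp` after `protocol unix,inet,inet6`. `nogroups`, `shell none` and `tracelog` are also absent relative to the siblings.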
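diff --git a/etc/mumble.profile b/etc/mumble.profile
new file mode 100644
index 000000000..ddd70822d
--- /dev/null
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin mumble
+private-tmp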
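diff --git a/etc/mupdf.profile b/etc/mupdf.profile
new file mode 100644
index 000000000..7f9261d8b
--- /dev/null
+++ b/etc/mupdf.profile
@@ -0,0 +1,30 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-etc fonts
+
+# mupdf will never write anything
+read-only ${HOME}
+
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm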
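diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 7b38b411a..acb13e6b9 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -8,15 +8,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.local/share/mupen64plus/
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
 
-noroot
 caps.drop all
-seccomp
 net none
+nonewprivs
+noroot
+seccomp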
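diff --git a/etc/mutt.profile b/etc/mutt.profile
new file mode 100644
index 000000000..2718421c5
--- /dev/null
+++ b/etc/mutt.profile
@@ -0,0 +1,40 @@
+# mutt email client profile
+noblacklist ~/.muttrc
+noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
+noblacklist ~/.mailcap
+noblacklist ~/.gnupg
+noblacklist ~/.mail
+noblacklist ~/.Mail
+noblacklist ~/mail
+noblacklist ~/Mail
+noblacklist ~/sent
+noblacklist ~/postponed
+noblacklist ~/.cache/mutt
+noblacklist ~/.w3m
+noblacklist ~/.elinks
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.signature
+noblacklist ~/.bogofilter
+noblacklist ~/.msmtprc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev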
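Review bot: The `noblacklist` block (lines 2–23) re-exposes several files mutt only reads — `~/.muttrc`, `~/.mutt/muttrc`, `~/.mailcap`, `~/.signature`, `~/.msmtprc` — but nothing makes them read-only, so a mutt process compromised through a hostile message can rewrite the mailcap/muttrc that decide which external program handles the next attachment, or lift the SMTP credentials kept in plaintext in `~/.msmtprc`. Adding `read-only ~/.mailcap`, `read-only ~/.muttrc`, `read-only ~/.mutt/muttrc` and `read-only ~/.msmtprc` costs nothing for normal use (mutt does not write them, to my knowledge) and removes an easy persistence path; `~/.gnupg` has to stay writable for gpg's lock and trustdb files, so it cannot get the same treatment. Also note that `shell none` does not stop mutt's own `!` shell escape or the editors it spawns, so the `.vim`/`.emacs.d` entries mean editor plugins run inside the jail too.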
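diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts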
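diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..2071e5519
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc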
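Review bot: The header on line 1, `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, is copy-pasted from the firefox profile and should read `# Firejail profile for NetSurf`. More substantively, lines 22–27 whitelist the KeePassX database and LastPass directories into the jail and `disable-passwdmgr.inc` is not included; that block is defensible for browsers with a password-manager extension, but NetSurf has no extension system as far as I know, so here it only hands a web browser read-write access to the password store. Suggest dropping those lines (or at minimum `read-only ~/keepassx.kdbx`) and adding `include /etc/firejail/disable-passwdmgr.inc` next to the other includes.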
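diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox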
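diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+
+read-only ${HOME}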
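diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..22e223cea
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,25 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+read-only ~/.kde/share/config/kdeglobals
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin okular,kbuildsycoca4,kbuildsycoca5
+# private-etc X11
+private-dev
+private-tmp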
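diff --git a/etc/openbox.profile b/etc/openbox.profile
index 6e2e5d6fd..f812768a1 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -5,8 +5,7 @@
 include /etc/firejail/disable-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
 noroot
-
+protocol unix,inet,inet6
+seccomp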
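diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp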
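Review bot: `netlink` in the protocol list on line 12 is unusual for a video editor and unexplained; within this commit it is otherwise only granted to browsers and mail clients (kmail, palemoon, netsurf). If OpenShot needs it (a Qt network-status monitor, perhaps — guessing), a comment should say so; otherwise `protocol unix,inet,inet6` is enough. `disable-devel.inc`, `nogroups` and `shell none` are also absent — the first presumably because OpenShot is Python-based, which again deserves a one-line comment rather than silent omission.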
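diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3d6edb286..12c91c744 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache
 mkdir ~/.cache/opera-beta
 whitelist ~/.cache/opera-beta
 mkdir ~/.pki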
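diff --git a/etc/opera.profile b/etc/opera.profile
index ff00eb349..e0c89a195 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache
 mkdir ~/.cache/opera
 whitelist ~/.cache/opera
 mkdir ~/.opera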
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index fc4ea453b..71deec6bc 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -1,31 +1,30 @@ | |||
1 | # Firejail profile for Pale Moon | 1 | # Firejail profile for Pale Moon |
2 | |||
3 | # Noblacklists | ||
4 | noblacklist ~/.moonchild productions/pale moon | 2 | noblacklist ~/.moonchild productions/pale moon |
5 | noblacklist ~/.cache/moonchild productions/pale moon | 3 | noblacklist ~/.cache/moonchild productions/pale moon |
6 | |||
7 | # Included profiles | ||
8 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
9 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
10 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/whitelist-common.inc | 7 | include /etc/firejail/whitelist-common.inc |
12 | 8 | ||
13 | # Options | ||
14 | caps.drop all | ||
15 | seccomp | ||
16 | protocol unix,inet,inet6,netlink | ||
17 | netfilter | ||
18 | tracelog | ||
19 | noroot | ||
20 | |||
21 | whitelist ${DOWNLOADS} | 9 | whitelist ${DOWNLOADS} |
22 | mkdir ~/.moonchild productions | 10 | mkdir ~/.moonchild productions |
23 | whitelist ~/.moonchild productions | 11 | whitelist ~/.moonchild productions |
24 | mkdir ~/.cache | ||
25 | mkdir ~/.cache/moonchild productions | ||
26 | mkdir ~/.cache/moonchild productions/pale moon | 12 | mkdir ~/.cache/moonchild productions/pale moon |
27 | whitelist ~/.cache/moonchild productions/pale moon | 13 | whitelist ~/.cache/moonchild productions/pale moon |
28 | 14 | ||
15 | caps.drop all | ||
16 | netfilter | ||
17 | nogroups | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | protocol unix,inet,inet6,netlink | ||
21 | seccomp | ||
22 | shell none | ||
23 | tracelog | ||
24 | |||
25 | private-bin palemoon | ||
26 | private-tmp | ||
27 | |||
29 | # These are uncommented in the Firefox profile. If you run into trouble you may | 28 | # These are uncommented in the Firefox profile. If you run into trouble you may |
30 | # want to uncomment (some of) them. | 29 | # want to uncomment (some of) them. |
31 | #whitelist ~/dwhelper | 30 | #whitelist ~/dwhelper |
@@ -40,9 +39,9 @@ whitelist ~/.cache/moonchild productions/pale moon | |||
40 | #whitelist ~/.pki | 39 | #whitelist ~/.pki |
41 | 40 | ||
42 | # For silverlight | 41 | # For silverlight |
43 | #whitelist ~/.wine-pipelight | 42 | #whitelist ~/.wine-pipelight |
44 | #whitelist ~/.wine-pipelight64 | 43 | #whitelist ~/.wine-pipelight64 |
45 | #whitelist ~/.config/pipelight-widevine | 44 | #whitelist ~/.config/pipelight-widevine |
46 | #whitelist ~/.config/pipelight-silverlight5.1 | 45 | #whitelist ~/.config/pipelight-silverlight5.1 |
47 | 46 | ||
48 | 47 | ||
@@ -55,3 +54,4 @@ whitelist ~/.config/lastpass | |||
55 | 54 | ||
56 | # experimental features | 55 | # experimental features |
57 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 56 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
57 | #private-dev (disabled for now as it will interfere with webcam use in palemoon) | ||
diff --git a/etc/parole.profile b/etc/parole.profile index 0c9a72143..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -8,8 +8,9 @@ private-etc passwd,group,fonts | |||
8 | private-bin parole,dbus-launch | 8 | private-bin parole,dbus-launch |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
14 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
15 | shell none | 16 | shell none |
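diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
new file mode 100644
index 000000000..6e50f37cf
--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp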
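Review bot: The profile leaves the network reachable (`protocol unix,inet,inet6` on new line 16 plus `netfilter` on line 13) for a PDF split/merge tool, and nothing on the page says which feature needs it; pdftotext.profile in this same commit uses `net none` and `protocol unix`, and the same treatment looks appropriate here unless some pdfsam feature is known to require network access. The header at lines 1–3 is a bare `#Profile for pdfsam`; a one-line note on what was verified to work under these options would help the next maintainer decide whether tightening is safe.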
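diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
new file mode 100644
index 000000000..632c9d15e
--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none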
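Review bot: `netfilter` on new line 14 has nothing to act on next to `net none` on line 15 — the filter applies to a network interface inside the sandbox's namespace, and `net none` gives the sandbox no interface — so the line only invites confusion about whether the tool has network access; drop it here and in ranger.profile (lines 14–15 of that file), which carries the same pair. I am not aware of `none` being a documented argument to `private-etc` (line 22); please confirm it yields an empty /etc rather than being parsed as a file name to copy.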
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index fd497f082..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -2,10 +2,20 @@ | |||
2 | noblacklist ${HOME}/.purple | 2 | noblacklist ${HOME}/.purple |
3 | 3 | ||
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
7 | 8 | ||
8 | caps.drop all | 9 | caps.drop all |
9 | seccomp | 10 | netfilter |
10 | protocol unix,inet,inet6 | 11 | nogroups |
12 | nonewprivs | ||
11 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin pidgin | ||
20 | private-dev | ||
21 | private-tmp | ||
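diff --git a/etc/pithos.profile b/etc/pithos.profile
new file mode 100644
index 000000000..8270b8bee
--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp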
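Review bot: Including whitelist-common.inc (new line 11) puts $HOME into whitelist mode, but the profile whitelists nothing of its own, so any settings pithos keeps under the home directory will be hidden inside the sandbox and not persisted. Compare psi-plus.profile in this commit, which pairs `noblacklist`, `mkdir` and `whitelist` for its config, data and cache directories before the include. Add the corresponding lines for pithos's configuration directory (its path is not on this page; check where the app writes), or drop the include if a blacklist-only profile is intended.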
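diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..dc8192b01
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,22 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+private-dev
+private-tmp
\ No newline at end of file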
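Review bot: The file ends without a trailing newline (`\ No newline at end of file` after line 22), and rtorrent.profile in this commit has the same. Every other new profile here ends with a newline; the missing one means the next line appended to this file will show up as a change to `private-tmp` as well.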
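diff --git a/etc/pluma.profile b/etc/pluma.profile
new file mode 100644
index 000000000..895cc2369
--- /dev/null
+++ b/etc/pluma.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/pluma
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+
+private-bin pluma
+private-dev
+private-tmp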
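Review bot: The header comment on new line 1 reads `# Firejail profile for Xed`, but this is pluma.profile and every other line refers to pluma (`noblacklist ${HOME}/.config/pluma`, `private-bin pluma`), so the header looks copied from another profile. Change it to `# Firejail profile for Pluma`.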
diff --git a/etc/polari.profile b/etc/polari.profile index 0bc46f3f7..ac9530c40 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc | |||
3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
5 | 5 | ||
6 | mkdir ${HOME}/.local | ||
7 | mkdir ${HOME}/.local/share/ | ||
8 | mkdir ${HOME}/.local/share/Empathy | 6 | mkdir ${HOME}/.local/share/Empathy |
9 | whitelist ${HOME}/.local/share/Empathy | 7 | whitelist ${HOME}/.local/share/Empathy |
10 | mkdir ${HOME}/.local/share/telepathy | 8 | mkdir ${HOME}/.local/share/telepathy |
11 | whitelist ${HOME}/.local/share/telepathy | 9 | whitelist ${HOME}/.local/share/telepathy |
12 | mkdir ${HOME}/.local/share/TpLogger | 10 | mkdir ${HOME}/.local/share/TpLogger |
13 | whitelist ${HOME}/.local/share/TpLogger | 11 | whitelist ${HOME}/.local/share/TpLogger |
14 | mkdir ${HOME}/.config | ||
15 | mkdir ${HOME}/.config/telepathy-account-widgets | 12 | mkdir ${HOME}/.config/telepathy-account-widgets |
16 | whitelist ${HOME}/.config/telepathy-account-widgets | 13 | whitelist ${HOME}/.config/telepathy-account-widgets |
17 | mkdir ${HOME}/.cache | ||
18 | mkdir ${HOME}/.cache/telepathy | 14 | mkdir ${HOME}/.cache/telepathy |
19 | whitelist ${HOME}/.cache/telepathy | 15 | whitelist ${HOME}/.cache/telepathy |
20 | mkdir ${HOME}/.purple | 16 | mkdir ${HOME}/.purple |
@@ -22,8 +18,8 @@ whitelist ${HOME}/.purple | |||
22 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
23 | 19 | ||
24 | caps.drop all | 20 | caps.drop all |
25 | seccomp | ||
26 | protocol unix,inet,inet6 | ||
27 | noroot | ||
28 | netfilter | 21 | netfilter |
29 | 22 | nonewprivs | |
23 | noroot | ||
24 | protocol unix,inet,inet6 | ||
25 | seccomp | ||
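diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..e4e69b9f6
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,22 @@
+# Firejail profile for Psi+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+include /etc/firejail/whitelist-common.inc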
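Review bot: The options block at new lines 16–20 lacks `nonewprivs`, which this commit adds to nearly every other profile it touches (parole, pidgin, polari, quassel, ssh, steam, …), and skypeforlinux.profile in this commit has the same gap; unless Psi+ is known to need a setuid helper, add `nonewprivs` after `netfilter`. The comparable qtox.profile also gains `nogroups`, `shell none` and `tracelog`, which would fit here too. A point of style: the `noblacklist` lines use `${HOME}` while the `mkdir`/`whitelist` lines for the same paths use `~`; one form makes the pairing easier to check.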
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 8bdc745fb..89e0e4c78 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -5,8 +5,15 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
11 | noroot | 10 | noroot |
12 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
15 | # there are some problems with "Open destination folder", see bug #536 | ||
16 | #shell none | ||
17 | #private-bin qbittorrent | ||
18 | private-dev | ||
19 | private-tmp | ||
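diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
new file mode 100644
index 000000000..f9c8e6345
--- /dev/null
+++ b/etc/qemu-launcher.profile
@@ -0,0 +1,19 @@
+# qemu-launcher profile
+noblacklist ~/.qemu-launcher
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
+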
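diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
new file mode 100644
index 000000000..65e1e44ea
--- /dev/null
+++ b/etc/qemu-system-x86_64.profile
@@ -0,0 +1,17 @@
+# qemu profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
+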
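Review bot: `caps.drop all`, `nonewprivs` and `noroot` (new lines 6, 9 and 10) will, as far as I can tell, stop any setuid or capability-bearing helper qemu would use for bridged/tap networking, leaving user-mode networking as the only option; that is a sensible default but the profile does not say so, and the first person whose bridge setup stops working will suspect the profile. A comment such as `# bridged/tap networking needs privileged helpers that caps.drop/nonewprivs block; user-mode networking only` after line 10 would record the trade-off. The same applies to qemu-launcher.profile in this commit.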
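diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
new file mode 100644
index 000000000..06c0db206
--- /dev/null
+++ b/etc/qpdfview.profile
@@ -0,0 +1,22 @@
+# qpdfview profile
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin qpdfview
+private-dev
+private-tmp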
diff --git a/etc/qtox.profile b/etc/qtox.profile index 80acc3873..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -3,13 +3,21 @@ noblacklist ${HOME}/.config/tox | |||
3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | 7 | ||
7 | mkdir ${HOME}/.config/tox | 8 | mkdir ${HOME}/.config/tox |
8 | whitelist ${HOME}/.config/tox | 9 | whitelist ${HOME}/.config/tox |
9 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
10 | include /etc/firejail/whitelist-common.inc | ||
11 | 11 | ||
12 | caps.drop all | 12 | caps.drop all |
13 | seccomp | 13 | netfilter |
14 | protocol unix,inet,inet6 | 14 | nogroups |
15 | nonewprivs | ||
15 | noroot | 16 | noroot |
17 | protocol unix,inet,inet6 | ||
18 | seccomp | ||
19 | shell none | ||
20 | tracelog | ||
21 | |||
22 | private-bin qtox | ||
23 | private-tmp | ||
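Review bot: Old line 10 `include /etc/firejail/whitelist-common.inc` is removed while the `mkdir`/`whitelist` lines at new lines 8–10 stay, so $HOME remains in whitelist mode but loses whatever that include granted (I believe X authority and font/theme directories — confirm against whitelist-common.inc), which can surface as the app failing to start rather than as a visible permission error. If dropping it is intentional, a comment above the whitelist block saying why would help; spotify.profile in this commit removes the same include in the same way.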
diff --git a/etc/quassel.profile b/etc/quassel.profile index 72004da7f..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
@@ -4,7 +4,8 @@ include /etc/firejail/disable-programs.inc | |||
4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
5 | 5 | ||
6 | caps.drop all | 6 | caps.drop all |
7 | seccomp | 7 | nonewprivs |
8 | protocol unix,inet,inet6 | ||
9 | noroot | 8 | noroot |
10 | netfilter | 9 | netfilter |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 934a374de..dcacd4f29 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -1,5 +1,4 @@ | |||
1 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser | 1 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser |
2 | |||
3 | noblacklist ~/.config/qutebrowser | 2 | noblacklist ~/.config/qutebrowser |
4 | noblacklist ~/.cache/qutebrowser | 3 | noblacklist ~/.cache/qutebrowser |
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
@@ -7,16 +6,18 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
8 | 7 | ||
9 | caps.drop all | 8 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6,netlink | ||
12 | netfilter | 9 | netfilter |
13 | tracelog | 10 | nonewprivs |
14 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | tracelog | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.config/qutebrowser | 17 | mkdir ~/.config/qutebrowser |
18 | whitelist ~/.config/qutebrowser | 18 | whitelist ~/.config/qutebrowser |
19 | mkdir ~/.cache | ||
20 | mkdir ~/.cache/qutebrowser | 19 | mkdir ~/.cache/qutebrowser |
21 | whitelist ~/.cache/qutebrowser | 20 | whitelist ~/.cache/qutebrowser |
21 | mkdir ~/.local/share/qutebrowser | ||
22 | whitelist ~/.local/share/qutebrowser | ||
22 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
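Review bot: New lines 21–22 add `mkdir ~/.local/share/qutebrowser` and `whitelist ~/.local/share/qutebrowser`, but the `noblacklist` lines at new lines 2–3 cover only ~/.config and ~/.cache; if disable-programs.inc blacklists the ~/.local/share path, the new whitelist is ineffective and the directory stays hidden. Add `noblacklist ~/.local/share/qutebrowser` next to the other two, matching how 0ad.profile and psi-plus.profile in this commit pair each whitelisted directory with a noblacklist.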
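diff --git a/etc/ranger.profile b/etc/ranger.profile
new file mode 100644
index 000000000..3538f3eb2
--- /dev/null
+++ b/etc/ranger.profile
@@ -0,0 +1,24 @@
+# ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+noblacklist ~/.config/ranger
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+
+private-tmp
+private-dev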
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 782cd3832..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -5,7 +5,15 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | noroot | ||
11 | netfilter | 8 | netfilter |
9 | nogroups | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | shell none | ||
15 | tracelog | ||
16 | |||
17 | private-bin rhythmbox | ||
18 | private-dev | ||
19 | private-tmp | ||
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index ae0430830..55bfcd77f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
11 | noroot | 10 | noroot |
12 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
15 | shell none | ||
16 | private-bin rtorrent | ||
17 | private-dev | ||
18 | private-tmp \ No newline at end of file | ||
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index a10d5b0ec..b981d9516 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -6,18 +6,16 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6,netlink | ||
11 | netfilter | 9 | netfilter |
12 | tracelog | 10 | nonewprivs |
13 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | tracelog | ||
14 | 15 | ||
15 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
16 | mkdir ~/.mozilla | ||
17 | mkdir ~/.mozilla/seamonkey | 17 | mkdir ~/.mozilla/seamonkey |
18 | whitelist ~/.mozilla/seamonkey | 18 | whitelist ~/.mozilla/seamonkey |
19 | mkdir ~/.cache | ||
20 | mkdir ~/.cache/mozilla | ||
21 | mkdir ~/.cache/mozilla/seamonkey | 19 | mkdir ~/.cache/mozilla/seamonkey |
22 | whitelist ~/.cache/mozilla/seamonkey | 20 | whitelist ~/.cache/mozilla/seamonkey |
23 | whitelist ~/dwhelper | 21 | whitelist ~/dwhelper |
@@ -41,11 +39,10 @@ whitelist ~/.lastpass | |||
41 | whitelist ~/.config/lastpass | 39 | whitelist ~/.config/lastpass |
42 | 40 | ||
43 | #silverlight | 41 | #silverlight |
44 | whitelist ~/.wine-pipelight | 42 | whitelist ~/.wine-pipelight |
45 | whitelist ~/.wine-pipelight64 | 43 | whitelist ~/.wine-pipelight64 |
46 | whitelist ~/.config/pipelight-widevine | 44 | whitelist ~/.config/pipelight-widevine |
47 | whitelist ~/.config/pipelight-silverlight5.1 | 45 | whitelist ~/.config/pipelight-silverlight5.1 |
48 | 46 | ||
49 | # experimental features | 47 | # experimental features |
50 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 48 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
51 | |||
diff --git a/etc/server.profile b/etc/server.profile index 1b3cb7207..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -6,8 +6,12 @@ include /etc/firejail/disable-common.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | no3d | ||
12 | nosound | ||
13 | seccomp | ||
14 | |||
9 | private | 15 | private |
10 | private-dev | 16 | private-dev |
11 | private-tmp | 17 | private-tmp |
12 | seccomp | ||
13 | |||
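diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
new file mode 100644
index 000000000..03089482b
--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts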
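Review bot: `#seccomp` on new line 15 disables the syscall filter with no explanation, and skanlite.profile in this commit does the same at its line 14; a reader cannot tell whether this records a known breakage or is left over from testing, and the profile is noticeably weaker without it. Replace the bare comment with one that states the reason and what failed, e.g. `# seccomp disabled: <what breaks, e.g. scanner backend access> — re-enable once confirmed`, or remove the line if it was only debugging residue. The commented-out `private-*` lines at 20–23 deserve the same one-line reason.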
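diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..4dcfa64d9
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+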
diff --git a/etc/skype.profile b/etc/skype.profile index 26feac1a4..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
9 | noroot | 10 | noroot |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
12 | seccomp | ||
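diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
new file mode 100644
index 000000000..3f0a274f9
--- /dev/null
+++ b/etc/skypeforlinux.profile
@@ -0,0 +1,11 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink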
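diff --git a/etc/slack.profile b/etc/slack.profile
new file mode 100644
index 000000000..a85a28f03
--- /dev/null
+++ b/etc/slack.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Slack
+noblacklist ${HOME}/.config/Slack
+noblacklist ${HOME}/Downloads
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+blacklist /var
+
+caps.drop all
+name slack
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin slack
+private-dev
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-tmp
+
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc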
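Review bot: New line 27 `mkdir ${HOME}/.config` reintroduces a parent-directory mkdir that this commit removes everywhere else (polari, spotify, seamonkey, thunderbird), and lines 3 and 30 hard-code `${HOME}/Downloads` where the other new profiles (psi-plus, qtox, snap) use `${DOWNLOADS}`. Assuming `mkdir` creates parents as the rest of the commit relies on, drop line 27 and write `noblacklist ${DOWNLOADS}` / `whitelist ${DOWNLOADS}` so a relocated downloads directory is honoured.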
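diff --git a/etc/snap.profile b/etc/snap.profile
new file mode 100644
index 000000000..e2ada3a99
--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,12 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+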
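Review bot: This profile sets none of the process restrictions every other profile in this commit carries — no `caps.drop all`, `seccomp`, `nonewprivs`, `noroot` or `protocol` — so it is a filesystem-only sandbox. If that is deliberate because snap's own confinement needs privileged helpers that those options would block (I believe so, but confirm), record it in the header, e.g. `# no caps.drop/seccomp/noroot: snap's own confinement needs privileged helpers`; otherwise add the usual block. The two trailing blank lines at 11–12 can go as well.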
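diff --git a/etc/soffice.profile b/etc/soffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+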
diff --git a/etc/spotify.profile b/etc/spotify.profile index fd4586dd5..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -7,24 +7,37 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify |
11 | # than a blacklist though, but this is all spotify requires for | ||
12 | # streaming audio | ||
13 | mkdir ${HOME}/.config | ||
14 | mkdir ${HOME}/.config/spotify | 11 | mkdir ${HOME}/.config/spotify |
15 | whitelist ${HOME}/.config/spotify | 12 | whitelist ${HOME}/.config/spotify |
16 | mkdir ${HOME}/.local | ||
17 | mkdir ${HOME}/.local/share | ||
18 | mkdir ${HOME}/.local/share/spotify | 13 | mkdir ${HOME}/.local/share/spotify |
19 | whitelist ${HOME}/.local/share/spotify | 14 | whitelist ${HOME}/.local/share/spotify |
20 | mkdir ${HOME}/.cache | ||
21 | mkdir ${HOME}/.cache/spotify | 15 | mkdir ${HOME}/.cache/spotify |
22 | whitelist ${HOME}/.cache/spotify | 16 | whitelist ${HOME}/.cache/spotify |
23 | include /etc/firejail/whitelist-common.inc | ||
24 | 17 | ||
25 | caps.drop all | 18 | caps.drop all |
26 | seccomp | ||
27 | protocol unix,inet,inet6,netlink | ||
28 | netfilter | 19 | netfilter |
20 | nogroups | ||
21 | nonewprivs | ||
29 | noroot | 22 | noroot |
23 | protocol unix,inet,inet6,netlink | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | private-bin spotify | ||
28 | private-etc fonts,machine-id,pulse,resolv.conf | ||
29 | private-dev | ||
30 | private-tmp | ||
30 | 31 | ||
32 | blacklist ${HOME}/.Xauthority | ||
33 | blacklist ${HOME}/.bashrc | ||
34 | blacklist /boot | ||
35 | blacklist /lost+found | ||
36 | blacklist /media | ||
37 | blacklist /mnt | ||
38 | blacklist /opt | ||
39 | blacklist /root | ||
40 | blacklist /sbin | ||
41 | blacklist /srv | ||
42 | blacklist /sys | ||
43 | blacklist /var | ||
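Review bot: `private-etc fonts,machine-id,pulse,resolv.conf` on new line 28 gives the client no CA-certificate files from /etc; if it validates TLS against the system store rather than a bundled one, login will fail inside the sandbox, so this deserves a test run before merging and a comment naming the certificate path to add if it does. Separately, old line 23 `include /etc/firejail/whitelist-common.inc` is removed while the `whitelist` lines stay, so $HOME remains in whitelist mode but loses whatever that include granted (X authority and font/theme directories, I believe — confirm); a comment explaining the removal would help.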
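diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..548ede37d
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,16 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp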
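Review bot: ssh-agent serves its clients over a unix socket only, yet new lines 12 and 15 grant `netfilter` and `protocol unix,inet,inet6`; the options read as copied from ssh.profile rather than chosen for the agent. Unless a use of the agent needs network sockets that I am not seeing, `protocol unix` together with `net none` is sufficient and removes the network entirely from a process that holds decrypted private keys. A short comment stating why `/tmp/ssh-*` must stay visible (line 4 — presumably so clients outside the sandbox can reach the socket) would also help.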
diff --git a/etc/ssh.profile b/etc/ssh.profile index 7b282bde6..b7a8ed2b9 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -1,12 +1,16 @@ | |||
1 | # ssh client | 1 | # ssh client |
2 | quiet | ||
2 | noblacklist ~/.ssh | 3 | noblacklist ~/.ssh |
4 | noblacklist /tmp/ssh-* | ||
5 | noblacklist /etc/ssh | ||
3 | 6 | ||
4 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 8 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
7 | 10 | ||
8 | caps.drop all | 11 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 12 | netfilter |
13 | nonewprivs | ||
12 | noroot | 14 | noroot |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
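diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
new file mode 100644
index 000000000..ee19cee25
--- /dev/null
+++ b/etc/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp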
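Review bot: `sed` appears twice in the `private-bin` list on new line 17 — harmless, but a sign the list was assembled by hand; drop the duplicate. The header on line 1 misspells the product name: `# Firejail profile for the Tor Browser Bundle`.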
diff --git a/etc/steam.profile b/etc/steam.profile index 4c96e8258..5dc5e80ff 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
11 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6,netlink | ||
12 | seccomp | 14 | seccomp |
13 | protocol unix,inet,inet6 | ||
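diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..d57c9e5f7
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+private-tmp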
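diff --git a/etc/strings.profile b/etc/strings.profile
new file mode 100644
index 000000000..2b7724b11
--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,11 @@
+# strings profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+net none
+nosound
+shell none
+tracelog
+
+private-dev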
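Review bot: `ignore noroot` on new line 3 overrides a restriction that default.profile sets, without saying why, and tar.profile in this commit does the same at its line 3. A one-line reason — e.g. `# ignore noroot: <reason, e.g. the tool is invoked from root-owned tooling>` — keeps the relaxation from being copied into profiles that do not need it.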
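diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
new file mode 100644
index 000000000..69b2a0db2
--- /dev/null
+++ b/etc/synfigstudio.profile
@@ -0,0 +1,19 @@
+# synfigstudio
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+
+noexec ${HOME}
+noexec /tmp
+
+private-dev
+private-tmp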
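diff --git a/etc/tar.profile b/etc/tar.profile
new file mode 100644
index 000000000..3addb02fb
--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,18 @@
+# tar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+hostname tar
+net none
+no3d
+nosound
+shell none
+tracelog
+
+# support compressed archives
+private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime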
diff --git a/etc/telegram.profile b/etc/telegram.profile index df6b6a270..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -5,11 +5,8 @@ include /etc/firejail/disable-programs.inc | |||
5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | noroot | ||
11 | netfilter | 8 | netfilter |
12 | 9 | nonewprivs | |
13 | whitelist ~/Downloads/Telegram Desktop | 10 | noroot |
14 | mkdir ${HOME}/.TelegramDesktop | 11 | protocol unix,inet,inet6 |
15 | whitelist ~/.TelegramDesktop | 12 | seccomp |
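Review bot: The new side of this hunk appears to end at line 12 (`seccomp`) with no counterpart for old lines 13–15 (`whitelist ~/Downloads/Telegram Desktop`, `mkdir ${HOME}/.TelegramDesktop`, `whitelist ~/.TelegramDesktop`), and the hunk counts `-5,11 +5,8` support that reading. If so, the change drops the whole home whitelist and the sandboxed client regains access to everything in $HOME that the disable-*.inc files do not blacklist — a hardening regression hidden inside what otherwise looks like a reordering. If the removal is intentional the commit should say why; otherwise the three lines should be restored after `seccomp`.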
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 7882367b9..568343ba6 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -11,9 +11,11 @@ mkdir ~/.thunderbird | |||
11 | whitelist ~/.thunderbird | 11 | whitelist ~/.thunderbird |
12 | 12 | ||
13 | noblacklist ~/.cache/thunderbird | 13 | noblacklist ~/.cache/thunderbird |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/thunderbird | 14 | mkdir ~/.cache/thunderbird |
16 | whitelist ~/.cache/thunderbird | 15 | whitelist ~/.cache/thunderbird |
17 | 16 | ||
17 | # allow browsers | ||
18 | ignore private-tmp | ||
18 | include /etc/firejail/firefox.profile | 19 | include /etc/firejail/firefox.profile |
20 | #include /etc/firejail/chromium.profile - chromium runs as suid! | ||
19 | 21 | ||
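Review bot: `ignore private-tmp` on new line 18 deliberately loosens the sandbox (it will share the host /tmp with every other process), and the comment `# allow browsers` does not say why browsers need that; the directive also cancels the `private-tmp` inside the firefox.profile included on the next line, which is worth stating. A comment along the lines of `# ignore private-tmp: the browser profile included below needs the shared /tmp to <reason>` should accompany it. The trailing `- chromium runs as suid!` on the commented include is unclear as well; if it means chromium's setuid sandbox helper cannot run under this profile, say that in a full sentence on its own comment line.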
diff --git a/etc/totem.profile b/etc/totem.profile index 4d87cbb85..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -1,11 +1,15 @@ | |||
1 | # Totem media player profile | 1 | # Totem media player profile |
2 | noblacklist ~/.config/totem | ||
3 | noblacklist ~/.local/share/totem | ||
4 | |||
2 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
6 | 9 | ||
7 | caps.drop all | 10 | caps.drop all |
8 | seccomp | 11 | nonewprivs |
9 | protocol unix,inet,inet6 | ||
10 | noroot | 12 | noroot |
11 | netfilter | 13 | netfilter |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
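diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts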
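Review bot: Lines 21–24 are four commented-out `private-*` directives with no explanation, so a reader cannot tell whether they were tried and broke tracker or are simply a to-do; either delete them or add the reason, e.g. `# private-bin/private-tmp/private-dev/private-etc disabled: <what broke>`. The same unexplained commented-out `private-*` lines appear in transmission-cli (line 20), transmission-show (21), w3m (20), xfburn (20–23), wget (18–19) and xpra (17, 20). The note on line 3 about systemd starting tracker is exactly the kind of comment those lines need.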
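diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..6cbc3415c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,23 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none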
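Review bot: `private-etc none` on line 23 sits uneasily with `protocol unix,inet,inet6` on line 15: the client is allowed to open network sockets, but with an empty /etc there is no `resolv.conf`, `hosts` or CA bundle, so tracker lookups and HTTPS announces are expected to fail unless `none` is special-cased by the firejail version in use (I cannot confirm that from this page). If `none` is meant literally, `private-etc resolv.conf,hosts,ssl` would keep the hardening while leaving DNS and TLS working, or a comment should say that name resolution is intentionally unavailable. The same pairing is in w3m (lines 14 and 23); transmission-show has `net none` and is consistent with an empty /etc.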
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index d61d36a8c..fa54ea81b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # transmission-gtk profile | 1 | # transmission-gtk bittorrent profile |
2 | noblacklist ${HOME}/.config/transmission | 2 | noblacklist ${HOME}/.config/transmission |
3 | noblacklist ${HOME}/.cache/transmission | 3 | noblacklist ${HOME}/.cache/transmission |
4 | 4 | ||
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc | |||
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
14 | noroot | 13 | noroot |
15 | tracelog | ||
16 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | private-bin transmission-gtk | ||
21 | private-dev | ||
22 | private-tmp | ||
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 3db7a5452..100fadc27 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # transmission-qt profile | 1 | # transmission-qt bittorrent profile |
2 | noblacklist ${HOME}/.config/transmission | 2 | noblacklist ${HOME}/.config/transmission |
3 | noblacklist ${HOME}/.cache/transmission | 3 | noblacklist ${HOME}/.cache/transmission |
4 | 4 | ||
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc | |||
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
14 | noroot | 13 | noroot |
15 | tracelog | ||
16 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | private-bin transmission-qt | ||
21 | private-dev | ||
22 | private-tmp | ||
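diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none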
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index ef5aa7d4a..3ba28f772 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -6,13 +6,19 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
12 | noroot | 11 | noroot |
12 | nosound | ||
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | shell none | ||
16 | |||
17 | private-bin uget-gtk | ||
18 | private-dev | ||
19 | private-tmp | ||
13 | 20 | ||
14 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
15 | mkdir ~/.config | ||
16 | mkdir ~/.config/uGet | 22 | mkdir ~/.config/uGet |
17 | whitelist ~/.config/uGet | 23 | whitelist ~/.config/uGet |
18 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 4365e4fee..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 12 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 13 | ||
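Review bot: The `seccomp.drop` list on new line 12 names `perf_event_open` twice (once after `lookup_dcookie` and again as the last entry); harmless, but the duplicate suggests the list is maintained by hand and is worth deduplicating while the line is being touched. The only functional change in the hunk is the added `nosound`.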
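diff --git a/etc/unrar.profile b/etc/unrar.profile
new file mode 100644
index 000000000..bde6f4e22
--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,18 @@
+# unrar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+hostname unrar
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+private-tmp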
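diff --git a/etc/unzip.profile b/etc/unzip.profile
new file mode 100644
index 000000000..8c10d11a0
--- /dev/null
+++ b/etc/unzip.profile
@@ -0,0 +1,16 @@
+# unzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+
+hostname unzip
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime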
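diff --git a/etc/uudeview.profile b/etc/uudeview.profile
new file mode 100644
index 000000000..d5b750a13
--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,15 @@
+# uudeview profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /etc
+
+hostname uudeview
+net none
+nosound
+shell none
+tracelog
+
+private-bin uudeview
+private-dev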
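Review bot: `blacklist /etc` on line 6 hides the whole directory — including `/etc/ld.so.cache`, `/etc/passwd` and `/etc/localtime` — whereas the sibling archive profiles tar, unrar and unzip use `private-etc passwd,group,localtime`; it is worth confirming that uudeview still starts and handles file ownership and timestamps with no view of /etc at all, and switching to `private-etc` if it needs any of those files. A short comment on why /etc is blacklisted outright rather than narrowed would help either way.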
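diff --git a/etc/vim.profile b/etc/vim.profile
new file mode 100644
index 000000000..b161fcbb0
--- /dev/null
+++ b/etc/vim.profile
@@ -0,0 +1,16 @@
+# vim profile
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp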
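Review bot: The profile keeps network access (`protocol unix,inet,inet6` and `netfilter`, lines 15 and 11) and stops at `seccomp`, while the editor profile xed in this same commit also sets `nosound`, `shell none`, `private-dev` and `private-tmp`; since vim has built-in shell escapes, those extra lines matter at least as much here as in xed. If the network is kept on purpose (netrw, plugin managers), a comment saying so would justify the difference; otherwise `net none` is the safer default for a local editor, and `disable-devel.inc` is missing where every other new profile includes it.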
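diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
new file mode 100644
index 000000000..36a1e0704
--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,12 @@
+# VirtualBox profile
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist /usr/bin/virtualbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+
+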
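Review bot: The option block is `caps.drop all` alone — no `seccomp`, `nonewprivs` or `noroot` — and nothing says why; since VirtualBox's Linux frontends are setuid-root helpers that `nonewprivs`/`noroot` would break, the omission is probably deliberate, but the profile should state it, e.g. `# no nonewprivs/noroot/seccomp: VirtualBox frontends are setuid root`. `noblacklist /usr/bin/virtualbox` on line 5 implies one of the included .inc files blacklists that binary; naming which one in a comment would help the next reader. Lines 11–12 are trailing blank lines.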
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 449d9a168..08b046847 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc | |||
8 | netfilter | 8 | netfilter |
9 | 9 | ||
10 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
11 | mkdir ~/.config | ||
12 | mkdir ~/.config/vivaldi | 11 | mkdir ~/.config/vivaldi |
13 | whitelist ~/.config/vivaldi | 12 | whitelist ~/.config/vivaldi |
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/vivaldi | 13 | mkdir ~/.cache/vivaldi |
16 | whitelist ~/.cache/vivaldi | 14 | whitelist ~/.cache/vivaldi |
17 | include /etc/firejail/whitelist-common.inc | 15 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/vlc.profile b/etc/vlc.profile index 061ae6f78..2fd763f25 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -7,7 +7,14 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | ||
12 | noroot | ||
13 | netfilter | 10 | netfilter |
11 | nogroups | ||
12 | nonewprivs | ||
13 | noroot | ||
14 | protocol unix,inet,inet6,netlink | ||
15 | seccomp | ||
16 | shell none | ||
17 | |||
18 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
19 | private-dev | ||
20 | private-tmp | ||
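Review bot: `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` on new line 18 lists the front-end wrappers, but on Debian-style installs `cvlc`, `nvlc`, `rvlc`, `qvlc` and `svlc` are `/bin/sh` scripts that `exec /usr/bin/vlc -I …`; without `sh` in the list they cannot start inside the sandbox. If those wrappers are shell scripts on the target distribution, add `sh` (as tar.profile in this commit does), or drop them and document that only `vlc` is supported.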
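diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none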
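diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..7c7efade8
--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,26 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin warzone2100
+private-dev
+private-tmp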
diff --git a/etc/weechat.profile b/etc/weechat.profile index 280a5f9d8..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
@@ -4,8 +4,12 @@ include /etc/firejail/disable-common.inc | |||
4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
5 | 5 | ||
6 | caps.drop all | 6 | caps.drop all |
7 | seccomp | ||
8 | protocol unix,inet,inet6 | ||
9 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
10 | noroot | 9 | noroot |
11 | netfilter | 10 | protocol unix,inet,inet6 |
11 | seccomp | ||
12 | |||
13 | # no private-bin support for various reasons: | ||
14 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, | ||
15 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file | ||
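Review bot: The new comment block (lines 13–15) is cut off: it ends in `xferloading plugins` with no newline at end of file, so the plugin list runs into what looks like a stray fragment of program output. It should end `…, trigger, xfer` followed by a newline, or be condensed to one line that states the reason, e.g. `# no private-bin: weechat loads script interpreters (guile, lua, perl, python, ruby, tcl) and the exec/xfer plugins spawn binaries outside any fixed list`.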
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 340ba0db5..bb489ddeb 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
@@ -9,20 +9,16 @@ include /etc/firejail/disable-devel.inc | |||
9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | 10 | ||
11 | caps.drop all | 11 | caps.drop all |
12 | seccomp | 12 | nonewprivs |
13 | protocol unix,inet,inet6 | ||
14 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
15 | 16 | ||
16 | private-dev | 17 | private-dev |
18 | private-tmp | ||
17 | 19 | ||
18 | whitelist /tmp/.X11-unix | ||
19 | |||
20 | mkdir ${HOME}/.local | ||
21 | mkdir ${HOME}/.local/share | ||
22 | mkdir ${HOME}/.local/share/wesnoth | 20 | mkdir ${HOME}/.local/share/wesnoth |
23 | mkdir ${HOME}/.config | ||
24 | mkdir ${HOME}/.config/wesnoth | 21 | mkdir ${HOME}/.config/wesnoth |
25 | mkdir ${HOME}/.cache | ||
26 | mkdir ${HOME}/.cache/wesnoth | 22 | mkdir ${HOME}/.cache/wesnoth |
27 | whitelist ${HOME}/.local/share/wesnoth | 23 | whitelist ${HOME}/.local/share/wesnoth |
28 | whitelist ${HOME}/.config/wesnoth | 24 | whitelist ${HOME}/.config/wesnoth |
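diff --git a/etc/wget.profile b/etc/wget.profile
new file mode 100644
index 000000000..d9bca2acc
--- /dev/null
+++ b/etc/wget.profile
@@ -0,0 +1,22 @@
+# wget profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+
+# private-bin wget
+# private-etc resolv.conf
+private-dev
+private-tmp
+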
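Review bot: `# private-etc resolv.conf` on line 19 is commented out without a reason; if it was disabled because HTTPS also needs the CA bundle under `/etc/ssl` (and resolution likely needs `/etc/hosts` and `/etc/nsswitch.conf`), then `private-etc resolv.conf,hosts,nsswitch.conf,ssl` would restore the hardening instead of leaving all of /etc visible to a network-facing downloader. Whatever the reason, it should be written next to the directive. Lines 16–17 and 22 are stray blank lines.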
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..d4e69948e 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -1,5 +1,6 @@ | |||
1 | # common whitelist for all profiles | 1 | # common whitelist for all profiles |
2 | 2 | ||
3 | whitelist ~/.XCompose | ||
3 | whitelist ~/.config/mimeapps.list | 4 | whitelist ~/.config/mimeapps.list |
4 | whitelist ~/.icons | 5 | whitelist ~/.icons |
5 | whitelist ~/.config/user-dirs.dirs | 6 | whitelist ~/.config/user-dirs.dirs |
@@ -13,16 +14,25 @@ whitelist ~/.fonts.d | |||
13 | whitelist ~/.fontconfig | 14 | whitelist ~/.fontconfig |
14 | whitelist ~/.fonts.conf | 15 | whitelist ~/.fonts.conf |
15 | whitelist ~/.fonts.conf.d | 16 | whitelist ~/.fonts.conf.d |
17 | whitelist ~/.local/share/fonts | ||
16 | whitelist ~/.config/fontconfig | 18 | whitelist ~/.config/fontconfig |
17 | whitelist ~/.cache/fontconfig | 19 | whitelist ~/.cache/fontconfig |
18 | 20 | ||
19 | # gtk | 21 | # gtk |
20 | whitelist ~/.gtkrc | 22 | whitelist ~/.gtkrc |
21 | whitelist ~/.gtkrc-2.0 | 23 | whitelist ~/.gtkrc-2.0 |
24 | whitelist ~/.config/gtk-2.0 | ||
22 | whitelist ~/.config/gtk-3.0 | 25 | whitelist ~/.config/gtk-3.0 |
23 | whitelist ~/.themes | 26 | whitelist ~/.themes |
27 | whitelist ~/.kde/share/config/gtkrc | ||
28 | whitelist ~/.kde/share/config/gtkrc-2.0 | ||
24 | 29 | ||
25 | # dconf | 30 | # dconf |
26 | mkdir ~/.config | ||
27 | mkdir ~/.config/dconf | 31 | mkdir ~/.config/dconf |
28 | whitelist ~/.config/dconf | 32 | whitelist ~/.config/dconf |
33 | |||
34 | # qt/kde | ||
35 | whitelist ~/.config/kdeglobals | ||
36 | whitelist ~/.kde/share/config/oxygenrc | ||
37 | whitelist ~/.kde/share/config/kdeglobals | ||
38 | whitelist ~/.kde/share/icons | ||
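Review bot: The new entries on lines 24, 27–28 and 35–38 whitelist shared toolkit configuration (`~/.config/gtk-2.0`, `~/.kde/share/config/gtkrc`, `~/.config/kdeglobals`, `oxygenrc`, …) read-write for every profile that includes this file, so a compromised sandboxed application could rewrite settings that every other sandboxed program then loads. Unless an application is known to write them, pairing the whitelist with `read-only` (e.g. `read-only ~/.config/kdeglobals`, the directive zathura.profile in this commit already uses) keeps them readable without turning them into a cross-sandbox persistence point.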
diff --git a/etc/wine.profile b/etc/wine.profile index ea6db8511..18e5346af 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
12 | noroot | 13 | noroot |
13 | seccomp | 14 | seccomp |
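diff --git a/etc/wire.profile b/etc/wire.profile
new file mode 100644
index 000000000..ec8ed8771
--- /dev/null
+++ b/etc/wire.profile
@@ -0,0 +1,23 @@
+# wire messenger profile
+noblacklist ~/.config/Wire
+noblacklist ~/.config/wire
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-tmp
+private-dev
+
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire"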
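diff --git a/etc/wireshark.profile b/etc/wireshark.profile
new file mode 100644
index 000000000..898fc787e
--- /dev/null
+++ b/etc/wireshark.profile
@@ -0,0 +1,22 @@
+# Firejail profile for
+noblacklist ${HOME}/.config/wireshark
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin wireshark
+private-dev
+private-tmp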
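Review bot: The header on line 1 reads `# Firejail profile for` with the program name missing. More importantly, the profile should state that it only supports opening capture files: `caps.drop all`, `nonewprivs` and `noroot` stop dumpcap from acquiring CAP_NET_RAW/CAP_NET_ADMIN, and `protocol unix,inet,inet6,netlink` on line 15 omits `packet`, so live capture cannot work inside this sandbox. A comment such as `# offline analysis only: live capture (dumpcap, AF_PACKET) is blocked by nonewprivs/noroot and the protocol filter` would set expectations and stop users from weakening the profile to "fix" capture.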
diff --git a/etc/xchat.profile b/etc/xchat.profile index fcea4245e..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
@@ -6,6 +6,9 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | 9 | nonewprivs |
10 | protocol unix,inet,inet6 | ||
11 | noroot | 10 | noroot |
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
13 | |||
14 | # private-bin requires perl, python, etc. | ||
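diff --git a/etc/xed.profile b/etc/xed.profile
new file mode 100644
index 000000000..051710a70
--- /dev/null
+++ b/etc/xed.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/xed
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+
+private-bin xed
+private-dev
+private-tmp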
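diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts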
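Review bot: `nogroups` on line 10 drops supplementary groups, and on most distributions writing to `/dev/sr*` requires membership in `cdrom` (or `optical`), so a non-root user is likely to lose the ability to burn from inside this sandbox; please verify, and either remove `nogroups` with a comment or document the limitation. The commented-out `# private-dev` on line 22 is presumably disabled because a private /dev would hide the optical drive as well — if so, say that next to the directive instead of leaving a bare commented line.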
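diff --git a/etc/xiphos.profile b/etc/xiphos.profile
new file mode 100644
index 000000000..b7fb6ecf3
--- /dev/null
+++ b/etc/xiphos.profile
@@ -0,0 +1,30 @@
+# Firejail profile for xiphos
+noblacklist ~/.sword
+noblacklist ~/.xiphos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xiphos
+private-etc fonts,resolv.conf,sword
+private-dev
+private-tmp
+
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos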
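Review bot: `blacklist ~/.Xauthority` on line 11 is likely to stop this GTK front end from connecting to the X server on setups that keep the cookie in that file, and the two `whitelist ${HOME}/…` lines at the end already hide everything else in $HOME, which makes `blacklist ~/.bashrc` on line 10 redundant as well. If the intent is simply to hide the home directory, the whitelists achieve that alone and lines 10–11 can go; if something else is intended, a comment should state what the two blacklists are meant to prevent. The profile also does not include whitelist-common.inc, which the other whitelisting profiles in this commit use for fonts/gtk settings — worth confirming that is deliberate.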
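diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
new file mode 100644
index 000000000..b255ffdbb
--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+
+include /etc/firejail/xonotic.profile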
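diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
new file mode 100644
index 000000000..783667304
--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+
+include /etc/firejail/xonotic.profile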
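diff --git a/etc/xonotic.profile b/etc/xonotic.profile
new file mode 100644
index 000000000..75d649619
--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp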
diff --git a/etc/generic.profile b/etc/xpdf.profile index f2c7d4114..7ea368bbe 100644 --- a/etc/generic.profile +++ b/etc/xpdf.profile | |||
@@ -1,15 +1,18 @@ | |||
1 | ################################ | 1 | ################################ |
2 | # Generic GUI application profile | 2 | # xpdf application profile |
3 | ################################ | 3 | ################################ |
4 | noblacklist ${HOME}/.xpdfrc | ||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
7 | 8 | ||
8 | #blacklist ${HOME}/.wine | ||
9 | |||
10 | caps.drop all | 9 | caps.drop all |
11 | seccomp | 10 | net none |
12 | protocol unix,inet,inet6 | 11 | nonewprivs |
13 | netfilter | ||
14 | noroot | 12 | noroot |
13 | protocol unix | ||
14 | shell none | ||
15 | seccomp | ||
15 | 16 | ||
17 | private-dev | ||
18 | private-tmp | ||
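Review bot: This section renames `etc/generic.profile` to `etc/xpdf.profile` and specialises it, so any other profile or user configuration that does `include /etc/firejail/generic.profile` will fail to load once the file is gone (I cannot see from this page whether anything references it). If generic.profile was meant as a reusable template, keeping it and adding xpdf.profile alongside is safer than renaming; if the rename is intended, the commit message should call out the removal.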
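diff --git a/etc/xplayer.profile b/etc/xplayer.profile
new file mode 100644
index 000000000..191d2f67f
--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,22 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+private-tmp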
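diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+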
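diff --git a/etc/xreader.profile b/etc/xreader.profile
new file mode 100644
index 000000000..d2a000bd0
--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,23 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
+private-tmp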
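Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` on line 21 has spaces after the commas; firejail splits that list on `,`, so the second and third entries carry a leading space and will not be found in PATH (silently missing or rejected, depending on the version) — write `private-bin xreader,xreader-previewer,xreader-thumbnailer` as every other `private-bin` line in this commit does. Separately, `noblacklist ~/.local/share` on line 4 re-exposes the whole directory rather than `~/.local/share/xreader`, undoing any per-application blacklist the included disable-*.inc files place under it; xplayer and zathura in this same commit scope theirs to the application's own subdirectory.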
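diff --git a/etc/xviewer.profile b/etc/xviewer.profile
new file mode 100644
index 000000000..ca380b4c7
--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,21 @@
+# xviewer profile
+noblacklist ~/.config/xviewer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-bin xviewer
+private-tmp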
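diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..5b29f7338
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,3 @@
+# xz profile
+quiet
+include /etc/firejail/cpio.profile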
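diff --git a/etc/xzdec.profile b/etc/xzdec.profile
new file mode 100644
index 000000000..6164e3200
--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,14 @@
+# xzdec profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-dev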
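diff --git a/etc/zathura.profile b/etc/zathura.profile
new file mode 100644
index 000000000..6c93a2480
--- /dev/null
+++ b/etc/zathura.profile
@@ -0,0 +1,26 @@
+# zathura document viewer profile
+noblacklist ~/.config/zathura
+noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-bin zathura
+private-dev
+private-etc fonts
+private-tmp
+
+read-only ~/
+read-write ~/.local/share/zathura/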
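diff --git a/etc/zoom.profile b/etc/zoom.profile
new file mode 100644
index 000000000..4c08868cf
--- /dev/null
+++ b/etc/zoom.profile
@@ -0,0 +1,22 @@
+# Firejail profile for zoom.us
+noblacklist ~/.config/zoomus.conf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+
+# Whitelists
+
+mkdir ~/.zoom
+whitelist ~/.zoom
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-tmp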
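Review bot: `noblacklist ~/.config/zoomus.conf` on line 2 has no effect once `whitelist ~/.zoom` (line 12) is active: with a home whitelist in force everything else under $HOME is hidden, so the config file stays unreachable unless it is whitelisted too — add `whitelist ~/.config/zoomus.conf` next to line 12. The profile also skips `include /etc/firejail/whitelist-common.inc`, which the other whitelisting profiles in this commit (uget-gtk, vivaldi, xonotic) pull in for fonts/gtk settings, and `disable-passwdmgr.inc`, which every sibling includes; both look like omissions rather than choices. Lines 7–8 and 13–14 are doubled blank lines.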