Diffstat (limited to 'etc')
50 files changed, 951 insertions, 4 deletions
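--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile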
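--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp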
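Review bot: `whitelist ${HOME}/.ViberPC` on new line 17 has no preceding `mkdir ${HOME}/.ViberPC`, unlike the dooble profile added in this same commit. As far as I know, a whitelist entry for a directory that does not yet exist has nothing to bind, so on first launch the application's data ends up in the temporary home view and is lost when the sandbox exits; adding `mkdir ${HOME}/.ViberPC` before the whitelist avoids that. The same applies to `whitelist ${HOME}/.aMule` in etc/amule.profile. Separately, `private-bin` on line 33 keeps `sh,bash,dash` available in a sandbox that sets `shell none`; a short comment on which of them Viber actually needs would make later tightening easier.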
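--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 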
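--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp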
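--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile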
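--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp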
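Review bot: `private-bin` (new line 31) and `private-etc` (new line 33) are added commented out with no explanation, so the profile ships with the full binary directories and /etc visible and a later maintainer cannot tell whether the restriction was tried and broke something or was never tested. A one-line comment above each, for example `# private-bin disabled: <what breaks>`, would be enough. The same pattern appears in this commit in cin, darktable, dia, fetchmail, inkscape, luminance-hdr, macrofusion and mpd (`#private-bin`) and in kdenlive (`#private-etc`).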
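--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev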
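--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp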
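Review bot: `protocol unix` on new line 21 is not paired with `net none`, unlike the other unix-only profiles added in this commit (ardour5, cin, freecad, imagej, krita, lmms, macrofusion). The protocol filter blocks inet sockets, but without a separate network namespace the sandbox still shares the host's, including its abstract unix sockets. If Calligra has no need for the network, adding `net none` after `ipc-namespace` keeps it consistent with its siblings; if it was left out on purpose, a comment should say why. `private-tmp` is also absent here while most of the sibling profiles set it.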
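--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile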
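--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile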
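--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile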
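--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile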
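--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile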
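--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile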
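--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile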
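--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile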
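--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp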
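--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 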
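--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 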
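--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -124,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -188,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -212,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -410,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori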
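Review bot: Several profiles added in this commit carry `noblacklist` lines for paths that none of these hunks blacklist: `${HOME}/.linphonerc` and `${HOME}/.linphone-history.db`, `${HOME}/.mpdconf`, `${HOME}/.lmmsrc.xml`, `${HOME}/.bcast5`, `${HOME}/.config/ardour4`, `${HOME}/.config/ardour5`, `${HOME}/.Natron` and `${HOME}/.config/INRIA`. Only parts of the file are visible here, so some of them may already be listed elsewhere. Any that are not stay readable from every other sandbox that relies on this include, and the matching `noblacklist` lines do nothing. Each is worth checking, with entries such as `blacklist ${HOME}/.linphonerc` and `blacklist ${HOME}/.mpdconf` added in sorted position where missing.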
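--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile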
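--- /dev/null
+++ b/etc/dooble.profile
@@ -0,0 +1,39 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble-qt4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp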
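Review bot: New line 4 includes `/etc/firejail/dooble-qt4.local`, although this file is dooble.profile and every other full profile in the commit includes its own `<name>.local`. As written, overrides a user places in dooble.local are never read, so hardening or exceptions added there silently do not apply; the line most likely should be `include /etc/firejail/dooble.local`. The `protocol` line on 29 also allows `netlink`, which no other profile in this commit does, and a one-line comment saying why the browser needs it would help reviewers.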
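--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,29 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin fetchmail,procmail,bash,chmod
+private-dev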
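--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/FreeCAD
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp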
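--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/freecad.profile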
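--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,48 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
+private-dev
+
+noexec ${HOME}
+noexec /tmp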
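--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
 
+private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
 private-tmp
 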
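--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,35 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.imagej
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp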
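--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin inkscape
 private-dev
 private-tmp
 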
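--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/krita.profile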
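--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,30 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+#private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp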
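Review bot: `net none` on new line 15 is combined with `protocol unix,inet,inet6` on line 21, while every other `net none` profile added in this commit restricts the filter to `protocol unix`. With the sandbox cut off from the network the inet families add socket surface for little benefit, so `protocol unix` would be the tighter and more consistent setting. If one of the helpers listed in `private-bin` needs loopback sockets, a comment above the `protocol` line should say so.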
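--- /dev/null
+++ b/etc/krita.profile
@@ -0,0 +1,32 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp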
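--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,41 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp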
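Review bot: New line 20 hard-codes `whitelist ${HOME}/Downloads`, where the Viber, amule and dooble profiles in this same commit use `whitelist ${DOWNLOADS}`. On a system whose downloads directory is localized or relocated the hard-coded path will not match, so the consistent form is `whitelist ${DOWNLOADS}`. `novideo` on line 31 also removes camera access from a softphone; if that is intended, a comment noting that video calls are not supported under this profile would make the choice clear.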
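--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,34 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.lmmsrc.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp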
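--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 tracelog
 
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
 private-dev
 private-tmp
 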
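--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,35 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/mfusion
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp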
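--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin mpd,bash
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp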
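--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,33 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+noexec ${HOME}
+noexec /tmp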
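Review bot: This profile sets neither `private-dev` nor `private-tmp`, while the other new application profiles in this commit set at least `private-dev`. With `private-bin natron,Natron,NatronRenderer` already enabled, the omission looks accidental rather than tested. If Natron needs the full /dev or the shared /tmp, a comment in the form `# private-dev is left out because <reason>` would record that; otherwise I would add `private-dev` and `private-tmp` after line 30.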
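--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
 private-bin pidgin
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp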
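Review bot: `noexec ${HOME}` (new line 31) will, as far as I can tell, also stop Pidgin from loading plugins a user has installed under the home directory, since shared objects cannot be mapped executable from a noexec mount. If that is the intent it deserves a comment above the line, for example `# noexec ${HOME} also blocks plugins installed in the user's home; override in the .local file if needed`. The profile's first 26 lines are outside the hunk, so I cannot see whether a whitelist already limits what is reachable there.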
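--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,40 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc fonts,tor,X11,alternatives
+
+noexec ${HOME}
+noexec /tmp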
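Review bot: `whitelist ${HOME}/.local/share/Ricochet` (new line 17) has no matching `mkdir`, unlike teamspeak3.profile in this same commit, which runs `mkdir ${HOME}/.ts3client` before its whitelist. As far as I know firejail does not create a missing whitelist target, so on a first run the directory would be created in the temporary home and whatever Ricochet stores there would be lost when the sandbox exits. I would add `mkdir ${HOME}/.local/share/Ricochet` above line 16; the new `whitelist ~/.tor-browser-en` in torbrowser-launcher.profile looks to have the same gap. Separately, `#private-etc fonts,tor,X11,alternatives` is left disabled without a comment saying why.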
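--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
 seccomp
 tracelog
 
+#private-bin scribus,gs
 private-dev
 # private-tmp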
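--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,31 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Meltytech
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin shotcut,melt,qmelt,nice
+private-dev
+
+noexec ${HOME}
+noexec /tmp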
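--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
 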
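--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin synfigstudio
 private-dev
 private-tmp
 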
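--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,39 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp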
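--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile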
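--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp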
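Review bot: The usage comment (new lines 13–14) starts firejail under `sudo` with `--profile=/home/<username>/.config/firejail/tor.profile`, so a sandbox that runs as root takes its policy from a file the unprivileged user can edit. The include lines in this file point at /etc/firejail, so the installed copy is presumably `/etc/firejail/tor.profile`. I would change the example to `--profile=/etc/firejail/tor.profile` and leave per-machine changes to the `tor.local` file that line 4 already includes. A one-line comment above `caps.keep setuid,setgid,net_bind_service,dac_read_search` stating what tor needs each capability for would also make the retained privileges easier to audit.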
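--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
+noblacklist ~/.tor-browser-en
 noblacklist ~/.config/torbrowser
-whitelist ~/.config/torbrowser
 noblacklist ~/.local/share/torbrowser
-whitelist ~/.local/share/torbrowser
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ~/.tor-browser-en
+whitelist ~/.config/torbrowser
+whitelist ~/.local/share/torbrowser
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -29,7 +32,7 @@ seccomp
 shell none
 tracelog
 
-private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
 private-dev
 private-etc fonts
 private-tmp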
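--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,20 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+protocol unix
+seccomp
+
+private-dev
+
+noexec /tmp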
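Review bot: `net none` (new line 11) and `netfilter` (line 12) are both set; with no interface apart from loopback the default filter has, as far as I know, nothing to act on, so one of the two is probably not what was meant. The profile also omits `nonewprivs` and the `disable-*.inc` includes that the other new profiles in this commit carry, and nothing says whether that is deliberate for a terminal. I would drop `netfilter` and add a one-line comment stating why those restrictions are left out, or add them if the omission was an oversight.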
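--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,30 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+
+noexec ${HOME}
+noexec /tmp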