Diffstat (limited to 'etc')
175 files changed, 743 insertions, 453 deletions
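--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter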
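--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -13,7 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
+hostname 7z
 ipc-namespace
 machine-id
 net none
@@ -33,4 +35,8 @@ shell none
 tracelog
 x11 none
 
+#private-bin 7z,7z*,p7zip
+private-cache
 private-dev
+
+memory-deny-write-execute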
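Review bot: The new `#private-bin 7z,7z*,p7zip` line (new line 38) is committed commented out with no indication of why it is disabled, so a later maintainer cannot tell whether it is pending testing, known to break the tool, or intentionally left off. Elsewhere in this commit disabled options carry a reason (`#memory-deny-write-execute - breaks on Arch (see issue #1803)` in devhelp.profile); the same form would help here, e.g. `#private-bin 7z,7z*,p7zip - <REASON-PLACEHOLDER>`. If it is meant to be enabled after testing, say so in the comment.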
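--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7za
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7za.local
 # Persistent global definitions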
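--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7zr
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7zr.local
 # Persistent global definitions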
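--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -39,6 +39,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none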
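--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/Nextcloud/Notes
-mkdir ${HOME}.config/PBE
+mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/Nextcloud/Notes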
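--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-
-env QTWEBENGINE_DISABLE_SANDBOX=1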
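Review bot: `seccomp !chroot` at new line 31 has no comment explaining why chroot is exempted from the default filter, while akregator.profile in this same commit documents the identical exemption with `# chroot syscalls are needed for setting up the built-in sandbox`. Since this hunk also removes `env QTWEBENGINE_DISABLE_SANDBOX=1`, the exemption appears to exist so that QtWebEngine's own sandbox can now start inside the jail; I would add that same one-line comment above the seccomp line so a later cleanup does not re-tighten the filter and break the in-app sandbox silently. Leaving chroot reachable is a deliberate trade for a second sandbox layer, so the reason belongs next to the line.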
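--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
+quiet
 include Xephyr.local
 # Persistent global definitions
 include globals.local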
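Review bot: `quiet` is inserted at new line 4 between `# Persistent local customizations` and `include Xephyr.local`, splitting the comment from the include it describes. Every other profile in this commit places `quiet` directly after `# This file is overwritten after every install/update` (7za, Xvfb, bunzip2, and the explicit moves in atool.profile and dig.profile), so this placement looks accidental. Move it up one line so the header reads `# This file is overwritten after every install/update` / `quiet` / `# Persistent local customizations`.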
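--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xvfb
 # Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include Xvfb.local
 # Persistent global definitions
@@ -30,6 +31,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none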
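--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -1,5 +1,6 @@
 # Firejail profile for acat
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include acat.local
 # Persistent global definitions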
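--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -1,5 +1,6 @@
 # Firejail profile for adiff
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include adiff.local
 # Persistent global definitions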
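--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
@@ -45,8 +46,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# protocol unix,inet,inet6,netlink
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev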
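Review bot: The `# protocol` and `# seccomp` lines at new lines 49-50 are rewritten but stay commented out, so the profile still runs akonadi_control with no syscall filter and no protocol restriction, and nothing on the page says what breaks when they are enabled. Since the lines were touched anyway, a one-line reason above them would stop the next reader from simply uncommenting them, e.g. `# protocol/seccomp disabled: <REASON-PLACEHOLDER>`. The added `noblacklist /sbin` alongside the existing `noblacklist /usr/sbin` looks like a merged-/usr follow-up; a short note saying so would also help.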
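--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt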
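--- /dev/null
+++ b/etc/allow-common-devel.inc
@@ -0,0 +1,17 @@
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+# Git
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+
+# Python
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java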
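Review bot: The `# Python` section omits `noblacklist ${HOME}/.pythonrc.py`, which atom.profile and code.profile carried until this commit and now remove in favour of this include, so both profiles silently lose access to the Python startup file; either add `noblacklist ${HOME}/.pythonrc.py` here or keep the line in those two profiles. Separately, `noblacklist ${HOME}/.git-credentials` re-exposes a plaintext credential store to every profile that pulls this file in (android-studio, aosp, atom, brackets and code in this commit, and any future IDE profile by default); the individual profiles already did this, but a shared include makes it the default, so a comment such as `# .git-credentials holds plaintext tokens; drop it in the profile's .local if unneeded` would make the trade-off visible. Note also that disable-common.inc in this same commit stops blacklisting `.cargo/config` and `.cargo/registry`, so the two Rust lines only have an effect if another include (not shown here) still blacklists them.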
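--- a/etc/als.profile
+++ b/etc/als.profile
@@ -1,5 +1,6 @@
 # Firejail profile for als
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include als.local
 # Persistent global definitions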
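--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -7,17 +7,15 @@ include globals.local
 
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc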
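--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -7,18 +7,16 @@ include globals.local
 
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc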
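--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for apack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include apack.local
 # Persistent global definitions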
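--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for arepack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include arepack.local
 # Persistent global definitions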
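--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -30,6 +30,7 @@ nodbus
 nonewprivs
 noroot
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none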
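--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,18 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
-# allow rust
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
-# allow git config files
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-# allow python dev files
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-exec.inc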
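--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,7 +1,7 @@
 # Firejail profile for atool
 # Description: Tool for managing file archives of various types
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include atool.local
 # Persistent global definitions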
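--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for aunpack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include aunpack.local
 # Persistent global definitions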
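--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
 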
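--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -32,5 +32,3 @@ shell none
 private-bin baobab
 private-dev
 private-tmp
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)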
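--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile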
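Review bot: `ignore seccomp` at new line 18 now sits directly after the `seccomp` line it names, which reads like a contradiction and will tempt a reader to delete one of them. The old `ignore seccomp.drop` made the intent obvious; the new one only works if `ignore` affects commands parsed after it (the `seccomp !chroot` presumably introduced into firefox-common.profile, which is included outside this hunk) while leaving the earlier `seccomp` in force. I would extend the existing comment to state that ordering dependence explicitly, e.g. `# 'ignore seccomp' must come after our own seccomp line: it only suppresses the seccomp line in firefox-common.profile`.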
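--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt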
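--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the next two lines if you are developing rust.
-# or put it in your brackets.local
-#noblacklist ${HOME}/.cargo/config
-#noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -31,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 
 private-cache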
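Review bot: `seccomp !chroot,!ioperm` at new line 30 exempts two syscalls without a comment, and `!ioperm` in particular is easy to mistake for a typo: the old drop list spelled out every member of @raw-io except ioperm, so the exemption preserves existing behaviour, but nothing says why Brackets needs a raw-I/O port syscall. A line such as `# chroot is needed for the built-in sandbox; ioperm was never dropped here - TODO confirm it is still required` above the seccomp line would record that. The first hunk also turns the opt-in `#noblacklist ${HOME}/.cargo/...` lines (previously "uncomment if you are developing rust") into an unconditional grant via allow-common-devel.inc; if that widening is intended, the `# Allows files commonly used by IDEs` comment should say that Rust and Git paths are now allowed by default and can be re-blacklisted in brackets.local.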
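--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -20,8 +20,8 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodvd
 nodbus
+nodvd
 nogroups
 nonewprivs
 # noroot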
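--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bunzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bunzip2.local
 # Persistent global definitions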
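--- /dev/null
+++ b/etc/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include gzip.profile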
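--- a/etc/bzip2.profile
+++ b/etc/bzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bzip2.local
 # Persistent global definitions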
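--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 
 memory-deny-write-execute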
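--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 
 private-dev
 private-tmp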
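--- a/etc/code.profile
+++ b/etc/code.profile
@@ -5,20 +5,14 @@ include code.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc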
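--- a/etc/conplay.profile
+++ b/etc/conplay.profile
@@ -1,4 +1,6 @@
 # Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
 # Persistent local customizations
 include conplay.local
 # Persistent global definitions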
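--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,5 +41,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
-
-# memory-deny-write-execute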
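--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -41,6 +41,6 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue 1803)
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}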
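--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -1,7 +1,7 @@
 # Firejail profile for dig
 # Description: DNS lookup utility
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dig.local
 # Persistent global definitions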
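--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local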
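--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -281,8 +284,7 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-blacklist ${HOME}/.cargo/registry
-blacklist ${HOME}/.cargo/config
+read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -297,11 +299,14 @@ blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/.config/hub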
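Review bot: Moving `blacklist ${HOME}/.cargo/config` out of this file (the hunk at -281) into disable-programs.inc narrows its coverage: a profile that includes disable-common.inc but not disable-programs.inc no longer hides it, while the same hunk adds `read-only ${HOME}/.cargo/env` here for a persistence concern that applies equally to `.cargo/config`, which can redirect cargo to another compiler or runner binary. Consider keeping it next to `.cargo/env` as `read-only ${HOME}/.cargo/config`. The new `blacklist ${HOME}/.cargo/credentials` line covers only that exact name; if the Cargo versions in use also write `credentials.toml`, a second line `blacklist ${HOME}/.cargo/credentials.toml` is needed.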
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index cc6877693..e54b651a6 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -3,6 +3,7 @@ | |||
3 | include disable-programs.local | 3 | include disable-programs.local |
4 | 4 | ||
5 | blacklist ${HOME}/Arduino | 5 | blacklist ${HOME}/Arduino |
6 | blacklist ${HOME}/i2p | ||
6 | blacklist ${HOME}/Monero/wallets | 7 | blacklist ${HOME}/Monero/wallets |
7 | blacklist ${HOME}/Nextcloud/Notes | 8 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/SoftMaker | 9 | blacklist ${HOME}/SoftMaker |
@@ -28,9 +29,9 @@ blacklist ${HOME}/.Steam | |||
28 | blacklist ${HOME}/.Steampath | 29 | blacklist ${HOME}/.Steampath |
29 | blacklist ${HOME}/.Steampid | 30 | blacklist ${HOME}/.Steampid |
30 | blacklist ${HOME}/.TelegramDesktop | 31 | blacklist ${HOME}/.TelegramDesktop |
32 | blacklist ${HOME}/.VSCodium | ||
31 | blacklist ${HOME}/.ViberPC | 33 | blacklist ${HOME}/.ViberPC |
32 | blacklist ${HOME}/.VirtualBox | 34 | blacklist ${HOME}/.VirtualBox |
33 | blacklist ${HOME}/.VSCodium | ||
34 | blacklist ${HOME}/.WebStorm* | 35 | blacklist ${HOME}/.WebStorm* |
35 | blacklist ${HOME}/.Wolfram Research | 36 | blacklist ${HOME}/.Wolfram Research |
36 | blacklist ${HOME}/.ZAP | 37 | blacklist ${HOME}/.ZAP |
@@ -51,6 +52,8 @@ blacklist ${HOME}/.bibletime | |||
51 | blacklist ${HOME}/.bitcoin | 52 | blacklist ${HOME}/.bitcoin |
52 | blacklist ${HOME}/.bogofilter | 53 | blacklist ${HOME}/.bogofilter |
53 | blacklist ${HOME}/.bzf | 54 | blacklist ${HOME}/.bzf |
55 | blacklist ${HOME}/.cargo/registry | ||
56 | blacklist ${HOME}/.cargo/config | ||
54 | blacklist ${HOME}/.claws-mail | 57 | blacklist ${HOME}/.claws-mail |
55 | blacklist ${HOME}/.cliqz | 58 | blacklist ${HOME}/.cliqz |
56 | blacklist ${HOME}/.clonk | 59 | blacklist ${HOME}/.clonk |
@@ -94,9 +97,9 @@ blacklist ${HOME}/.config/MusicBrainz | |||
94 | blacklist ${HOME}/.config/Nathan Osman | 97 | blacklist ${HOME}/.config/Nathan Osman |
95 | blacklist ${HOME}/.config/Nylas Mail | 98 | blacklist ${HOME}/.config/Nylas Mail |
96 | blacklist ${HOME}/.config/PBE | 99 | blacklist ${HOME}/.config/PBE |
97 | blacklist ${HOME}/.config/Qlipper | ||
98 | blacklist ${HOME}/.config/QGIS | 100 | blacklist ${HOME}/.config/QGIS |
99 | blacklist ${HOME}/.config/QMediathekView | 101 | blacklist ${HOME}/.config/QMediathekView |
102 | blacklist ${HOME}/.config/Qlipper | ||
100 | blacklist ${HOME}/.config/QuiteRss | 103 | blacklist ${HOME}/.config/QuiteRss |
101 | blacklist ${HOME}/.config/QuiteRssrc | 104 | blacklist ${HOME}/.config/QuiteRssrc |
102 | blacklist ${HOME}/.config/Rambox | 105 | blacklist ${HOME}/.config/Rambox |
@@ -179,10 +182,11 @@ blacklist ${HOME}/.config/ghb | |||
179 | blacklist ${HOME}/.config/ghostwriter | 182 | blacklist ${HOME}/.config/ghostwriter |
180 | blacklist ${HOME}/.config/git | 183 | blacklist ${HOME}/.config/git |
181 | blacklist ${HOME}/.config/globaltime | 184 | blacklist ${HOME}/.config/globaltime |
185 | blacklist ${HOME}/.config/gnome-builder | ||
182 | blacklist ${HOME}/.config/gnome-mplayer | 186 | blacklist ${HOME}/.config/gnome-mplayer |
183 | blacklist ${HOME}/.config/gnome-mpv | 187 | blacklist ${HOME}/.config/gnome-mpv |
184 | blacklist ${HOME}/.config/godot | ||
185 | blacklist ${HOME}/.config/gnome-pie | 188 | blacklist ${HOME}/.config/gnome-pie |
189 | blacklist ${HOME}/.config/godot | ||
186 | blacklist ${HOME}/.config/google-chrome | 190 | blacklist ${HOME}/.config/google-chrome |
187 | blacklist ${HOME}/.config/google-chrome-beta | 191 | blacklist ${HOME}/.config/google-chrome-beta |
188 | blacklist ${HOME}/.config/google-chrome-unstable | 192 | blacklist ${HOME}/.config/google-chrome-unstable |
@@ -190,6 +194,7 @@ blacklist ${HOME}/.config/gpicview | |||
190 | blacklist ${HOME}/.config/gthumb | 194 | blacklist ${HOME}/.config/gthumb |
191 | blacklist ${HOME}/.config/gwenviewrc | 195 | blacklist ${HOME}/.config/gwenviewrc |
192 | blacklist ${HOME}/.config/hexchat | 196 | blacklist ${HOME}/.config/hexchat |
197 | blacklist ${HOME}/.config/i2p | ||
193 | blacklist ${HOME}/.config/inkscape | 198 | blacklist ${HOME}/.config/inkscape |
194 | blacklist ${HOME}/.config/inox | 199 | blacklist ${HOME}/.config/inox |
195 | blacklist ${HOME}/.config/iridium | 200 | blacklist ${HOME}/.config/iridium |
@@ -231,8 +236,8 @@ blacklist ${HOME}/.config/meteo-qt | |||
231 | blacklist ${HOME}/.config/mfusion | 236 | blacklist ${HOME}/.config/mfusion |
232 | blacklist ${HOME}/.config/midori | 237 | blacklist ${HOME}/.config/midori |
233 | blacklist ${HOME}/.config/mono | 238 | blacklist ${HOME}/.config/mono |
234 | blacklist ${HOME}/.config/mpd | ||
235 | blacklist ${HOME}/.config/mpDris2 | 239 | blacklist ${HOME}/.config/mpDris2 |
240 | blacklist ${HOME}/.config/mpd | ||
236 | blacklist ${HOME}/.config/mps-youtube | 241 | blacklist ${HOME}/.config/mps-youtube |
237 | blacklist ${HOME}/.config/mpv | 242 | blacklist ${HOME}/.config/mpv |
238 | blacklist ${HOME}/.config/mupen64plus | 243 | blacklist ${HOME}/.config/mupen64plus |
@@ -253,8 +258,8 @@ blacklist ${HOME}/.config/opera | |||
253 | blacklist ${HOME}/.config/opera-beta | 258 | blacklist ${HOME}/.config/opera-beta |
254 | blacklist ${HOME}/.config/orage | 259 | blacklist ${HOME}/.config/orage |
255 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 260 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
256 | blacklist ${HOME}/.config/pavucontrol.ini | ||
257 | blacklist ${HOME}/.config/pavucontrol-qt | 261 | blacklist ${HOME}/.config/pavucontrol-qt |
262 | blacklist ${HOME}/.config/pavucontrol.ini | ||
258 | blacklist ${HOME}/.config/pcmanfm | 263 | blacklist ${HOME}/.config/pcmanfm |
259 | blacklist ${HOME}/.config/pdfmod | 264 | blacklist ${HOME}/.config/pdfmod |
260 | blacklist ${HOME}/.config/Pinta | 265 | blacklist ${HOME}/.config/Pinta |
@@ -302,6 +307,7 @@ blacklist ${HOME}/.config/vivaldi | |||
302 | blacklist ${HOME}/.config/vivaldi-snapshot | 307 | blacklist ${HOME}/.config/vivaldi-snapshot |
303 | blacklist ${HOME}/.config/vlc | 308 | blacklist ${HOME}/.config/vlc |
304 | blacklist ${HOME}/.config/wesnoth | 309 | blacklist ${HOME}/.config/wesnoth |
310 | blacklist ${HOME}/.config/Whalebird | ||
305 | blacklist ${HOME}/.config/wireshark | 311 | blacklist ${HOME}/.config/wireshark |
306 | blacklist ${HOME}/.config/xchat | 312 | blacklist ${HOME}/.config/xchat |
307 | blacklist ${HOME}/.config/xed | 313 | blacklist ${HOME}/.config/xed |
@@ -322,6 +328,7 @@ blacklist ${HOME}/.config/yelp | |||
322 | blacklist ${HOME}/.config/youtube-dl | 328 | blacklist ${HOME}/.config/youtube-dl |
323 | blacklist ${HOME}/.config/zathura | 329 | blacklist ${HOME}/.config/zathura |
324 | blacklist ${HOME}/.config/zoomus.conf | 330 | blacklist ${HOME}/.config/zoomus.conf |
331 | blacklist ${HOME}/.config/Zulip | ||
325 | blacklist ${HOME}/.conkeror.mozdev.org | 332 | blacklist ${HOME}/.conkeror.mozdev.org |
326 | blacklist ${HOME}/.crawl | 333 | blacklist ${HOME}/.crawl |
327 | blacklist ${HOME}/.curlrc | 334 | blacklist ${HOME}/.curlrc |
@@ -350,8 +357,6 @@ blacklist ${HOME}/.freecol | |||
350 | blacklist ${HOME}/.freemind | 357 | blacklist ${HOME}/.freemind |
351 | blacklist ${HOME}/.frozen-bubble | 358 | blacklist ${HOME}/.frozen-bubble |
352 | blacklist ${HOME}/.gimp* | 359 | blacklist ${HOME}/.gimp* |
353 | blacklist ${HOME}/.git-credentials | ||
354 | blacklist ${HOME}/.git-credential-cache | ||
355 | blacklist ${HOME}/.gitconfig | 360 | blacklist ${HOME}/.gitconfig |
356 | blacklist ${HOME}/.gnome/gnome-schedule | 361 | blacklist ${HOME}/.gnome/gnome-schedule |
357 | blacklist ${HOME}/.googleearth/Cache/ | 362 | blacklist ${HOME}/.googleearth/Cache/ |
@@ -364,9 +369,11 @@ blacklist ${HOME}/.guayadeque | |||
364 | blacklist ${HOME}/.hashcat | 369 | blacklist ${HOME}/.hashcat |
365 | blacklist ${HOME}/.hedgewars | 370 | blacklist ${HOME}/.hedgewars |
366 | blacklist ${HOME}/.hugin | 371 | blacklist ${HOME}/.hugin |
372 | blacklist ${HOME}/.i2p | ||
367 | blacklist ${HOME}/.icedove | 373 | blacklist ${HOME}/.icedove |
368 | blacklist ${HOME}/.imagej | 374 | blacklist ${HOME}/.imagej |
369 | blacklist ${HOME}/.inkscape | 375 | blacklist ${HOME}/.inkscape |
376 | blacklist ${HOME}/.itch | ||
370 | blacklist ${HOME}/.jack-server | 377 | blacklist ${HOME}/.jack-server |
371 | blacklist ${HOME}/.jack-settings | 378 | blacklist ${HOME}/.jack-settings |
372 | blacklist ${HOME}/.jak | 379 | blacklist ${HOME}/.jak |
@@ -409,13 +416,13 @@ blacklist ${HOME}/.kde4/share/apps/kaffeine | |||
409 | blacklist ${HOME}/.kde4/share/apps/kcookiejar | 416 | blacklist ${HOME}/.kde4/share/apps/kcookiejar |
410 | blacklist ${HOME}/.kde4/share/apps/kget | 417 | blacklist ${HOME}/.kde4/share/apps/kget |
411 | blacklist ${HOME}/.kde4/share/apps/khtml | 418 | blacklist ${HOME}/.kde4/share/apps/khtml |
412 | blacklist ${HOME}/.kde4/share/apps/konqueror | ||
413 | blacklist ${HOME}/.kde4/share/apps/konqsidebartng | 419 | blacklist ${HOME}/.kde4/share/apps/konqsidebartng |
420 | blacklist ${HOME}/.kde4/share/apps/konqueror | ||
414 | blacklist ${HOME}/.kde4/share/apps/kopete | 421 | blacklist ${HOME}/.kde4/share/apps/kopete |
415 | blacklist ${HOME}/.kde4/share/apps/ktorrent | 422 | blacklist ${HOME}/.kde4/share/apps/ktorrent |
416 | blacklist ${HOME}/.kde4/share/apps/okular | 423 | blacklist ${HOME}/.kde4/share/apps/okular |
417 | blacklist ${HOME}/.kde4/share/config/baloorc | ||
418 | blacklist ${HOME}/.kde4/share/config/baloofilerc | 424 | blacklist ${HOME}/.kde4/share/config/baloofilerc |
425 | blacklist ${HOME}/.kde4/share/config/baloorc | ||
419 | blacklist ${HOME}/.kde4/share/config/digikam | 426 | blacklist ${HOME}/.kde4/share/config/digikam |
420 | blacklist ${HOME}/.kde4/share/config/gwenviewrc | 427 | blacklist ${HOME}/.kde4/share/config/gwenviewrc |
421 | blacklist ${HOME}/.kde4/share/config/k3brc | 428 | blacklist ${HOME}/.kde4/share/config/k3brc |
@@ -438,9 +445,9 @@ blacklist ${HOME}/.kinorc | |||
438 | blacklist ${HOME}/.klatexformula | 445 | blacklist ${HOME}/.klatexformula |
439 | blacklist ${HOME}/.kodi | 446 | blacklist ${HOME}/.kodi |
440 | blacklist ${HOME}/.lincity-ng | 447 | blacklist ${HOME}/.lincity-ng |
448 | blacklist ${HOME}/.links | ||
441 | blacklist ${HOME}/.linphone-history.db | 449 | blacklist ${HOME}/.linphone-history.db |
442 | blacklist ${HOME}/.linphonerc | 450 | blacklist ${HOME}/.linphonerc |
443 | blacklist ${HOME}/.links | ||
444 | blacklist ${HOME}/.lmmsrc.xml | 451 | blacklist ${HOME}/.lmmsrc.xml |
445 | blacklist ${HOME}/.local/lib/vivaldi | 452 | blacklist ${HOME}/.local/lib/vivaldi |
446 | blacklist ${HOME}/.local/share/0ad | 453 | blacklist ${HOME}/.local/share/0ad |
@@ -494,6 +501,7 @@ blacklist ${HOME}/.local/share/geeqie | |||
494 | blacklist ${HOME}/.local/share/gitg | 501 | blacklist ${HOME}/.local/share/gitg |
495 | blacklist ${HOME}/.local/share/gnome-2048 | 502 | blacklist ${HOME}/.local/share/gnome-2048 |
496 | blacklist ${HOME}/.local/share/gnome-chess | 503 | blacklist ${HOME}/.local/share/gnome-chess |
504 | blacklist ${HOME}/.local/share/gnome-builder | ||
497 | blacklist ${HOME}/.local/share/gnome-music | 505 | blacklist ${HOME}/.local/share/gnome-music |
498 | blacklist ${HOME}/.local/share/gnome-photos | 506 | blacklist ${HOME}/.local/share/gnome-photos |
499 | blacklist ${HOME}/.local/share/gnome-recipes | 507 | blacklist ${HOME}/.local/share/gnome-recipes |
@@ -502,10 +510,13 @@ blacklist ${HOME}/.local/share/gnome-twitch | |||
502 | blacklist ${HOME}/.local/share/godot | 510 | blacklist ${HOME}/.local/share/godot |
503 | blacklist ${HOME}/.local/share/gradio | 511 | blacklist ${HOME}/.local/share/gradio |
504 | blacklist ${HOME}/.local/share/gwenview | 512 | blacklist ${HOME}/.local/share/gwenview |
513 | blacklist ${HOME}/.local/share/i2p | ||
505 | blacklist ${HOME}/.local/share/kaffeine | 514 | blacklist ${HOME}/.local/share/kaffeine |
506 | blacklist ${HOME}/.local/share/kate | 515 | blacklist ${HOME}/.local/share/kate |
507 | blacklist ${HOME}/.local/share/kdenlive | 516 | blacklist ${HOME}/.local/share/kdenlive |
508 | blacklist ${HOME}/.local/share/kget | 517 | blacklist ${HOME}/.local/share/kget |
518 | blacklist ${HOME}/.local/share/kiwix | ||
519 | blacklist ${HOME}/.local/share/kiwix-desktop | ||
509 | blacklist ${HOME}/.local/share/klavaro | 520 | blacklist ${HOME}/.local/share/klavaro |
510 | blacklist ${HOME}/.local/share/kmail2 | 521 | blacklist ${HOME}/.local/share/kmail2 |
511 | blacklist ${HOME}/.local/share/knotes | 522 | blacklist ${HOME}/.local/share/knotes |
@@ -626,8 +637,7 @@ blacklist ${HOME}/.teeworlds | |||
626 | blacklist ${HOME}/.thunderbird | 637 | blacklist ${HOME}/.thunderbird |
627 | blacklist ${HOME}/.tilp | 638 | blacklist ${HOME}/.tilp |
628 | blacklist ${HOME}/.tooling | 639 | blacklist ${HOME}/.tooling |
629 | blacklist ${HOME}/.tor-browser-* | 640 | blacklist ${HOME}/.tor-browser* |
630 | blacklist ${HOME}/.tor-browser_* | ||
631 | blacklist ${HOME}/.torcs | 641 | blacklist ${HOME}/.torcs |
632 | blacklist ${HOME}/.tremulous | 642 | blacklist ${HOME}/.tremulous |
633 | blacklist ${HOME}/.ts3client | 643 | blacklist ${HOME}/.ts3client |
@@ -635,6 +645,8 @@ blacklist ${HOME}/.tuxguitar* | |||
635 | blacklist ${HOME}/.unknown-horizons | 645 | blacklist ${HOME}/.unknown-horizons |
636 | blacklist ${HOME}/.viking | 646 | blacklist ${HOME}/.viking |
637 | blacklist ${HOME}/.viking-maps | 647 | blacklist ${HOME}/.viking-maps |
648 | blacklist ${HOME}/.vim | ||
649 | blacklist ${HOME}/.vimrc | ||
638 | blacklist ${HOME}/.vscode | 650 | blacklist ${HOME}/.vscode |
639 | blacklist ${HOME}/.vscode-oss | 651 | blacklist ${HOME}/.vscode-oss |
640 | blacklist ${HOME}/.vst | 652 | blacklist ${HOME}/.vst |
@@ -704,6 +716,7 @@ blacklist ${HOME}/.cache/godot | |||
704 | blacklist ${HOME}/.cache/google-chrome | 716 | blacklist ${HOME}/.cache/google-chrome |
705 | blacklist ${HOME}/.cache/google-chrome-beta | 717 | blacklist ${HOME}/.cache/google-chrome-beta |
706 | blacklist ${HOME}/.cache/google-chrome-unstable | 718 | blacklist ${HOME}/.cache/google-chrome-unstable |
719 | blacklist ${HOME}/.cache/gnome-builder | ||
707 | blacklist ${HOME}/.cache/gnome-recipes | 720 | blacklist ${HOME}/.cache/gnome-recipes |
708 | blacklist ${HOME}/.cache/gnome-twitch | 721 | blacklist ${HOME}/.cache/gnome-twitch |
709 | blacklist ${HOME}/.cache/gradio | 722 | blacklist ${HOME}/.cache/gradio |
@@ -726,6 +739,7 @@ blacklist ${HOME}/.cache/libgweather | |||
726 | blacklist ${HOME}/.cache/liferea | 739 | blacklist ${HOME}/.cache/liferea |
727 | blacklist ${HOME}/.cache/Mendeley Ltd. | 740 | blacklist ${HOME}/.cache/Mendeley Ltd. |
728 | blacklist ${HOME}/.cache/midori | 741 | blacklist ${HOME}/.cache/midori |
742 | blacklist ${HOME}/.cache/minetest | ||
729 | blacklist ${HOME}/.cache/moonchild productions/basilisk | 743 | blacklist ${HOME}/.cache/moonchild productions/basilisk |
730 | blacklist ${HOME}/.cache/moonchild productions/pale moon | 744 | blacklist ${HOME}/.cache/moonchild productions/pale moon |
731 | blacklist ${HOME}/.cache/mozilla | 745 | blacklist ${HOME}/.cache/mozilla |
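Review bot: The hunk at -350 drops `blacklist ${HOME}/.git-credentials` and `blacklist ${HOME}/.git-credential-cache` from this file and relies on their new location in disable-common.inc, so a profile that includes disable-programs.inc without disable-common.inc silently loses that protection. If every profile in the tree includes both, a one-line comment here such as `# credential files are blacklisted in disable-common.inc` would keep someone from re-adding or removing them independently. The newly added `${HOME}/.vim` and `${HOME}/.vimrc` in the hunk at -635 are editor startup files that can execute commands, the class of file disable-common.inc write-protects, so they may belong there rather than in the per-program list.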
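--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnscrypt-proxy
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnscrypt-proxy.local
 # Persistent global definitions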
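--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnsmasq
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnsmasq.local
 # Persistent global definitions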
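--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -11,10 +11,9 @@ noblacklist ${HOME}/.emacs.d
 # if you need gpg uncomment the following line
 # or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -27,5 +26,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp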
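Review bot: `include allow-common-devel.inc` replaces a per-profile noblacklist list with a file whose contents are not on this page, so whether emacs now also un-hides `${HOME}/.git-credentials` (which the old geany.profile and gedit.profile lists did explicitly, and which this commit moves into disable-common.inc) cannot be confirmed here; the same substitution is made in geany.profile and gedit.profile. The placement looks right, since the include sits before `include disable-common.inc` and in firejail a noblacklist has to precede the blacklist it overrides. A comment at the include line would make the trade-off visible to anyone copying the pattern, e.g. `# Allows files commonly used by IDEs - see allow-common-devel.inc for what this re-exposes`.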
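--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -43,5 +43,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)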
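--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for etr
+# Description: High speed arctic racing game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include etr.local
@@ -29,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none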
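--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,9 +34,10 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 
 private-dev
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 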
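--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader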
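--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffmpegthumbnailer
 # Description: FFmpeg-based video thumbnailer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffmpegthumbnailer.local
 # Persistent global definitions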
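--- a/etc/ffplay.profile
+++ b/etc/ffplay.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffplay
 # Description: FFmpeg-based media player
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffplay.local
 # Persistent global definitions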
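--- a/etc/ffprobe.profile
+++ b/etc/ffprobe.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffprobe
 # Description: FFmpeg-based media prober
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffprobe.local
 # Persistent global definitions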
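--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -37,5 +37,3 @@ tracelog
 # private-bin file-roller
 private-dev
 # private-tmp
-
-# memory-deny-write-execute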
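--- a/etc/file.profile
+++ b/etc/file.profile
@@ -33,10 +33,11 @@ shell none
 tracelog
 x11 none
 
-#private-bin file
+#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
 private-etc alternatives,localtime,magic,magic.mgc
-private-lib libarchive.so.*,libfakeroot,libmagic.so.*
+private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
 
 memory-deny-write-execute
+read-only ${HOME}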
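Review bot: `read-only ${HOME}` is added at line 43 without a comment on what it blocks: `file -C` (`--compile`) writes a compiled magic file into the current directory, so that invocation now fails whenever the working directory is under the home directory. That is a reasonable trade-off for a tool whose whole job is parsing untrusted input, but a note such as `# read-only ${HOME} - breaks 'file -C' (magic compilation) inside the home directory` would record it for users who hit the error. The expanded `#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd` line stays commented out, so the decompressor list has no effect until someone enables it.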
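--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog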
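--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dbus-launch,dbus-send,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 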
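--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,9 +2,6 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
-# Resolve symbolic links in path of user home directories, default disabled.
-# homedir-symlink no
-
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 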
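--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none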
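--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -7,13 +7,9 @@ include geany.local
 include globals.local
 
 noblacklist ${HOME}/.config/geany
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-passwdmgr.inc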
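--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -8,13 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 # include disable-devel.inc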
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile index 1fb2d8f58..2479ec16d 100644 --- a/etc/ghostwriter.profile +++ b/etc/ghostwriter.profile | |||
@@ -35,9 +35,9 @@ protocol unix,inet,inet6,netlink | |||
35 | shell none | 35 | shell none |
36 | #tracelog -- breaks | 36 | #tracelog -- breaks |
37 | 37 | ||
38 | # Breaks Translation | 38 | private-bin gettext,ghostwriter,pandoc |
39 | #private-bin ghostwriter,pandoc | ||
40 | private-cache | 39 | private-cache |
41 | private-dev | 40 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | 41 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed |
42 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | ||
43 | private-tmp | 43 | private-tmp |
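Review bot: The new comment says `passwd,login.defs,firejail` are a temporary workaround for #2877, but `passwd` and `login.defs` were already present in the private-etc line being replaced; only `firejail` is new. Suggest `# firejail is a temporary workaround for #2877 and can be removed once it is fixed`, so that a later cleanup does not also strip passwd/login.defs, which other things may rely on. Since `private-bin gettext,ghostwriter,pandoc` replaces the disabled `# Breaks Translation` line, a short `# gettext is needed for translations` would keep that history.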
diff --git a/etc/gimp.profile b/etc/gimp.profile index 762e743c8..fab7fa123 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -8,7 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below | 10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below |
11 | # or put 'ignore ignore noexec ${HOME}' in your gimp.local | 11 | # or put 'noexec ${HOME}' in your gimp.local |
12 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
13 | 13 | ||
14 | noblacklist ${HOME}/.config/GIMP | 14 | noblacklist ${HOME}/.config/GIMP |
diff --git a/etc/git.profile b/etc/git.profile index f7c812e65..8b1c81ca4 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.gitconfig | |||
15 | noblacklist ${HOME}/.git-credentials | 15 | noblacklist ${HOME}/.git-credentials |
16 | noblacklist ${HOME}/.gnupg | 16 | noblacklist ${HOME}/.gnupg |
17 | noblacklist ${HOME}/.nanorc | 17 | noblacklist ${HOME}/.nanorc |
18 | noblacklist ${HOME}/.oh-my-zsh | ||
19 | noblacklist ${HOME}/.ssh | 18 | noblacklist ${HOME}/.ssh |
20 | noblacklist ${HOME}/.vim | 19 | noblacklist ${HOME}/.vim |
21 | noblacklist ${HOME}/.viminfo | 20 | noblacklist ${HOME}/.viminfo |
diff --git a/etc/gitg.profile b/etc/gitg.profile index f6f51ef6f..08c1c94b6 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
@@ -22,6 +22,7 @@ include disable-programs.inc | |||
22 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
23 | 23 | ||
24 | caps.drop all | 24 | caps.drop all |
25 | netfilter | ||
25 | no3d | 26 | no3d |
26 | nodvd | 27 | nodvd |
27 | nogroups | 28 | nogroups |
@@ -39,6 +40,3 @@ private-bin git,gitg,ssh | |||
39 | private-cache | 40 | private-cache |
40 | private-dev | 41 | private-dev |
41 | private-tmp | 42 | private-tmp |
42 | |||
43 | # mdwe breaks diff in older versions | ||
44 | #memory-deny-write-execute | ||
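Review bot: Dropping `# mdwe breaks diff in older versions` along with the disabled directive removes the only record of why memory-deny-write-execute is not set for gitg. Removing the commented-out directive is fine, but if that breakage is still the reason, keep the one-line note, e.g. `# memory-deny-write-execute breaks diff in older versions`, so the next hardening pass does not re-add it blindly.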
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index dfa1a5da8..726a74089 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile | |||
@@ -6,15 +6,12 @@ include gnome-builder.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cargo/config | 9 | noblacklist ${HOME}/.cache/gnome-builder |
10 | noblacklist ${HOME}/.cargo/registry | 10 | noblacklist ${HOME}/.config/gnome-builder |
11 | noblacklist ${HOME}/.config/git | 11 | noblacklist ${HOME}/.local/share/gnome-builder |
12 | noblacklist ${HOME}/.gitconfig | 12 | |
13 | noblacklist ${HOME}/.git-credentials | 13 | # Allows files commonly used by IDEs |
14 | noblacklist ${HOME}/.python-history | 14 | include allow-common-devel.inc |
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
17 | noblacklist ${HOME}/.pythonrc.py | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
diff --git a/etc/gnome-character-map.profile b/etc/gnome-character-map.profile index 35db448f2..27804fdd0 100644 --- a/etc/gnome-character-map.profile +++ b/etc/gnome-character-map.profile | |||
@@ -6,4 +6,5 @@ include gnome-character-map.local | |||
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # Redirect | ||
9 | include gucharmap.profile | 10 | include gucharmap.profile |
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 3bbad67bb..aa0b7dbe3 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -28,6 +28,7 @@ noroot | |||
28 | nosound | 28 | nosound |
29 | notv | 29 | notv |
30 | nou2f | 30 | nou2f |
31 | novideo | ||
31 | protocol unix | 32 | protocol unix |
32 | seccomp | 33 | seccomp |
33 | shell none | 34 | shell none |
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index 6c9c83e5f..cbeb82465 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile | |||
@@ -13,15 +13,9 @@ noblacklist ${PATH}/at | |||
13 | noblacklist ${PATH}/crontab | 13 | noblacklist ${PATH}/crontab |
14 | 14 | ||
15 | # Needs access to these files/dirs | 15 | # Needs access to these files/dirs |
16 | noblacklist /etc/at.allow | ||
17 | noblacklist /etc/at.deny | ||
18 | noblacklist /etc/cron.allow | 16 | noblacklist /etc/cron.allow |
19 | noblacklist /etc/cron.deny | 17 | noblacklist /etc/cron.deny |
20 | noblacklist /etc/fonts | ||
21 | noblacklist /etc/ld.so.preload | ||
22 | noblacklist /etc/pam.d | ||
23 | noblacklist /etc/shadow | 18 | noblacklist /etc/shadow |
24 | noblacklist /var/spool/at | ||
25 | noblacklist /var/spool/cron | 19 | noblacklist /var/spool/cron |
26 | 20 | ||
27 | # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc) | 21 | # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc) |
@@ -41,14 +35,6 @@ include disable-xdg.inc | |||
41 | 35 | ||
42 | mkfile ${HOME}/.gnome/gnome-schedule | 36 | mkfile ${HOME}/.gnome/gnome-schedule |
43 | whitelist ${HOME}/.gnome/gnome-schedule | 37 | whitelist ${HOME}/.gnome/gnome-schedule |
44 | whitelist /etc/at.allow | ||
45 | whitelist /etc/at.deny | ||
46 | whitelist /etc/cron.allow | ||
47 | whitelist /etc/cron.deny | ||
48 | whitelist /etc/fonts | ||
49 | whitelist /etc/pam.d | ||
50 | whitelist /etc/ld.so.preload | ||
51 | whitelist /etc/shadow | ||
52 | whitelist /var/spool/atd | 38 | whitelist /var/spool/atd |
53 | whitelist /var/spool/cron | 39 | whitelist /var/spool/cron |
54 | include whitelist-common.inc | 40 | include whitelist-common.inc |
@@ -72,5 +58,6 @@ tracelog | |||
72 | disable-mnt | 58 | disable-mnt |
73 | private-cache | 59 | private-cache |
74 | private-dev | 60 | private-dev |
61 | private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow | ||
75 | writable-var | 62 | writable-var |
76 | 63 | ||
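Review bot: The new `private-etc ... shadow` line keeps `noblacklist /etc/shadow`, `/etc/cron.allow` and `/etc/cron.deny` above it while dropping the equivalent noblacklists for at.allow, at.deny, fonts, ld.so.preload and pam.d, and nothing explains why the two groups differ; presumably the kept ones are blacklisted by disable-common.inc and must be re-enabled even inside private-etc, but a comment such as `# still blacklisted by disable-common.inc - private-etc alone is not enough` would stop a later cleanup from removing them. Exposing /etc/shadow inside the sandbox is pre-existing, but it is now granted by this explicit private-etc list, so the existing "cron job testing ... sandbox escape" comment is the natural place to mention it. Separately, the removed `noblacklist /var/spool/at` and the kept `whitelist /var/spool/atd` name different directories; confirm which path the target distro actually uses.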
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile index f1347a8dc..b2907b32c 100644 --- a/etc/gnome-system-log.profile +++ b/etc/gnome-system-log.profile | |||
@@ -6,8 +6,6 @@ include gnome-system-log.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /var/log | ||
10 | |||
11 | include disable-common.inc | 9 | include disable-common.inc |
12 | include disable-devel.inc | 10 | include disable-devel.inc |
13 | include disable-exec.inc | 11 | include disable-exec.inc |
diff --git a/etc/gunzip.profile b/etc/gunzip.profile index aff990ec0..6e97c6b78 100644 --- a/etc/gunzip.profile +++ b/etc/gunzip.profile | |||
@@ -1,5 +1,6 @@ | |||
1 | # Firejail profile for gunzip | 1 | # Firejail profile for gunzip |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | ||
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include gunzip.local | 5 | include gunzip.local |
5 | # Persistent global definitions | 6 | # Persistent global definitions |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 489be3931..5a5d81378 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -45,6 +45,6 @@ shell none | |||
45 | 45 | ||
46 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 | 46 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg |
49 | 49 | ||
50 | # memory-deny-write-execute | 50 | # memory-deny-write-execute |
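Review bot: `passwd` is added to private-etc here and in the okular section with no comment, while the ghostwriter section of the same commit documents its passwd entry as a temporary workaround for #2877. If these additions are for the same reason, carry the same `# passwd is a temporary workaround for #2877 and can be removed once it is fixed` comment so they can be removed together; if not, a word on what needs /etc/passwd (user-name lookup by the KDE libraries, presumably) would help the next reader.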
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 1e9f898e0..898a07a5f 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
@@ -26,6 +26,7 @@ nonewprivs | |||
26 | noroot | 26 | noroot |
27 | notv | 27 | notv |
28 | nou2f | 28 | nou2f |
29 | novideo | ||
29 | seccomp | 30 | seccomp |
30 | tracelog | 31 | tracelog |
31 | 32 | ||
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile new file mode 100644 index 000000000..e46fb3317 --- /dev/null +++ b/etc/i2prouter.profile | |||
@@ -0,0 +1,71 @@ | |||
1 | # Firejail profile for I2P | ||
2 | # Description: A distributed anonymous network | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include i2prouter.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Notice: default browser will not be able to automatically open, due to sandbox. | ||
10 | # Auto-opening default browser can be disabled in the I2P router console. | ||
11 | # This profile will not currently work with any Arch User Repository i2p packages, | ||
12 | # use the distro-independent official java installer instead | ||
13 | |||
14 | # Only needed if i2prouter binary is in home directory, java installer does this | ||
15 | ignore noexec ${HOME} | ||
16 | |||
17 | noblacklist ${HOME}/.config/i2p | ||
18 | noblacklist ${HOME}/.i2p | ||
19 | noblacklist ${HOME}/.local/share/i2p | ||
20 | noblacklist ${HOME}/i2p | ||
21 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this | ||
22 | noblacklist /usr/sbin | ||
23 | |||
24 | # Allow java (blacklisted by disable-devel.inc) | ||
25 | include allow-java.inc | ||
26 | |||
27 | include disable-common.inc | ||
28 | include disable-devel.inc | ||
29 | include disable-exec.inc | ||
30 | include disable-interpreters.inc | ||
31 | include disable-passwdmgr.inc | ||
32 | include disable-programs.inc | ||
33 | include disable-xdg.inc | ||
34 | |||
35 | mkdir ${HOME}/.config/i2p | ||
36 | mkdir ${HOME}/.i2p | ||
37 | mkdir ${HOME}/.local/share/i2p | ||
38 | mkdir ${HOME}/i2p | ||
39 | whitelist ${HOME}/.config/i2p | ||
40 | whitelist ${HOME}/.i2p | ||
41 | whitelist ${HOME}/.local/share/i2p | ||
42 | whitelist ${HOME}/i2p | ||
43 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this | ||
44 | whitelist /usr/sbin/wrapper* | ||
45 | |||
46 | include whitelist-common.inc | ||
47 | |||
48 | # May break I2P if wrapper is placed in the home directory | ||
49 | # If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ | ||
50 | #apparmor | ||
51 | caps.drop all | ||
52 | ipc-namespace | ||
53 | machine-id | ||
54 | netfilter | ||
55 | no3d | ||
56 | nodvd | ||
57 | nogroups | ||
58 | nonewprivs | ||
59 | nosound | ||
60 | notv | ||
61 | nou2f | ||
62 | novideo | ||
63 | protocol unix,inet,inet6 | ||
64 | seccomp | ||
65 | shell none | ||
66 | |||
67 | disable-mnt | ||
68 | private-cache | ||
69 | private-dev | ||
70 | private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl | ||
71 | private-tmp | ||
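Review bot: `ignore noexec ${HOME}` on line 15 is unconditional even though its own comment says it is only needed when the binary lives in the home directory, so every user loses noexec on $HOME by default. The gimp section of this commit documents the opposite convention (keep `ignore noexec ${HOME}` in the profile and tell users to restore `noexec ${HOME}` in the .local file); for a profile that already does `include i2prouter.local` on line 5, the safer default is to leave noexec in place and document `ignore noexec ${HOME}` as the .local override for home installs, assuming `ignore` applies to lines parsed after it. `private-etc ... java-8-openjdk` on line 70 pins a single JDK directory, so systems with another JDK silently lose its configuration; a comment naming the expected install, or a broader set of entries, is worth adding.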
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 4f3047e08..a7d0d531f 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
@@ -7,17 +7,15 @@ include globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.IdeaIC* | 8 | noblacklist ${HOME}/.IdeaIC* |
9 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.config/git | ||
11 | noblacklist ${HOME}/.gitconfig | ||
12 | noblacklist ${HOME}/.git-credentials | ||
13 | noblacklist ${HOME}/.gradle | ||
14 | noblacklist ${HOME}/.jack-server | 10 | noblacklist ${HOME}/.jack-server |
15 | noblacklist ${HOME}/.jack-settings | 11 | noblacklist ${HOME}/.jack-settings |
16 | noblacklist ${HOME}/.java | ||
17 | noblacklist ${HOME}/.local/share/JetBrains | 12 | noblacklist ${HOME}/.local/share/JetBrains |
18 | noblacklist ${HOME}/.ssh | 13 | noblacklist ${HOME}/.ssh |
19 | noblacklist ${HOME}/.tooling | 14 | noblacklist ${HOME}/.tooling |
20 | 15 | ||
16 | # Allows files commonly used by IDEs | ||
17 | include allow-common-devel.inc | ||
18 | |||
21 | include disable-common.inc | 19 | include disable-common.inc |
22 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 21 | include disable-programs.inc |
diff --git a/etc/itch.profile b/etc/itch.profile index c0b4fe6ce..b3c78c810 100644 --- a/etc/itch.profile +++ b/etc/itch.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | # itch.io has native firejail/sandboxing support bundled in | 8 | # itch.io has native firejail/sandboxing support bundled in |
9 | # See https://itch.io/docs/itch/using/sandbox/linux.html | 9 | # See https://itch.io/docs/itch/using/sandbox/linux.html |
10 | 10 | ||
11 | noblacklist ${HOME}/.itch | ||
11 | noblacklist ${HOME}/.config/itch | 12 | noblacklist ${HOME}/.config/itch |
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
@@ -16,7 +17,9 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
18 | 19 | ||
20 | mkdir ${HOME}/.itch | ||
19 | mkdir ${HOME}/.config/itch | 21 | mkdir ${HOME}/.config/itch |
22 | whitelist ${HOME}/.itch | ||
20 | whitelist ${HOME}/.config/itch | 23 | whitelist ${HOME}/.config/itch |
21 | include whitelist-common.inc | 24 | include whitelist-common.inc |
22 | 25 | ||
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile new file mode 100644 index 000000000..8b7b12882 --- /dev/null +++ b/etc/kiwix-desktop.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for kiwix-desktop | ||
2 | # Description: view/manage ZIM files | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include kiwix-desktop.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/kiwix | ||
10 | noblacklist ${HOME}/.local/share/kiwix-desktop | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.local/share/kiwix | ||
21 | mkdir ${HOME}/.local/share/kiwix-desktop | ||
22 | whitelist ${HOME}/.local/share/kiwix | ||
23 | whitelist ${HOME}/.local/share/kiwix-desktop | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | netfilter | ||
31 | # no3d | ||
32 | nodbus | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | # nosound | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6,netlink | ||
42 | seccomp !chroot | ||
43 | shell none | ||
44 | |||
45 | disable-mnt | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl | ||
49 | private-tmp | ||
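Review bot: `seccomp !chroot` on line 42 relaxes the default filter without saying what needs chroot, whereas the kmail section of this commit keeps a comment listing the calls it must allow; add e.g. `# chroot is needed by the embedded web view's sandbox` if that is the reason (it is the usual one for Qt WebEngine-based apps, but confirm). `# no3d` and `# nosound` on lines 31 and 37 are disabled with no rationale; a short note of the form `# no3d - breaks rendering` tells the next maintainer whether they were tried and failed or simply not tested.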
diff --git a/etc/kmail.profile b/etc/kmail.profile index 0b602c79a..198b05a11 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -51,7 +51,7 @@ nou2f | |||
51 | novideo | 51 | novideo |
52 | protocol unix,inet,inet6,netlink | 52 | protocol unix,inet,inet6,netlink |
53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls | 53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set |
55 | # tracelog | 55 | # tracelog |
56 | 56 | ||
57 | private-dev | 57 | private-dev |
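Review bot: `seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set` replaces an explicit seccomp.drop list with the default filter minus five calls, which is not a like-for-like change: anything the default filter blocks that the old list did not (the old list contained no @privileged group, for instance) is now denied for kmail, and anything the old list dropped that the default does not is now allowed. Confirm against the default list and say so in the comment, e.g. `# default seccomp filter minus chroot, io_getevents, ioprio_set, io_setup, io_submit`. The mpd section makes the same kind of change (`seccomp !ioprio_set` replacing a drop list that did include @privileged), and the palemoon section depends on the new form.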
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile index ee07636d3..d512dd100 100644 --- a/etc/kwin_x11.profile +++ b/etc/kwin_x11.profile | |||
@@ -5,6 +5,9 @@ include kwin_x11.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # fix automatical kwin_x11 sandboxing: | ||
9 | # echo KDEWM=kwin_x11 >> ~/.pam_environment | ||
10 | |||
8 | noblacklist ${HOME}/.cache/kwin | 11 | noblacklist ${HOME}/.cache/kwin |
9 | noblacklist ${HOME}/.config/kwinrc | 12 | noblacklist ${HOME}/.config/kwinrc |
10 | noblacklist ${HOME}/.config/kwinrulesrc | 13 | noblacklist ${HOME}/.config/kwinrulesrc |
diff --git a/etc/less.profile b/etc/less.profile index 0f31d344b..282b033a6 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -8,8 +8,6 @@ include less.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.lesshst | 10 | noblacklist ${HOME}/.lesshst |
11 | read-only ${HOME} | ||
12 | read-write ${HOME}/.lesshst | ||
13 | 11 | ||
14 | include disable-devel.inc | 12 | include disable-devel.inc |
15 | include disable-exec.inc | 13 | include disable-exec.inc |
@@ -45,3 +43,5 @@ private-dev | |||
45 | writable-var-log | 43 | writable-var-log |
46 | 44 | ||
47 | memory-deny-write-execute | 45 | memory-deny-write-execute |
46 | read-only ${HOME} | ||
47 | read-write ${HOME}/.lesshst | ||
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index b8a6201b2..aa113883e 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -34,6 +34,7 @@ nonewprivs | |||
34 | noroot | 34 | noroot |
35 | notv | 35 | notv |
36 | nou2f | 36 | nou2f |
37 | novideo | ||
37 | # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile | 38 | # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile |
38 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
39 | # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile | 40 | # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile |
diff --git a/etc/lrunzip.profile b/etc/lrunzip.profile index 72abec8bb..c010cbd96 100644 --- a/etc/lrunzip.profile +++ b/etc/lrunzip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrunzip | 1 | # Firejail profile for lrunzip |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrunzip.local | 6 | include lrunzip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrz.profile b/etc/lrz.profile index c1f928bde..8077be945 100644 --- a/etc/lrz.profile +++ b/etc/lrz.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrz | 1 | # Firejail profile for lrz |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrz.local | 6 | include lrz.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzcat.profile b/etc/lrzcat.profile index edcd7f8cd..d05ee7aae 100644 --- a/etc/lrzcat.profile +++ b/etc/lrzcat.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzcat | 1 | # Firejail profile for lrzcat |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzcat.local | 6 | include lrzcat.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzip.profile b/etc/lrzip.profile index a69096e28..3767767f6 100644 --- a/etc/lrzip.profile +++ b/etc/lrzip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzip | 1 | # Firejail profile for lrzip |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzip.local | 6 | include lrzip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrztar.profile b/etc/lrztar.profile index 54b04b4ec..673e9f62e 100644 --- a/etc/lrztar.profile +++ b/etc/lrztar.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrztar | 1 | # Firejail profile for lrztar |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrztar.local | 6 | include lrztar.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile index f21169b24..245d1c669 100644 --- a/etc/lrzuntar.profile +++ b/etc/lrzuntar.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzuntar | 1 | # Firejail profile for lrzuntar |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzuntar.local | 6 | include lrzuntar.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/mencoder.profile b/etc/mencoder.profile index 136412d11..aac394a59 100644 --- a/etc/mencoder.profile +++ b/etc/mencoder.profile | |||
@@ -25,4 +25,5 @@ shell none | |||
25 | 25 | ||
26 | private-bin mencoder | 26 | private-bin mencoder |
27 | 27 | ||
28 | # Redirect | ||
28 | include mplayer.profile | 29 | include mplayer.profile |
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 3b9807b28..20370a5b5 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
@@ -26,6 +26,7 @@ noroot | |||
26 | nosound | 26 | nosound |
27 | notv | 27 | notv |
28 | nou2f | 28 | nou2f |
29 | novideo | ||
29 | protocol unix | 30 | protocol unix |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
diff --git a/etc/mpd.profile b/etc/mpd.profile index 0b5ebf705..6c5963793 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -31,7 +31,7 @@ novideo | |||
31 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
32 | # blacklisting of ioprio_set system calls breaks auto-updating of | 32 | # blacklisting of ioprio_set system calls breaks auto-updating of |
33 | # MPD's database when files in music_directory are changed | 33 | # MPD's database when files in music_directory are changed |
34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 34 | seccomp !ioprio_set |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin bash,mpd | 37 | #private-bin bash,mpd |
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index 878a5f654..546755ecb 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -48,16 +48,22 @@ include whitelist-var-common.inc | |||
48 | apparmor | 48 | apparmor |
49 | caps.drop all | 49 | caps.drop all |
50 | netfilter | 50 | netfilter |
51 | nodbus | ||
52 | nodvd | ||
51 | # Seems to cause issues with Nvidia drivers sometimes | 53 | # Seems to cause issues with Nvidia drivers sometimes |
52 | nogroups | 54 | nogroups |
53 | nonewprivs | 55 | nonewprivs |
54 | noroot | 56 | noroot |
57 | notv | ||
58 | nou2f | ||
59 | novideo | ||
55 | protocol unix,inet,inet6 | 60 | protocol unix,inet,inet6 |
56 | seccomp | 61 | seccomp |
57 | shell none | 62 | shell none |
58 | tracelog | 63 | tracelog |
59 | 64 | ||
60 | private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl | 65 | private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl |
66 | #private-cache | ||
61 | private-dev | 67 | private-dev |
62 | private-tmp | 68 | private-tmp |
63 | 69 | ||
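Review bot: `#private-cache` on the new line 66 is a disabled directive with no reason given, unlike the `#tracelog -- breaks` style used in the ghostwriter section; either state what it breaks (`#private-cache - breaks youtube-dl cache`, if that is the case — confirm) or leave it out. The added nodbus, nodvd, notv, nou2f and novideo lines are consistent with the other sections of this commit.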
diff --git a/etc/mpv.profile b/etc/mpv.profile index d8163d20a..289a3cd5d 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -16,6 +16,7 @@ include allow-python2.inc | |||
16 | include allow-python3.inc | 16 | include allow-python3.inc |
17 | 17 | ||
18 | noblacklist ${MUSIC} | 18 | noblacklist ${MUSIC} |
19 | noblacklist ${PICTURES} | ||
19 | noblacklist ${VIDEOS} | 20 | noblacklist ${VIDEOS} |
20 | 21 | ||
21 | include disable-common.inc | 22 | include disable-common.inc |
diff --git a/etc/mutt.profile b/etc/mutt.profile index c424dbb85..92babd50f 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -17,7 +17,6 @@ noblacklist ${HOME}/.emacs | |||
17 | noblacklist ${HOME}/.emacs.d | 17 | noblacklist ${HOME}/.emacs.d |
18 | noblacklist ${HOME}/.gnupg | 18 | noblacklist ${HOME}/.gnupg |
19 | noblacklist ${HOME}/.mail | 19 | noblacklist ${HOME}/.mail |
20 | noblacklist ${HOME}/.mailcap | ||
21 | noblacklist ${HOME}/.msmtprc | 20 | noblacklist ${HOME}/.msmtprc |
22 | noblacklist ${HOME}/.mutt | 21 | noblacklist ${HOME}/.mutt |
23 | noblacklist ${HOME}/.muttrc | 22 | noblacklist ${HOME}/.muttrc |
diff --git a/etc/nano.profile b/etc/nano.profile index 30a6e03e7..9965d8a6b 100644 --- a/etc/nano.profile +++ b/etc/nano.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for nano | 1 | # Firejail profile for nano |
2 | # Description: nano is an easy text editor for the terminal | 2 | # Description: nano is an easy text editor for the terminal |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include nano.local | 6 | include nano.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile index e1294153b..079f44ee7 100644 --- a/etc/nethack-vultures.profile +++ b/etc/nethack-vultures.profile | |||
@@ -7,7 +7,6 @@ include nethack.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.vultures | 9 | noblacklist ${HOME}/.vultures |
10 | noblacklist /var/log | ||
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
13 | include disable-devel.inc | 12 | include disable-devel.inc |
diff --git a/etc/okular.profile b/etc/okular.profile index 99357934d..56fd21fc8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | 49 | ||
50 | private-bin kbuildsycoca4,kdeinit4,lpr,okular | 50 | private-bin kbuildsycoca4,kdeinit4,lpr,okular |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | 52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg |
53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
54 | 54 | ||
55 | # memory-deny-write-execute | 55 | # memory-deny-write-execute |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index d80b3d351..5925ccc09 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | ||
30 | protocol unix,netlink | 31 | protocol unix,netlink |
31 | seccomp | 32 | seccomp |
32 | shell none | 33 | shell none |
diff --git a/etc/p7zip.profile b/etc/p7zip.profile index 644292f2b..7e0069afc 100644 --- a/etc/p7zip.profile +++ b/etc/p7zip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for p7zip | 1 | # Firejail profile for p7zip |
2 | # Description: 7zr file archiver with high compression ratio | 2 | # Description: 7zr file archiver with high compression ratio |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include p7zip.local | 6 | include p7zip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 11464e6cf..acb2ce176 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon | |||
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | 15 | ||
16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) | 16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | ignore seccomp.drop | ||
18 | seccomp | 17 | seccomp |
18 | ignore seccomp | ||
19 | 19 | ||
20 | #private-bin palemoon | 20 | #private-bin palemoon |
21 | # private-etc must first be enabled in firefox-common.profile | 21 | # private-etc must first be enabled in firefox-common.profile |
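Review bot: The new order `seccomp` followed by `ignore seccomp` reads as if the profile ignores the filter it has just enabled; it only does what the comment intends if `ignore` applies to lines parsed after it (the restricted `seccomp !...` line presumably now in firefox-common.profile) and if that argument form is matched. Extend the existing comment to say so, e.g. `# enable the full filter here, then ignore the restricted seccomp line from firefox-common.profile`. Worth a quick check that the filter is really active in the sandbox (the Seccomp field of the process status), since a mismatch would silently leave palemoon with no seccomp filter at all.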
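--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include pdftotext.local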
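--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations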
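--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none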
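--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -6,11 +6,11 @@ include pluma.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/pluma
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -42,7 +42,7 @@ tracelog
 
 private-bin pluma
 private-dev
-private-lib pluma
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 memory-deny-write-execute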
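Review bot: The expanded `private-lib` line in the second hunk adds libreadline and libtinfo without saying which pluma feature needs them, so the next maintainer has no way to tell whether trimming the list is safe; presumably a plugin with an interactive console (to confirm). A one-line comment above it would settle that, e.g. `# libreadline/libtinfo: needed by the python console plugin`. In the first hunk, `include allow-common-devel.inc` replaces four explicit python-history entries with a shared include that likely un-blacklists more than those four paths; that widening is worth a mention in the commit message.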
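--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/ppsspp
 noblacklist ${DOCUMENTS}
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc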
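Review bot: Dropping `noblacklist /usr/lib/llvm*` here (and likewise in qutebrowser, scallion and steam) is only safe if that path is no longer blacklisted by the disable-*.inc files these profiles include, which this diff does not show. The removed comment says the mesa drivers need it, so a regression would surface as broken 3D rendering inside the sandbox rather than as a clean error. If the blacklist entry was removed from the include files in this same change, saying so in the commit message lets reviewers verify it; if not, these lines should stay.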
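--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -6,14 +6,13 @@ include pycharm-community.local
 include globals.local
 
 noblacklist ${HOME}/.PyCharmCE*
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-passwdmgr.inc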
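--- /dev/null
+++ b/etc/pzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile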
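--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
 # This file is overwritten after every install/update
 # Persistent local customizations
 include qemu-system-x86_64.local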
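--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog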
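--- a/etc/qt-faststart.profile
+++ b/etc/qt-faststart.profile
@@ -1,6 +1,7 @@
 # Firejail profile for qt-faststart
 # Description: FFmpeg-based media utility
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include qt-faststart.local
 # Persistent global definitions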
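--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include qupzilla.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/qupzilla
 noblacklist ${HOME}/.config/qupzilla
@@ -17,26 +18,10 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
-include whitelist-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks qupzilla
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-# tracelog
-
-private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 
+# Redirect
+include falkon.profile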
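Review bot: The retained comment `# private-tmp - interferes with the opening of downloaded files` no longer disables anything once the profile is a redirect: if falkon.profile sets `private-tmp`, qupzilla now inherits it, since a comment cannot suppress a directive from an included file. If the restriction must stay off, add `ignore private-tmp` above the `include falkon.profile` line; otherwise reword the comment so it does not read as a disabled option. The same assumption applies to the removed `whitelist ${DOWNLOADS}` and whitelist-*.inc lines, which are now expected to come from falkon.profile.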
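--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -38,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog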
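--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-ignore seccomp
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 # Redirect
 include riot-web.profile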
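Review bot: Removing `ignore seccomp` together with the seccomp.drop line means riot-web.profile's own seccomp directive is no longer suppressed, and whether a later plain `seccomp` from the include replaces or coexists with the `seccomp !chroot` set here is not visible in this diff. The old file guarded against exactly that, so the change is only safe if riot-web.profile was updated to carry the same chroot exception or has no seccomp line of its own; please confirm and state it in a comment, e.g. `# seccomp exception must match riot-web.profile`, so the two files are not tightened independently.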
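--- a/etc/rnano.profile
+++ b/etc/rnano.profile
@@ -1,6 +1,7 @@
 # Firejail profile for rnano
 # Description: A restricted nano
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include rnano.local
 # Persistent global definitions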
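--- /dev/null
+++ b/etc/rsync-download_only.profile
@@ -0,0 +1,55 @@
+# Firejail profile for rsync
+# Description: a fast, versatile, remote (and local) file-copying tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rsync.local
+# Persistent global definitions
+include globals.local
+
+# Warning: This profile is writte to use rsync as an client for downloading,
+# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
+
+# Usage: firejail --profile=rsync-download_only rsync
+
+blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Uncomment or add to rsync.local to enable extra hardening
+#whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin rsync
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+memory-deny-write-execute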
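Review bot: The warning comment on lines 10-11 of the new file has several typos (`writte`, `writen`, `an client`, `an daemon`); suggested wording: `# Warning: this profile is written to use rsync as a client for downloading; it is not written for running rsync as a daemon (rsync --daemon) or for creating backups.` The file includes `rsync.local` rather than a `rsync-download_only.local`, so local overrides are shared with the regular rsync profile; if that is intended, the comment on line 25 should say so. With `private-bin rsync` the sandbox's bin directory presumably contains only rsync, so the ssh transport used for `host:path` sources would be unavailable (to confirm); the usage comment should then state that this profile covers `rsync://` daemon downloads only, or ssh should be added to `private-bin`.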
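--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -7,7 +7,6 @@ include scallion.local
 include globals.local
 
 noblacklist ${PATH}/llvm*
-noblacklist /usr/lib/llvm*
 noblacklist ${PATH}/openssl
 noblacklist ${PATH}/openssl-1.0
 noblacklist ${DOCUMENTS}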
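--- a/etc/scp.profile
+++ b/etc/scp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for scp
 # Description: Secure shell copy
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include scp.local
 # Persistent global definitions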
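--- a/etc/seahorse-daemon.profile
+++ b/etc/seahorse-daemon.profile
@@ -1,6 +1,7 @@
 # Firejail profile for seahorse-daemon
 # Description: PGP encryption and signing
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include seahorse-daemon.local
 # Persistent global definitions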
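--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,8 +7,6 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-noblacklist ${DOWNLOADS}
-
 private-tmp
 
 memory-deny-write-execute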
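--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -8,7 +8,6 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 
-noblacklist ${HOME}/.config/dconf
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*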
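--- a/etc/sftp.profile
+++ b/etc/sftp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for sftp
 # Description: Secure file transport protocol
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include sftp.local
 # Persistent global definitions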
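--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -1,4 +1,5 @@
 # Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include shotcut.local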
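--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
 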
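--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none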
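--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 
 # private-bin kbuildsycoca4,kdeinit4,skanlite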
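--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt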
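Review bot: `seccomp` to `seccomp !chroot` loosens the filter by re-allowing the chroot syscall, and unlike the qutebrowser and simple-scan hunks in this same change there is no comment saying why; the teamspeak3 hunk has the same gap. Without a reason on record the exception looks like an oversight and is likely to be tightened back by a later cleanup. Add the reason above the line, e.g. `# blacklisting of chroot system calls breaks skypeforlinux`.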
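--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 private-tmp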
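--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -42,4 +42,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)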
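--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none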
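--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -30,6 +30,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none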
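--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 disable-mnt
 private-dev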
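--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -6,8 +6,7 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-*
-noblacklist ${HOME}/.tor-browser_*
+noblacklist ${HOME}/.tor-browser*
 
 whitelist ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ca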
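--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog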
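--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -19,8 +19,6 @@ noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 noblacklist /usr/sbin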
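--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,4 +1,5 @@
 # Firejail profile for strings
+# Description: print the strings of printable characters in files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -43,3 +44,4 @@ private-lib libfakeroot
 private-tmp
 
 memory-deny-write-execute
+read-only ${HOME}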
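--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none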
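--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for supertux2
+# Description: Jump'n run like game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include supertux2.local
@@ -27,6 +28,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none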
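--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none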
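--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb
 
-x11 xorg
+private-bin tb-starter-wrapper
 
 # Redirect
 include torbrowser-launcher.profile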
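Review bot: Replacing `x11 xorg` with `private-bin tb-starter-wrapper` changes two unrelated things on one line: the X11 sandboxing mode this wrapper previously forced is now whatever torbrowser-launcher.profile sets, and a private-bin list is now declared ahead of the redirect. Neither is explained; if `x11 xorg` was dropped because the included profile already sets it, a comment such as `# x11 mode comes from torbrowser-launcher.profile` would make that explicit. Whether a private-bin list given here is merged with one in the included profile or replaced by it should be confirmed against the firejail parser, since the wrapper binary must remain in the list for the profile to work.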
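--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt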
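--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc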
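--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
 
+Definition of groups
+--------------------
+
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 
 @default-keep=execve,prctl
 
+Inheritance of groups
+---------------------
 
 +---------+----------------+---------------+
 | @clock | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
 
+common used seccomp.drop lines
+------------------------------
 
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161 - chroot
+```
+
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+
+see also
+--------
+
+- contrib/syscalls.sh
+- https://firejail.wordpress.com/documentation-2/seccomp-guide/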
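--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile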
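--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,13 +42,13 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp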
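--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -7,37 +7,8 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-cli
-private-dev
+private-bin transmission-cli
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile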
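Review bot: The redirect at the new line 14 changes this tool's effective policy, not only its layout: the removed lines had `protocol inet,inet6` and no whitelist, whereas etc/transmission-common.profile (added in this commit) carries `protocol unix,inet,inet6`, `whitelist ${DOWNLOADS}` and the transmission cache/config whitelists. For a non-GUI client that means the home directory is now restricted to the whitelisted paths, so invoking `transmission-cli` on a .torrent file outside ${DOWNLOADS} would presumably fail to read it; worth confirming before merging. The same shift applies to transmission-create, transmission-edit, transmission-remote and transmission-show, which all now redirect to the common profile. If intended, a comment in the redirecting profiles such as `# whitelist and protocol are inherited from transmission-common.profile` would make the inheritance explicit.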
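--- /dev/null
+++ b/etc/transmission-common.profile
@@ -0,0 +1,46 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+private-lib
+private-tmp
+
+memory-deny-write-execute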
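--- a/etc/transmission-create.profile
+++ b/etc/transmission-create.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-create
 # Description: CLI utility to create BitTorrent .torrent files
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-create.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+private-bin transmission-create
 
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile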
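--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,38 +7,16 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
+whitelist /var/lib/transmission
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-daemon
-private-dev
+private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
 
-memory-deny-write-execute
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+
+# Redirect
+include transmission-common.profile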
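Review bot: `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` at the new line 12 is followed by `include transmission-common.profile` at line 22, and that common profile sets `caps.drop all`, `noroot` and `nonewprivs`; if the parser lets the later `caps.drop all` take precedence over an earlier `caps.keep` (it appears to, but confirm against the profile parser), the keep list is silently ineffective and the daemon loses the capabilities it was just granted. The sibling transmission-gtk and transmission-qt profiles in this commit already neutralise inherited directives with `ignore private-lib` / `ignore memory-deny-write-execute`; the same idiom here, `ignore caps.drop all` placed before the redirect, would make the precedence explicit. Whether `noroot` and `nonewprivs` are compatible with a daemon that expects setuid/setgid should be checked at the same time.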
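--- a/etc/transmission-edit.profile
+++ b/etc/transmission-edit.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-edit
 # Description: CLI utility to modify BitTorrent .torrent files' announce URLs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-edit.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+private-bin transmission-edit
 
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile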
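--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,50 +1,15 @@
 # Firejail profile for transmission-gtk
 # Description: Fast, easy and free BitTorrent client (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
 private-bin transmission-gtk
-private-dev
-private-lib
-private-tmp
 
-# Causes freeze during opening file dialog in Archlinux, see issue #1855
-# memory-deny-write-execute
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile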
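Review bot: Replacing the commented-out directive at old lines 49-50 with `ignore memory-deny-write-execute` at the new line 12 drops the recorded reason, so a future reader cannot tell whether the exception can be lifted; keep `# Causes freeze during opening file dialog in Archlinux, see issue #1855` above the `ignore` line. etc/transmission-qt.profile in this commit has the same loss: the `# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0` note is removed while its new `ignore memory-deny-write-execute` carries no rationale, unlike the `ignore private-lib` line right above it which does.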
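--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,49 +1,18 @@
 # Firejail profile for transmission-qt
 # Description: Fast, easy and free BitTorrent client (Qt GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
+private-bin transmission-qt
 
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
+# private-lib - breaks on Arch
+ignore private-lib
 
-private-bin transmission-qt
-private-dev
-# private-lib - problems on Arch
-private-tmp
+ignore memory-deny-write-execute
 
-# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
+# Redirect
+include transmission-common.profile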
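--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -1,25 +1,17 @@
 # Firejail profile for transmission-remote-cli
 # Description: A remote control utility for transmission-daemon (CLI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-cli.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-# private-bin python*
-private-etc fonts
+private-bin python*,transmission-remote-cli
 
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile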
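--- a/etc/transmission-remote-gtk.profile
+++ b/etc/transmission-remote-gtk.profile
@@ -1,20 +1,22 @@
 # Firejail profile for transmission-remote-gtk
 # Description: A remote control utility for transmission-daemon (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-gtk.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
+noblacklist ${HOME}/.config/transmission-remote-gtk
 
-private-etc fonts
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+
+ignore memory-deny-write-execute
 
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile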
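--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -7,37 +7,8 @@ include transmission-remote.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-remote
-private-dev
+private-bin transmission-remote
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile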
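--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,41 +1,14 @@
 # Firejail profile for transmission-show
 # Description: CLI utility to show BitTorrent .torrent file metadata
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-show.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-private-dev
+private-bin transmission-show
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile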
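--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none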
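--- /dev/null
+++ b/etc/unzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile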
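--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -6,14 +6,13 @@ include vim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc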
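--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -26,7 +26,7 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep net_raw,sys_admin,sys_nice
 netfilter
 nodvd
 notv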
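Review bot: `caps.keep net_raw,sys_admin,sys_nice` at line 29 replaces `caps.drop all`, and CAP_SYS_ADMIN in particular covers mount and a wide range of other privileged operations, so the capability bounding set no longer constrains this profile much. The hunk gives no reason; a comment naming which VirtualBox operation needs each capability, e.g. `# sys_admin: required for <operation - confirm>`, would document the trade-off and let the list be narrowed later. The rest of the profile (whether `nonewprivs` or `noroot` is set) is outside the hunk, so how much the kept capabilities are still bounded cannot be judged from here.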
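--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none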
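--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -7,14 +7,13 @@ include globals.local
 
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 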
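Review bot: The four git-related `noblacklist` lines removed at old lines 10-13, including `${HOME}/.git-credentials`, are presumably now provided by allow-common-devel.inc, which is outside this diff, so whether this profile still reaches the same paths cannot be verified here. Because that include is shared (vim.profile and the profile template pick it up in the same commit), whether plaintext git credentials should be reachable from every profile that pulls it in is a policy choice better settled in the include file than inherited silently. A comment above `include allow-common-devel.inc` listing what it restores for this profile (git config, gradle, …) would keep the dependency visible.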
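--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 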
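--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp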
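Review bot: `private-etc fonts,machine-id` at line 44 exposes no `ca-certificates`, `ssl`, `resolv.conf`, `hosts` or `nsswitch.conf`, yet the profile grants `protocol unix,inet,inet6` to a client that talks to Mastodon/Pleroma servers over HTTPS; unless this Electron build carries its own root store and resolver, TLS verification and name resolution would presumably fail inside the sandbox. Compare the network-using profiles in the same commit, e.g. `private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl` in etc/transmission-cli.profile. If the short list is deliberate because the application was tested this way, a comment saying so would save the next reader the same question.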
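--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -1,7 +1,7 @@
 # Firejail profile for whois
 # Description: Intelligent WHOIS client
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include whois.local
 # Persistent global definitions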
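--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.wine
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc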
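--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,7 +9,6 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc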
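--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -6,7 +6,6 @@ include xmr-stak.local
 include globals.local
 
 noblacklist ${HOME}/.xmr-stak
-noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc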
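--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xpra
 # Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xpra.local
 # Persistent global definitions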
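--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,6 +19,8 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc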
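Review bot: `blacklist /tmp/.X11-unix` on new line 22 hides only the filesystem socket directory; the sandbox presumably still sees `${HOME}/.Xauthority` and `DISPLAY`, and if the rest of this profile (not visible in the hunk) does not set up a network namespace, the X server's abstract-namespace socket is likely still reachable, so the cut-off from X is partial. If the intent is that youtube-dl never talks to X, the directive `x11 none` states that directly — it blacklists the socket directory and .Xauthority and unsets DISPLAY, the form the new zstd profile in this commit uses. If the plain blacklist was chosen deliberately, a one-line comment above it, e.g. `# only hide the X socket; <reason the full x11 none is not wanted>`, would keep the next reader from changing it.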
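--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none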
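--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for zpaq
 # Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include zpaq.local
 # Persistent global definitions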
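--- /dev/null
+++ b/etc/zstd.profile
@@ -0,0 +1,42 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+memory-deny-write-execute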
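Review bot: `#noroot` on line 28 is the only hardening directive in this new profile that is left disabled, and nothing says why, so it reads as an oversight rather than a decision. If the user namespace is known to break zstd in some setup, record that next to it, e.g. `#noroot - TODO: confirm which setup this breaks`; otherwise enable it as the sibling archiver profiles do. The profile also has no `private-bin`, so every executable on the system stays visible inside the jail; `private-bin zstd,zstdcat,zstdgrep,zstdless,zstdmt` would match the alias profiles added in this commit, though the grep/less wrappers presumably need their helper binaries added too, which should be checked before narrowing.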
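--- /dev/null
+++ b/etc/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile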
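--- /dev/null
+++ b/etc/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile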
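--- /dev/null
+++ b/etc/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile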
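--- /dev/null
+++ b/etc/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile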
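--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp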
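Review bot: `private-etc asound.conf,fonts,machine-id` on line 46 leaves out everything a networked client normally reads from /etc — the CA trust store, `resolv.conf`, `hosts`, `nsswitch.conf` — so although `protocol unix,inet,inet6` and `netfilter` open the network, the app presumably cannot resolve names or validate TLS unless it bundles its own resolver and certificates; this should be confirmed before the profile ships, and the list widened if not. `ignore noexec /tmp` on line 9 re-enables execution from /tmp, undoing part of `disable-exec.inc`, and carries no comment on why that is needed; a line such as `# <component> needs an executable /tmp - TODO confirm` would document the trade-off for whoever later tightens the profile.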