aboutsummaryrefslogtreecommitdiffstats
path: root/etc
diff options
context:
space:
mode:
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/disable-common.inc1
-rw-r--r--etc/inc/disable-programs.inc10
-rw-r--r--etc/profile-a-l/clamtk.profile16
-rw-r--r--etc/profile-a-l/discord.profile1
-rw-r--r--etc/profile-a-l/freshclam.profile2
-rw-r--r--etc/profile-m-z/nodejs-common.profile5
-rw-r--r--etc/profile-m-z/pnpm.profile11
-rw-r--r--etc/profile-m-z/pnpx.profile11
-rw-r--r--etc/profile-m-z/steam.profile2
-rw-r--r--etc/profile-m-z/tesseract.profile1
-rw-r--r--etc/profile-m-z/tiny-rdm.profile61
11 files changed, 108 insertions, 13 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 264fc29b2..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
192blacklist ${HOME}/VirtualBox VMs 192blacklist ${HOME}/VirtualBox VMs
193 193
194# GNOME Boxes 194# GNOME Boxes
195blacklist ${HOME}/.cache/gnome-boxes
195blacklist ${HOME}/.config/gnome-boxes 196blacklist ${HOME}/.config/gnome-boxes
196blacklist ${HOME}/.local/share/gnome-boxes 197blacklist ${HOME}/.local/share/gnome-boxes
197 198
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e013872df..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
22blacklist ${HOME}/.TelegramDesktop 22blacklist ${HOME}/.TelegramDesktop
23blacklist ${HOME}/.VSCodium 23blacklist ${HOME}/.VSCodium
24blacklist ${HOME}/.ViberPC 24blacklist ${HOME}/.ViberPC
25blacklist ${HOME}/.VirtualBox
26blacklist ${HOME}/.WebStorm* 25blacklist ${HOME}/.WebStorm*
27blacklist ${HOME}/.Wolfram Research 26blacklist ${HOME}/.Wolfram Research
28blacklist ${HOME}/.ZAP 27blacklist ${HOME}/.ZAP
@@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
125blacklist ${HOME}/.cache/gegl-0.4 124blacklist ${HOME}/.cache/gegl-0.4
126blacklist ${HOME}/.cache/gfeeds 125blacklist ${HOME}/.cache/gfeeds
127blacklist ${HOME}/.cache/gimp 126blacklist ${HOME}/.cache/gimp
128blacklist ${HOME}/.cache/gnome-boxes
129blacklist ${HOME}/.cache/gnome-builder 127blacklist ${HOME}/.cache/gnome-builder
130blacklist ${HOME}/.cache/gnome-control-center 128blacklist ${HOME}/.cache/gnome-control-center
131blacklist ${HOME}/.cache/gnome-recipes 129blacklist ${HOME}/.cache/gnome-recipes
@@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
223blacklist ${HOME}/.cache/systemsettings 221blacklist ${HOME}/.cache/systemsettings
224blacklist ${HOME}/.cache/telepathy 222blacklist ${HOME}/.cache/telepathy
225blacklist ${HOME}/.cache/thunderbird 223blacklist ${HOME}/.cache/thunderbird
224blacklist ${HOME}/.cache/tiny-rdm
226blacklist ${HOME}/.cache/torbrowser 225blacklist ${HOME}/.cache/torbrowser
227blacklist ${HOME}/.cache/transmission 226blacklist ${HOME}/.cache/transmission
228blacklist ${HOME}/.cache/ueberzugpp 227blacklist ${HOME}/.cache/ueberzugpp
@@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack
347blacklist ${HOME}/.config/Standard Notes 346blacklist ${HOME}/.config/Standard Notes
348blacklist ${HOME}/.config/SubDownloader 347blacklist ${HOME}/.config/SubDownloader
349blacklist ${HOME}/.config/Thunar 348blacklist ${HOME}/.config/Thunar
349blacklist ${HOME}/.config/TinyRDM
350blacklist ${HOME}/.config/Twitch 350blacklist ${HOME}/.config/Twitch
351blacklist ${HOME}/.config/Unknown Organization 351blacklist ${HOME}/.config/Unknown Organization
352blacklist ${HOME}/.config/VSCodium 352blacklist ${HOME}/.config/VSCodium
353blacklist ${HOME}/.config/VirtualBox
354blacklist ${HOME}/.config/Whalebird 353blacklist ${HOME}/.config/Whalebird
355blacklist ${HOME}/.config/Wire 354blacklist ${HOME}/.config/Wire
356blacklist ${HOME}/.config/Youtube 355blacklist ${HOME}/.config/Youtube
@@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2
559blacklist ${HOME}/.config/mpd 558blacklist ${HOME}/.config/mpd
560blacklist ${HOME}/.config/mps-youtube 559blacklist ${HOME}/.config/mps-youtube
561blacklist ${HOME}/.config/mpv 560blacklist ${HOME}/.config/mpv
562blacklist ${HOME}/.config/msmtp
563blacklist ${HOME}/.config/mullvad-browser-flags.conf 561blacklist ${HOME}/.config/mullvad-browser-flags.conf
564blacklist ${HOME}/.config/mupen64plus 562blacklist ${HOME}/.config/mupen64plus
565blacklist ${HOME}/.config/mutt 563blacklist ${HOME}/.config/mutt
@@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
939blacklist ${HOME}/.local/share/ghostwriter 937blacklist ${HOME}/.local/share/ghostwriter
940blacklist ${HOME}/.local/share/gitg 938blacklist ${HOME}/.local/share/gitg
941blacklist ${HOME}/.local/share/gnome-2048 939blacklist ${HOME}/.local/share/gnome-2048
942blacklist ${HOME}/.local/share/gnome-boxes
943blacklist ${HOME}/.local/share/gnome-builder 940blacklist ${HOME}/.local/share/gnome-builder
944blacklist ${HOME}/.local/share/gnome-chess 941blacklist ${HOME}/.local/share/gnome-chess
945blacklist ${HOME}/.local/share/gnome-klotski 942blacklist ${HOME}/.local/share/gnome-klotski
@@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
1019blacklist ${HOME}/.local/share/org.kde.gwenview 1016blacklist ${HOME}/.local/share/org.kde.gwenview
1020blacklist ${HOME}/.local/share/pix 1017blacklist ${HOME}/.local/share/pix
1021blacklist ${HOME}/.local/share/plasma_notes 1018blacklist ${HOME}/.local/share/plasma_notes
1019blacklist ${HOME}/.local/share/pnpm
1022blacklist ${HOME}/.local/share/profanity 1020blacklist ${HOME}/.local/share/profanity
1023blacklist ${HOME}/.local/share/psi 1021blacklist ${HOME}/.local/share/psi
1024blacklist ${HOME}/.local/share/psi+ 1022blacklist ${HOME}/.local/share/psi+
@@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
1084blacklist ${HOME}/.mpd 1082blacklist ${HOME}/.mpd
1085blacklist ${HOME}/.mpdconf 1083blacklist ${HOME}/.mpdconf
1086blacklist ${HOME}/.mplayer 1084blacklist ${HOME}/.mplayer
1087blacklist ${HOME}/.msmtprc
1088blacklist ${HOME}/.mullvad/mullvadbrowser 1085blacklist ${HOME}/.mullvad/mullvadbrowser
1089blacklist ${HOME}/.multimc5 1086blacklist ${HOME}/.multimc5
1090blacklist ${HOME}/.nanorc 1087blacklist ${HOME}/.nanorc
@@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox*
1233blacklist ${RUNUSER}/akonadi 1230blacklist ${RUNUSER}/akonadi
1234blacklist ${RUNUSER}/psd/*firefox* 1231blacklist ${RUNUSER}/psd/*firefox*
1235blacklist ${RUNUSER}/qutebrowser 1232blacklist ${RUNUSER}/qutebrowser
1236blacklist /etc/msmtprc
1237blacklist /etc/ssmtp 1233blacklist /etc/ssmtp
1238blacklist /tmp/.wine-* 1234blacklist /tmp/.wine-*
1239blacklist /tmp/akonadi-* 1235blacklist /tmp/akonadi-*
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
1# Firejail profile for clamtk 1# Firejail profile for clamtk
2# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include clamtk.local 5include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
7 8
8include disable-exec.inc 9include disable-exec.inc
9 10
11# Add the below lines to your clamtk.local if you update signatures databases per-user:
12#ignore net none
13#netfilter
14#protocol inet,inet6
15
10caps.drop all 16caps.drop all
11ipc-namespace 17ipc-namespace
12net none 18net none
13no3d 19no3d
14nodvd 20nodvd
15nogroups 21# nogroups breaks scanning
22#nogroups
16noinput 23noinput
17nonewprivs 24nonewprivs
18noroot 25# noroot breaks scanning
26#noroot
19nosound 27nosound
20notv 28notv
21nou2f 29nou2f
@@ -25,7 +33,9 @@ seccomp
25 33
26private-dev 34private-dev
27 35
28dbus-user none 36dbus-user filter
37dbus-user.talk ca.desrt.dconf
38dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
29dbus-system none 39dbus-system none
30 40
31restrict-namespaces 41restrict-namespaces
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index a4fcae5b8..6e7d8f91d 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -11,6 +11,7 @@ mkdir ${HOME}/.config/discord
11whitelist ${HOME}/.config/discord 11whitelist ${HOME}/.config/discord
12whitelist /opt/Discord 12whitelist /opt/Discord
13whitelist /opt/discord 13whitelist /opt/discord
14whitelist /usr/share/discord
14 15
15private-bin discord,Discord 16private-bin discord,Discord
16 17
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 133d66f0d..f59094567 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3quiet 3quiet
4# Persistent local customizations 4# Persistent local customizations
5include clamav.local 5include freshclam.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
7# added by caller profile 7# added by caller profile
8#include globals.local 8#include globals.local
9 9
10# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts 10# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
11# using the `#!/usr/bin/env node` shebang. By sandboxing node the full 11# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
12# node.js stack will be firejailed. The only exception is nvm, which is implemented 12# node.js stack will be firejailed. The only exception is nvm, which is implemented
13# as a sourced shell function, not an executable binary. Hence it is not 13# as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
22ignore read-only ${HOME}/.nvm 22ignore read-only ${HOME}/.nvm
23ignore read-only ${HOME}/.yarnrc 23ignore read-only ${HOME}/.yarnrc
24 24
25noblacklist ${HOME}/.local/share/pnpm
25noblacklist ${HOME}/.node-gyp 26noblacklist ${HOME}/.node-gyp
26noblacklist ${HOME}/.npm 27noblacklist ${HOME}/.npm
27noblacklist ${HOME}/.npmrc 28noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
43 44
44# If you want whitelisting, change ${HOME}/Projects below to your node projects directory 45# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
45# and add the next lines to your nodejs-common.local. 46# and add the next lines to your nodejs-common.local.
47#mkdir ${HOME}/.local/share/pnpm
46#mkdir ${HOME}/.node-gyp 48#mkdir ${HOME}/.node-gyp
47#mkdir ${HOME}/.npm 49#mkdir ${HOME}/.npm
48#mkdir ${HOME}/.npm-packages 50#mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
52#mkdir ${HOME}/.yarn-config 54#mkdir ${HOME}/.yarn-config
53#mkdir ${HOME}/.yarncache 55#mkdir ${HOME}/.yarncache
54#mkfile ${HOME}/.yarnrc 56#mkfile ${HOME}/.yarnrc
57#whitelist ${HOME}/.local/share/pnpm
55#whitelist ${HOME}/.node-gyp 58#whitelist ${HOME}/.node-gyp
56#whitelist ${HOME}/.npm 59#whitelist ${HOME}/.npm
57#whitelist ${HOME}/.npm-packages 60#whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
1# Firejail profile for pnpm
2# Description: Fast, disk space efficient package manager
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include pnpm.local
7# Persistent global definitions
8include globals.local
9
10# Redirect
11include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
1# Firejail profile for pnpx
2# Description: Part of the Node.js stack
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include pnpx.local
7# Persistent global definitions
8include globals.local
9
10# Redirect
11include nodejs-common.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 34cb3631a..41de746dd 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink
163# Add 'ignore seccomp' to your steam.local if you experience this. 163# Add 'ignore seccomp' to your steam.local if you experience this.
164# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 164# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
165# (see #4366). 165# (see #4366).
166seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 166seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
167# process_vm_readv is used by GE-Proton7-18 (see #5185). 167# process_vm_readv is used by GE-Proton7-18 (see #5185).
168seccomp.32 !process_vm_readv 168seccomp.32 !process_vm_readv
169# tracelog breaks integrated browser 169# tracelog breaks integrated browser
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
26include whitelist-run-common.inc 26include whitelist-run-common.inc
27include whitelist-runuser-common.inc 27include whitelist-runuser-common.inc
28whitelist /usr/share/tessdata 28whitelist /usr/share/tessdata
29whitelist /usr/share/tesseract-ocr
29include whitelist-usr-share-common.inc 30include whitelist-usr-share-common.inc
30include whitelist-var-common.inc 31include whitelist-var-common.inc
31 32
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
1# Firejail profile for tiny-rdm
2# Description: A Modern Redis GUI Client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include tiny-rdm.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/tiny-rdm
10noblacklist ${HOME}/.config/TinyRDM
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-programs.inc
17include disable-proc.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.cache/tiny-rdm
22mkdir ${HOME}/.config/TinyRDM
23whitelist ${HOME}/.cache/tiny-rdm
24whitelist ${HOME}/.config/TinyRDM
25include whitelist-common.inc
26include whitelist-run-common.inc
27include whitelist-runuser-common.inc
28include whitelist-usr-share-common.inc
29include whitelist-var-common.inc
30
31apparmor
32caps.drop all
33ipc-namespace
34netfilter
35no3d
36nodvd
37nogroups
38noinput
39nonewprivs
40noprinters
41noroot
42notv
43nou2f
44novideo
45nosound
46protocol unix,inet,inet6
47seccomp
48seccomp.block-secondary
49tracelog
50
51disable-mnt
52private-bin tiny-rdm
53private-cache
54private-dev
55private-etc @network,@tls-ca,@x11
56private-tmp
57
58dbus-user none
59dbus-system none
60
61restrict-namespaces
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 23:47:54 +0000