diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 10 | ||||
-rw-r--r-- | etc/profile-a-l/clamtk.profile | 16 | ||||
-rw-r--r-- | etc/profile-a-l/discord.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/freshclam.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/pnpm.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/pnpx.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/tesseract.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/tiny-rdm.profile | 61 |
11 files changed, 108 insertions, 13 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 264fc29b2..55aabbc73 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox | |||
192 | blacklist ${HOME}/VirtualBox VMs | 192 | blacklist ${HOME}/VirtualBox VMs |
193 | 193 | ||
194 | # GNOME Boxes | 194 | # GNOME Boxes |
195 | blacklist ${HOME}/.cache/gnome-boxes | ||
195 | blacklist ${HOME}/.config/gnome-boxes | 196 | blacklist ${HOME}/.config/gnome-boxes |
196 | blacklist ${HOME}/.local/share/gnome-boxes | 197 | blacklist ${HOME}/.local/share/gnome-boxes |
197 | 198 | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e013872df..13b4b2078 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid | |||
22 | blacklist ${HOME}/.TelegramDesktop | 22 | blacklist ${HOME}/.TelegramDesktop |
23 | blacklist ${HOME}/.VSCodium | 23 | blacklist ${HOME}/.VSCodium |
24 | blacklist ${HOME}/.ViberPC | 24 | blacklist ${HOME}/.ViberPC |
25 | blacklist ${HOME}/.VirtualBox | ||
26 | blacklist ${HOME}/.WebStorm* | 25 | blacklist ${HOME}/.WebStorm* |
27 | blacklist ${HOME}/.Wolfram Research | 26 | blacklist ${HOME}/.Wolfram Research |
28 | blacklist ${HOME}/.ZAP | 27 | blacklist ${HOME}/.ZAP |
@@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie | |||
125 | blacklist ${HOME}/.cache/gegl-0.4 | 124 | blacklist ${HOME}/.cache/gegl-0.4 |
126 | blacklist ${HOME}/.cache/gfeeds | 125 | blacklist ${HOME}/.cache/gfeeds |
127 | blacklist ${HOME}/.cache/gimp | 126 | blacklist ${HOME}/.cache/gimp |
128 | blacklist ${HOME}/.cache/gnome-boxes | ||
129 | blacklist ${HOME}/.cache/gnome-builder | 127 | blacklist ${HOME}/.cache/gnome-builder |
130 | blacklist ${HOME}/.cache/gnome-control-center | 128 | blacklist ${HOME}/.cache/gnome-control-center |
131 | blacklist ${HOME}/.cache/gnome-recipes | 129 | blacklist ${HOME}/.cache/gnome-recipes |
@@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart | |||
223 | blacklist ${HOME}/.cache/systemsettings | 221 | blacklist ${HOME}/.cache/systemsettings |
224 | blacklist ${HOME}/.cache/telepathy | 222 | blacklist ${HOME}/.cache/telepathy |
225 | blacklist ${HOME}/.cache/thunderbird | 223 | blacklist ${HOME}/.cache/thunderbird |
224 | blacklist ${HOME}/.cache/tiny-rdm | ||
226 | blacklist ${HOME}/.cache/torbrowser | 225 | blacklist ${HOME}/.cache/torbrowser |
227 | blacklist ${HOME}/.cache/transmission | 226 | blacklist ${HOME}/.cache/transmission |
228 | blacklist ${HOME}/.cache/ueberzugpp | 227 | blacklist ${HOME}/.cache/ueberzugpp |
@@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack | |||
347 | blacklist ${HOME}/.config/Standard Notes | 346 | blacklist ${HOME}/.config/Standard Notes |
348 | blacklist ${HOME}/.config/SubDownloader | 347 | blacklist ${HOME}/.config/SubDownloader |
349 | blacklist ${HOME}/.config/Thunar | 348 | blacklist ${HOME}/.config/Thunar |
349 | blacklist ${HOME}/.config/TinyRDM | ||
350 | blacklist ${HOME}/.config/Twitch | 350 | blacklist ${HOME}/.config/Twitch |
351 | blacklist ${HOME}/.config/Unknown Organization | 351 | blacklist ${HOME}/.config/Unknown Organization |
352 | blacklist ${HOME}/.config/VSCodium | 352 | blacklist ${HOME}/.config/VSCodium |
353 | blacklist ${HOME}/.config/VirtualBox | ||
354 | blacklist ${HOME}/.config/Whalebird | 353 | blacklist ${HOME}/.config/Whalebird |
355 | blacklist ${HOME}/.config/Wire | 354 | blacklist ${HOME}/.config/Wire |
356 | blacklist ${HOME}/.config/Youtube | 355 | blacklist ${HOME}/.config/Youtube |
@@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2 | |||
559 | blacklist ${HOME}/.config/mpd | 558 | blacklist ${HOME}/.config/mpd |
560 | blacklist ${HOME}/.config/mps-youtube | 559 | blacklist ${HOME}/.config/mps-youtube |
561 | blacklist ${HOME}/.config/mpv | 560 | blacklist ${HOME}/.config/mpv |
562 | blacklist ${HOME}/.config/msmtp | ||
563 | blacklist ${HOME}/.config/mullvad-browser-flags.conf | 561 | blacklist ${HOME}/.config/mullvad-browser-flags.conf |
564 | blacklist ${HOME}/.config/mupen64plus | 562 | blacklist ${HOME}/.config/mupen64plus |
565 | blacklist ${HOME}/.config/mutt | 563 | blacklist ${HOME}/.config/mutt |
@@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie | |||
939 | blacklist ${HOME}/.local/share/ghostwriter | 937 | blacklist ${HOME}/.local/share/ghostwriter |
940 | blacklist ${HOME}/.local/share/gitg | 938 | blacklist ${HOME}/.local/share/gitg |
941 | blacklist ${HOME}/.local/share/gnome-2048 | 939 | blacklist ${HOME}/.local/share/gnome-2048 |
942 | blacklist ${HOME}/.local/share/gnome-boxes | ||
943 | blacklist ${HOME}/.local/share/gnome-builder | 940 | blacklist ${HOME}/.local/share/gnome-builder |
944 | blacklist ${HOME}/.local/share/gnome-chess | 941 | blacklist ${HOME}/.local/share/gnome-chess |
945 | blacklist ${HOME}/.local/share/gnome-klotski | 942 | blacklist ${HOME}/.local/share/gnome-klotski |
@@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage | |||
1019 | blacklist ${HOME}/.local/share/org.kde.gwenview | 1016 | blacklist ${HOME}/.local/share/org.kde.gwenview |
1020 | blacklist ${HOME}/.local/share/pix | 1017 | blacklist ${HOME}/.local/share/pix |
1021 | blacklist ${HOME}/.local/share/plasma_notes | 1018 | blacklist ${HOME}/.local/share/plasma_notes |
1019 | blacklist ${HOME}/.local/share/pnpm | ||
1022 | blacklist ${HOME}/.local/share/profanity | 1020 | blacklist ${HOME}/.local/share/profanity |
1023 | blacklist ${HOME}/.local/share/psi | 1021 | blacklist ${HOME}/.local/share/psi |
1024 | blacklist ${HOME}/.local/share/psi+ | 1022 | blacklist ${HOME}/.local/share/psi+ |
@@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk | |||
1084 | blacklist ${HOME}/.mpd | 1082 | blacklist ${HOME}/.mpd |
1085 | blacklist ${HOME}/.mpdconf | 1083 | blacklist ${HOME}/.mpdconf |
1086 | blacklist ${HOME}/.mplayer | 1084 | blacklist ${HOME}/.mplayer |
1087 | blacklist ${HOME}/.msmtprc | ||
1088 | blacklist ${HOME}/.mullvad/mullvadbrowser | 1085 | blacklist ${HOME}/.mullvad/mullvadbrowser |
1089 | blacklist ${HOME}/.multimc5 | 1086 | blacklist ${HOME}/.multimc5 |
1090 | blacklist ${HOME}/.nanorc | 1087 | blacklist ${HOME}/.nanorc |
@@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox* | |||
1233 | blacklist ${RUNUSER}/akonadi | 1230 | blacklist ${RUNUSER}/akonadi |
1234 | blacklist ${RUNUSER}/psd/*firefox* | 1231 | blacklist ${RUNUSER}/psd/*firefox* |
1235 | blacklist ${RUNUSER}/qutebrowser | 1232 | blacklist ${RUNUSER}/qutebrowser |
1236 | blacklist /etc/msmtprc | ||
1237 | blacklist /etc/ssmtp | 1233 | blacklist /etc/ssmtp |
1238 | blacklist /tmp/.wine-* | 1234 | blacklist /tmp/.wine-* |
1239 | blacklist /tmp/akonadi-* | 1235 | blacklist /tmp/akonadi-* |
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 9fc73ee55..7651c5d32 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for clamtk | 1 | # Firejail profile for clamtk |
2 | # Description: Easy to use, light-weight, on-demand virus scanner for Linux systems | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include clamtk.local | 5 | include clamtk.local |
@@ -7,15 +8,22 @@ include globals.local | |||
7 | 8 | ||
8 | include disable-exec.inc | 9 | include disable-exec.inc |
9 | 10 | ||
11 | # Add the below lines to your clamtk.local if you update signatures databases per-user: | ||
12 | #ignore net none | ||
13 | #netfilter | ||
14 | #protocol inet,inet6 | ||
15 | |||
10 | caps.drop all | 16 | caps.drop all |
11 | ipc-namespace | 17 | ipc-namespace |
12 | net none | 18 | net none |
13 | no3d | 19 | no3d |
14 | nodvd | 20 | nodvd |
15 | nogroups | 21 | # nogroups breaks scanning |
22 | #nogroups | ||
16 | noinput | 23 | noinput |
17 | nonewprivs | 24 | nonewprivs |
18 | noroot | 25 | # noroot breaks scanning |
26 | #noroot | ||
19 | nosound | 27 | nosound |
20 | notv | 28 | notv |
21 | nou2f | 29 | nou2f |
@@ -25,7 +33,9 @@ seccomp | |||
25 | 33 | ||
26 | private-dev | 34 | private-dev |
27 | 35 | ||
28 | dbus-user none | 36 | dbus-user filter |
37 | dbus-user.talk ca.desrt.dconf | ||
38 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
29 | dbus-system none | 39 | dbus-system none |
30 | 40 | ||
31 | restrict-namespaces | 41 | restrict-namespaces |
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index a4fcae5b8..6e7d8f91d 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile | |||
@@ -11,6 +11,7 @@ mkdir ${HOME}/.config/discord | |||
11 | whitelist ${HOME}/.config/discord | 11 | whitelist ${HOME}/.config/discord |
12 | whitelist /opt/Discord | 12 | whitelist /opt/Discord |
13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
14 | whitelist /usr/share/discord | ||
14 | 15 | ||
15 | private-bin discord,Discord | 16 | private-bin discord,Discord |
16 | 17 | ||
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 133d66f0d..f59094567 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | 3 | quiet |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include clamav.local | 5 | include freshclam.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 4c463521c..f301196c6 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -7,7 +7,7 @@ include nodejs-common.local | |||
7 | # added by caller profile | 7 | # added by caller profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts | 10 | # Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts |
11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full | 11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full |
12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented | 12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented |
13 | # as a sourced shell function, not an executable binary. Hence it is not | 13 | # as a sourced shell function, not an executable binary. Hence it is not |
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc | |||
22 | ignore read-only ${HOME}/.nvm | 22 | ignore read-only ${HOME}/.nvm |
23 | ignore read-only ${HOME}/.yarnrc | 23 | ignore read-only ${HOME}/.yarnrc |
24 | 24 | ||
25 | noblacklist ${HOME}/.local/share/pnpm | ||
25 | noblacklist ${HOME}/.node-gyp | 26 | noblacklist ${HOME}/.node-gyp |
26 | noblacklist ${HOME}/.npm | 27 | noblacklist ${HOME}/.npm |
27 | noblacklist ${HOME}/.npmrc | 28 | noblacklist ${HOME}/.npmrc |
@@ -43,6 +44,7 @@ include disable-xdg.inc | |||
43 | 44 | ||
44 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory | 45 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory |
45 | # and add the next lines to your nodejs-common.local. | 46 | # and add the next lines to your nodejs-common.local. |
47 | #mkdir ${HOME}/.local/share/pnpm | ||
46 | #mkdir ${HOME}/.node-gyp | 48 | #mkdir ${HOME}/.node-gyp |
47 | #mkdir ${HOME}/.npm | 49 | #mkdir ${HOME}/.npm |
48 | #mkdir ${HOME}/.npm-packages | 50 | #mkdir ${HOME}/.npm-packages |
@@ -52,6 +54,7 @@ include disable-xdg.inc | |||
52 | #mkdir ${HOME}/.yarn-config | 54 | #mkdir ${HOME}/.yarn-config |
53 | #mkdir ${HOME}/.yarncache | 55 | #mkdir ${HOME}/.yarncache |
54 | #mkfile ${HOME}/.yarnrc | 56 | #mkfile ${HOME}/.yarnrc |
57 | #whitelist ${HOME}/.local/share/pnpm | ||
55 | #whitelist ${HOME}/.node-gyp | 58 | #whitelist ${HOME}/.node-gyp |
56 | #whitelist ${HOME}/.npm | 59 | #whitelist ${HOME}/.npm |
57 | #whitelist ${HOME}/.npm-packages | 60 | #whitelist ${HOME}/.npm-packages |
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile new file mode 100644 index 000000000..08f88be43 --- /dev/null +++ b/etc/profile-m-z/pnpm.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpm | ||
2 | # Description: Fast, disk space efficient package manager | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpm.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile new file mode 100644 index 000000000..a99d1232a --- /dev/null +++ b/etc/profile-m-z/pnpx.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for pnpx | ||
2 | # Description: Part of the Node.js stack | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include pnpx.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 34cb3631a..41de746dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink | |||
163 | # Add 'ignore seccomp' to your steam.local if you experience this. | 163 | # Add 'ignore seccomp' to your steam.local if you experience this. |
164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 | 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 |
165 | # (see #4366). | 165 | # (see #4366). |
166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 | 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2 |
167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). | 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). |
168 | seccomp.32 !process_vm_readv | 168 | seccomp.32 !process_vm_readv |
169 | # tracelog breaks integrated browser | 169 | # tracelog breaks integrated browser |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 5babfb8d2..c0293406d 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
@@ -26,6 +26,7 @@ include whitelist-common.inc | |||
26 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | whitelist /usr/share/tessdata | 28 | whitelist /usr/share/tessdata |
29 | whitelist /usr/share/tesseract-ocr | ||
29 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile new file mode 100644 index 000000000..4134d666c --- /dev/null +++ b/etc/profile-m-z/tiny-rdm.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for tiny-rdm | ||
2 | # Description: A Modern Redis GUI Client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tiny-rdm.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/tiny-rdm | ||
10 | noblacklist ${HOME}/.config/TinyRDM | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-proc.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.cache/tiny-rdm | ||
22 | mkdir ${HOME}/.config/TinyRDM | ||
23 | whitelist ${HOME}/.cache/tiny-rdm | ||
24 | whitelist ${HOME}/.config/TinyRDM | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-run-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | ipc-namespace | ||
34 | netfilter | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | noinput | ||
39 | nonewprivs | ||
40 | noprinters | ||
41 | noroot | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | nosound | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | seccomp.block-secondary | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin tiny-rdm | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc @network,@tls-ca,@x11 | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user none | ||
59 | dbus-system none | ||
60 | |||
61 | restrict-namespaces | ||